Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sun, 06 January 2019 05:03 UTC

Date: Sat, 05 Jan 2019 23:02:55 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: Kent Watsen <kwatsen@juniper.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20190106050255.GJ28515@kduck.kaduk.org>
References: <154390493154.31734.13025584839857369253.idtracker@ietfa.amsl.com> <F526DA60-77EC-45D6-ADE0-B345020A89BF@juniper.net> <20181230003002.GC57547@kduck.kaduk.org> <5DCD6C74-7918-45AB-BEA7-2C1A020B4411@juniper.net>
In-Reply-To: <5DCD6C74-7918-45AB-BEA7-2C1A020B4411@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/q38i_tFuJbHnBrrckMMReZjuJEI>

Hi Kent,

(Also a heads-up for Adam and Alexey, mentioned below regarding
dnsop-attrleaf registry actions)

On Sat, Jan 05, 2019 at 03:05:35AM +0000, Kent Watsen wrote:
> Hi Benjamin,
> 
> Below are several links to individual GitHub commits, but here's the link
> to the complete/rendered draft:
> 
> 	https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-27

You probably already saw the mail, but these changes did address my Discuss
points, so I've cleared in the datatracker.  Thank you for the really good
discussions we've been having; I'll try to finish things up below.

> 
> 
> >> > ----------------------------------------------------------------------
> >> > DISCUSS:
> >> > ----------------------------------------------------------------------
> >> >
> >> > First off, thanks for this clear and considered document and design; it
> >> > really lays out the scenario of applicability and the functionality quite
> >> > well.  I just have a couple lingering places that we might want to nail
> >> > down a little bit tighter...
> >> >
> >> > (1) SSH key formats
> >> >
> >> > The module in Section 7.3 says:
> >> >
> >> >           leaf-list ssh-host-key {
> >> >             type binary;
> >> >             description
> >> >               "The binary public key data for this SSH key, as
> >> >                specified by RFC 4253, Section 6.6, i.e.:
> >> >
> >> >                  string    certificate or public key format
> >> >                            identifier
> >> >                  byte[n]   key/certificate data.";
> >> >             reference
> >> >               "RFC 4253: The Secure Shell (SSH) Transport Layer
> >> >                          Protocol";
> >> >
> >> > but RFC 4523 Section 6.6 says:
> >> >
> >> >   The key type MUST always be explicitly known (from algorithm
> >> >   negotiation or some other source).  It is not normally included in
> >> >   the key blob.
> >> >
> >> >   Certificates and public keys are encoded as follows:
> >> >
> >> >      string    certificate or public key format identifier
> >> >      byte[n]   key/certificate data
> >> >
> >> > How is the key type known for the SZTP usage?
> >> 
> >> Good catch.  The fix here is to mimic RFC7317's "authorized-key" list.
> >> That is, convert "ssh-host-key" from a "leaf-list" to a "list"
> >> containing the extra "algorithm" node.  This fix is here:
> >> 
> >> https://github.com/netconf-wg/zero-touch/commit/7a33c418f733aebcd95f2c91c4e9abbccfd362e4
> >
> > Sounds good.
> 
> Excellent - this item is closed.
> 
> 
> 
> >> > (2) Privilege escalation by design
> >> >
> >> > There's text in Section 2.1 (and, really, throughout) that indicates that
> >> > a device being bootstrapped should allow a trusted bootstrap server to
> >> > behave as (i.e., supply) a trust anchor for verifying a different service.
> >> > In some sense this is elevating an EE cert to a CA cert, and I had hoped
> >> > to see some discussion of this escalation in the security considerations.
> >> > (Same for the owner cert, though there's a stronger argument that the 
> >> > owner should be considered fully privileged here.)
> >> 
> >> Correct, "redirect information" from a trusted source should contain a
> >> trust-anchor certificate (actually, a CMS containing a chain of certs).
> >> 
> >> Yes, the device's trust in a TLS trust anchor cert (e.g., provided via the
> >> manufacturing process) is used to trust the EE cert for a bootstrap 
> >> server that returns a new trust anchor cert, enabling the device to 
> >> pin the new TA cert for subsequent EE cert validation.  
> >> 
> >> This is similar to a CA in that a chain of trusted certs is formed, but
> >> it isn't quite like a CA cert, in that the EE cert doesn't itself sign
> >> the new TA cert; it only signs that transport used to convey the TA cert.
> >> 
> >> Regarding the owner cert being similar, I think you mean that the 
> >> ownership voucher [RFC 8366] is similar, which is true.  In this case,
> >> the device's trust in a trust anchor for voucher-signing certs (e.g., 
> >> provided via the manufacturing process) is used to trust a specific
> >> signing cert for a voucher, which encodes a new trust anchor cert 
> >> (the 'pinned-domain-cert'), which is, in fact, the issuing CA for
> >> the owner certificate.
> >> 
> >> Okay, so we have these two things.  In both cases, trust anchors are 
> >> conveyed via trusted mechanisms.  Do you want me to add a Security
> >> Consideration saying this?  
> >> 
> >> I somehow thought this concept was fairly common, is it not done 
> >> elsewhere?
> >
> > It is fairly common, but it is probably still worth describing the security
> > properties of the protocol exchanges, here.  (In that a compromise of the
> > initial interaction can result in compromise of all subsequent
> > interactions, just as for trust-on-first-use.)
> 
> Please let me know if this update addresses the concern:
> https://github.com/netconf-wg/zero-touch/commit/a5086b299f60c00afcaddc0ddf0a0e9d3431c04e

Perfect, thanks!

> 
> 
> 
> 
> >> > (3) Nonce length
> >> >
> >> > Section 7.3 describes the nonce leaf:
> >> >
> >> >         leaf nonce {
> >> >           type binary {
> >> >             length "8..32";
> >> >
> >> > There is probably some discussion to be had about the minimum nonce
> >> > length (not necessarily in the document itself).  Do you have a 
> >> > pointer handy to previous discussions or do we need to have it now?
> >> > (I do see that this is just following RFC 8366, so hopefully this
> >> > is an easy question.)
> >> 
> >> 
> >> I sent email to my RFC 8366 co-authors, as they were behind setting
> >> this min nonce length.  I have yet to hear back from them, but will
> >> let you know when I do.
> >
> > [covered in separate thread]
> 
> [Bringing back into this thread]
> 
> I emailed the RFC 8366 authors (CC you) regarding your concern with the
> minimum-allowed nonce length.
> 
> As for this draft, I feel that the easiest solution is to change the YANG
> as follows:
> 
>        leaf nonce {
>          type binary {
> -          length "8..32";
> +          length "16..32";
>          }
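
Review bot: The tightened lower bound in `length "16..32";` is not explained in the visible lines of the leaf, and it now differs from the "8..32" range the leaf previously carried over from RFC 8366. Consider adding a sentence to the nonce leaf's description stating that the 16-octet minimum is intentional and still within the RFC 8366 range, so that implementations reusing RFC 8366 nonce generation do not emit 8- to 15-octet values that fail YANG validation here.
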
> 
> It is within the range allowed by RFC 8366 (i.e., no compatibility violation)
> while eliminating the low end that you objected to.  I can't imagine there
> being an issue in asking a low-end device (even a measly IoT thing) to generate
> an extra 8 bytes of random data.
> 
> I've made this change in my local copy.

Sounds good.  This is certainly the easiest way forward, and if there are
no objections there's not much reason to not just go with it.  I may have
some generic desire in the abstract to fully understand whether it's
needed, but I am pretty sure I can suppress that desire if needed :)

> 
> 
> >> > (4) OPTION_V4_ZEROTOUCH_REDIRECT repeated instances
> >> >
> >> > (In Section 8.1.)
> >> >
> >> > I think I may just be misunderstanding things here, but aren't
> >> >
> >> >   As the list of URIs may exceed the maximum allowed length of a single
> >> >   DHCPv4 option (255 octets), the client MUST implement [RFC3396],
> >> >   allowing the URI list to be split across a number of
> >> >   OPTION_V4_ZEROTOUCH_REDIRECT option instances.
> >> >
> >> > and
> >> >
> >> >   The DHCPv4 server MAY include a single instance of Option
> >> >   OPTION_V4_ZEROTOUCH_REDIRECT in DHCP messages it sends.  Servers MUST
> >> >   NOT send more than one instance of the OPTION_V4_ZEROTOUCH_REDIRECT
> >> >   option.
> >> >
> >> > in conflict about sending more than one instance of
> >> > OPTION_V4_ZEROTOUCH_REDIRECT?
> >> 
> >> Yes, these statements appear to be contradictory.  I asked my co-author,
> >> Ian Farrer, our local DHCP expert, to answer this question.  I think some
> >> word-smithing is needed to convey that a "singleton" option may be split
> >> into pieces.
> >
> > If memory serves, this was resolved in a different AD's ballot thread.
> 
> I think you mean this commit by my co-author Ian to address a comment from Suresh: https://github.com/netconf-wg/zero-touch/commit/1c846ca3bc6ce8ffe1813a0c864dc3aebaf3af65.
> 
> In either case, we believe the issue is resolved in the current (posted) text.
> Here is the direct link: https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-26#section-8.
> 
> Can this DISCUSS item be closed now?

It already was; I had updated my ballot position in the datatracker for the
-26 (but did not have it send mail)

> 
>  
> >> > ----------------------------------------------------------------------
> >> > COMMENT:
> >> > ----------------------------------------------------------------------
> >> >
> >> > Should we consider recommending AuthEnvelopedData throughout instead
> >> > of just EnvelopedData?
> >> 
> >> I don't think this is necessary as 1) the decrypted data can be tested
> >> to be a well-formed CMS and 2) using SZTP to cause the device to act as a
> >> decryption oracle doesn't work well, if at all, as the decrypted text
> >> isn't subsequently made available.
> >> 
> >
> > I'm not sure that (2) is relevant, but (1) and being a SignedData ought
> > to be enough.  Thanks for thinking it through with me.
> 
> Great - this item is closed.
> 
> 
>  
> >> > TLS and CMS are probably good enough about adding context in their
> >> > signatures (well, provided modern versions are used) that we don't
> >> > get too much heartburn about reusing the same key directly for both
> >> > zerotouch [artifact] decryption and TLS client certificates, but 
> >> > it's generally the sort of thing that we frown upon.
> >> 
> >> Understood, which is why the last paragraph of Section 3.4 (Artifact
> >> Encryption) says "This [encryption] certificate MAY be the same as 
> >> the TLS-level client certificate the device uses when connecting to
> >> bootstrap servers.".  The draft is going out of its way to say that
> >> this is okay.  This is necessary, in part, because devices tend to
> >> have only a single IDevID certificate, and hence it tends to be used
> >> for both digitalSignature (for when used as a TLS client cert) and
> >> keyEncipherment (for decrypting the zerotouch artifacts).  The draft
> >> also leaves open the possibility to use distinct certificates for
> >> each purpose.  Perhaps a Security Consideration for this would be
> >> good?  [But given that these are distinct/separate uses, with no
> >> leakage between (AFAICT), then maybe not needed?]
> >
> > I would suggest (recalling that this is a non-blocking comment) adding
> > some text that this does allow for reuse of the private key to make
> > different types of signatures, but there are not any known ways to
> > cause a signature made in one context to be (mis)interpreted as valid
> > in the other.
> 
> I have added a new Security Considerations section to highlight this reuse: https://github.com/netconf-wg/zero-touch/commit/62076e8421fd286a74519b60e8346dbf78d3c4f2
> 

Thanks; it does a great job laying out the situation.

> 
> 
> >> > I a little bit wonder if we want references for TLS and/or HTTP client
> >> > authentication.  Section 2.5 of RFC 8040 might be enough (though it is
> >> > of course not citing TLS 1.3).
> >> 
> >> This draft's use of TLS and HTTP authentication is exclusively for
> >> RESTCONF (RFC 8040).   I'm generally hoping to just reference that
> >> RFC and let it speak for itself.
> >> 
> >> Correct, RFC 8040 does not cite TLS 1.3 explicitly, though TLS 1.3 is
> >> allowed, as Section 2.1 says:
> >> 
> >>    RESTCONF does not require a specific version of HTTP.  However, it 
> >>    is RECOMMENDED that at least HTTP/1.1 [RFC7230] be supported by all
> >>    implementations.
> >> 
> >> BTW, does this comment regard Section 9.6?  
> >
> > Section 9.6 is about making sure the client does not send sensitive data to
> > an unauthenticated server, which is not limited to the data in the
> > certificate; my comment here is more about the mechanics of the client
> > authenticating itself to a server for the server to make authorization
> > decisions (admittedly, I did not mention "authorization" prior to now, so
> > my apologies for being unclear).  Client authentication is mentioned
> > directly or in passing in at least sections 5.1 (which does mention Section
> > 2.5 of RFC 8040 already) and 5.3 (ditto), as well as 9.6.
> 
> As you say, authentication is mentioned in several places already 
> and, if I understand you correctly, this text is sufficient.
> 
> While the word "authorization" does not appear in this document, 
> Section 9.13 discusses "access", which relates to statements in 
> RFC 8040, such as:
> 
>    The RESTCONF server MUST authenticate client access to any protected
>    resource.
> 
>    The server MUST NOT allow any RESTCONF operation for any resources
>    that the client is not authorized to access.
> 
> To provide a more complete picture, the bootstrap server exposes just
> two RPCs.  Each RPC *requires* an authenticated client-credential to
> function.  That is, "get-bootstrapping-data" can only return the 
> bootstrapping data for the authenticated client credential; there is
> no other parameter passed for the server to determine which data to 
> return. Likewise, "report-progress" can only report progress for the
> authenticated client credential; there is no other parameter passed
> for the server to determine for which client is reporting the data.
> 
> This COMMENT began by asking if we might want references for TLS 
> and/or HTTP client authentication, and now maybe authorization.
> Given the above discussion, what is your recommendation?

I think that the document will be good with no additional change for this
matter; the contents of RFC 8040 and the way we use RESTCONF makes things
clear enough.

> 
> >> > (Are there generic RESTCONF internationalization considerations?
> >> > I see 8040 say "just use UTF-8", but is more needed?)
> >> 
> >> I'm not aware of any problems here.  No RFC 8040 errata has been filed.
> >> Is there something in particular you're thinking about?
> >
> > Nothing in particular, no.  
> 
> Okay, this item seems to be closed then.
> 
> 
> 
> >> > Section 1.2
> >> >
> >> >   Network Management System (NMS):  The acronym "NMS" is used
> >> >       throughout this document to refer to the deployment specific
> >> >
> >> > nit: deployment-specific (with hyphen)
> >> 
> >> Fixed (as well as the instance in Section C.2)
> 
> 
> 
> 
> >> > Section 2.1
> >> >
> >> > Does RFC 8340 require a "ro" (or similar) to appear in the tree
> >> > diagram? (Both here and in §2.2.)
> >> 
> >> No, because these are "yang-data" structures.
> >> https://tools.ietf.org/html/rfc8340#section-2.3.
> >
> > Ah, thanks for the pointer -- learn something every day.
> 
> 
> 
> 
> >> > Section 3.2
> >> >
> >> > Do we want to impose any ordering requirements on the certificate
> >> > chain (e.g., owner cert must come first, each cert SHOULD certify
> >> > the one immediately prior to it, etc.)?
> >> 
> >> The owner certificate is encoded using a CMS SignedData structure.
> >> SignedData is defined in RFC 5652, 5.1.  The "certificates" field
> >> is of type "CertificateSet", defined in Section 10.2.3 as a "SET OF",
> >> which is defined in ASN.1 as an unordered collection.  So, ordering
> >> is not possible.
> >
> > Okay.
> 
> 
> 
> 
> >> > Section 3.4
> >> >
> >> > Thank you for including the motivating text about sign-then-encrypt.
> >> > I do wonder if it's worth saying anything about why the well-publicized
> >> > security risks of mac-then-encrypt do not apply.  (The authors of
> >> > draft-campbell-sip-messaging-smime probably already have some text
> >> > that could be used, but it doesn't seem to be in the public view yet.)
> >> 
> >> Are you referring to the padding oracle attack?  As mentioned above, the
> >
> > Right.
> >
> >> solution presented in this document doesn't lend the device to being a
> >> very good decryption oracle.  I suppose the fix would be to add to this
> >> section (or the Security Considerations section?) something like:
> >> 
> >>   This document specifies the encryption of signed objects, as opposed
> >>   to the signing of encrypted objects, as might be expected given well-
> >>   publicized oracle attacks (e.g., the padding oracle attack).  This
> >>   document does not view such attacks as being feasible in the context
> >>   of the solution because i) the decrypted text never leaves the device
> >>   and ii) the solution does not differentiate between a "bootstrap-error"
> >>   caused by a decryption failure versus a failure occurring when parsing
> >>   the decrypted text.
> >
> > That works for me, thanks.  (But feel free to leave it out if you don't
> > think it's adding value, too.)
> 
> I added a slightly reduced version of the above text (taking out clause "ii"):
> https://github.com/netconf-wg/zero-touch/commit/388d0355b3c7c6ce4aa48028a4ef89dc64147304.
> 
> Still good?

Yes.

> 
>  
> >> > Section 4.1
> >> >
> >> > Mounting all filesystems found on removable devices can be a security
> >> > risk, with intentionally malformed filesystem images causing system
> >> > compromise in some cases.
> >> 
> >> Is the concern the mounting of *all* or *any* filesystems?  It seems 
> >> that even if there were just one filesystem, it could be intentionally
> >> malformed.  Are you hoping to see a Security Consideration for this?
> >
> > The concern was any, thanks for figuring out what I meant.
> > Thinking about this again after the long gap, it seems a pretty generic
> > consideration, so it's unclear that Security Considerations text in this
> > document specifically would be particularly helpful.
> 
> Okay, let's close this one with no update.

Okay.

> 
> 
>  
> >> > Section 4.2
> >> >
> >> > I agree with Adam about registering "zerotouch" (and the name is
> >> > perhaps overly generic?).
> >> >
> >> > I'm also not sure I properly understand the "zt-info"/zt-* TXT
> >> > records' usage; would they need to be registered akin to
> >> > draft-moonesamy-dnsop-special-use-label-registry?
> >> 
> >> First, regarding the term "zerotouch" being perhaps overly generic,
> >> I have somewhat felt this way for a while.  One thing that could be
> >> done fairly easily is to move the bulk of the "zerotouch" references
> >> to "sztp", the acronym given throughout.  Admittedly, what SZTP
> >> stands for isn't tremendously better, but I think that it is
> >> generally better than just "zerotouch".  Thoughts?
> >
> > SZTP does seem better than just "zerotouch" to me, all things considered.
> 
> 
> Okay, I did the following:
> 
>   When referring to the draft/solution:
>     Zero Touch --> SZTP
> 
>   When referring to the bootstrapping artifact:
>     zero touch information --> conveyed information
>     zerotouch-information  --> conveyed-information
> 
>   For the CMS content types:
>     id-ct-zerotouchInformationXML  --> id-ct-sztpConveyedInfoXML
>     id-ct-zerotouchInformationJSON --> id-ct-sztpConveyedInfoJSON
> 
>   For the YANG modules:
>     ietf-zerotouch-information.yang      --> ietf-sztp-conveyed-info.yang
>     ietf-zerotouch-bootstrap-server.yang --> ietf-sztp-bootstrap-server.yang
> 
>   For the DNS/service name:
>     _zerotouch --> _sztp
> 
> A big change, though I scripted most of it. Here's the diff:
> https://github.com/netconf-wg/zero-touch/commit/394b863d1850019fd451554a9f86c3c10d280d08

Thank you for your willingness to make these disruptive changes "for the
good of the team"; I know it's pretty thankless work.

> 
> 
> 
> 
> >> Second, I am not a DNS expert, do you know who we can discuss
> >> such things with?  That said, I guess our idea was to use TXT
> >> records like RFC 1464, where the TXT value itself has the form
> >> "<attribute name>=<attribute value>", in which case it doesn't
> >> seem to need IANA registration?
> >
> > Please correct me if I'm wrong, but I think this issue was
> > already covered in a different AD's ballot thread.
> 
> Correct, Section 4.2 was updated (posted in -26) per Alexey's DISCUSS.
> Per your original comment (and his, and Adam's), Section 10.6 now
> requests IANA to register the service name "sztp" (was "zerotouch"). 
> 
> > That said, the addition of <serial number>._zerotouch.fqdn in the
> > -26 seems to indicate that mention of draft-ietf-dnsop-attrleaf
> > is appropriate, if I remember correctly how that works.
> 
> I've just now read draft-ietf-dnsop-attrleaf.  I see the applicability,
> but I don't understand your proposal.  Looking at DataTracker, I see
> that it is already in RFC Ed Queue, so I think you're suggesting I
> treat it as a fait accompli, and add an IANA Consideration section
> to register "_sztp", yes?  Assuming that is the case, then what should

From memory, yes.

> be done with the service name registration in Section 10.6, added per
> comments from Alexey and Adam?

I think we'll need to get some further input from Alexey and/or Adam, but
my understanding is that we would need both registrations -- the service
name registration covers our _sztp._tcp.fqdn SRV records, but we are also
using <serial number>._sztp._tcp.fqdn TXT records, and so (IIUC) we'd need
to add a reference to this document for the TXT _tcp entry that RFC 6763
(DNS-SD) is currently the reference for.

> 
> 
> >> > Section 5.3
> >> >
> >> > This is the first time we talk about "serial number" as device identity;
> >> > maybe a forward-reference is in order?
> >> 
> >> I'm unsure what the forward reference would be to.  However, I think that
> >> we could add "serial number" to Section 5.1 (Initial State), as a new
> >> first item in the <read-only storage> box.  Would that be better?
> >
> > It looks like -26 added some text relating "serial number" and "device
> > identity [certificate]", so let's call this OBE.
> 
> Sounds good, thanks.
> 
> 
> 
> 
> >> > Does the device have any reason to track whether the incoming artifact is
> >> > encrypted (whether at the CMS layer or the transport layer)?  I can't think
> >> > of one, but sometimes this is useful information in other settings.
> >> 
> >> I also cannot think of a reason.  That the incoming CMS is encrypted has
> >> no bearing on device's processing logic.  This is expected, given that the
> >> device's public key is, well, public, and therefore access to it has no
> >> special meaning.  Note that encryption here is used to ensure privacy, as
> >> only the device can decrypt/access the data.
> >
> > Agreed.
> 
> Excellent (closed)
> 
> 
> 
> >> >   If the zero touch information artifact contains onboarding
> >> >   information, and trust-state is FALSE, the device MUST exit the
> >> >   recursive algorithm (as this is not allowed, see the figure above),
> >> >   returning to the bootstrapping sequence described in Section 5.2.
> >> >   Otherwise, the device MUST attempt to process the onboarding
> >> >   information as described in Section 5.6.  In either case, success or
> >> >   failure, the device MUST exit the recursive algorithm, returning to
> >> >   the bootstrapping sequence described in Section 5.2, the only
> >> >   difference being in how it responds to the "Able to bootstrap from
> >> >   any source?" conditional described in the figure in the section.
> >> >
> >> > Does this "either case" refer to just the processing of onboarding
> >> > information, or the exit vs. attempt to process cases?  (I assume the
> >> > former, but perhaps some editorial work is in order.)
> >> 
> >> Your intuition is correct :)   How about this:
> >> 
> >>   OLD:
> >>     In either case, success or failure, ...
> >> 
> >>   NEW:
> >>     Whether the processing of the onboarding information succeeds
> >>     or fails, ...
> >
> > SGTM :)
> 
> Edit made in -27.
> 
> 
> 
> 
> >> >   If the zero touch information artifact is signed, and the device is
> >> >   able to validate the signed data using the algorithm described in
> >> >   Section 5.4, then the device MUST set trust-state to TRUE; otherwise,
> >> >   if the device is unable to validate the signed data, the device MUST
> >> >   set trust-state to FALSE.  Note, this is worded to cover the special
> >> >   case when signed data is returned even from a trusted bootstrap
> >> >   server.
> >> >
> >> > Having read Section 5.4, I'm still unsure where the special handling
> >> > for this special case is described.
> >> 
> >> There is no special handling per se, but the point that it is trying
> >> (perhaps ineffectually) to make is that, if signed-data is received from a
> >> trusted-source, validating the signature is all that matters, that
> >> the source was trusted becomes irrelevant to being able to validate
> >> the data.  Makes sense now?  Does it need to be reworded?
> >
> > It does make sense now, and I don't think it needs to be reworded -- thanks
> > for the extra explanation.  (I was mostly concerned that there was a
> > special case that I wasn't finding in the text, but the existing text
> > describes exactly what to do, so it's all good.)
> 
> Okay, item closed with no update made.
> 
> 
> 
>  
> >> > Section 5.5
> >> >
> >> >   Processing redirect information is straightforward, the device
> >> >   sequentially steps through the list of provided bootstrap servers
> >> >   until it can find one it can bootstrap from.
> >> >
> >> > nit: I think this is a comma splice.
> >> 
> >> Changed to a semicolon.
> 
> 
> 
>   
> >> > Section 5.6
> >> >                                                Regardless the
> >> >   reporting-level indicated by the bootstrap server, the device MAY
> >> >   send progress reports beyond the mandatory ones specified for the
> >> >   given reporting level.
> >> >
> >> > nit: "Regardless of"
> >> 
> >> Fixed in -26.
>  
>  
>  
> >> >   When the onboarding information is obtained from an untrusted
> >> >   bootstrap server, the device MUST NOT send any progress reports to
> >> >   the bootstrap server.
> >> >
> >> > I'm not sure if I would want a parenthetical "(that is, the onboarding
> >> > information was authenticated at the CMS layer)", but I would think about
> >> > adding one.
> >> 
> >> How about postpending:
> >> 
> >>   ", even though the onboarding information must have been signed and
> >>    authenticated.  Please be aware that bootstrap servers are recommended,
> >>    in the last paragraph of Section 9.6, to promote untrusted connections
> >>    to trusted connections so as, in part, to be able to collect progress
> >>    reports from devices."
> >> 
> >> Too wordy, or just right?
> >
> > I am prone to being too wordy myself, but that seems just right to me.
> 
> Okay, I added a slightly modified version of the above to -27.
> 
> 
>  
> 
> >> >   The device MUST parse the provided onboarding information document,
> >> >   to extract values used in subsequent steps.  Whether using a stream-
> >> >   based parser or not, if there is an error when parsing the onboarding
> >> >
> >> > This line makes me consider the scenario where a stream-based parser is
> >> > used with a trusted bootstrap server and no CMS-layer signature.  At the
> >> > TLS layer, a truncation attack by the network is possible, and if
> >> > truncation is not detectable at the application layer, the device could end
> >> > up misconfigured with neither party aware (unless there's an additional
> >> > response or something that I'm forgetting about).  I think that for the XML
> >> > and JSON formats we know and love, truncation would make for a malformed
> >> > stream due to the outermost scope container, but please correct me if I'm
> >> > wrong.  There are probably some security considerations to mention w.r.t.
> >> > any future new encodings of this data model, though.
> >> 
> >> The steps are roughly: 
> >>   a) HTTPS GET an XML/JSON document (the "get-bootstrapping-data" response).
> >>   b) extract the CMS-based artifacts from the XML/JSON document.
> >>   c) if encrypted, decrypt.
> >>   d) if signed, authenticate.
> >>   e) extract the onboarding-information (another XML/JSON doc) from the CMS artifact.
> >>   f) process the onboarding-information XML/JSON doc
> >> 
> >> So here we're at step (f), where the text mentions the possible use of a
> >> stream parser.  This is rather long after step (a), where TLS truncation
> >> may occur and, presumably caught in step (b).  This is by way of saying
> >> that I don't think this is an issue, but interested to hear your response.
> >> 
> >> FWIW, the point of this "stream-based parser" comment is to highlight
> >> that, unlike most all the other progress-types, which seem to reflect
> >> a serial processing of the steps, the parsing may either be a distinct
> >> step (e.g., a DOM-based parser) or something that is splayed across all
> >> the other steps (a stream-based parser).  In the first case, all
> >> the "parsing-*" progress reports (including any parsing-error report)
> >> are expected to be transmitted before any, e.g., boot-image-* reports
> >> are sent; whereas, in the second case, the parsing-* reports can be
> >> intermixed.
> >> 
> >> I don't think there is a TLS concern, but perhaps the paragraph needs
> >> to be reworded?
> >
> > I think your understanding basically matches mine; I tried to include in my
> > remark that it would only possibly apply to the case where the predicates
> > for (c) and (d) are false.  I just plain don't know whether (a)/(b) will
> > choke if the GET response is an incomplete XML/JSON document.  If it
> > properly errors out, then there's no concern here, and we should just move
> > on.  In any case, even if there was an issue, this paragraph would not
> > really be the place to talk about it -- my comment is only located here
> > because this is where we start talking about stream-based parsers.  The
> > errors in question are not necessarily those generated by the stream-based
> > parser, but can also include those generated at earlier steps.
> 
> Okay, if we step back from the stream-parsing angle, and instead just focus
> on the TLS truncation concern, my first thought is that said error will be
> detected in (a) and (b) will not be entered.  In case (b) is entered, then
> it seems that (b) would detect a malformed response from the server, as it
> would normally need to do.

Okay, defense in depth is a good thing.  It sounds like we don't need to
say anything about this in the document, IIUC.

>  
> >> >      *  Most steps are atomic.  For instance, when a commit fails, it
> >> >         is expected to have no impact on the configuration.  Similarly,
> >> >         if the error occurs when executing a script, the script will
> >> >         gracefully exit.
> >> >
> >> > As a reader it's hard to tell if this is giving guidance to script
> >> > authors or consumers.
> >> 
> >> Is this better?
> >> 
> >>    Most steps are atomic.  For example, the processing a configuration
> >>    is specified as atomic above, and the processing of scripts are
> >>    similarly atomic, as specified in the "ietf-zerotouch-information"
> >>    YANG module.
> >
> > Yes, thanks.  (I think the -26 lost both "of"s, though?)
> 
> Edit made to -27, including the missing "of"s.
> 
> 
> 
> 
> 
> >> > Section 6.2
> >> >
> >> > "base64encodedvalue==" is pretty cute, though maybe we could add some
> >> > trailing numbers to provide different values for the different fields?
> >> 
> >> The issue here is that the example documents must be valid (fwiw, they
> >> are tested each time `xml2rfc` is run).  Previous versions of this 
> >> document included complete base64 encoding of the real objects, but 
> >> people complained that it greatly distracted from readability.  To
> >> address this, the WG agreed to use "base64encodedvalue==" in examples
> >> to represent YANG "binary" data.
> >> 
> >> Is it okay to leave this as is?
> >
> > This is a non-blocking comment, so by definition my answer is "yes" :)
> > I mostly just wanted to point out that the examples use the same literal
> > string to fill in for many different data types -- I agree with not using
> > "real" examples since they're bulky and not readable in encoded form, but
> > was just wondering if we could use different short strings to represent
> > semantically different objects.
> 
> Okay, let's close this with no update.  That said, you may be pleased (or
> irked) to see that the nonce min-length change forced one example to have
> to change to "<nonce>extralongbase64encodedvalue=</nonce>" in order to pass
> build-time validation tests ;)

Cool, I wish my CI was that good :)

> 
> 
> 
>  
> >> > Section 6.3
> >> >
> >> > The YANG module boilerplate is still on the RFC 2119 version of BCP 14
> >> > (not RFC 8174).
> >> 
> >> Fixed in -26. Now both YANG modules read:
> >> 
> >>     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL",
> >>     "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", 
> >>     "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document
> >>     are to be interpreted as described in BCP 14 [RFC2119]
> >>     [RFC8174] when, and only when, they appear in all
> >>     capitals, as shown here.
>  
> Note, a separate WG comment prompted an additional update here.
> Now "[RFC2119][RFC8174]" is "(RFC 2119, RFC 8174)", since YANG
> modules aren't themselves drafts with a references section and
> such.
> 
> 
> 
> 
> 
> >> > Section 7.2
> >> >
> >> > If we're going to say "and receives signed data in the response", maybe we
> >> > could actually give an example that shows the (base64'd) CMS structure that
> >> > corresponds to the signature?  Not necessarily the whole payload, but
> >> > enough to see the outer structure at least...
> >> 
> >> See previous response regarding "base64encodedvalue==".  It's tricky
> >> business.  That said, in a separate "expert review" response from Russ
> >> Housley, we were thinking to add an appendix section containing all
> >> the possible ASN.1 structures.  For instance:
> >> 
> >>   X. ASN.1 for Various Artifacts
> >>   X.1. Zero Touch Information
> >>   X.2. Signed Zero Touch Information
> >>   X.3. Encrypted and Signed Zero Touch Information
> >>   X.4. Owner Certificate
> >>   X.5. Encrypted Owner Certificate
> >>   X.6. Ownership Voucher
> >>   X.7. Encrypted Ownership Voucher
> >> 
> >> Would this bridge the gap for you?
> >
> > That would help a lot, thanks!
> 
> Is it okay for me to back out of this one?  I had thought previously
> that Russ would provide the ASN.1, but he said he didn't have time and,
> well, I'd rather not venture into this if it can be avoided...

It will be okay if nothing happens on this front.  (You've already put in a
huge amount of effort anyway!)

Huge thanks for all your work on this -- hopefully the end is in sight!

-Benjamin

> 
> 
> 
> >> > Section 7.3
> >> >
> >> > The YANG module boilerplate is still on the RFC 2119 version of
> >> > BCP 14 (not RFC 8174).
> >> 
> >> Yep, fixed in -26 along with the fix to the other YANG module.
>  
>  
> 
> 
>  
> >> >             enum "boot-image-installed-rebooting" {
> >> >               description
> >> >                 "Indicates that the device successfully installed
> >> >                  a new boot image and is about to reboot.  After
> >> >                  sending this progress type, the device is not
> >> >                  expected to access the bootstrap server again.";
> >> >
> >> > Is this just scoped to the current connection/session?
> >> > (As opposed to "bootstrap-complete", which probably is a global statement.)
> >> 
> >> Yes, just the current scope. how about the following? - or should the last
> >> sentence be left off?
> >> 
> >>               "Indicates that the device successfully installed
> >>                a new boot image and is about to reboot.  After
> >>                sending this progress type, the device is not
> >>                expected to access the bootstrap server again
> >>                for this bootrapping attempt.  The device may
> >>                access this bootstrap server after rebooting
> >>                and restarting the zerotouch bootstrapping
> >>                process.";
> >
> > Probably the last sentence is not adding anything useful.
> 
> Last sentence removed (and spelling mistake fixed) in -27.
> 
> 
> 
> 
> 
> >> >   container trust-anchor-certs {
> >> >   [...]
> >> >               The CMS MUST contain only a single chain of
> >> >               certificates.  The device's end-entity certificate
> >> >               MUST only authenticate to the last intermediate CA
> >> >               certificate listed in the chain.
> >> >
> >> > I'm not sure whether "authenticate to" means that the CA cert directly
> >> > certifies or is the trust anchor.  Could we maybe use language like
> >> > "directly certifies the [next|previous]" certificate?
> >> 
> >> This text is trying to say that the "last certificate" is the issuer of
> >> the device's end-entity certificate.  More generally, it's trying to say
> >> that there are no superfluous certificates in the CMS.  Perhaps:
> >> 
> >> NEW:
> >>                The CMS MUST contain only a single chain of
> >>                certificates.  The last certificate in the chain
> >>                MUST be the issuer for the the device's end-entity 
> >>                certificate.
> >
> > That looks wonderful, thanks.
> 
> Change made (along with fixing "the the") in -27.
> 
> 
> 
> 
> >> > Also, the split of references of RFC 6187 for trust-anchor-certs but RFCs
> >> > 5280 and 5652 for trust-anchor-cert seems unusual, since potentially all
> >> > three would be relevant for both nodes, if I understand correctly.
> >> 
> >> True, but my general goal is to have the "reference" statements support
> >> the "description" statements.  So, in this case, the parent node mentions
> >> RFC 6187, hence I put the "reference" for it there.  Does it still seem
> >> unusual to you?
> >
> > Less so; thanks for the explanation :)
> 
> Okay, let's close this with no update made.
> 
> 
> 
> 
> >> > Section 9.1
> >> >
> >> > At this point draft-ietf-ntp-using-nts-for-ntp exists, though I don't know
> >> > whether it's appropriate to be citing it yet.
> >> 
> >> How about tacking on this last sentence, and list ietf-ntp-using-nts-for-ntp
> >> as an Informative reference?
> >>  
> >>           Implementations SHOULD NOT rely on NTP for time, as
> >>           NTP is not a secure protocol at this time.  Note, there
> >>           is an IETF work-in-progress to secure NTP
> >>           <xref target="I-D.ietf-ntp-using-nts-for-ntp"/>.
> >
> > SGTM.
> 
> Okay, and for posterity's sake, the change was made in -26.
> 
> 
> 
> 
> >> > Section 9.6
> >> >
> >> > There is perhaps some room for discussion of the consequences of the device
> >> > telling the bootstrapping server whether the device thinks the connection
> >> > is trusted, in that it gives an attacker information about the target.
> >> > (Granted, it does not seem like much information, but it might be cleaner
> >> > to define the semantics of the node as being whether the client would like
> >> > the server to sign its responses at the application layer, which need not
> >> > have complete overlap with whether the client considers the server to be
> >> > trusted.
> >> 
> >> Hmmm, I agree with the optics.  Perhaps we could change it to "signed-data-
> >> preferred"?  Keep in mind that signed-data isn't required, as it would be
> >> okay for the server to return unsigned redirect information.  It's only if
> >> the data is onboarding information that it would need to be signed.
> >
> > That works for me.  (It doesn't seem like a big deal either way, of
> > course.)
> 
> Change made in -27.
> 
>  
>  
> >> > Section 9.8
> >> >
> >> > Does recommending frequent private key refreshes actually help in
> >> > environments where revocation is unusable (i.e., by virtue of not having
> >> > reliable time)?  (If not, perhaps that caveat should be more explicit here,
> >> > even though it is mentioned in Section 9.1 already.)
> >> 
> >> Good catch.  How about adding the last two lines below?
> >>  
> >>           Bootstrap server administrators are RECOMMENDED to follow best
> >>           practice to protect the private key used for any online operation.
> >>           Use of a hardware security module (HSM) is RECOMMENDED.  If an 
> >>           HSM is not used, frequent private key refreshes are RECOMMENDED,
> >>           assuming all bootstrapping devices have an accurate clock (see
> >>           <xref target="clock-sens"/>).
> >
> > SGTM.
> 
> Okay, and for posterity's sake, this update was in -26.
> 
> 
> 
> 
> >> > Section 9.10
> >> >
> >> > I would suggest also mentioning the (lack of) mitigations possible if the
> >> > operator does not trust all the pre-configured authorities designated by
> >> > the manufacturers.
> >> 
> >> How about adding the last sentence below?
> >> 
> >>           Operators should be aware that this system assumes that they trust
> >>           all the pre-configured bootstrap servers and voucher signing authorities
> >>           designated by the manufacturers.  While operators may use points in
> >>           the network to block access to the well-known bootstrap servers, 
> >>           operators cannot prevent voucher signing authorities from generating
> >>           vouchers for their devices.
> >
> > Perfect :)
> 
> Excellent and, again, for posterity's sake, this update was in -26.
> 
> 
>  
> >> > Section 9.11
> >> >
> >> >      revealing (e.g., network topology, firewall policies, etc.).  It
> >> >      is RECOMMENDED that operators encrypt the bootstrapping data when
> >> >      its contents are considered sensitive, even to the administrators
> >> >      of a bootstrap server.
> >> >
> >> > I don't understand what is meant by "even to the administrators of a
> >> > bootstrap server"?
> >> 
> >> Here I'm thinking that the bootstrap server may be hosted by a 3rd-party,
> >> or another group within the operator's organization.  For example, the
> >> NOC generates the artifacts, but IT admins the bootstrap server boxes.
> >> 
> >> Any need for an update to this text?
> >
> > Even given the above clarification, I'm still having a hard time not
> > reading the current text as saying that the administrators of the bootstrap
> > server are making the determination that content is considered sensitive.
> > Maybe "even with respect to distribution to the administrators of a
> > bootstrap server" or "even to the point of hiding it from the
> > administrators of a bootstrap server"?
> 
> Okay, slightly modified text to your 2nd suggestion in -27.
> 
> 
> 
>  
> >> > Section 9.12
> >> >
> >> > nit: the last word is "revoked".
> >> 
> >> Fixed in -26.
> 
>  
>  
> 
> >> > Section 9.13
> >> >
> >> >   Implementations should be aware that signed bootstrapping data only
> >> >   protects the data from modification, the contents are still visible
> >> >   to others.  [...]
> >> >
> >> > nit: this is a comma splice
> >> 
> >> Fixed in -26.
>  
>  
> >> >                                                         This
> >> >   information should be considered sensitive and precautions should be
> >> >   taken to protect it (e.g., encrypt artifact with device public key).
> >> >
> >> > nit: I think it's more conventional to "encrypt to" a public key than
> >> > "encrypt with" one.
> >> 
> >> How about "encrypt the artifact using the device's public key"?
> >
> > Sure.
> 
> Excellent, and this update was in -26.
>  
>  
>  
> >> > Section C.3
> >> >
> >> > We could perhaps recommend ecdsa-sha2-* keys instead of ssh-rsa keys.
> >> 
> >> Replaced "ssh-rsa key" with "SSH public key"
> >
> > Even better
> 
> Excellent and, again, this update was in -26.
> 
> 
> 
> 
>  
> >> >   4.  Otherwise, if redirect information is found, the device iterates
> >> >       through the list of specified bootstrap servers, checking to see
> >> >       if it has bootstrapping data for the device.  [...]
> >> >
> >> > The "it" is perhaps ambiguous; I would suggest "each server in turn".
> >> 
> >> Replaced "it" with "bootstrap server"
> >
> > Sure.
> 
> Also was in -26.
> 
> 
> 
> 
> Thanks again!
> Kent
> 
> 
>
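
The truncation question raised under Section 5.6 above, as an added example that is not part of the original message or of the draft: a stream-based parser that acts on each step as it arrives changes device state before a truncated document is detected, while staging the steps until the outermost container closes does not. The element names, the sample document and the line-oriented encoding are constructed for illustration and are not the draft's schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are illustrative, not the draft's schema.
DOC = (b"<onboarding-information>"
       b"<boot-image>ExampleOS-2.0</boot-image>"
       b"<configuration>hostname r1</configuration>"
       b"<post-configuration-script>lock-mgmt-port</post-configuration-script>"
       b"</onboarding-information>")
# What a truncated transfer could deliver: cut cleanly after </configuration>.
CUT = DOC[:DOC.index(b"<post-configuration-script>")]
STEPS = ("boot-image", "configuration", "post-configuration-script")


def _drain(parser):
    """Yield (tag, text) for every step element whose end tag has been seen."""
    for _event, elem in parser.read_events():
        if elem.tag in STEPS:
            yield elem.tag, elem.text


def apply_as_parsed(data):
    """Risky pattern: change device state as each step streams in."""
    device, parser = {}, ET.XMLPullParser(events=("end",))
    try:
        parser.feed(data)
        for tag, text in _drain(parser):
            device[tag] = text      # applied before the document is known complete
        parser.close()              # an unclosed root element only surfaces here
    except ET.ParseError as err:
        return device, f"parsing-error: {err}"
    return device, None


def stage_then_commit(data):
    """Safer pattern: stage steps, commit only once the root element has closed."""
    staged, parser = [], ET.XMLPullParser(events=("end",))
    try:
        parser.feed(data)
        staged.extend(_drain(parser))
        parser.close()
    except ET.ParseError as err:
        return {}, f"parsing-error: {err}"   # nothing was applied
    return dict(staged), None


def parse_line_encoding(data):
    """Hypothetical encoding with no outer container: one 'key=value' per line.
    A cut at a line boundary still parses, so truncation goes unnoticed."""
    return dict(line.split("=", 1) for line in data.decode().splitlines())


if __name__ == "__main__":
    print("as parsed, truncated:", apply_as_parsed(CUT))
    print("staged, truncated:   ", stage_then_commit(CUT))
    print("staged, complete:    ", stage_then_commit(DOC))
    lines = (b"boot-image=ExampleOS-2.0\nconfiguration=hostname r1\n"
             b"post-configuration-script=lock-mgmt-port\n")
    print("line encoding, truncated:",
          parse_line_encoding(lines[:lines.index(b"post")]))
```
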