Re: [netconf] draft-ietf-netconf-keystore-09.txt

Kent Watsen <kent+ietf@watsen.net> Thu, 02 May 2019 02:41 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Date: Thu, 02 May 2019 02:41:42 +0000
To: Nick Hancock <nick.hancock@adtran.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
In-Reply-To: <BD6D193629F47C479266C0985F16AAC7011EA6CCF7@ex-mb1.corp.adtran.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qQF6v_D1x2YlpTyp5sClkzGyNjw>

Hi Nick,

You are correct that something is amiss, but I'd like to discuss the fix more.

Your proposal looks (squinting my eyes) right (have you tested it?), but I'm wondering if there isn't a lower-level and potentially more useful fix...

In particular, note that 'ks:asymmetric-key-certificate-ref' points to a certificate in the keystore that comes from the 'uses ct:asymmetric-key-pair-with-certs-grouping' statement. The idea behind this grouping is that, whenever a certificate is configured, whether in the keystore or not, the 'asymmetric-key-pair-grouping' 3-tuple (alg, pub key, private key) is also configured. This suggests that ct:asymmetric-key-pair-with-certs-grouping may be missing a 'must' statement or, more likely (due to the fact that the 3-tuple may only exist in <operational>), its 'description' statement is missing that precondition in its text.

Thoughts?

Kent // contributor



> On Apr 30, 2019, at 11:39 AM, Nick Hancock <nick.hancock@adtran.com> wrote:
> 
> Hi Kent,
> 
> I have just noticed an issue with the leaf 'keystore-reference' used
> in the grouping 'local-or-keystore-end-entity-cert-with-key-grouping'
> in ietf-keystore.
> 
> This leafref uses the typedef 'asymmetric-key-certificate-ref', but, 
> unless I am missing something, this alone will not work, because a 
> predicate for the list 'asymmetric-key' is missing. 
> 
> I would expect something like the following:
> 
> case keystore {
>   if-feature "keystore-supported";
>   leaf asymmetric-key-name {
>     type ks:asymmetric-key-ref;
>     description
>       "A reference to an asymmetric key that exists in
>        the keystore.";
>   }
>   leaf certificate-name {
>     type leafref {
>       path
>         "/ks:keystore"
>         + "/ks:asymmetric-keys"
>         + "/ks:asymmetric-key"
>         + "[ks:name=current()/../"
>         + "asymmetric-key-name]"
>         + "/ks:certificates"
>         + "/ks:certificate/ks:name";
>     }
>     description
>       "A reference to a specific certificate associated
>        with the given private key, stored in the keystore.";
>   }
> }
> 
> Regards
> Nick
>
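The following Python script is an added illustration, not part of the thread or of the draft, of the two points discussed above: why Nick's predicate on the 'asymmetric-key' list matters, and the precondition Kent wants stated for ct:asymmetric-key-pair-with-certs-grouping. It models a keystore tree with the shape /ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[name]/ks:certificates/ks:certificate[name] (my reading of the draft's structure, not quoted from it) using constructed sample data with placeholder key material, resolves a certificate reference with and without the key predicate, and reports keys that carry certificates without their (alg, public key, private key) 3-tuple.

```python
"""Added example (not from the draft or the thread): shows why a keystore
certificate reference needs a predicate on the 'asymmetric-key' list, and
checks the precondition Kent describes (a key that carries certificates must
also carry its algorithm / public-key / private-key 3-tuple).

The tree below is constructed sample data; key and certificate values are
placeholders, not real material."""

from typing import List, Optional, Tuple

# Constructed sample keystore: two keys, each with a certificate named
# "server-cert", so a reference by certificate name alone is ambiguous.
KEYSTORE = {
    "asymmetric-keys": {
        "asymmetric-key": [
            {
                "name": "rsa-key-1",
                "algorithm": "rsa2048",
                "public-key": "PLACEHOLDER-PUB-1",
                "private-key": "PLACEHOLDER-PRIV-1",
                "certificates": {"certificate": [
                    {"name": "server-cert", "cert": "PLACEHOLDER-CERT-1"},
                ]},
            },
            {
                "name": "ecdsa-key-2",
                "algorithm": "secp256r1",
                "public-key": "PLACEHOLDER-PUB-2",
                # private-key deliberately absent: violates the precondition
                "certificates": {"certificate": [
                    {"name": "server-cert", "cert": "PLACEHOLDER-CERT-2"},
                    {"name": "client-cert", "cert": "PLACEHOLDER-CERT-3"},
                ]},
            },
        ]
    }
}


def keys(keystore: dict) -> List[dict]:
    """All 'asymmetric-key' list entries in the keystore."""
    return keystore["asymmetric-keys"]["asymmetric-key"]


def resolve_without_predicate(keystore: dict, cert_name: str) -> List[Tuple[str, dict]]:
    """Resolve a reference whose path has no predicate on 'asymmetric-key'
    (the shape Nick describes for 'asymmetric-key-certificate-ref').
    Every certificate with that name, under any key, is a candidate, so the
    reference validates but does not say which key's certificate is meant."""
    matches = []
    for key in keys(keystore):
        for cert in key["certificates"]["certificate"]:
            if cert["name"] == cert_name:
                matches.append((key["name"], cert))
    return matches


def resolve_with_predicate(keystore: dict, key_name: str, cert_name: str) -> Optional[dict]:
    """Resolve the two-leaf form Nick proposes: the predicate
    [ks:name=current()/../asymmetric-key-name] selects one key first, so at
    most one certificate can match."""
    for key in keys(keystore):
        if key["name"] != key_name:
            continue
        for cert in key["certificates"]["certificate"]:
            if cert["name"] == cert_name:
                return cert
        return None  # key exists but has no such certificate: dangling ref
    return None  # no such key


REQUIRED_TUPLE = ("algorithm", "public-key", "private-key")


def keys_missing_tuple(keystore: dict) -> List[str]:
    """The precondition Kent suggests for the grouping's 'must' or
    description text: a key that carries certificates must also have its
    3-tuple present. Returns the names of keys that violate it."""
    bad = []
    for key in keys(keystore):
        has_certs = bool(key["certificates"]["certificate"])
        if has_certs and any(field not in key for field in REQUIRED_TUPLE):
            bad.append(key["name"])
    return bad


if __name__ == "__main__":
    print("ambiguous:", resolve_without_predicate(KEYSTORE, "server-cert"))
    print("unique:", resolve_with_predicate(KEYSTORE, "rsa-key-1", "server-cert"))
    print("keys missing 3-tuple:", keys_missing_tuple(KEYSTORE))
```

Run it and the unpredicated lookup returns two candidates while the predicated one returns exactly one. The 3-tuple check is written as a data-tree walk rather than a YANG 'must' on purpose: as Kent notes, the key material may exist only in <operational>, so such a check would have to run against that datastore rather than be enforced on configuration alone.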