IETF Logo Mail Archive

Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21

Kent Watsen <kent+ietf@watsen.net> Tue, 12 December 2023 18:37 UTC

Return-Path: <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7823FC14CF01; Tue, 12 Dec 2023 10:37:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGs-hGPs1PGR; Tue, 12 Dec 2023 10:37:05 -0800 (PST)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BF55C14F5FC; Tue, 12 Dec 2023 10:36:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1702406218; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=oqu1DIvt2cQiWIMrBFNudNaMGxYf60TEGOvHt/6qOVQ=; b=CMXSsJ+0Is9qerrPA9Xv9NaMCspGfNAW6FESehw1g1xrlXbTqKc315xp2c/shesK 8JcfJTbyxJygCpZ0Y6SVmxbsJcJCahOX/FCyJafpZvE4SYTQhFmaBtZquriQHr/LpHo xgANFeYeZQDDVE8LQq9M42XF4PiqTBEtfb5Zbpfw=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3024EA26-E74F-47A4-B7D6-6DD1FCA94459"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Tue, 12 Dec 2023 18:36:57 +0000
In-Reply-To: <CAAbpuypYpm863NC3ka6LvEJMBEarpSguQKdHNs7EiooSWNsXcA@mail.gmail.com>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, "netconf@ietf.org" <netconf@ietf.org>, IETF ALTO <alto@ietf.org>
To: Jensen Zhang <jingxuan.n.zhang@gmail.com>
References: <CAAbpuypYpm863NC3ka6LvEJMBEarpSguQKdHNs7EiooSWNsXcA@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.12.12-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qmw3OlIHj9YjQ9JsnPk7y7OMXpg>
Subject: Re: [netconf] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2023 18:37:06 -0000

Hi Jensen,

> On Dec 12, 2023, at 7:47 AM, Jensen Zhang <jingxuan.n.zhang@gmail.com> wrote:
> 
> Hi authors,
> 
> I am one of the authors of the draft-ietf-alto-oam-yang draft. Our draft is trying to reuse some groupings and typedefs in this document to support some TLS authentication features. But we find the current typedef 'public-key-ref' cannot be used by another module.
> 
> To be more concrete, in the current document, the path of the typedef 'public-key-ref' enforces a prefix of the relative path to the sibling 'public-key-bag' leaf:
> 
>    typedef public-key-ref {
>      type leafref {
>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>          + "[ts:name = current()/../ts:public-key-bag]/"
>          + "ts:public-key/ts:name";
>      }
>      ...
>    }
> 
> From my understanding, this typedef is for other modules to reference a public key in the trust store. The sibling 'public-key-bag' leaf should be in the same module of the leaf using this typedef, instead of the module 'ts'.
> 
> To make this typedef usable, I believe it should look like the following:
> 
>    typedef public-key-ref {
>      type leafref {
>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>          + "[ts:name = current()/../public-key-bag]/"
>          + "ts:public-key/ts:name";
>      }
>      ...
>    }
> 
> Otherwise, we have to define another typedef in our own module like this: https://github.com/ietf-wg-alto/draft-ietf-alto-oam-yang/blob/284d2e630cec00f752ea94f586469797786c6f57/yang/ietf-alto.yang#L612-L628

This is my first time looking at Alto.  It may take me a little to fully grok what’s going on.  Please let me know if you think a call would be helpful.

Looking at the linked YANG module, I see that it looks very much like the "ietf-restconf-server" module’s grouping "restconf-server-listen-stack-grouping”, which is fine.

I take it that Alto is okay referencing the central truststore (not defining its own instances of "truststore-grouping") as well as supporting inlined definitions.  I do not see the Alto module augmenting the centralized truststore and, in general, it seems to behave just like the ietf-restconf-server module, though I’m sure I’m missing something  ;)

What I don’t understand is why what seems to work in ietf-restconf-server doesn’t work in ietf-alto.  Can you help me understand?  

Separately, did ALTO WG ever consider renaming to “ietf-alto-server”?  Would there be value to extending that convention for consistency?

One last thought, I notice that ietf-alto defines a number of typedefs that seem generic enough to move to ietf-truststore.  Is this thought yours as well?


> Thanks,
> Jensen


Kent   // author

v2.23.0 | Report a Bug | By Email