Re: [Netconf] Updating RFC 5539 WAS:FW: New version of draft-badra-netconf-rfc5539bis

[Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>]

On Tue, Apr 03, 2012 at 03:34:18PM -0700, Kent Watsen wrote:
 
> >The suggestions sound reasonable.  How about changing the typedef and
> >YANG object to:
> >
> > typedef tls-fingerprint-type {
> >   type binary {
> >     length "1..255";
> >   }
> 
> Better now that min-length has been bumped from '0' to '1'

I had a discussion about this with Martin. While SNMP adds the byte
identifying the has algorithm to the hash value so that updates are
atomic, I think in a YANG world this looks kind of awkward. I would
rather see something like this in a config representation:

  <fingerprint>
    <sha1>de:ad:...:be:ef</sha1>
  </fingerprint>

Most tools that compute fingerprints do not seem to produce the format
with the embedded code for the hash algorithm. To achieve the above,
we would need an IANA controlled grouping such that we achieve crypto
agility.

> >>Regarding "certificate-to-username-transform-count"... 
> >>Regarding "certificate-to-username-transform-last-changed"...
> >
> > These are patterned after informational objects in the SNMP-TLS-TM-MIB.  
> > I have no strong preference whether or not these are retained in the 
> > YANG module.  Resetting the value to 0 is intended to allow implementation 
> > on devices that cannot keep time across reboots.  
> 
> If they're not referenced, then I don't believe they have any value and thus imagine they should be removed.

The last one we do not really need since we have config change
notifications (in case someone is interested to be notified). The
counter - well not really essential either; I guess I prefer to keep
this data model config true only.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>