Re: [netconf] Truststore: bags, sets, or other?

Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 07 February 2020 16:13 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, "Rob Wilton (rwilton)" <rwilton@cisco.com>
CC: Russ Housley <housley@vigilsec.com>, "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 07 Feb 2020 16:13:24 +0000
Message-ID: <AM0PR07MB51877EF23D740089789FB0D3831C0@AM0PR07MB5187.eurprd07.prod.outlook.com>
References: <0100016ff91dfd1b-9e8e6622-7e36-45dc-a661-f4702b494040-000000@email.amazonses.com> <20200131.111027.840757629039452002.mbj@tail-f.com> <0100016ffda3d528-f411ef14-2813-4372-99c4-8269e5ea435e-000000@email.amazonses.com> <20200201080916.yrlurqzzlconhxlr@anna.jacobs.jacobs-university.de> <MN2PR11MB4366AE21207AECD44DEF5D24B5000@MN2PR11MB4366.namprd11.prod.outlook.com> <010001700cb72510-63109303-e8df-4b7a-9910-1110131432b9-000000@email.amazonses.com>
In-Reply-To: <010001700cb72510-63109303-e8df-4b7a-9910-1110131432b9-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/tKj5K5D4DkHQMh_Zn11ImDaMAGA>
Subject: Re: [netconf] Truststore: bags, sets, or other?

Hi,

I agree that bag is an appropriate term in the certificate management or crypto-domain. So +1 for that.

Br,
Balazs

-----Original Message-----
From: netconf <netconf-bounces@ietf.org> On Behalf Of Kent Watsen
Sent: Monday, February 3, 2020 9:22 PM
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: Russ Housley <housley@vigilsec.com>; netconf@ietf.org
Subject: Re: [netconf] Truststore: bags, sets, or other?

Searching online for "bag", I found definitions vary (even amongst university CS sites) regarding if duplicates are allowed.  FWIW, this variation also exists in IETF RFCs, as CMS uses the ASN.1 "SET OF" syntax (duplicates not allowed) whereas PKCS#12 uses ASN.1's "SEQUENCE" syntax (duplicates allowed).  In any case, if duplicates are present, they have no impact on processing behavior (e.g., a certificate isn't somehow more trusted if it appears more than once).

Of course, YANG only has 'list' and 'leaf-list' statements for collections.  So perfect mappings aren't always possible.  As Martin noted in his message, the substring "set" is used in published modules (e.g., module-set).  Interestingly, lists generally allow for duplicates, but YANG lists don't, due to being keyed, unless the scope is reduced to the non-key fields, e.g., assuming certificate 'C', both {key1, C} and {key2, C} could be in the Truststore at the same time.

I still feel that “bag” is the best term to use here due to it being a distinctive crypto-domain term used for set-like collections.  I’m assuming that this (using “bag”) is okay since no real objection has been voiced yet, but please let me know if that is a misunderstanding on my part.

Kent // contributor
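To make the keyed-list point concrete, here is an added example (not code from this thread or from any IETF module) that models a truststore instance in the proposed /x-bags/x-bag/ shape and computes which certificates are actually trusted; the certificate bytes are constructed placeholders, and node names such as cert-data are assumptions.

```python
import hashlib
from collections import Counter

# Constructed placeholders standing in for DER-encoded certificates.
CERT_A = b"constructed-DER-for-CA-A"
CERT_B = b"constructed-DER-for-CA-B"

# Constructed instance data in the "/x-bags/x-bag/x" shape (x = certificate).
# Each list is keyed by "name", so the same cert may appear under two keys
# ({key1, C} and {key2, C}) and in more than one bag, but names within one
# list must be unique.
TRUSTSTORE = {
    "certificate-bags": {
        "certificate-bag": [
            {"name": "web-cas",
             "certificate": [
                 {"name": "root-a", "cert-data": CERT_A},
                 {"name": "root-a-again", "cert-data": CERT_A},  # {key2, C}
                 {"name": "root-b", "cert-data": CERT_B},
             ]},
            {"name": "syslog-cas",
             "certificate": [
                 {"name": "root-a", "cert-data": CERT_A},  # same cert, other bag
             ]},
        ]
    }
}

def fingerprint(der: bytes) -> str:
    """Identify a certificate by content, not by its list key."""
    return hashlib.sha256(der).hexdigest()

def check_keys_unique(entries, key="name"):
    """A YANG list is keyed: duplicate key values are invalid instance data."""
    dups = [k for k, n in Counter(e[key] for e in entries).items() if n > 1]
    if dups:
        raise ValueError(f"duplicate list keys: {dups}")

def effective_trust_anchors(store):
    """Collapse the bag-of-bags to the distinct certs that are trusted.
    Returns {fingerprint: [bag/entry paths]}; a cert listed twice is
    trusted once, so duplicates change nothing about processing."""
    bags = store["certificate-bags"]["certificate-bag"]
    check_keys_unique(bags)
    anchors = {}
    for bag in bags:
        check_keys_unique(bag["certificate"])
        for entry in bag["certificate"]:
            fp = fingerprint(entry["cert-data"])
            anchors.setdefault(fp, []).append(f"{bag['name']}/{entry['name']}")
    return anchors
```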


> On Feb 3, 2020, at 9:51 AM, Rob Wilton (rwilton) <rwilton@cisco.com> wrote:
> 
> +1
> 
> This would also be my normal interpretation of a structure described as a "bag", although they don't seem to be that commonly used.
> 
> Thanks,
> Rob
> 
> 
> -----Original Message-----
> From: netconf <netconf-bounces@ietf.org> On Behalf Of Schönwälder, 
> Jürgen
> Sent: 01 February 2020 08:09
> To: Kent Watsen <kent+ietf@watsen.net>
> Cc: Russ Housley <housley@vigilsec.com>; netconf@ietf.org
> Subject: Re: [netconf] Truststore: bags, sets, or other?
> 
> A common interpretation in various data structure libraries is this:
> 
> set: unordered collection of something, duplicates not allowed
> bag: unordered collection of something, duplicates allowed
> 
> /js
> 
> On Fri, Jan 31, 2020 at 10:06:10PM +0000, Kent Watsen wrote:
>> Hi Martin,
>> 
>>>> NEW:
>>>>           +--rw <thing>-bags {<thing-feature>}?
>>>>              +--rw <thing>-bag* [name]
>>>>                 +--rw name    string
>>>>                 +--rw <thing>* [name]
>>>>                    +--rw name    string
>>>>                    …
>>>> 
>>>> Better, right?   Any other ideas?
>>> 
>>> We have current published modules with both "-list" and "-set".  No 
>>> "-bag" so far.
>>> 
>>> For example:
>>> 
>>> "list rule-list" in ietf-netconf-acm
>>> 
>>> "list module-set" in ietf-yang-library
>> 
>> True.
>> 
>> 
>>> There are some examples of "s" as well, but these are plural "s" for 
>>> a normal list of singletons, and should have been named w/o the 
>>> plural "s" (if we were to be consistent).
>>> 
>>> I would try to avoid "s" for a "list-of-lists", but then pick the 
>>> suffix that feels most natural in the domain.  (For example, rather 
>>> "list access-control-list" than "list access-control-set”).
>> 
>> Agreed.
>> 
>>> Perhaps you can argue that "-list" works better for ordered 
>>> sequences, and "-set" and "-bag" for unordered.  But then there are 
>>> "ordeded sets" and "unordered lists" (and even apparently "ordered 
>>> bag", in UML).
>> 
>> Perhaps.
>> 
>>> The plural "s" is better for a surrounding container (if one exists).
>> 
>> Agreed.
>> 
>> 
>> I also received a private response from Russ, who would rather not join the netconf list, but said:
>> 
>> 1) "bag" was originally created to deal with issues with the ASN.1 SET and SEQUENCE types, and has since entered general crypto parlance outside the PKCS#12 context.
>> 
>> 2) "bag" is the ideal term for conveying an unordered collection of X.509 certificates.
>> 
>> 3) “bag” is not known to be used in the context of SSH host keys or RPKs, but there isn’t anything wrong or bad with doing so either.
>> 
>> All said, I believe the best course is to use “bag” and, more specifically, to use the "/x-bags/x-bag/…” structure that is present at the top of this message.   Assuming there are no objections, this change will be in the next update.
>> 
>> 
>> Kent
>> 
> 
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
> 
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>