Re: [netmod] x509c2n:cert-to-name problem

Martin Bjorklund <mbj@tail-f.com> Tue, 29 October 2019 20:14 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E3F61200E3 for <netmod@ietfa.amsl.com>; Tue, 29 Oct 2019 13:14:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StHR_B8VbSP7 for <netmod@ietfa.amsl.com>; Tue, 29 Oct 2019 13:13:58 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 8907F12007A for <netmod@ietf.org>; Tue, 29 Oct 2019 13:13:58 -0700 (PDT)
Received: from localhost (h-4-44.A165.priv.bahnhof.se [158.174.4.44]) by mail.tail-f.com (Postfix) with ESMTPSA id 7D7261AE047C; Tue, 29 Oct 2019 21:13:56 +0100 (CET)
Date: Tue, 29 Oct 2019 21:13:56 +0100 (CET)
Message-Id: <20191029.211356.1886721657930464996.mbj@tail-f.com>
To: kent+ietf@watsen.net
Cc: netmod@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <0100016e18283926-a00d7d13-4539-4ab0-afe8-9b9575659f6c-000000@email.amazonses.com>
References: <0100016e130d724c-9d02480e-901f-4e5a-90b4-6acd1095bb26-000000@email.amazonses.com> <20191029.105145.1576535683983216532.mbj@tail-f.com> <0100016e18283926-a00d7d13-4539-4ab0-afe8-9b9575659f6c-000000@email.amazonses.com>
X-Mailer: Mew version 6.8 on Emacs 25.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/M_jLUoq1-z4vjc83uwFr8mfUA48>
Subject: Re: [netmod] x509c2n:cert-to-name problem
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 20:14:01 -0000

Kent Watsen <kent+ietf@watsen.net> wrote:
> 
> Hi Martin,
> 
> > I have now filed an errata for this issue.
> 
> Ack.
> 
> > However, I remember that we had a discussion on whether we should
> > accept erratas on YANG modules or not.  The YANG module exist in
> > various places outside of the RFC, such as the IANA site, and it won't
> > be corrected there.
> 
> Yes, two thoughts:
>    - this erratum could marked as document update required.
>    - we may want to publish a -biz soon
> 
> 
> 
> >> In that case, there might be two issues:
> >> 
> >> 	1) the description statement excluding CA certs (mentioned before)
> >> 	2) `mandatory true` should be `mandatory false` ?
> > 
> > I don't understand 2), can you elaborate?
> 
> 
> First, let me demote (2) from a SHOULD to a MAY, since there is a
> workaround.
> 
> The thinking is that it may be common for deployments to use the same
> "cert-to-name" strategy everywhere (e.g., IDevID certificates), and
> hence there is no need to specify a "fingerprint" in order to lookup
> what strategy to use.  For these cases, it would be better to not
> specify a fingerprint at all.  If this remains "mandatory true", the
> best fallback would be to specify the fingerprint for the *root* CA
> certs spanning the end-entity certs connecting to that endpoint.

Are we still talking about the usage of cert-to-name in
ietf-netconf-server?  If so we have (as one example):

  +--rw netconf-server
     +--rw listen! {ssh-listen or tls-listen}?
        ...
        +--rw endpoint* [name]
           ...
           +--rw (transport)
              ...
              +--:(tls) {tls-listen}?
                 +--rw tls
                    ...
                    +--rw netconf-server-parameters
                       +--rw client-identification
                          +--rw cert-maps
                             +--rw cert-to-name* [id]
                                +--rw id           uint32
                                +--rw fingerprint  x509c2n:tls-fingerprint
                                +--rw map-type     identityref
                                +--rw name         string

[we can discuss if this is the best structure, but that's another
thread]

What would a "cert-to-name" entry mean if the fingerprint isn't present?

> New issue.  Why isn't "list cert-to-name" order-by user as opposed to:
>             
>           "The id specifies the order in which the entries in the
>            cert-to-name list are searched.  Entries with lower
>            numbers are searched first.";
> 
> I suspect that this is for SNMP compatibility, but then your earlier
> response on this thread said regarding "mandatory true" and empty
> fingerprint values suggested that more appropriate YANG-isms should be
> used, in general.  "ordered-by user" vs "ordered by id" seems like
> such a case.

Yes I agree.  I don't recall but I also suspect the motivation was
simple mapping to the MIB.  (mapping a zero-length string to/from an
optional leaf is straightforward).


/martin