Re: [netmod] x509c2n:cert-to-name problem

Kent Watsen <kent+ietf@watsen.net> Tue, 29 October 2019 15:35 UTC

From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <20191029.105145.1576535683983216532.mbj@tail-f.com>
Date: Tue, 29 Oct 2019 15:35:19 +0000
Cc: "netmod@ietf.org" <netmod@ietf.org>
Message-ID: <0100016e18283926-a00d7d13-4539-4ab0-afe8-9b9575659f6c-000000@email.amazonses.com>
References: <0100016e0416c312-13b65019-1c32-4fc8-b8b2-f2b7cc591a00-000000@email.amazonses.com> <20191028.102216.1541488608391720310.mbj@tail-f.com> <0100016e130d724c-9d02480e-901f-4e5a-90b4-6acd1095bb26-000000@email.amazonses.com> <20191029.105145.1576535683983216532.mbj@tail-f.com>
To: Martin Bjorklund <mbj@tail-f.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/Tv3HD9OCSv9WIvdlWK9-WJG6hZk>
Subject: Re: [netmod] x509c2n:cert-to-name problem

Hi Martin,

> I have now filed an errata for this issue.

Ack.

> However, I remember that we had a discussion on whether we should
> accept erratas on YANG modules or not.  The YANG module exist in
> various places outside of the RFC, such as the IANA site, and it won't
> be corrected there.

Yes, two thoughts:
   - this erratum could be marked as document update required.
   - we may want to publish a -bis soon



>> In that case, there might be two issues:
>> 
>> 	1) the description statement excluding CA certs (mentioned before)
>> 	2) `mandatory true` should be `mandatory false` ?
> 
> I don't understand 2), can you elaborate?


First, let me demote (2) from a SHOULD to a MAY, since there is a workaround.

The thinking is that it may be common for deployments to use the same "cert-to-name" strategy everywhere (e.g., IDevID certificates), and hence there is no need to specify a "fingerprint" in order to look up what strategy to use.  For these cases, it would be better to not specify a fingerprint at all.   If this remains "mandatory true", the best fallback would be to specify the fingerprint for the *root* CA certs spanning the end-entity certs connecting to that endpoint.


New issue.  Why isn't "list cert-to-name" ordered-by user as opposed to:

          "The id specifies the order in which the entries in the
           cert-to-name list are searched.  Entries with lower
           numbers are searched first.";

I suspect that this is for SNMP compatibility, but your earlier response on this thread regarding "mandatory true" and empty fingerprint values suggested that more appropriate YANG-isms should be used, in general.  "ordered-by user" vs "ordered by id" seems like such a case.


Kent // contributor
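To make the search semantics discussed in this thread concrete (entries searched by ascending id, a fingerprint that names a CA certificate rather than the end-entity certificate, and an entry with no fingerprint as the "mandatory false" wildcard case), here is an added Python sketch that is not from RFC 7407 or from anyone on the thread. The Cert model, the "algo:hex" fingerprint form and the map-type names are simplifying assumptions, not the module's actual encoding.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for an X.509 certificate (not a parser): DER bytes plus
# the subject CN and one SAN dNSName, as a real decoder would extract them.
@dataclass
class Cert:
    der: bytes
    common_name: str
    san_dns: Optional[str] = None

def fingerprint(cert: Cert) -> str:
    # Simplified "algo:hex" form; the YANG tls-fingerprint encoding differs.
    return "sha256:" + hashlib.sha256(cert.der).hexdigest()

@dataclass
class CertToName:
    id: int
    fingerprint: Optional[str]  # None models a "mandatory false" wildcard entry
    map_type: str               # assumed names: "specified", "common-name", "san-dns-name"
    name: Optional[str] = None  # only consulted when map_type == "specified"

def resolve_name(entries: List[CertToName], chain: List[Cert]) -> Optional[str]:
    """Search entries in ascending id order (the quoted description text). An
    entry applies when its fingerprint is absent or matches ANY certificate in
    the chain (leaf first, then issuers), so one root-CA fingerprint covers every
    end-entity certificate that CA spans. Returns None if nothing yields a name."""
    chain_fps = [fingerprint(c) for c in chain]
    leaf = chain[0]
    for e in sorted(entries, key=lambda e: e.id):
        if e.fingerprint is not None and e.fingerprint not in chain_fps:
            continue
        if e.map_type == "specified":
            return e.name
        if e.map_type == "common-name":
            return leaf.common_name
        if e.map_type == "san-dns-name" and leaf.san_dns:
            return leaf.san_dns
        # map-type not applicable to this certificate: keep searching
    return None
# Constructed sample data: one root CA and two leaves it issued.
ROOT = Cert(b"constructed-root-ca-der", "Example Root CA")
DEV1 = Cert(b"constructed-dev1-der", "device-1", "dev1.example.net")
DEV2 = Cert(b"constructed-dev2-der", "device-2")
ENTRIES = [
    CertToName(20, None, "specified", "guest"),              # wildcard fallback
    CertToName(10, fingerprint(ROOT), "san-dns-name"),       # everything under ROOT
    CertToName(5, fingerprint(DEV2), "specified", "admin"),  # pinned leaf wins
]
```

Note that ENTRIES is deliberately listed out of id order; the sort inside resolve_name is what reproduces the "lower numbers are searched first" rule, which is exactly the behaviour an `ordered-by user` list would express directly.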