Re: [netmod] x509c2n:cert-to-name problem

Kent Watsen <> Tue, 29 October 2019 15:35 UTC

From: Kent Watsen <>
Date: Tue, 29 Oct 2019 15:35:19 +0000
To: Martin Bjorklund <>

Hi Martin,

> I have now filed an errata for this issue.


> However, I remember that we had a discussion on whether we should
> accept errata on YANG modules or not.  The YANG module exists in
> various places outside of the RFC, such as the IANA site, and it won't
> be corrected there.

Yes, two thoughts:
   - this erratum could be marked as "document update required".
   - we may want to publish a -bis soon

>> In that case, there might be two issues:
>> 	1) the description statement excluding CA certs (mentioned before)
>> 	2) `mandatory true` should be `mandatory false` ?
> I don't understand 2), can you elaborate?

First, let me demote (2) from a SHOULD to a MAY, since there is a workaround.

The thinking is that it may be common for deployments to use the same "cert-to-name" strategy everywhere (e.g., IDevID certificates), and hence there is no need to specify a "fingerprint" in order to look up what strategy to use.  For these cases, it would be better to not specify a fingerprint at all.  If this remains "mandatory true", the best fallback would be to specify the fingerprint for the *root* CA certs spanning the end-entity certs connecting to that endpoint.

New issue.  Why isn't "list cert-to-name" order-by user as opposed to:
          "The id specifies the order in which the entries in the
           cert-to-name list are searched.  Entries with lower
           numbers are searched first.";

I suspect that this is for SNMP compatibility, but your earlier response on this thread regarding "mandatory true" and empty fingerprint values suggested that more appropriate YANG-isms should be used in general.  "ordered-by user" vs "ordered by id" seems like such a case.

Kent // contributor
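The lookup the message is arguing about, as an added example (not code from the RFC, the list thread or any implementation): entries are tried in ascending "id" order, the first one whose fingerprint matches a certificate presented by the peer wins, and the "fingerprint the root CA" fallback works because the match is allowed against any certificate in the chain, not only the end-entity certificate. Assumptions: the tls-fingerprint layout (one leading octet naming the TLS HashAlgorithm, then the digest, as colon-separated hex), the map-type identity names as I recall them from the ietf-x509-cert-to-name module, that a CA certificate in the chain may satisfy the fingerprint (the semantic discussed above), and that certificates arrive already parsed into the small Cert record; the certificate bytes and entries are constructed sample data.

```python
"""Added example: x509c2n cert-to-name lookup (search order, chain matching,
name derivation).  Not code from RFC 7407 or any project; see assumptions
in the comments."""
import hashlib
from dataclasses import dataclass, field

# Assumed: TLS HashAlgorithm registry values (RFC 5246) -> hashlib names.
HASH_ALG = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}


@dataclass
class Cert:
    """Stand-in for a parsed certificate; 'der' is whatever bytes were on the wire."""
    der: bytes
    common_name: str = ""
    san_rfc822: list = field(default_factory=list)
    san_dns: list = field(default_factory=list)
    san_ip: list = field(default_factory=list)


@dataclass
class CertToName:
    """One entry of 'list cert-to-name'."""
    id: int
    fingerprint: str        # "04:ab:cd:..." - assumed layout: alg octet, then digest
    map_type: str           # e.g. "x509c2n:san-dns-name" (identity names assumed)
    name: str = ""          # only meaningful with x509c2n:specified


def tls_fingerprint(cert_der: bytes, alg_id: int) -> str:
    """Render a tls-fingerprint value: algorithm octet followed by the digest."""
    digest = hashlib.new(HASH_ALG[alg_id], cert_der).digest()
    return ":".join(f"{b:02x}" for b in bytes([alg_id]) + digest)


def fingerprint_matches(entry_fp: str, cert_der: bytes) -> bool:
    """Recompute the fingerprint with the algorithm the entry names and compare."""
    alg_id = int(entry_fp.split(":", 1)[0], 16)
    if alg_id not in HASH_ALG:
        return False        # unknown algorithm octet: this entry can never match
    return tls_fingerprint(cert_der, alg_id).lower() == entry_fp.lower()


def derive_name(cert: Cert, entry: CertToName):
    """Map the end-entity certificate to a name according to the entry's map-type."""
    kind = entry.map_type.split(":")[-1]
    if kind == "specified":
        return entry.name
    if kind == "san-rfc822-name":
        return cert.san_rfc822[0] if cert.san_rfc822 else None
    if kind == "san-dns-name":
        return cert.san_dns[0] if cert.san_dns else None
    if kind == "san-ip-address":
        return cert.san_ip[0] if cert.san_ip else None
    if kind == "san-any":
        for candidates in (cert.san_rfc822, cert.san_dns, cert.san_ip):
            if candidates:
                return candidates[0]
        return None
    if kind == "common-name":
        return cert.common_name or None
    return None


def cert_to_name(chain: list, entries: list):
    """chain[0] is the end-entity cert; the rest are CA certs up to the root.
    Entries are searched in ascending id order (the behaviour the description
    statement quoted above specifies); the first entry whose fingerprint matches
    ANY certificate in the chain decides the mapping (assumed semantic)."""
    for entry in sorted(entries, key=lambda e: e.id):
        if any(fingerprint_matches(entry.fingerprint, c.der) for c in chain):
            return derive_name(chain[0], entry)
    return None


# Constructed sample data (not real certificates): opaque bytes stand in for DER.
ROOT_CA = Cert(der=b"constructed root CA DER")
EE_ADMIN = Cert(der=b"constructed admin EE DER", common_name="admin-box",
                san_dns=["admin.example.net"], san_rfc822=["admin@example.net"])
EE_DEV = Cert(der=b"constructed device EE DER", common_name="dev-42",
              san_dns=["dev42.example.net"])

ENTRIES = [
    # Specific mapping for one end-entity cert; lower id, so searched first.
    CertToName(10, tls_fingerprint(EE_ADMIN.der, 4), "x509c2n:specified", "admin"),
    # Catch-all: anything chaining to this root CA is named by its SAN dNSName
    # (the "fingerprint the root CA" fallback from the message).
    CertToName(20, tls_fingerprint(ROOT_CA.der, 4), "x509c2n:san-dns-name"),
]


def run_example():
    return {
        "admin": cert_to_name([EE_ADMIN, ROOT_CA], ENTRIES),
        "device": cert_to_name([EE_DEV, ROOT_CA], ENTRIES),
        "no_ca_presented": cert_to_name([EE_DEV], ENTRIES),
    }
```

Swapping the two ids makes the root-CA rule shadow the specific one, which is why the search order (whether expressed by "id" or by "ordered-by user") is part of the security semantics of this list rather than a presentation detail.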