Re: [yang-doctors] [Anima] Yangdoctors early review of draft-ietf-anima-brski-async-enroll-03

Reshad Rahman <reshad@yahoo.com> Wed, 18 August 2021 21:01 UTC

Date: Wed, 18 Aug 2021 21:01:43 +0000 (UTC)
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>
Cc: "draft-ietf-anima-brski-async-enroll.all@ietf.org" <draft-ietf-anima-brski-async-enroll.all@ietf.org>, "anima@ietf.org" <anima@ietf.org>

Hi Steffen,

On Wednesday, August 18, 2021, 04:44:01 AM EDT, Fries, Steffen <steffen.fries@siemens.com> wrote:

Hi Reshad,

Thank you for the review. I will address the points in the next update of the draft.
I took over the proposed changes you made and will provide the tree diagram and the enhancement to the security considerations as suggested. In the ANIMA design team we will discuss the recommendations for RFC 8366bis.
I have some remarks on the other comments:

> See below for the modified YANG module which
> is valid, please check whether it is correct. Changes consist of removing extra ";
> in author list, adding a revision date and replacing augment "voucher-request"
> by augment voucher. 
I'm not sure about the last statement, as we would like to enhance the existing voucher-request definition from RFC 8995 in BRSKI-AE. Does this comment mean we cannot augment the voucher-request as it already augments the voucher and therefore have to use the voucher and only describe the leafs added?
<RR> The document currently has the following:

       uses ivr:voucher-request-grouping {
         augment "voucher-request" {

There is no node "voucher-request" in voucher-request-grouping in RFC8995 (unless I missed it). So I assumed it's the "voucher" node which is intended to be augmented. Disclaimer: I don't fully understand the intent here.
If it is the voucher-request-artifact from RFC8995 which is to be augmented, I believe that can't be done because yang-data doesn't allow for augments.

     // Top-level statement
     rc:yang-data voucher-request-artifact {
       uses voucher-request-grouping;
     }
> Other comments:
> - rc:yang-data (RFC8040) is used. While this seems to be fine, if the voucher-
> request-async-artifact template needs to be extended in the future, my
> understanding is that it is not possible with yang-data. However, you could use
> "structure" and (eventually) "augment-structure" from RFC8791 for this. 
We will discuss this point. Currently there is no explicit need for enhancements.
<RR> My understanding is that people are being encouraged to use "structure" instead of "yang-data", but I'll defer this to the AD (Rob).
>- Prefix
> "ivr" is used for ietf-voucher-request although RFC8995 has "vcr". While this is
> valid, I am curious why. 
Changed to match the definition in RFC 8995. Also changed for the "uses" statement in the grouping.
<RR> Ack.
Regards,
Reshad.
Best regards
Steffen



> - Please take a look at RFC 8407, Appendix B
> (https://datatracker.ietf.org/doc/html/rfc8407#appendix-B) for a module template.
> E.g., data definition statements usually go after grouping definitions.
> 
> Valid YANG module:
> 
>    module ietf-async-voucher-request {
>      yang-version 1.1;
> 
>      namespace
>        "urn:ietf:params:xml:ns:yang:ietf-async-voucher-request";
>      prefix "constrained";
> 
>      import ietf-restconf {
>        prefix rc;
>        description
>          "This import statement is only present to access
>          the yang-data extension defined in RFC 8040.";
>        reference "RFC 8040: RESTCONF Protocol";
>      }
> 
>      import ietf-voucher-request {
>        prefix ivr;
>        description
>          "This module defines the format for a voucher request,
>              which is produced by a pledge as part of the RFC8995
>              onboarding process.";
>        reference
>          "RFC 8995: Bootstrapping Remote Secure Key Infrastructure";
>      }
> 
>      organization
>      "IETF ANIMA Working Group";
> 
>      contact
>      "WG Web:   <https://datatracker.ietf.org/wg/anima/>
>        WG List:  <mailto:anima@ietf.org>
>        Author:  Steffen Fries
>                  <mailto:steffen.fries@siemens.com>
>        Author:  Hendrik Brockhaus
>                  <mailto: hendrik.brockhaus@siemens.com>
>        Author:  Eliot Lear
>                  <mailto: lear@cisco.com>
>        Author:  Thomas Werner
>                  <mailto: thomas-werner@siemens.com>";
>      description
>      "This module defines an extension of the RFC8995 voucher
>        request to permit a registrar-agent to convey the adjacency
>        relationship from the registrar-agent to the registrar.
> 
>        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
>        'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY',
>        and 'OPTIONAL' in the module text are to be interpreted as
>        described in RFC 2119.";
>      revision 2021-08-13 {
>        description
>        "Initial version";
>        reference
>        "RFC XXXX: Voucher Request for Asynchronous Enrollment";
>      }
>      rc:yang-data voucher-request-async-artifact {
>        // YANG data template for a voucher.
>        uses voucher-request-async-grouping;
>      }
>      // Grouping defined for future usage
>      grouping voucher-request-async-grouping {
>        description
>          "Grouping to allow reuse/extensions in future work.";
>        uses ivr:voucher-request-grouping {
> 
>          augment voucher {
>            description "Base the constrained voucher-request upon the
>              regular one";
>            leaf agent-signed-data {
>              type binary;
>              description
>                "The agent-signed-data field contains a JOSE [RFC7515]
>                object provided by the Registrar-Agent to the Pledge.
> 
>                This artifact is signed by the Registrar-Agent
>                and contains a copy of the pledge's serial-number.";
>            }
> 
>            leaf agent-provided-proximity-registrar-cert {
>              type binary;
>              description
>                "An X.509 v3 certificate structure, as specified by
>                RFC 5280, Section 4, encoded using the ASN.1
>                distinguished encoding rules (DER), as specified
>                in ITU X.690.
>                The first certificate in the registrar TLS server
>                certificate_list sequence (the end-entity TLS
>                certificate; see RFC 8446) presented by the
>                registrar to the registrar-agent and provided to
>                the pledge.
>                This MUST be populated in a pledge's voucher-request
>                when an agent-proximity assertion is requested.";
>              reference
>                "ITU X.690: Information Technology - ASN.1 encoding
>                rules: Specification of Basic Encoding Rules (BER),
>                Canonical Encoding Rules (CER) and Distinguished
>                Encoding Rules (DER)
>                RFC 5280: Internet X.509 Public Key Infrastructure
>                Certificate and Certificate Revocation List (CRL)
>                Profile
>                RFC 8446: The Transport Layer Security (TLS)
>                Protocol Version 1.3";
>            }
> 
>            leaf agent-sign-cert {
>              type binary;
>              description
>                "An X.509 v3 certificate structure, as specified by
>                RFC 5280, Section 4, encoded using the ASN.1
>                distinguished encoding rules (DER), as specified
>                in ITU X.690.
>                This certificate can be used by the pledge,
>                the registrar, and the MASA to verify the signature
>                of agent-signed-data. It is an optional component
>                for the pledge-voucher request.
>                This MUST be populated in a registrar's
>                voucher-request when an agent-proximity assertion
>                is requested.";
>              reference
>                "ITU X.690: Information Technology - ASN.1 encoding
>                rules: Specification of Basic Encoding Rules (BER),
>                Canonical Encoding Rules (CER) and Distinguished
>                Encoding Rules (DER)
>                RFC 5280: Internet X.509 Public Key Infrastructure
>                Certificate and Certificate Revocation List (CRL)
>                Profile";
>            }
>          }
>        }
>      }
>    }
> 
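The RFC 8791 alternative Reshad raises above, as an added sketch that is neither the draft's module nor either reviewer's code: the artifact is declared with sx:structure rather than rc:yang-data, so a later module can extend it with sx:augment-structure, which yang-data does not allow. The second module, its namespace, prefix and leaf name are hypothetical placeholders, and the two modules are shown in one block only for brevity.

```yang
module ietf-async-voucher-request {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-async-voucher-request";
  prefix "constrained";

  // RFC 8791 structure extension instead of the RFC 8040 yang-data one
  import ietf-yang-structure-ext { prefix sx; }
  import ietf-voucher-request { prefix ivr; }

  revision 2021-08-13 { description "Initial version"; }

  grouping voucher-request-async-grouping {
    description "Grouping to allow reuse/extensions in future work.";
    uses ivr:voucher-request-grouping {
      // 'voucher' is the container defined by RFC 8995's grouping;
      // there is no 'voucher-request' node to augment.
      augment "voucher" {
        description "Registrar-agent additions to the voucher request.";
        leaf agent-signed-data {
          type binary;
          description "JOSE object signed by the registrar-agent.";
        }
      }
    }
  }

  // Unlike rc:yang-data, a structure can be augmented from other modules.
  sx:structure voucher-request-async-artifact {
    uses voucher-request-async-grouping;
  }
}

// Hypothetical later module (placeholder names), shown here in the same
// block for brevity; it would normally live in its own file.
module example-brski-ae-ext {
  yang-version 1.1;
  namespace "urn:example:brski-ae-ext";
  prefix "aeext";
  import ietf-yang-structure-ext { prefix sx; }
  import ietf-async-voucher-request { prefix constrained; }

  // Nodes brought in by 'uses' take the using module's namespace,
  // so the 'voucher' container carries the 'constrained' prefix too.
  sx:augment-structure "/constrained:voucher-request-async-artifact/constrained:voucher" {
    leaf example-extra-assertion {
      type string;
      description "Placeholder leaf added by a later module.";
    }
  }
}
```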

