Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
Kent Watsen <kwatsen@juniper.net> Mon, 31 July 2017 18:30 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E89D13276B; Mon, 31 Jul 2017 11:30:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id grqjql36gufI; Mon, 31 Jul 2017 11:30:24 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0123.outbound.protection.outlook.com [104.47.42.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14B24132751; Mon, 31 Jul 2017 11:30:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fK/2Zz6Si/l+y2h1Z1Ypuv7KiXwxe1FtvVZRoLJRiA0=; b=jkegXnLzBL9WCyYWwXx/ikbBxMCRK6flbGci/UDVQi7/2v3aIuzUzxd7XflkaJ51WD5SY2JgvO8yEI4k3o35NGNVw7bKY1lZsgpt6tGL/bTdAnrwuvFPz7fGEk4udIJWic+EtSf3PPErwNEuiVgSFiYxTiuvuPCgzinvHREXWt8=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1460.namprd05.prod.outlook.com (10.160.117.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.10; Mon, 31 Jul 2017 18:30:22 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.1320.010; Mon, 31 Jul 2017 18:30:22 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Yangdoctors last call review of draft-ietf-netconf-keystore-02
Thread-Index: AQHS/tjFB6LSB6mMA0ixt1H16U9uU6Jbyb8AgAEruACAC1e7gIAAnl+AgAA4dACAAE3eAP//00kAgABFrwCABIqHgA==
Date: Mon, 31 Jul 2017 18:30:21 +0000
Message-ID: <7079A8FA-A8C6-4677-9DBA-2A00637AD023@juniper.net>
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net> <20170728073923.GA28870@elstar.local> <701F31A6-9941-4DE4-AE7E-00E859F103F8@juniper.net> <20170728154008.GA29865@elstar.local> <53886D3E-8A0C-4664-A7BD-1E708A80EE9D@juniper.net> <20170728170930.GA30054@elstar.local>
In-Reply-To: <20170728170930.GA30054@elstar.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1460; 6:a2bdmqkh9w+yQLzbsIhXfPPePVkZmDcKftd7uScRGSVPX8nMc8PJcj5y0VArREDh1X8AbcVDaQKZnAMjoMv+zd6ZcQuRL+d9oGU+fCqLhgekJwFn1vUjNf51/18ismx/ss3ryWbGI33ReYZKn6F8poqKkv+UiIA2r6yA+Jkvbnkf4TeaISGHP2wjleRu02JYmdZbZhQAAQTZtuSahY7bFjiWTI0LZHQexeBENqpSOGx4/D17DVK7pt5/iZBjEsvUGyN1pK6L+U8lyG/mhuH+NtCA1TKyp4VUswHmXMAP+bRWZYGwmXGU1yGti/57x3tJiwSi3wmPH6d1Fx7jhLwpEg==; 5:XRBtrS1Tshk24GYuGbwgQXAYcEPAV5Yke+tRep2HmDKPiXQLhoe3d2HyIpl5TPW0sobufBDjocwYUKpYiRP8whfVbejAI41b7pKF6wcIJ2wL+/4WqbiCquPVkHjA9mqsCacohr/O2aNdA2dj/iQt6A==; 24:yiBrwUppSH21Y5LaLJFf8cUVTo18Bri+9n2L51aVR3zsaGMTgUuvHtkXHLdmqN0TJAqMUJUKhD9Cs/qbJcQ/VpGIN+fLhwpsWqynVS1dnkQ=; 7:ve+nSed83loS7xuWpY9UFGFk8a1SC6BWVRWT8v7CMP/wim1uHkqzuXrQWzLgSZxHxBljIIu1qT2QUveAxZHOwLx1Uns3jdwj09I7A6QW5i7PO7zh//DgisMHQi3XMDJESLZRbY5if0zRUw7KM4E6xCc/wr/N+ZT0BImnhmGgPtd96zdatBGzN1J8imb1Gf7u6DMGdDOHOBJIIPjMe2bOYpKiwiLkUDEADIdLK4o73I4=
x-ms-office365-filtering-correlation-id: e9f41f82-fc04-4393-22b0-08d4d842342f
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN3PR0501MB1460;
x-ms-traffictypediagnostic: BN3PR0501MB1460:
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820);
x-microsoft-antispam-prvs: <BN3PR0501MB1460EA89E668FD453B7BD188A5B20@BN3PR0501MB1460.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(10201501046)(100000703101)(100105400095)(6055026)(6041248)(20161123555025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123560025)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN3PR0501MB1460; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN3PR0501MB1460;
x-forefront-prvs: 03853D523D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39840400002)(39860400002)(39410400002)(39450400003)(39400400002)(39850400002)(189002)(199003)(174864002)(52314003)(51444003)(43784003)(305945005)(36756003)(189998001)(6306002)(54906002)(6512007)(5660300001)(551544002)(2900100001)(478600001)(229853002)(86362001)(82746002)(6486002)(6506006)(3846002)(77096006)(6116002)(102836003)(83716003)(6916009)(68736007)(38730400002)(83506001)(2950100002)(6436002)(110136004)(4001350100001)(53936002)(2906002)(50986999)(76176999)(54356999)(3660700001)(3280700002)(101416001)(966005)(554214002)(7736002)(99286003)(6246003)(8676002)(33656002)(25786009)(4326008)(230783001)(97736004)(105586002)(8936002)(66066001)(106356001)(93886004)(81156014)(81166006)(14454004); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1460; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <EF506B73C8A61640A5FB460488729F4D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jul 2017 18:30:21.9934 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1460
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/hmS4ujgZHMEVfn2xoCKG7rte-18>
Subject: Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 18:30:27 -0000
>> >> >> >> - I am not sure I understand trusted-host-keys. On systems that have >> >> >> >> multiple user accounts, you usually have a per account list of >> >> >> >> trusted host keys in addition to a global system wide list. Perhaps >> >> >> >> make it clear that this models the global known hosts list only? >> >> >> >> >> >> >> >> <KENT> it's a list of lists, so there can be many different >> >> >> >> sets a host-keys defined, with each application/use pointing >> >> >> >> to its own entry. The ietf-ssh-client module's grouping has >> >> >> >> a leafref to a specific entry. FWIW, this grouping is >> >> >> >> used by ietf-netconf-client module. At the moment, there >> >> >> >> no other uses of this grouping. I think that you may be >> >> >> >> getting confused between the key the server presents (the >> >> >> >> host-key) versus the key user presents. >> >> >> >> . >> >> >> > >> >> >> > I though these are the authorized host keys? Yes, I am confused. If >> >> >> > these are user public keys, they should not be called host keys. But >> >> >> > yes, I am confused (but I started to read the other documents). >> >> >> >> >> >> This leaf encodes an SSH public key (RFC4253, 6.6), same as used in >> >> >> /ietf-system/system/user/authorized-key/key-data (and I have changed >> >> >> this leaf's type to match it in my local copy already), but the uses >> >> >> are different. In ietf-system, the authorized-key is configured on >> >> >> a server in order to authenticate subsequent SSH-client connections. >> >> >> Here, we're taking about the key that that SSH-server presents to >> >> >> the client. These are the host keys that OpenSSL often puts into the >> >> >> ~/.ssh/known-hosts file. >> >> > >> >> > I understand what you are modeling is /etc/ssh/ssh_host_rsa_key.pub >> >> > and friends. Make sure it is described clearly. Or do you actually >> >> > mean the clients cache of authenticated keys that goes into an >> >> > account's known-hosts file? In this case, the keystore may be the >> >> > wrong place. >> >> >> >> /keystore/trusted-host-keys/trusted-host-key is in fact like the >> >> known-hosts file. That is, these are the host-keys that a client has >> >> "pinned" or "trusted". The ietf-ssh-client has a leafref to one of >> >> these entries. We could rename "trusted-host-key[s]" to >> >> "pinned-host-key[s]" if that helps. Ditto for trusted-certificate[s]) >> >> >> >> By contrast, /keystore/keys/key/name is referenced by ietf-ssh-server >> >> to identify the host-key(s) the SSH server presents to SSH clients. >> >> This is analogous to /etc/ssh/ssh_host_rsa_key.pub and friends. This >> >> node isn't called e.g. /keystore/keys/key/ssh-host-key because, AFAICT, >> >> the system should be able to generate its host-key from the private-key >> >> itself. Thus, referencing the name is equivalent. If there were a >> >> /keystore/keys/key/ssh-host-key node, it would be a gratuitous config >> >> false value that somehow encoded the host-key in a more SSH friendly >> >> format. But, it may have a subtler value in that, I think that your >> >> confusion may be because it was NOT there and so, in its absence, >> >> you may have thought that the "trusted-host-keys" must serve that >> >> function. Thoughts? >> >> >> >> BTW, "host key" has a specific meaning, defined in RFC4251#4.1, not to >> >> be confused with authorized keys. >> > >> > I do not really follow you. I think I do understand what a host key >> > (pair) is and that it is different from a users key (pair). >> >> Fine, but this is SSH architecture thing, not something specific to >> the draft - right? > > ??? I'm unsure about what you want here. A host-key is how the server authenticates itself to clients. It is the thing that, when an SSH client first connects to a server and is presented the fingerprint, is placed into the client's ~/.ssh/known-hosts file. Separately, user accounts can be configured to authorize a client based on a public-key (as opposed to a password). This public-key is the thing that is commonly placed in ~/.ssh/authorized_keys, and is configurable via ietf-system/system/user/authorized-key/key-data. >> > Yes, I did >> > not understand from reading the ID that the private SSH host key is to >> > be found in /keystore/keys/key/name (likely because of all the >> > certificate stuff around it that I have never seen used with SSH host >> > keys). >> >> Okay, then do you like having a /keystore/keys/key/ssh-host-key node? > > I guess what I am looking for is a more radical split between X.509 > stuff and SSH key stuff, the most radical split would be a module for > X.509 keys and certs and another module for SSH host keys. Or > alternatively, if there is really a strong reason to have all these > different keys in one list, then define the list such that > augmentations add X.509 stuff and SSH key stuff. I am not a fan of > lists where the usage of leafs for different purposes is not clear. I just filed https://github.com/netconf-wg/keystore/issues/7 to track this. My current thought is to break the module up into a main module and two augmenting modules. This isn't quite what you want, but I'm hoping that the net-result is more readable, since nodes will be prefixed. If nothing else, it can be a first step to a larger break-up... >> > I guess I am not a big fan of bundling the way X.509 keys and certs >> > work together with how SSH keys work (because I am not used to this >> > and the systems I tend to use do not do this either). Anyway, if this >> > is the direction to go, I think this needs explanatory text somewhere. >> >> So then perhaps factoring out the x.509 and ssh stuff out into augmenting >> modules? > > I am not sure how much is left, other than a list with a key name leaf > and whether it is worth to have this common structure (and whether any > uniqueness constraints resulting from that are a benefit or not). Right, the remaining module would be pretty skinny - just a list of keys and an action to generate a new private key. I think the primary value is that everything is in one location, but maybe that doesn't matter here, since there is no human-in-the-loop, such as there is for desktop-oriented keystore mechanisms. Generally, the keystore is password-protected, but in this case there is no password, other than whatever the client used when connecting to the server. >> >> >> >> - Should the document title be aligned with other YANG module >> >> >> >> definitions, so it is easier to spot it? >> >> >> >> >> >> >> >> <KENT> I don't understand, what do you mean? >> >> >> > >> >> >> > We often use "[A] YANG Data Model for ....". >> >> >> > >> >> >> > https://en.wikipedia.org/wiki/YANG#Usage_in_Standards >> >> >> > >> >> >> > The current name does not say YANG (sometimes I search for YANG >> >> >> > in the RFC index) and Keystore is also pretty broad given the >> >> >> > related work we have. >> >> >> >> >> >> Gotcha, how about "YANG Data Model for Keystores"? >> >> > >> >> > Yes, except that 'keystores' leaves readers unclear about the scope. I >> >> > commented several times that the names of this module and the other >> >> > module for symmetric keys are unfortunate. Concerning the SSH keys, I >> >> > am still concerned that we would be better off to have a separate SSH >> >> > module that takes care about managing an SSH server's host keys and >> >> > then this module would be X509 certificate specific, i.e., a 'YANG >> >> > Data Model for Managing X.509 Keys and Certificates' would be a clear >> >> > and well defined scope. >> >> >> >> From a refactoring perspective, we could have a base module and then >> >> two augmenting modules, one for SSH and the other for X.509. I would >> >> think to define all three modules in the same draft, but that wouldn't >> >> help your draft-name issue. We could put each module into own draft >> >> (e.g. +2 drafts), but is it worth it for renaming sake? Maybe an even >> >> longer title? "YANG Data Model for Managing Asymmetric Private Keys, >> >> X.509 Certificates, and SSH Host Keys'? Naming aside, what do you >> >> think about the module-factoring idea? >> > >> > Perhaps it is simpler to have one data model to manage X.509 keys and >> > certs and another data model to manage SSH keys. I do not know how >> > much commonality there is. At the end, I also do not mind if >> > everything is lumped together as long as it is clear how to implement >> > things and key formats etc match with what implementations typically >> > do. >> >> Two modules, something like ietf-ssh-keystore and ietf-x509-keystore? >> Of course, there would overlap between them (e.g., both modules would >> have the /keys/key hierarchy, the ietf-ssh-client/server modules might >> need to import both keystores, since SSH can use X.509 certs too (per >> RFC6187). I don't know, this doesn't seem right. For instance, what >> is a server to do if it generates a private key that has not yet been >> associated with an X.509 cert or SSH host key, is the private key to >> appear in both keystores? > > Is this how systems work? My command line tools either create X.509 > keys or SSH keys. No, your system most likely does not use a keystore mechanism. For instance, OpenSSL's `ssh-keygen` utility just writes to a local file. We're doing something a little different here, which is a cause for careful review (thanks again). Taking a step back, one of the drivers for this keystore mechanism is to centralize the /trusted-host-keys and /trusted-certificates, as these lists are referenced from many locations. Less important to centralize are the private keys, as the keys (always?) have a single use. The only reason for centralizing the private keys is to give keys created via the generate-private-key action a place to be listed before they are used for some purpose... >> >> >> >> - Since the certs of a key do not contain a signature, where are signed >> >> >> >> certificates stored or are they outside the scope of the model? >> >> >> >> >> >> >> >> <KENT> I'm confused, certificates are signed structures already... >> >> >> > >> >> >> > Well, the description of certificates/certificate/value says: >> >> >> > >> >> >> > An unsigned PKCS #7 SignedData structure, as specified >> >> >> > by Section 9.1 in RFC 2315, containing just certificates >> >> >> > (no content, signatures, or CRLs), encoded using ASN.1 >> >> >> > distinguished encoding rules (DER), as specified in >> >> >> > ITU-T X.690. >> >> >> > >> >> >> > Yes, I am confused how this works. >> >> >> >> >> >> Okay, now I understand your confusion. I believe the text is >> >> >> accurate. Think of the PKCS#7 structure being a little like a >> >> >> TAR file that contains a directory structure like this: >> >> >> >> >> >> pkcs7: >> >> >> /signed-info >> >> >> /signature - this sig is only over 'signed-info' ... >> >> >> /extra-certificates >> >> >> /extra-revocation-objects >> >> >> >> >> >> So, in this case, we're using a degenerate form of the pkcs7 >> >> >> structure that has no content (signed-info), signature, or CRLs >> >> >> (revocation-objects), it only contains the certificates. Perhaps >> >> >> my use of the word "unsigned" isn't clear enough? >> >> > >> >> > So why pkcs7, is this what implementations use? The certificates >> >> >> >> Why pkcs7 is because each certificate may have an associated chain >> >> of certificates leading to a trust-anchor CA certificate. For instance, >> >> a vendor might have a CA called "foo-root" that signs an intermediate >> >> CA called "foo-intermediate" that signs the "foo-entity" certificates. >> >> So, a given foo-entity certificate (a single X.509 structure) is >> >> commonly presented along with its chain of CA certs (more X.509 >> >> structures), in this case, the "foo-intermediate" and "foo-root" CA >> >> certs. The pkcs7 structure is commonly used for this purpose in the >> >> PKI world. Yes, it could be just a TAR file having a flat list of >> >> certs, but then we'd have to define that structure, whereas its >> >> already defined in pkcs7. >> >> >> >> > I find in /etc/ssl/certs on my Debian system seem to be in PEM format. >> >> >> >> PEM and DER are interchangeable formats. PEM is essentially the base64 >> >> encoding of the DER surrounded by the "===== BEGIN/END CERTIFICATE >> >> =====" header/footer. >> >> >> > >> > DER encoded certificate or pkcs7? I thought PEM is just a base64 >> > encoded version of the DER encoded certificate, no pkcs7 involved. >> >> Both PKCS7 and X.509 or ASN.1-encoded structures, and all ASN.1 structures >> can be encoded using PEM, DER, or even BER. Your debian system's "certs" >> directory undoubtedly only contains root certs, hence there is no cert-chain >> to staple to them, and hence a single X.509 structure (either PEM or a DER) >> is perfect. As soon as you step into needing more than one cert, then >> either PKCS7 or PKCS12 (both of which could be PEM or DER encoded), or a >> very special multi-part PEM (one that contains more than one of the "=====" >> BEGIN/END blocks) could be used. BTW, all this was discussed a while back >> related to https://github.com/netconf-wg/keystore/issues/1. What's written >> in the GitHub issue tracker should be ignored, search instead the list-archive >> on issue #1... >> > > What matters is that the I-D is clear and captures the important > reasons etc. You can't expect implementors to read github issues > or mailing list archives. Sorry for my ignorance. Okay, I rewrote the description. Actually. I just removed the word "unsigned", as the rest seemed okay: A PKCS #7 SignedData structure, as specified by Section 9.1 in RFC 2315, containing just certificates (no content, signatures, or CRLs), encoded using ASN.1 distinguished encoding rules (DER), as specified in ITU-T X.690. Kent
- [yang-doctors] Yangdoctors last call review of dr… Jürgen Schönwälder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Mehmet Ersue
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Kent Watsen
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen