Hi Linda, Thanks for your support and comments. Let me try to address them:
On 28/4/25, 19:32, <[email protected]> wrote: * The draft is a bit general about where and how the provenance mechanism would be applied — is it just for device configurations? service models? operational data? It would be useful to add a section describing target deployment scenarios (e.g., device configurations only, network-wide service orchestration, telemetry data protection). While the draft was made intentionally general to make clear the proposed mechanisms could be applied in practically any situation YANG is used, you are right some target deployment scenarios would help a better understanding of the purpose of what is described in the draft, and even provide some ground for additional scenarios. We have added such a section to the version we are about to make available at the datatracker. * How are keys managed? What happens if a signature verification fails? Maybe have a section describing the key management assumptions (e.g., per-operator keys? per-device keys?) Key management, as much as key association with a particular KID, is assumed to be a deployment specific matter, but you are right is a relevant security issue. We have added some text on this in the security considerations section. In addition a specific mention that is up to the verifying application to decide what to do if signature verification fails is also added to the discussion on verification. * Suggest adding some description in the Security section to describe risks if private keys are compromised and replay attack considerations? As far as I can tell, I think the provision dealing with signature procedures in general made at the beginning of the section on security, referencing several RFCs, cover this. I think is preferable using those references than making incomplete considerations on these delicate matters. Be goode, -- “Esta vez no fallaremos, Doctor Infierno” Dr Diego R. Lopez Telefonica https://www.linkedin.com/in/dr2lopez/ e-mail: [email protected]<mailto:[email protected]> Mobile: +34 682 051 091 --------------------------------- On 28/4/25, 19:32, <[email protected]> wrote: AVISO/WARNING: Este correo electrónico se originó desde fuera de la organización. No haga clic en enlaces ni abra archivos adjuntos a menos que reconozca al remitente y sepa que el contenido es seguro / This email has been originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. The draft presents a compelling approach to securing YANG data through COSE signatures. I support the WG adoption, with the following questions and suggestions to the draft: * T Linda From: Benoit Claise <[email protected]> Sent: Thursday, April 24, 2025 2:53 AM To: opsawg <[email protected]> Subject: [OPSAWG]Call for adoption:Applying COSE Signatures for YANG Data Provenance, draft-lopez-opsawg-yang-provenance Dear all, The IPR poll has concluded (no known IPR has been disclosed), and we would like to start a two weeks adoption poll for draft-lopez-opsawg-yang-provenance-07<https://datatracker.ietf.org/doc/draft-lopez-opsawg-yang-provenance/>. Please respond on-list with support and especially comments. Getting the authors support is kind of obvious (at least we hope), so non authors feedback is really welcome. The adoption call will run till May 8th. Regards, Joe and Benoit ________________________________ Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. The information contained in this transmission is confidential and privileged information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
_______________________________________________ OPSAWG mailing list -- [email protected] To unsubscribe send an email to [email protected]
