On Apr 20, 2021, at 12:02 PM, Joe Clarke (jclarke) <jcla...@cisco.com> wrote:
> Agreed on the point that the current payload is obfuscated.  The choice
> element in the YANG module seems to want to be future-proof, too, such
> that when true encryption is added, it could be augmented in as another
> choice (instead of shared-secret obfuscation).

  We can't use this field for TLS, as TLS PSK has been deprecated in TLS 1.3 
(outside of resumption).

  Would we want to use the same "key" field for a 1997-era ad hoc obfuscation 
as for (say) AES?  That suggests to me that failure modes are (a) using simple 
ASCII words for AES keys, or (b) using AES keys with 1997-era obfuscation.

  Either failure mode is worrying.

> If a single term was used for the choice and obfuscation was called out
> in the description of the shared-secret leaf, would that be sufficient?

  I would lean towards leaving this as "obfuscation", and suggest that 
any newer security methods use entirely different fields in the YANG model.

  Alan DeKok.
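An added illustration (not from the draft under discussion, nor from either correspondent) of the layout Alan is leaning towards: the existing shared secret stays under a case named "obfuscation", and any newer mechanism gets its own case with its own leaves, so a key intended for one mechanism cannot be typed into the field meant for another. The module name, namespace, prefix and the leaves under the hypothetical tls case are assumptions; only the shared-secret leaf and the obfuscation naming come from the thread.

```yang
module example-aaa-server-security {
  yang-version 1.1;
  namespace "urn:example:aaa-server-security";  // hypothetical namespace
  prefix ex-aaa;

  import ietf-netconf-acm { prefix nacm; }      // RFC 8341, for default-deny-all

  container server {
    description
      "One AAA server entry (hypothetical module, for illustration only).";

    choice security {
      mandatory true;
      description
        "Exactly one mechanism per server. Each case carries its own
         leaves, so a secret meant for one mechanism cannot land in the
         field of another. Newer mechanisms are added as further cases
         (for example via augment), never by reusing 'shared-secret'.";

      case obfuscation {
        leaf shared-secret {
          type string { length "1..max"; }
          nacm:default-deny-all;
          description
            "Secret for the legacy 1997-era shared-secret obfuscation of the
             protocol payload. This is obfuscation, not encryption: it gives
             no confidentiality against anyone who obtains or guesses the
             secret, and it is not a suitable place for a cipher key.";
        }
      }

      case tls {
        // Hypothetical: the kind of fields a TLS-based mechanism would need.
        // They are deliberately distinct leaves, not a reuse of 'shared-secret'.
        container tls {
          leaf certificate-ref {
            type string;
            description
              "Reference to the client certificate entry to present.";
          }
          leaf trust-anchor-ref {
            type string;
            description
              "Reference to the trust anchor used to verify the server.";
          }
        }
      }
    }
  }
}
```

With this shape, the two failure modes Alan names are structurally harder to hit: an ASCII word only ever lands in `shared-secret`, whose description says what it is, and cipher material for a newer mechanism has nowhere to go except that mechanism's own leaves.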

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
