Acee,

This is something we ran into with the ietf-keystore model also. The thoughts are that key strings should never leave the device. If anything, most devices have tamper-proof capability (FIPS 140-2) to wipe the keys out if tampered with or exported. So exporting the string, encrypted, even with NACM, would defy that.

> On Nov 30, 2016, at 1:37 PM, Acee Lindem (acee) <[email protected]> wrote:
>
> In the days of MIBs, we used to omit key strings from the data that would be
> returned. This was ostensibly done for security purposes. We did the same for
> the operational state returned for keystring in key-chain-entries. I’m now
> thinking this was a mistake. Rather, it would seem that one could use RFC
> 6536 rules to accomplish this at a more granular level.
>
> Note that the model also supports keystring encryption as described in RFC
> 5649.
>
> Thanks,
> Acee
>
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod

Mahesh Jethanandani
[email protected]
