>> 1) drilling down on the mandatory-to-implement NC/RC protocols
>> is somewhat missing the point. The important bit is that
>> *all* protocols transporting YANG-modeled data *only* have
>> secure transport layers. More specifically, YANG-modeled
>> data may be transported over other protocols (e.g., coap),
>> and also a protocol might have an insecure transport
>> protocol (e.g., it doesn't much help to talk about HTTPS
>> being mandatory-to-implement if RESTCONF allowed HTTP).
>
> RESTCONF says MUST use TLS. Making an open ended statement about
> security properties of unknown protocols sounds risky.

I wasn't trying to make an open-ended statement, or even an assumption about those protocols. I was trying to say that 1) Benoit's text goes into the weeds talking about mandatory to implement aspects of a couple specific protocols and 2) the text should instead make general statements about the expectations of protocols transporting the YANG-modeled data.

Of course, if a protocol sends data in the clear or doesn't require mutual authentication, then the entire Security Consideration is a somewhat pointless read.

K. // contributor

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
