Hi,

Kent Watsen <[email protected]> wrote:
> Andy, et al.,
>
> >> I cannot find any RFC text that says <running> has only nodes created
> >> by a client.
> >
> > Really? Interesting. Still, I know it’s a mantra we’ve held closely
> > for many years, right?
> >
> > No. Quite the opposite.
>
> <snip>
>
> There was a brouhaha back when I proposed the “keystore” draft have an
> “action” called “generate-private-key” that would insert the generated
> key into <running>. Claims were made by prominent members of this
> list that it’s bad form for anything but a client to edit <running>.

The problem with an action that is supposed to modify the running
config is that it also has to be prepared to handle systems with
<candidate>, handle locks etc. And if you don't have <candidate> you
may want to add the private-key together with other data in one go;
this is not possible if it was added by an action.

For the purpose of adding "built-in list instances" (which seems to be
the use case for the proposed solution), I think the factory-default
datastore can be used. (This is actually better than the server
"acting as a client".)

/martin

> As a result, extensive effort was spent defining a mechanism enabling
> the generated key to be returned in the RPC-reply in an encrypted form
> (such that only the server that generated the key could decrypt it),
> all so the client could immediately return it to the server via a
> config push in order to preserve the sanctity of client read-backs.
>
> If current claims were true then, why didn’t someone just say it’s
> okay since the server is acting like a client under the hood?
>
> K.
> _______________________________________________
> netmod mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/netmod
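The lock, <candidate> and "one go" points Martin makes can be seen in a toy model. The block below is an added example written for this page; it is not code from the thread, from the keystore draft, or from any NETCONF server. It models <running>, <candidate> and <factory-default> as nested dicts, with lock/edit-config/commit semantics in the style of RFC 6241, and contrasts three things: an action that writes straight into <running> and silently bypasses a lock another session holds; the same action routed through the normal edit path, which then has to refuse under the lock; and the client-driven alternative, where the key and the config that references it land in <running> in a single commit. The last scenario shows built-in instances coming from <factory-default>. Session ids, node names such as "keystore"/"tls-server" and the key material are constructed placeholders.

```python
import copy


class LockError(Exception):
    """Raised when an operation targets a datastore locked by another session."""


def deep_merge(dst, src):
    """Merge nested dicts in place; stands in for <edit-config operation="merge">."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            deep_merge(dst[key], value)
        else:
            dst[key] = copy.deepcopy(value)
    return dst


class ToyServer:
    """Minimal datastore model: <factory-default> is read-only, <running> and
    <candidate> start as copies of it, and locks are per datastore per session."""

    def __init__(self, factory_default):
        self.factory_default = copy.deepcopy(factory_default)
        self.running = copy.deepcopy(factory_default)
        self.candidate = copy.deepcopy(factory_default)
        self.locks = {}  # datastore name -> session id holding the lock

    def _require_unlocked_or_owned(self, session, ds):
        holder = self.locks.get(ds)
        if holder not in (None, session):
            raise LockError(f"<{ds}> is locked by session {holder}")

    def lock(self, session, ds):
        self._require_unlocked_or_owned(session, ds)
        self.locks[ds] = session

    def unlock(self, session, ds):
        if self.locks.get(ds) == session:
            del self.locks[ds]

    def edit_config(self, session, ds, merge):
        self._require_unlocked_or_owned(session, ds)
        deep_merge(getattr(self, ds), merge)

    def commit(self, session):
        # <candidate> replaces <running> as one unit; both locks are checked.
        self._require_unlocked_or_owned(session, "candidate")
        self._require_unlocked_or_owned(session, "running")
        self.running = copy.deepcopy(self.candidate)

    def factory_reset(self):
        self.running = copy.deepcopy(self.factory_default)
        self.candidate = copy.deepcopy(self.factory_default)


def fake_keygen(name):
    # Constructed placeholder; no real key material is generated here.
    return {"name": name, "private-key": f"<{name}-key-material-placeholder>"}


def naive_generate_key_action(server, name):
    """Action writing directly into <running>: it never sees locks or <candidate>."""
    deep_merge(server.running, {"keystore": {"keys": {name: fake_keygen(name)}}})


def lock_aware_generate_key_action(server, session, name):
    """Same action routed through the normal edit path so locks are honoured;
    on a server with <candidate> it would also have to pick a target datastore."""
    server.edit_config(session, "running", {"keystore": {"keys": {name: fake_keygen(name)}}})


def scenario_action_ignores_lock():
    srv = ToyServer({"keystore": {"keys": {}}})
    srv.lock("A", "running")              # session A holds <running>
    naive_generate_key_action(srv, "k1")  # invoked from session B, writes anyway
    return "k1" in srv.running["keystore"]["keys"]  # True: the lock was bypassed


def scenario_action_honours_lock():
    srv = ToyServer({"keystore": {"keys": {}}})
    srv.lock("A", "running")
    try:
        lock_aware_generate_key_action(srv, "B", "k1")
    except LockError:
        return "locked"
    return "written"


def scenario_client_adds_key_and_reference_in_one_commit():
    srv = ToyServer({"keystore": {"keys": {}}, "tls-server": {}})
    srv.lock("A", "candidate")
    srv.lock("A", "running")
    # Key and the node referencing it arrive together, so the reference is
    # resolvable in the same commit; an action could not offer this.
    srv.edit_config("A", "candidate", {
        "keystore": {"keys": {"k1": fake_keygen("k1")}},
        "tls-server": {"key-ref": "k1"},
    })
    before = "k1" in srv.running["keystore"]["keys"]  # False until commit
    srv.commit("A")
    srv.unlock("A", "running")
    srv.unlock("A", "candidate")
    return before, srv.running["tls-server"]["key-ref"], "k1" in srv.running["keystore"]["keys"]


def scenario_builtin_instance_via_factory_default():
    """A built-in list instance seeded from <factory-default> survives a reset."""
    factory = {"keystore": {"keys": {"builtin": fake_keygen("builtin")}}}
    srv = ToyServer(factory)
    srv.edit_config("A", "running", {"keystore": {"keys": {"builtin": {"private-key": "overwritten"}}}})
    srv.factory_reset()
    return srv.running["keystore"]["keys"]["builtin"]["private-key"]
```

The first two scenarios are the two halves of Martin's objection: an action that edits <running> either ignores the lock semantics every client relies on, or has to reimplement them (and decide between <running> and <candidate>) inside the action. The third shows the atomic "key plus the config that uses it" edit a client can do but an action cannot, and the fourth is the <factory-default> route for built-in instances, which needs no server-side edit of <running> at all.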
