This is an update to NETCONF over TLS with mutual X.509 authentication.
In general, this looks fairly good.
I'd ask the security ADs to take a look at two things:
* The text on certificate validation in section 5.
Certificate validation has a number of options, none of which are
described or specified in this text.
Is that good enough for this application? (Probably)
* In section 7, there is a description of how the NETCONF server finds the
username of the client.
It talks about a certificate fingerprint without a reference to a
specific algorithm.
I'm aware of multiple algorithms for fingerprints.
This text is probably too vague for interoperability.
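
The interoperability concern about section 7, as an added example that is not part of the original review or of the draft: a server maps a client certificate fingerprint to a username, and the lookup fails when the operator and the server assume different hash algorithms. The certificate bytes, the username `admin` and the `alg:hex` entry format are constructed for illustration and are not the draft's encoding.

```python
import hashlib
import hmac

# Constructed stand-in for a client certificate's DER encoding (not a real certificate).
CLIENT_CERT_DER = bytes.fromhex("3082010a0282010100") + b"constructed-example-certificate"


def fingerprint(der: bytes, algorithm: str) -> str:
    """Hex digest of the DER-encoded certificate under the named hash."""
    return hashlib.new(algorithm, der).hexdigest()


def lookup_untagged(cert_map: dict, der: bytes, server_algorithm: str):
    """Map entries are bare fingerprints; the server has to assume an algorithm."""
    presented = fingerprint(der, server_algorithm)
    for configured, username in cert_map.items():
        if hmac.compare_digest(configured, presented):
            return username
    return None


def lookup_tagged(cert_map: dict, der: bytes):
    """Each entry names its algorithm (hypothetical "alg:hex" form), so nothing is guessed."""
    for entry, username in cert_map.items():
        algorithm, _, configured = entry.partition(":")
        if algorithm not in hashlib.algorithms_available:
            continue  # unknown algorithm: skip the entry rather than guess
        if hmac.compare_digest(configured, fingerprint(der, algorithm)):
            return username
    return None


# The operator computed the configured fingerprint with SHA-256.
UNTAGGED_MAP = {fingerprint(CLIENT_CERT_DER, "sha256"): "admin"}
TAGGED_MAP = {"sha256:" + fingerprint(CLIENT_CERT_DER, "sha256"): "admin"}

if __name__ == "__main__":
    # Same certificate, same map: the result depends only on the server's assumption.
    print(lookup_untagged(UNTAGGED_MAP, CLIENT_CERT_DER, "sha256"))
    print(lookup_untagged(UNTAGGED_MAP, CLIENT_CERT_DER, "sha1"))
    print(lookup_tagged(TAGGED_MAP, CLIENT_CERT_DER))
```

With an untagged fingerprint, a valid client is rejected (no username found) whenever the two sides disagree on the hash, and nothing in the configured value reveals which algorithm produced it.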