Re: [Last-Call] Secdir last call review of draft-ietf-netconf-sztp-csr-11
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 25 November 2021 14:02 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B97F3A089E; Thu, 25 Nov 2021 06:02:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pL7TuIegQ2OC; Thu, 25 Nov 2021 06:02:42 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31C8F3A089A; Thu, 25 Nov 2021 06:02:42 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id w22so7672519ioa.1; Thu, 25 Nov 2021 06:02:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:date:from:subject:thread-topic:in-reply-to:message-id :references:to:cc:content-transfer-encoding; bh=DOvITYLZYi4w4gH4c5/lY0QYRZbREdDso+ud1jh1Qb0=; b=TWg0hRj+g9WvibgPS3uHMfzp+lU9wXe/ZDuzTUNKv/reswsu9NNN7LT8uvvhUs99/F IwB2SGspWgiMed+0hxUxB9XS1RyGyC/omK5n+RlDWravrzqxWbSJ9xGxmQB8gMILyBMr VxLXocVSbmuGCfjtQYoO8AoVep7CY1gKRLDGxRnpufYWMDK5rp1GsopOpJ02IJ2M/zOG ksTmgqF4gRIQO6wFTViZHDoD9bxg8BoOEnWLAvsVP22gKS1TVZiAq0x0EiPgB4UcuIMz IOU3w15dom6ioMNouHBaqALko52/iLPjjIAopYZssMZ9vTS2UQeFB6FusapHw2QkiBL6 SsQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:date:from:subject:thread-topic :in-reply-to:message-id:references:to:cc:content-transfer-encoding; bh=DOvITYLZYi4w4gH4c5/lY0QYRZbREdDso+ud1jh1Qb0=; b=2l2XBpsID+R9cO9eimSe+WVAFNpq+PDAwghQHEtikQqJjDj+eveVvaZrsh3gowq/MG H3Yjm7LNXcx3QAC0RptIyvWSNURKeuxHC5x4uiUwih/Hek0qrQ3uDl3BBPB0Z6bK4jmt AGnrjRag9B1rAF+fKddeIhJk4izim3CtdgjxX+cLAzCOF8JFxbQW1ym1vG6qD44TqJ2g c5EPsAft2DLMdA+DgBg9XhcOLaLwGWvoQuJw2SV0JiDB/0LuSC1XNNOcMPY5la6EBS5Z kyT0kqfZ5i93VBu1WSJ6Drz1JsOwuEYci//XoOBsRhIN/a2iu4xicpZ6xd5G6iP0A8d4 8neQ==
X-Gm-Message-State: AOAM533g8Ozs5Jf8uZnvWDKoQnwdgr1fLvzP3QoRL1Ch7YX4w5K729kv 19HT5Gd7Fc1KFLR66CIC7oQJa9dXm30=
X-Google-Smtp-Source: ABdhPJyGgMf26d038o+mu29aH2nuAmTc7Mnbboo4IjWDDx3+E8Kes1dgD1SHGbQT4sF818xaitcQeg==
X-Received: by 2002:a05:6638:2178:: with SMTP id p24mr29235348jak.142.1637848960508; Thu, 25 Nov 2021 06:02:40 -0800 (PST)
Received: from MacBook-Pro.local (IGLD-84-229-147-189.inter.net.il. [84.229.147.189]) by smtp.gmail.com with ESMTPSA id x5sm1515537iov.50.2021.11.25.06.02.38 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 Nov 2021 06:02:39 -0800 (PST)
MIME-Version: 1.0
Date: Thu, 25 Nov 2021 16:02:32 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Re: Secdir last call review of draft-ietf-netconf-sztp-csr-11
In-Reply-To: <0100017d49a045e3-d1919799-0247-4fb5-abe6-d0c661f80f6a-000000@email.amazonses.com>
Message-ID: <D87EF8A3-D81B-E84E-9B87-EBFE775A2A7D@hxcore.ol>
References: <163717559932.18384.2156774121641934785@ietfa.amsl.com>, <0100017d49a045e3-d1919799-0247-4fb5-abe6-d0c661f80f6a-000000@email.amazonses.com>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-netconf-sztp-csr.all@ietf.org" <draft-ietf-netconf-sztp-csr.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/x037jJQ_X0kwn2DTXApWcL61OhY>
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-netconf-sztp-csr-11
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Nov 2021 14:02:48 -0000
Hi Kent,
Thank you for addressing my comments, I am happy with most of your responses but I do have a few remaining questions:
- The commit that removes the dependency on IDevID and LDevID does not fix the issue of non-orthogonality. There is very detailed description for CMP and CMC, but nothing for PKCS #10 (p10-csr). Does it mean “use PKCS#10 out of the box and it’ll just work”? Or does it mean “the usage of PKCS#10 for these certs is still TBD”?
- I suggest to add the following reference to the paragraph on quality randomness, as a strong proof that this is a real world concern:
Heninger, N., Durumeric, Z., Wustrow, E., and J. Halderman, "Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices", Proceedings of the 21st USENIX Security Symposium , August 2012, <https://factorable.net/" rel="nofollow">https://factorable.net/>.
- I understand that key generation is out of scope and maybe this needs to be a separate work item, but recommending periodic replacement of the certs without recommending a suitable mechanism leaves this solution with a big hole.
- It is really annoying that 21 years after PKCS #10, we still cannot provide a reference that would enable implementers to find out all available, non-deprecated AlgorithmIdentifier values. (And I realize there’s little you can do about it.)
Thanks,
Yaron
From: Kent Watsen <kent+ietf@watsen.net>
Date: Monday, November 22, 2021 at 23:49
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: secdir@ietf.org <secdir@ietf.org>, draft-ietf-netconf-sztp-csr.all@ietf.org <draft-ietf-netconf-sztp-csr.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, netconf@ietf.org <netconf@ietf.org>
Subject: Re: Secdir last call review of draft-ietf-netconf-sztp-csr-11
Hi Yaron,
Thank you for your valuable comments. My co-authors and I have the following
responses to your comments.
On Nov 17, 2021, at 1:59 PM, Yaron Sheffer via Datatracker <noreply@ietf.org> wrote:
Reviewer: Yaron Sheffer
Review result: Has Issues
This draft defines a mechanism for a device, when it first starts, to generate
a CSR to get itself provisioned with one or more certificates it needs to
identify itself during its normal operation.
* I was confused that the document starts out describing a generic cert request
mechanism. Then deep into the YANG modules, it turns out that there is guidance
(only?) for very specific types of certs, namely LDevID and IDevID. And the
choice is non-orthogonal: it is unclear what is the guidance for other certs
when using CMC and CMP, and conversely, whether these two certs can be
generated with a PKCS#10 CSR.
We updated the YANG module to greatly remove references to IDevID/LDevID.
Specifically:
1) s/IDevID/initial device identity certificate/g
2) s/LDevID/local device identity certificate/g
3) manually rewrap lines to col 69 as required
4) removed the terminology-disclaimer block at top
The diff is here: https://github.com/netconf-wg/sztp-csr/commit/ac35f96eec96528dddf5798d528d9874a85c604b" rel="nofollow">https://github.com/netconf-wg/sztp-csr/commit/ac35f96eec96528dddf5798d528d9874a85c604b
Good?
* I suggest adding a Security Considerations section about the need for strong
randomness, which is often unavailable to small embedded devices at the early
stages of provisioning. I wish we were more successful with:
https://datatracker.ietf.org/doc/html/draft-sheffer-dhc-initial-random-00" rel="nofollow">https://datatracker.ietf.org/doc/html/draft-sheffer-dhc-initial-random-00
OLD:
It is RECOMMENDED that a new private key is generated for each CSR
described in this document.
NEW:
It is RECOMMENDED that a new private key is generated for each CSR
described in this document.
This private key MUST be generated using a quality random source. The
use of inadequate pseudo-random number generators (PRNGs) to
generate private keys can result in little or no security. An attacker may
find it much easier to reproduce the PRNG environment that produced
the private key, searching the resulting small set of possibilities, rather
than brute force searching the whole private key space. The generation
of quality random numbers is difficult. BCP 106 [RFC4086] offers
important guidance in this area.
and we added an Informational reference to RFC 4086.
Good now?
* Negotiation (?) of the CSR format and supported algorithms is unclear in Sec.
2.2: is it the client that provides the values it supports and the server picks
one? Alternatively, is the list conveyed by the server in the error-info and so
the client knows exactly what is supported? IOW, why include these values at
all in error-info?
Section 2.1 states the sequence of exchanges, but we went ahead and added more context to the examples for additional clarity. The diff is here: https://github.com/netconf-wg/sztp-csr/commit/7ed4f5b1daee539dc9071061e4d427e843467d02" rel="nofollow">https://github.com/netconf-wg/sztp-csr/commit/7ed4f5b1daee539dc9071061e4d427e843467d02
Better?
* It is not clear from Sec. 2.2 how exactly the client is supposed to associate
one of possibly multiple received certificates to the CSR it just sent out.
Surely it is not expected to grep for the string "Newly-Generated"?
There doesn’t have to be any logic on the client to detect the signed certificate or, for that matter, to ensure that the server sent one at all. The point of the bootstrap process is to *configure* the SZTP-client, and the client's only post-update logic is to “run as configured”, whatever that might be.
That said, it wouldn’t be hard for a client to, e.g., search a “keystore" mechanism for a key having the key used in the CSR and then search certificates associated with that key for that cert having the matching attributes (e.g., the “Subject” attribute) as in the CSR.
Makes sense? [No update to the draft was made to address this comment]
* 2.3: the description of "error-info" still does not specify if the server
should list all CSR format and algorithms it supports.
Section 2.1 indicates that the client’s message lists all of the key-algorithms and csr-formats it supports and the server’s message merely selects the specific algorithm/format it wishes the client use. This comment is nearly identical to one of your earlier comments, for which we added more context around the examples. Good enough?
* Is there really need to support 3 different CSR formats?
Yes and, FWIW, the PKI world has even more formats; we actually restricted them to just those that are most widely implemented.
* Where does the client indicate which cert is wants to receive based on this
CSR, e.g. "this CSR is for a LDevID"? Is this information embedded in the CSR
itself?
The CSR is always for an LDevID. It can never be for an IDevID, which can (effectively) only be generated/installed by the vendor during the device’s manufacturing process.
Makes sense? [No update to the draft was made to address this comment]
* Is RFC 2986 (published Nov. 2000) the best reference for an
AlgorithmIdentifier? Is there no IANA registry we could reference instead?
There is not an IANA registry for AlgorithmIdentifiers. RFC 2986 is the reference for the PKCS#10 CSR.
[No update to the draft was made to address this comment]
* When talking about algorithm matching, I suggest changing "It is an error
if..." into normative text, "The recipient MUST reject...".
OLD:
It is an error if the 'AlgorithmIdentifier' field
contained inside the 'SubjectPublicKeyInfo' field
does not match the algorithm identified by the
'selected-algorithm' node.";
NEW:
If the 'AlgorithmIdentifier' field contained inside the
certificate 'SubjectPublicKeyInfo' field does not match
the algorithm identified by the 'selected-algorithm' node,
then the client MUST reject the certificate and raise an
error.";
Good?
* "Details for how to generate a new private key and associate a new identity
certificate are outside the scope of this document." - This is rather
disappointing, since we just RECOMMENDED to regenerate certs periodically (and
given that IOT devices often lack HSMs).
Understood, but key-generation is indeed outside the scope of this document.
[No update to the draft was made to address this comment]
Thanks again,
Kent (and Sean and Russ)
- [Last-Call] Secdir last call review of draft-ietf… Yaron Sheffer via Datatracker
- Re: [Last-Call] Secdir last call review of draft-… Kent Watsen
- Re: [Last-Call] Secdir last call review of draft-… Yaron Sheffer
- Re: [Last-Call] Secdir last call review of draft-… Russ Housley
- Re: [Last-Call] Secdir last call review of draft-… Yaron Sheffer
- Re: [Last-Call] Secdir last call review of draft-… Russ Housley
- Re: [Last-Call] Secdir last call review of draft-… Yaron Sheffer
- Re: [Last-Call] Secdir last call review of draft-… Russ Housley
- Re: [Last-Call] Secdir last call review of draft-… Yaron Sheffer
- Re: [Last-Call] Secdir last call review of draft-… Kent Watsen
- Re: [Last-Call] Secdir last call review of draft-… Yaron Sheffer