[netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Tue, 30 January 2024 16:47 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: netconf@ietf.org
Delivered-To: netconf@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE58C1CAF4D; Tue, 30 Jan 2024 08:47:34 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Roman Danyliw via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, netconf-chairs@ietf.org, netconf@ietf.org, bill.wu@huawei.com, mjethanandani@gmail.com, bill.wu@huawei.com
X-Test-IDTracker: no
X-IETF-IDTracker: 12.4.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Roman Danyliw <rdd@cert.org>
Message-ID: <170663325496.44925.1682814616077470749@ietfa.amsl.com>
Date: Tue, 30 Jan 2024 08:47:34 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-QENe1MEPyTbOjoJCN0ALD7dRPU>
Subject: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jan 2024 16:47:35 -0000
Roman Danyliw has entered the following ballot position for draft-ietf-netconf-trust-anchors-23: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- ** Section 5.1 In order to satisfy the expectations of a "truststore", it is RECOMMENDED that implementations ensure that the truststore contents are protected from unauthorized modifications when at rest. Similar feedback to draft-ietf-netconf-keystore. If this recommendation is NOT followed how would this expectation be satisfied? Shouldn't ensuring that the truststore is protected be mandatory? ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you to Yoav Nir for the SECDIR review. ** Clarifying that certificates are actually certificate chains in the node descriptions. YANG. typedef central-certificate-ref description "This typedef defines a reference to a specific certificate in a certificate bag in the central truststore. This typedef requires that there exist a sibling 'leaf' node called 'certificate-bag' that SHOULD have the typedef 'central-certificate-bag-ref'."; YANG. list certificate description "An arbitrary name for this certificate."; ** YANG. Typo. s/inlucging/including/ ** YANG. list certificate-bag "A bag of certificates. Each bag of certificates SHOULD be for a specific purpose. For instance, one bag could be used to authenticate a specific set of servers, while another could be used to authenticate a specific set of clients."; Since normative language is used here, can additional guidance be provided on qualifying “specific purpose”. For example, can one put different applications for the same server in the same bag? What is the consequence of incorrectly binning the certificate chains? More generally, I’m wondering about the significance of where certificates are binned. Because of natural language describing the purpose of these bags, I don’t see an obvious, interoperable, general purpose way to automatically parse this structure to know which certificate to use for a server beyond checking subjectAltNames in the certificate against a domain name (which precludes the need to even organize these certificates into bins beyond readability). ** Section 3. Built-in bags of trust anchors and/or specific trust anchors, that are referenced by configuration (e.g., a "leafref"), MUST be present in a datastore in order for the datastore to be valid. Built-in bags and/or their trust anchors MAY be copied into other parts of the configuration but, by doing so, they lose their association to the built-in entries and any assurances afforded by knowing they are/were built-in. As with netconf-keystore, I’m having trouble with the guidance for built-in keys, more specifically, the guidance around a data-store. -- If something is “built-in”, isn’t it by definition in some kind of datastore already. Are there now multiple data stores? -- What does “copying” into a different part of the configuration mean? Aren’t we talking about an XML file? Does this imply keys are moved from one data-store (the built-in?) to another one (e.g., a OS or application specific one)? ** Section 4.3 None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module. Doesn’t read-access to this module provide insight into which other resources/applications/servers this particular server communicates with by virtue of having their end-entity certificates or SSH keys? Wouldn’t this provide an attacker insight into potential targeting? or business relationships?
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Roman Danyliw
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen