Re: [netconf] ietf crypto types - permanently hidden
Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 03 May 2019 06:10 UTC
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 03 May 2019 06:09:57 +0000
Message-ID: <VI1PR07MB473550063330EE25D65642E083350@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com> <20190430.144930.844252169549242587.mbj@tail-f.com> <0100016a6f64a438-50e97747-d12b-429b-8147-8bf6ed82bdac-000000@email.amazonses.com> <20190502.120944.41224357089248496.mbj@tail-f.com> <0100016a7957dd62-0c25451b-3a69-4a08-b4e6-d7ad22e5227d-000000@email.amazonses.com>
In-Reply-To: <0100016a7957dd62-0c25451b-3a69-4a08-b4e6-d7ad22e5227d-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/pIBK-B60rcDX9dguEn8DIoCjynk>
Hi,

> But why? If an operator wants to replace, why should the list entry first be deleted and then created and then the key can be generated? This seems like a CLR to me.
>
> https://mailarchive.ietf.org/arch/msg/netconf/ZwXll9BtAv61EvVXtFDLLzTkljE

I might back off from this one. I guess mismatched key pairs can occur with the regular configuration case too, so it all depends on the operator to provide the right pair, and it should be the operator's decision to do a graceful key switch by creating a new key instance or to do an instant renewal on the same instance. If the peer device does not have to be reconfigured, the renewal on the same instance could be a better choice.

Br,
Balazs

From: Kent Watsen <kent+ietf@watsen.net>
Sent: Thursday, May 2, 2019 6:19 PM
To: Martin Bjorklund <mbj@tail-f.com>
Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; netconf@ietf.org
Subject: Re: [netconf] ietf crypto types - permanently hidden

> >> In enum permanently-hidden:
> >>
> >> OLD:
> >> The private key is inaccessible due to being protected by the system (e.g., a cryptographic hardware module).
> >>
> >> NEW:
> >> The private key is inaccessible due to being protected by the system (e.g., a cryptographic hardware module). Since hidden keys are only ever reported in <operational>, the value 'permanently-hidden' never appears in <intended>.
> >
> > Ok, but perhaps s/<intended>/conventional configuration datastores/?
>
> Fixed in my local copy.
>
> >> Note that this statement was added because Juergen asked about how hidden keys could be removed/replaced. We iterated towards not wanting to support the "replace" case
> >
> > But why? If an operator wants to replace, why should the list entry first be deleted and then created and then the key can be generated? This seems like a CLR to me.
> >
> > https://mailarchive.ietf.org/arch/msg/netconf/ZwXll9BtAv61EvVXtFDLLzTkljE
> >
> > Ok, I see. I think the text needs some clarification; make it more explicit. It needs to say that if a "permanently-hidden" private key exists in <operational> under a parent config true node and this parent node is deleted, the private key is supposed to be (MUST be?) deleted from the system as well.
>
> Added, with a MUST.
>
> >> A remove-hidden-key action can be problematic b/c if you forget to call this action and then delete the config, presumably you have lingering keys in the system that you can't remove.
> >
> > I don't think this is true. Even if an asymmetric key only exists in <operational> (i.e., the corresponding "config true" parent node is deleted), it seems that a 'remove-hidden-key' could still remove it. In fact, this is the most consistent thing, to have an 'action' act on values in <operational>.
>
> Kent // contributor
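The lifecycle being argued over in the message above, written out as an added Python simulation for readers following the thread. This is not code from the ietf-crypto-types draft or from any participant; the `Device` class, the `hsm` dictionary standing in for a cryptographic hardware module, and the `renew_in_place` / `graceful_switch` helpers are assumptions made for illustration. Only the state name `permanently-hidden`, the `remove-hidden-key` action and the two datastores are taken from the discussion. The model enforces the MUST that Kent added (deleting the config-true parent destroys the hidden key) and lets the remove action act on `<operational>` state as Martin describes, so no key can linger after a forgotten cleanup; it also contrasts the two renewal strategies Balázs mentions.

```python
from dataclasses import dataclass, field


class KeyStoreError(Exception):
    """Raised when an action is attempted on a key state that does not allow it."""


@dataclass
class Device:
    # <intended>: the config-true asymmetric-key list entries. Only the
    # name and algorithm are configured; no private-key value is ever here.
    intended: dict = field(default_factory=dict)
    # Constructed stand-in for the hardware module: entry name -> opaque handle.
    hsm: dict = field(default_factory=dict)
    next_handle: int = 1

    def configure_key(self, name: str, algorithm: str) -> None:
        """Create the config-true list entry; no private key exists yet."""
        self.intended[name] = {"algorithm": algorithm}

    def generate_hidden_key(self, name: str) -> str:
        """Generate a private key inside the module for an existing config entry.
        Refuses to overwrite: replacing means removing the old key first."""
        if name not in self.intended:
            raise KeyStoreError(f"no config entry named {name!r}")
        if name in self.hsm:
            raise KeyStoreError(f"{name!r} already holds a hidden key")
        handle = f"hsm-slot-{self.next_handle}"
        self.next_handle += 1
        self.hsm[name] = handle
        return handle

    def delete_config_entry(self, name: str) -> None:
        """Deleting the config-true parent MUST also destroy the hidden key."""
        del self.intended[name]
        self.hsm.pop(name, None)

    def remove_hidden_key(self, name: str) -> bool:
        """Action acting on <operational>: works whether or not the config
        parent still exists, so a forgotten cleanup never strands a key."""
        return self.hsm.pop(name, None) is not None

    def operational(self) -> dict:
        """<operational>: config leaves plus the system-reported key state.
        'permanently-hidden' appears here and nowhere else."""
        view = {n: dict(cfg) for n, cfg in self.intended.items()}
        for name in self.hsm:
            view.setdefault(name, {})["private-key"] = "permanently-hidden"
        return view


def renew_in_place(dev: Device, name: str) -> str:
    """Instant renewal on the same list entry: peers keep referencing the
    same name but must learn the new public key."""
    dev.remove_hidden_key(name)
    return dev.generate_hidden_key(name)


def graceful_switch(dev: Device, old: str, new: str, algorithm: str) -> str:
    """Graceful key switch: a second entry is generated while the old one is
    still usable, then the old entry is deleted (which destroys its key)."""
    dev.configure_key(new, algorithm)
    handle = dev.generate_hidden_key(new)
    dev.delete_config_entry(old)
    return handle


def demo() -> dict:
    """Walk one entry through generation, in-place renewal and a graceful switch."""
    dev = Device()
    dev.configure_key("tls-server", "rsa2048")
    dev.generate_hidden_key("tls-server")
    in_intended = any("private-key" in e for e in dev.intended.values())
    op_state = dev.operational()["tls-server"]["private-key"]
    first = dev.hsm["tls-server"]
    second = renew_in_place(dev, "tls-server")
    graceful_switch(dev, "tls-server", "tls-server-next", "rsa2048")
    return {
        "in_intended": in_intended,
        "operational_state": op_state,
        "renewed_handle_changed": first != second,
        "old_entry_gone": "tls-server" not in dev.hsm
        and "tls-server" not in dev.intended,
        "entries_after_switch": sorted(dev.operational()),
        "remove_missing": dev.remove_hidden_key("tls-server"),
    }


if __name__ == "__main__":
    print(demo())
```

The point the simulation makes concrete is the one Martin raises: because `remove_hidden_key` looks at the module's state rather than at `<intended>`, it can clean up a key whose config parent is already gone, and with `delete_config_entry` honouring the MUST, that situation does not arise in the first place.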