Re: [netconf] ietf crypto types - permanently hidden

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 21 March 2019 15:29 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0C9613123A for <netconf@ietfa.amsl.com>; Thu, 21 Mar 2019 08:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2sOLBDNP4heV for <netconf@ietfa.amsl.com>; Thu, 21 Mar 2019 08:29:25 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBA90131226 for <netconf@ietf.org>; Thu, 21 Mar 2019 08:29:24 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 09B593D; Thu, 21 Mar 2019 16:29:23 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id Tln-RdCrys41; Thu, 21 Mar 2019 16:29:23 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Thu, 21 Mar 2019 16:29:22 +0100 (CET)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by hermes.jacobs-university.de (Postfix) with ESMTP id E7C7A2009D; Thu, 21 Mar 2019 16:29:22 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10028) with ESMTP id 7PE9fjsB65_H; Thu, 21 Mar 2019 16:29:22 +0100 (CET)
Received: from exchange.jacobs-university.de (sxchmb03.jacobs.jacobs-university.de [10.70.0.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "exchange.jacobs-university.de", Issuer "DFN-Verein Global Issuing CA" (verified OK)) by hermes.jacobs-university.de (Postfix) with ESMTPS id 7373E2009B; Thu, 21 Mar 2019 16:29:22 +0100 (CET)
Received: from anna.localdomain (10.50.218.117) by sxchmb03.jacobs.jacobs-university.de (10.70.0.155) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.1591.10; Thu, 21 Mar 2019 16:29:21 +0100
Received: by anna.localdomain (Postfix, from userid 501) id 8BD9A300765526; Thu, 21 Mar 2019 16:29:20 +0100 (CET)
Date: Thu, 21 Mar 2019 16:29:20 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>
CC: "netconf@ietf.org" <netconf@ietf.org>, Kent Watsen <kent@watsen.net>
Message-ID: <20190321152920.jdkny7szk7ik3sp4@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>, Kent Watsen <kent@watsen.net>
References: <VI1PR07MB4735863E79020AD84C4FDF9483420@VI1PR07MB4735.eurprd07.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <VI1PR07MB4735863E79020AD84C4FDF9483420@VI1PR07MB4735.eurprd07.prod.outlook.com>
User-Agent: NeoMutt/20180716
X-ClientProxiedBy: SXCHMB03.jacobs.jacobs-university.de (10.70.0.155) To sxchmb03.jacobs.jacobs-university.de (10.70.0.155)
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4n9Oi9ovNI3ADDwnZSn6CrzgfZk>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 15:29:28 -0000

I agree, I do not understand the second sentence either. My problem
is that I do not know what a 'real' private key is, are hidden keys
somewhat unreal? Or is "not hidden" = "real"?

The last sentence can probably be fixed; I think the intention was
to say that you can't backup and restore hidden keys by retrieving
configuration and restoring the configuration.

In general, I think we need a definition what a hidden key is. Is
something not exposed via a YANG interface a hidden key (but it may be
a regular key when using other device access methods)? Or do we
require that a hidden key is generally protected? I assume some people
want to have flexibility here but from the viewpoint of a security
administrator it matters a lot whether 'hidden' means 'generally not
accessible' or only 'not accessible via YANG protocols'.

The description of install-hidden-key seems to indicate a key is
already 'hidden' if it only exists in <operational>. Is this really a
'hidden' key or more an 'ephemeral' key?

/js

On Thu, Mar 21, 2019 at 02:23:27PM +0000, Balázs Kovács wrote:
> Hi,
> 
> The 'generate-hidden-key' action is meant for cases when the key must be generated in the device and not the operator is configuring it. The 'generate-hidden-key' is said to produce a 'permanently-hidden' asymmetric key. The description of 'permanently-hidden' is as follows:
> 
>                 "The private key is inaccessible due to being
>                   protected by the system (e.g., a cryptographic
>                   hardware module).  It is not possible to
>                   configure a permanently hidden key, as a real
>                   private key value must be set.  Permanently
>                   hidden keys cannot be archived or backed up.";
> 
> Th second sentence doesn't sound right. I can create a permanently hidden key any time by calling the 'generate-hidden-key' action, or if the device or the model allows I could even switch to non-hidden key, I believe, by providing the binary. So I find the second sentence irrelevant in this description.
> 
> More importantly, I find the "Permanently hidden keys cannot be archived or backed up" statement false. Isn't that implementation specific how archiving is done? If a device puts the hidden keys on some storage, it may still be possible to back them up. I would prefer to remove this sentence and leave backup considerations to implementations.
> 
> Could these changes be done?
> 
> Br,
> Balazs

> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf


-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>