Re: [Netconf] regarding keystore and related drafts

Kent Watsen <kwatsen@juniper.net> Sat, 17 March 2018 23:37 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Qin Wu <bill.wu@huawei.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: regarding keystore and related drafts
Thread-Index: AdO+OCaUcIWNVVYcTS+T0pgsBgEM0wAEMTQA
Date: Sat, 17 Mar 2018 23:37:32 +0000
Message-ID: <A74B2C26-A165-4C79-B574-835623DE4E27@juniper.net>
References: <B8F9A780D330094D99AF023C5877DABA9AD8C910@nkgeml513-mbs.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABA9AD8C910@nkgeml513-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5WQRSAXgue6JFAk3U5VqS9LYcKk>
Subject: Re: [Netconf] regarding keystore and related drafts

Hi Qin,

> Would it be great to see crypto types covers all application requiring 
> asymmetric key.

What do you mean by "all application"?

[Qin]: My impression is that the application is an SSH-specific application; please correct me if I am wrong.

<KENT> The immediate need is to support both SSH and TLS, as they are the transports for NETCONF and RESTCONF, but the hope is that the crypto types could be used for other purposes as well.

> For trust anchors, I think this draft is more related to certificates

It will likely be used mostly for certificates, but in the model SSH host keys can be configured as well.

[Qin]: So SSH host keys are not a mandatory parameter, correct?

<KENT> There is a list of pinned certificates and there is a list of pinned host keys (see below for the tree diagram). Neither is mandatory on its own, but something would need to be configured if using one of the SSH- or TLS-based client or server modules (e.g., ietf-tls-client), as those modules have leafrefs to the trust anchors. Makes sense?

   module: ietf-trust-anchors
     +--rw trust-anchors
        +--rw pinned-certificates* [name]
        |  +--rw name                  string
        |  +--rw description?          string
        |  +--rw pinned-certificate* [name]
        |     +--rw name    string
        |     +--rw data    binary
        +--rw pinned-host-keys* [name]
           +--rw name               string
           +--rw description?       string
           +--rw pinned-host-key* [name]
              +--rw name    string
              +--rw data    binary

Kent
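The tree diagram above only shows the shape of ietf-trust-anchors; the point Kent makes about leafrefs (nothing is mandatory in the trust-anchor lists themselves, but a client module that references them must find the entry it names) is easier to see in code. The following is an added example, not code from the e-mail or from any IETF draft. It models the pinned-host-keys branch of the tree as plain Python data, resolves a leafref from a hypothetical SSH-client entry to a pinned-host-keys list by name, and checks a host key presented by a server against the pinned `data` values. It assumes that the binary `data` leaf of pinned-host-key carries the SSH public-key blob in RFC 4253 wire format (the same bytes OpenSSH base64-encodes in known_hosts); the client-side leaf name `pinned-host-keys` and the sample key bytes are constructed for the example and are not taken from the page.

```python
"""Added example: pinned SSH host keys in the ietf-trust-anchors tree.

Not code from the original e-mail or from any IETF draft.  Models the
pinned-host-keys branch of the tree diagram, resolves a leafref from a
hypothetical client entry to it, and matches a presented host key against
the pinned 'data' blobs.  Assumption: 'data' holds the RFC 4253 public-key
blob (what OpenSSH base64-encodes in known_hosts).
"""
import base64
import hashlib
import struct


def _ssh_string(b: bytes) -> bytes:
    """Encode bytes as an RFC 4253 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


# --- constructed sample data (NOT real keys or hosts) -----------------------
SAMPLE_ED25519_PUB = bytes(range(32))            # 32 arbitrary bytes, not a real key
SAMPLE_HOST_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(SAMPLE_ED25519_PUB)
SAMPLE_KNOWN_HOSTS_LINE = (
    "r1.example.net ssh-ed25519 " + base64.b64encode(SAMPLE_HOST_KEY_BLOB).decode("ascii")
)

# Instance data shaped like the ietf-trust-anchors tree diagram.  A YANG
# 'binary' leaf is base64 in XML/JSON instance data; raw bytes are kept here.
TRUST_ANCHORS = {
    "pinned-certificates": [],
    "pinned-host-keys": [
        {
            "name": "lab-routers",
            "description": "Host keys of the lab NETCONF servers",
            "pinned-host-key": [{"name": "r1", "data": SAMPLE_HOST_KEY_BLOB}],
        }
    ],
}

# Hypothetical SSH-client entry whose leaf leafrefs a pinned-host-keys name.
SSH_CLIENT_CONFIG = {"name": "r1-client", "pinned-host-keys": "lab-routers"}


def parse_ssh_pubkey(blob: bytes) -> tuple:
    """Parse an RFC 4253 public-key blob into (algorithm, [field, ...]).

    Truncated length fields or oversized fields raise ValueError, so a
    corrupt 'data' leaf is rejected rather than silently pinned.
    """
    fields = []
    pos = 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field length exceeds blob")
        fields.append(blob[pos:pos + n])
        pos += n
    if len(fields) < 2:
        raise ValueError("blob must carry an algorithm name and key material")
    return fields[0].decode("ascii"), fields[1:]


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def data_leaf_from_known_hosts(line: str) -> bytes:
    """Turn one OpenSSH known_hosts line into the bytes for a 'data' leaf.

    The key field of known_hosts is the same RFC 4253 blob, base64-encoded,
    so it can be pasted straight into the XML/JSON 'data' leaf.
    """
    _host, algo, b64, *_comment = line.split()
    blob = base64.b64decode(b64)
    parsed_algo, _ = parse_ssh_pubkey(blob)
    if parsed_algo != algo:
        raise ValueError(f"algorithm field '{algo}' does not match blob '{parsed_algo}'")
    return blob


def resolve_pinned_host_keys(trust_anchors: dict, name: str) -> list:
    """Follow a leafref to /trust-anchors/pinned-host-keys[name]/pinned-host-key."""
    for entry in trust_anchors.get("pinned-host-keys", []):
        if entry["name"] == name:
            return entry["pinned-host-key"]
    # This is the "something would need to be configured" failure mode.
    raise LookupError(f"leafref to pinned-host-keys '{name}' does not resolve")


def host_key_is_pinned(trust_anchors: dict, client_cfg: dict, presented: bytes) -> bool:
    """True iff the server's presented key equals one of the pinned blobs."""
    algo, _ = parse_ssh_pubkey(presented)        # reject malformed input early
    for pinned in resolve_pinned_host_keys(trust_anchors, client_cfg["pinned-host-keys"]):
        pinned_algo, _ = parse_ssh_pubkey(pinned["data"])
        if pinned_algo == algo and fingerprint(pinned["data"]) == fingerprint(presented):
            return True
    return False


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HOST_KEY_BLOB))
    print(host_key_is_pinned(TRUST_ANCHORS, SSH_CLIENT_CONFIG, SAMPLE_HOST_KEY_BLOB))
```

A client entry that names a pinned-host-keys list which does not exist fails at `resolve_pinned_host_keys` with `LookupError`; on a real NETCONF server the equivalent leafref violation is caught at commit time. Comparing SHA256 fingerprints rather than raw blobs is what an operator would do when reconciling the configured `data` against `ssh-keyscan` or `ssh-keygen -lf` output.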