Re: [netconf] ietf crypto types - permanently hidden

Kent Watsen <kent+ietf@watsen.net> Thu, 02 May 2019 16:19 UTC

Return-Path: <0100016a7957dd62-0c25451b-3a69-4a08-b4e6-d7ad22e5227d-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDACF120426 for <netconf@ietfa.amsl.com>; Thu, 2 May 2019 09:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TR-f8fVLInz8 for <netconf@ietfa.amsl.com>; Thu, 2 May 2019 09:19:28 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C655712042C for <netconf@ietf.org>; Thu, 2 May 2019 09:19:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1556813962; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=YDuhKhbVclgFuGQ1KgACexAIbE4qAy+47nw1yb31iU8=; b=VVRxDMq38jPx1atjWKQo/OQI2ur3GRZ0+ZGRyASVxLpKasGgTHAUHLosJvUzeWUb CtcQP4ZSaRUVa3L9kAYJajWOLkbCVq00m8F3xtWI+cTh8nhldrkY5nw5BMlbXnqqADr c+BJe2qPVP7z+xZaqq7VDAiS+SgD+CRDeyuKyAzA=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016a7957dd62-0c25451b-3a69-4a08-b4e6-d7ad22e5227d-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_161F4D0A-F3F5-4399-8ABB-A7DA6BF8DA84"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 2 May 2019 16:19:22 +0000
In-Reply-To: <20190502.120944.41224357089248496.mbj@tail-f.com>
Cc: balazs.kovacs@ericsson.com, "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com> <20190430.144930.844252169549242587.mbj@tail-f.com> <0100016a6f64a438-50e97747-d12b-429b-8147-8bf6ed82bdac-000000@email.amazonses.com> <20190502.120944.41224357089248496.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-SES-Outgoing: 2019.05.02-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5xy1O3WvxYtIySc68dFmEWcyWow>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 16:19:31 -0000

>> In enum permanently-hidden:
>>  OLD:
>>       The private key is inaccessible due to being protected by the
>>       system (e.g., a cryptographic hardware module).
>>  NEW:
>>       The private key is inaccessible due to being protected by the
>>       system (e.g., a cryptographic hardware module).  Since hidden
>>       keys are only ever reported in <operational>, the value
>>       'permanently-hidden' never appears in <intended>.
> 
> Ok, but perhaps s/<intended>/conventional configuration datastores/?

Fixed in my local copy.


>> Note that this statement was added because Juergen asked about how
>> hidden keys could be removed/replaced.  We iterated towards not
>> wanting to support the "replace" case
> 
> But why?  If an operator wants to replace, why should the list entry
> first be deleted and then created and then the key can be generated?
> This seems like a CLR to me.

https://mailarchive.ietf.org/arch/msg/netconf/ZwXll9BtAv61EvVXtFDLLzTkljE <https://mailarchive.ietf.org/arch/msg/netconf/ZwXll9BtAv61EvVXtFDLLzTkljE>



> Ok, I see.  I think the text needs some clarification; make it more
> explicit.  It needs to say that if a "permanently-hidden" private key
> exists in <operational> under a parent config true node and this
> parent node is deleted, the private key is supposed to be (MUST be?)
> deleted from the system as well.

Added, with a MUST.


> A remove-hidden-key action can be problematic b/c if you forget to
> call this action and then delete the config, presumably you have
> lingering keys in the system that you can't remove.

I don't think this is true.  Even if an asymmetric key only exists in <operational> (i.e., the corresponding "config true" parent node is deleted), it seems that a 'remove-hidden-key' could still remove it.  In fact, this is the most consistent thing, to have an 'action' act on values in <operational>.


Kent // contributor