Re: [netconf] crypto-types fallback strategy

"Salz, Rich" <rsalz@akamai.com> Mon, 07 October 2019 12:22 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>, Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Date: Mon, 07 Oct 2019 12:22:06 +0000
Message-ID: <F87DD88B-E73C-4A89-99E7-70247E9C5E62@akamai.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d3afa694e-ce58ee3a-792f-4c0e-89bb-83d0128a5194-000000@email.amazonses.com> <MN2PR11MB4366F63419F6BD4EF106766FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <8053FDA0-77EA-488F-B5A7-F203359105E0@akamai.com> <MN2PR11MB43669B3A47A39FD93B47292FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <6924CAD5-F740-4512-8689-E0307AF0BD88@akamai.com> <MN2PR11MB4366B5C09B4348FDAE33E2BCB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <99BFF357-6A2A-49E0-BB38-37C25DB04213@akamai.com> <MN2PR11MB4366F20EE2FD6DF04B965125B58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <EBE4757D-E99E-41EB-A52B-A25F023BF4BC@akamai.com> <MN2PR11MB4366E4ECE10DFB018941BA5FB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d44bda220-51590a9a-0a15-4b63-a49d-47efe712e82e-000000@email.amazonses.com> <2614C1E8-A015-4816-AA3B-F75D02F5701C@akamai.com> <0100016d45447f68-68073ae2-3f96-4c6d-846d-7c661c1cdb0c-000000@email.amazonses.com> <7AE47512-8974-4A8C-9756-699CAE220EF9@akamai.com> <1c08a27c27ea4177b9cfc524c92042f0@huawei.com>
In-Reply-To: <1c08a27c27ea4177b9cfc524c92042f0@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/6mYUJW63pNbGerE04lR6YyOGZpw>
Subject: Re: [netconf] crypto-types fallback strategy

> If I am not wrong, TLS 1.3 supports the use of raw public keys between client and server.
> I think TLS + raw public key was specified in RFC 7250 and later merged into RFC 8446 (TLS 1.3).

You are not wrong.  But public keys do not need to be encrypted or protected by other privacy means.  Private keys still do.  So “TLS with raw keys” does not change the security requirements compared to “TLS with certificates.”

My issue is that I do not think “TLS with raw keys” is used very much, and we do not have to support it in the first versions of these documents.
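The point above, that a raw public key changes only how the public half is carried while the private half still needs confidentiality, can be shown concretely. The following Go program is an added example for this thread, not code from the crypto-types draft or from any of the posters. It builds an ECDSA key pair, serializes the public half as the SubjectPublicKeyInfo that RFC 7250 carries verbatim as RawPublicKey, shows that a self-signed X.509 certificate carries byte-identical SubjectPublicKeyInfo, and then shows that the unprotected PKCS#8 private key does expose the private scalar and therefore gets wrapped before storage. The wrapping key (`NewKEK`), the AAD label and the certificate name are hypothetical choices for the demonstration; the example deliberately does not implement a password KDF.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// KeyPairBlobs holds both halves of a key pair in the encodings a TLS
// endpoint hands out: the public half as DER SubjectPublicKeyInfo (exactly
// the RawPublicKey bytes of RFC 7250), the private half as DER PKCS#8.
type KeyPairBlobs struct {
	RawPublicKey []byte
	PKCS8Private []byte // unprotected; must not be stored like this
}

// pkcs8AAD is a hypothetical label bound into the GCM tag so a wrapped
// private key cannot be replayed as some other kind of sealed blob.
const pkcs8AAD = "pkcs8-private-key"

// GenerateP256 creates an ECDSA P-256 key pair and serializes both halves.
func GenerateP256() (*ecdsa.PrivateKey, KeyPairBlobs, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, KeyPairBlobs{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, KeyPairBlobs{}, err
	}
	p8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, KeyPairBlobs{}, err
	}
	return priv, KeyPairBlobs{RawPublicKey: spki, PKCS8Private: p8}, nil
}

// SameSPKI wraps the key in a minimal self-signed certificate and reports
// whether the certificate's SubjectPublicKeyInfo is byte-identical to the
// raw public key: switching from certificates to RFC 7250 raw keys changes
// the container, not the key material or its protection needs.
func SameSPKI(priv *ecdsa.PrivateKey, blobs KeyPairBlobs) (bool, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "rpk-demo"}, // hypothetical name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return bytes.Equal(cert.RawSubjectPublicKeyInfo, blobs.RawPublicKey), nil
}

// ContainsPrivateScalar shows why the PKCS#8 blob needs confidentiality:
// anyone holding it can recover the private scalar d.
func ContainsPrivateScalar(priv *ecdsa.PrivateKey, p8 []byte) bool {
	parsed, err := x509.ParsePKCS8PrivateKey(p8)
	if err != nil {
		return false
	}
	ec, ok := parsed.(*ecdsa.PrivateKey)
	return ok && ec.D.Cmp(priv.D) == 0
}

// NewKEK returns a random 256-bit key-encryption key, standing in for
// whatever key the device really uses to wrap stored private keys.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// SealPrivateKey wraps a PKCS#8 blob with AES-256-GCM: output is nonce || ciphertext || tag.
func SealPrivateKey(kek, p8 []byte) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, p8, []byte(pkcs8AAD))...), nil
}

// OpenPrivateKey unwraps a sealed blob; a wrong KEK or tampered bytes fail authentication.
func OpenPrivateKey(kek, sealed []byte) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(pkcs8AAD))
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, blobs, err := GenerateP256()
	if err != nil {
		panic(err)
	}
	same, _ := SameSPKI(priv, blobs)
	fmt.Printf("RawPublicKey == cert SPKI: %v (%d bytes, safe to publish)\n", same, len(blobs.RawPublicKey))
	fmt.Printf("unprotected PKCS#8 reveals d: %v\n", ContainsPrivateScalar(priv, blobs.PKCS8Private))
	kek, _ := NewKEK()
	sealed, _ := SealPrivateKey(kek, blobs.PKCS8Private)
	fmt.Printf("sealed: %d bytes, plaintext visible: %v\n", len(sealed), bytes.Contains(sealed, blobs.PKCS8Private))
}
```

The interesting check is the first one: the DER that RFC 7250 puts into the Certificate message as RawPublicKey is the same SubjectPublicKeyInfo an X.509 certificate would carry, so choosing raw keys removes the certificate chain and its validation, nothing more. The private key is the same object either way and is wrapped before it ever reaches configuration or disk.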