[netconf] draft-ietf-netconf-trust-anchors and unconstrained public keys

Carl Wallace <carl@redhoundsoftware.com> Mon, 25 April 2022 13:36 UTC

Date: Mon, 25 Apr 2022 09:36:38 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <B2403E78-407C-4DDA-A089-7A7F4DC45DEC@redhoundsoftware.com>
Thread-Topic: draft-ietf-netconf-trust-anchors and unconstrained public keys
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9Jhp1ojt7aWYvKleu3IvHtEhO0c>
Subject: [netconf] draft-ietf-netconf-trust-anchors and unconstrained public keys

Section 4.2 states:

	This module also enables the configuration of certificates, where each certificate may constrain the usage of the public key according to local policy.

Assuming local policy means relying-party-defined policy, this won't work unless the signature on the certificate is ignored. Defining or using a structure in this draft that supports local application of constraints may help avoid reliance on public keys that are unnecessarily broad. RFC 5914 defines a structure that allows for associating constraints with raw public keys or certificates. The default representation of the TA structure in 5914 is simply a certificate, so it'd fit here pretty easily. Historically, trust anchors have been essentially unconstrained, but that may not always be the case going forward.
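The following is an added example, not code from the post above, from draft-ietf-netconf-trust-anchors or from RFC 5914. It models the two points the post makes: writing a relying-party constraint into the certificate itself invalidates the CA's signature, whereas pairing the untouched certificate with RFC 5914-style CertPathControls (nameConstr and pathLenConstraint) lets the relying party narrow what the anchor may validate. The `Certificate`, `CertPathControls` and `TrustAnchor` classes are simplified stand-ins for the ASN.1 structures, JSON stands in for DER, an HMAC stands in for the CA signature, and all names and keys are constructed for the demonstration.

```python
"""Added example (not from the post, the draft or RFC 5914): a toy model of
RFC 5914 CertPathControls applied locally to a trust anchor certificate.
Names, keys and the HMAC 'signature' are constructed stand-ins."""
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 certificate (JSON stands in for DER)."""
    subject: str
    issuer: str
    san_dns: tuple            # subjectAltName dNSName values
    path_len: Optional[int]   # basicConstraints pathLenConstraint, None if absent
    signature: bytes

    def tbs(self) -> bytes:
        """Canonical to-be-signed encoding of every field except the signature."""
        return json.dumps([self.subject, self.issuer, list(self.san_dns),
                           self.path_len]).encode()


def issue(key: bytes, subject: str, issuer: str, san_dns=(), path_len=None) -> Certificate:
    """Stand-in for CA issuance: an HMAC over the TBS fields plays the CA signature."""
    unsigned = Certificate(subject, issuer, tuple(san_dns), path_len, b"")
    sig = hmac.new(key, unsigned.tbs(), hashlib.sha256).digest()
    return dataclasses.replace(unsigned, signature=sig)


def signature_valid(key: bytes, cert: Certificate) -> bool:
    expected = hmac.new(key, cert.tbs(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cert.signature)


@dataclass(frozen=True)
class CertPathControls:
    """Subset of RFC 5914 CertPathControls: nameConstr (permittedSubtrees, dNSName)
    and pathLenConstraint, both chosen by the relying party, not the issuing CA."""
    permitted_dns: tuple = ()
    path_len_constraint: Optional[int] = None


@dataclass(frozen=True)
class TrustAnchor:
    """Models RFC 5914 TrustAnchorChoice: the bare `certificate` form (the default)
    or the `taInfo` form that pairs the same, unmodified certificate with controls."""
    certificate: Certificate
    controls: Optional[CertPathControls] = None


def dns_within(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName subtree match: equal to, or a subdomain of, the subtree."""
    return name == subtree or name.endswith("." + subtree)


def validate_chain(ta: TrustAnchor, chain: list, keys: dict):
    """Validate chain = [intermediates..., leaf] against the anchor.
    `keys` maps CA subject names to stand-in signing keys. Returns (ok, reason)."""
    anchor = ta.certificate
    # The anchor is verified as issued; local controls never touch its bytes.
    if not signature_valid(keys[anchor.issuer], anchor):
        return False, "trust anchor certificate does not verify"
    controls = ta.controls or CertPathControls()
    # Effective path length: the most restrictive of the cert's own and the local limit.
    limits = [n for n in (anchor.path_len, controls.path_len_constraint) if n is not None]
    intermediates = len(chain) - 1
    if limits and intermediates > min(limits):
        return False, f"{intermediates} intermediate(s) exceed pathLenConstraint {min(limits)}"
    expected_issuer = anchor.subject
    for cert in chain:
        if cert.issuer != expected_issuer or cert.issuer not in keys:
            return False, f"{cert.subject}: issuer {cert.issuer!r} does not chain"
        if not signature_valid(keys[cert.issuer], cert):
            return False, f"{cert.subject}: bad signature"
        # Local name constraints apply to every certificate below the anchor.
        for name in cert.san_dns:
            if controls.permitted_dns and not any(dns_within(name, s) for s in controls.permitted_dns):
                return False, f"{cert.subject}: dNSName {name!r} outside permitted subtrees"
        expected_issuer = cert.subject
    return True, "path valid"


def demo() -> dict:
    """Constructed scenario: a root, one intermediate, two leaves. Returns outcomes."""
    root_key, sub_key = b"root-stand-in-key", b"sub-stand-in-key"
    keys = {"ExampleRoot": root_key, "ExampleSub": sub_key}
    root = issue(root_key, "ExampleRoot", "ExampleRoot")
    sub = issue(root_key, "ExampleSub", "ExampleRoot", path_len=0)
    leaf_in = issue(sub_key, "router1.example.net", "ExampleSub", ("router1.example.net",))
    leaf_out = issue(sub_key, "host.other.test", "ExampleSub", ("host.other.test",))
    # 1. Writing the constraint into the certificate itself breaks the CA signature.
    edited_root = dataclasses.replace(root, path_len=0)
    # 2. The bare-certificate form accepts any name the CA is willing to sign.
    bare = TrustAnchor(root)
    # 3. The taInfo form keeps the certificate intact and adds relying-party limits.
    local = TrustAnchor(root, CertPathControls(permitted_dns=("example.net",), path_len_constraint=1))
    tight = TrustAnchor(root, CertPathControls(path_len_constraint=0))
    return {
        "edited_cert_verifies": signature_valid(root_key, edited_root),
        "bare_accepts_in": validate_chain(bare, [sub, leaf_in], keys)[0],
        "bare_accepts_out": validate_chain(bare, [sub, leaf_out], keys)[0],
        "local_accepts_in": validate_chain(local, [sub, leaf_in], keys)[0],
        "local_accepts_out": validate_chain(local, [sub, leaf_out], keys)[0],
        "tight_accepts_in": validate_chain(tight, [sub, leaf_in], keys)[0],
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The design point is that `validate_chain` combines the anchor's own pathLenConstraint with the local one by taking the more restrictive value, and applies the local permitted subtrees to every certificate below the anchor, so the relying party can narrow an anchor that the CA issued without any constraints while the certificate continues to verify exactly as the CA signed it.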