Re: [netconf] crypto-types fallback strategy

Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> Wed, 18 September 2019 16:37 UTC

From: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
CC: Kent Watsen <kent+ietf@watsen.net>, Russ Housley <housley@vigilsec.com>, "netconf@ietf.org" <netconf@ietf.org>, Sean Turner <sean@sn3rd.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVbjbxVhFlbERW30moo9Q8WhnpJqcxoiSA
Date: Wed, 18 Sep 2019 16:36:59 +0000
Message-ID: <20190918163657.4pxh5jddxgrir5oh@anna.jacobs.jacobs-university.de>
References: <8053FDA0-77EA-488F-B5A7-F203359105E0@akamai.com> <MN2PR11MB43669B3A47A39FD93B47292FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <6924CAD5-F740-4512-8689-E0307AF0BD88@akamai.com> <MN2PR11MB4366B5C09B4348FDAE33E2BCB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <99BFF357-6A2A-49E0-BB38-37C25DB04213@akamai.com> <MN2PR11MB4366F20EE2FD6DF04B965125B58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <EBE4757D-E99E-41EB-A52B-A25F023BF4BC@akamai.com> <MN2PR11MB4366E4ECE10DFB018941BA5FB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d44bda220-51590a9a-0a15-4b63-a49d-47efe712e82e-000000@email.amazonses.com> <MN2PR11MB436617082A8308A7A8928DDFB58E0@MN2PR11MB4366.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB436617082A8308A7A8928DDFB58E0@MN2PR11MB4366.namprd11.prod.outlook.com>
Reply-To: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/EomcFPdA_xHODYbd10vWBBbnnZM>
Subject: Re: [netconf] crypto-types fallback strategy
List-Id: NETCONF WG list <netconf.ietf.org>

On Wed, Sep 18, 2019 at 03:37:14PM +0000, Rob Wilton (rwilton) wrote:
> From the gist of the discussion, the punch list appears to be:
> 
> - revert back to using identities, as they were in the -08 revision.
> - only define base identities for what's needed immediately for TLS and SSH and keystore key-encryption.
> - define these base identities in distinct YANG modules
> - have each identity's description statement indicate what the binary key data is encoded.
> [RW]
> I think that this matches my view, except for "define these base identities in distinct YANG modules".  I don't feel particularly strongly about this, but I was thinking that the base identities would still be defined in crypto-types.yang, which might help keep the import references simple.

I tend to agree that sometimes less is more when it comes to modules.
For me, the problem is likely more that I am not entirely sure what
the proper base types would be, which may depend on what exactly they
are used for. I guess I'll wait until I see the description text...
 
> A bit separate from the above, but still in mind:
> 
>   - specify that all TLS public-keys are a DER-encoded SubjectPublicKeyInfo structure
>   - specify that all SSH public-keys are a "ssh-public-key-type" type (see below)
>   - specify that all encrypted symmetric keys are a DER-encoded OneSymmetricKey structure
>   - specify that all encrypted asymmetric keys are a DER-encoded OneAsymmetricKey structure

I would check what is commonly used in existing configuration
interfaces. We are not reinventing the wheel here. And whatever we
define had better be usable with existing implementations and tools.

> The "ssh-public-key" type would be defined as:
> 
>      typedef ssh-public-key-type {
>          type binary;
>          description
>            "The binary public key data for this SSH key, as
>             specified by RFC 4253, Section 6.6, i.e.:
> 
>               string    certificate or public key format
>                         identifier
>               byte[n]   key/certificate data.";
>          reference
>            "RFC 4253: The Secure Shell (SSH) Transport
>                       Layer Protocol";
>      }

The SSH implementations that I use have the binary key data rendered
in ASCII. In fact, the whole key record is rendered in ASCII. I
strongly suggest using formats that are well established.

/js 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
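As an added example (not code from this thread, from any IETF draft, or from OpenSSH), the following Python encodes and parses the RFC 4253 Section 6.6 structure quoted above (a `string` format identifier followed by the key-type-specific fields, using the RFC 4251 `string` and `mpint` encodings) and shows the ASCII line form that SSH tools actually exchange: the same blob base64-encoded and prefixed with the key type. All key values are constructed for the demo and are not real keys; the function names and the `KEY_LAYOUT` table are this example's own, not names from any standard or draft.

```python
"""Encode/parse SSH public keys: RFC 4253 6.6 wire format and the ASCII
(base64) line form.  Added example; key material is constructed, not real."""
import base64
import struct


def _put_string(b):
    # RFC 4251 'string': uint32 big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b


def _put_mpint(n):
    # RFC 4251 'mpint': two's-complement big-endian with minimal length;
    # a leading 0x00 is added only when the top bit would read as a sign bit.
    if n < 0:
        raise ValueError("negative mpints do not occur in SSH public keys")
    if n == 0:
        return _put_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _put_string(raw)


def _get_string(blob, pos):
    # Bounds-checked read of one 'string'; a short blob raises instead of
    # silently returning fewer bytes than the length field promised.
    if pos + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % pos)
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + n > len(blob):
        raise ValueError("string of %d bytes runs past end of key blob" % n)
    return blob[pos:pos + n], pos + n


# Field layout after the format identifier, in wire order (example's own table):
# ssh-rsa carries e and n (RFC 4253 6.6); ssh-ed25519 carries the 32-byte key;
# ecdsa-sha2-nistp256 carries the curve identifier and the point Q (RFC 5656).
KEY_LAYOUT = {
    "ssh-ed25519": ("string",),
    "ssh-rsa": ("mpint", "mpint"),
    "ecdsa-sha2-nistp256": ("string", "string"),
}


def encode_key_blob(key_type, fields):
    """Build the RFC 4253 6.6 binary record: identifier string + fields."""
    out = _put_string(key_type.encode("ascii"))
    for f in fields:
        out += _put_mpint(f) if isinstance(f, int) else _put_string(f)
    return out


def to_openssh_line(key_type, fields, comment=""):
    """Render the blob the way SSH tools exchange it: '<type> <base64> [comment]'."""
    b64 = base64.b64encode(encode_key_blob(key_type, fields)).decode("ascii")
    return "%s %s" % (key_type, b64) + (" " + comment if comment else "")


def parse_openssh_line(line):
    """Parse an ASCII key line back into its fields, rejecting malformed input."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    ident, pos = _get_string(blob, 0)
    # The identifier inside the blob must agree with the ASCII prefix;
    # a mismatch means the line was edited or mis-assembled.
    if ident != key_type.encode("ascii"):
        raise ValueError("embedded identifier %r != line type %r" % (ident, key_type))
    layout = KEY_LAYOUT.get(key_type)
    if layout is None:
        raise ValueError("unsupported key type %s" % key_type)
    fields = []
    for kind in layout:
        raw, pos = _get_string(blob, pos)
        fields.append(int.from_bytes(raw, "big") if kind == "mpint" else raw)
    if pos != len(blob):
        raise ValueError("%d trailing bytes after key data" % (len(blob) - pos))
    return {"type": key_type, "fields": fields, "comment": comment, "blob": blob}


def is_well_formed(line):
    """True if the line parses cleanly under the checks above."""
    try:
        parse_openssh_line(line)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not real keys): field values chosen for the demo.
SAMPLE_ED25519_LINE = to_openssh_line("ssh-ed25519", [bytes(range(32))], "constructed@example")
SAMPLE_RSA_LINE = to_openssh_line("ssh-rsa", [65537, (1 << 255) + 1], "constructed-rsa")
# Same ed25519 blob with its last three bytes dropped: must be rejected.
_blob = encode_key_blob("ssh-ed25519", [bytes(range(32))])
SAMPLE_TRUNCATED_LINE = "ssh-ed25519 " + base64.b64encode(_blob[:-3]).decode("ascii")

if __name__ == "__main__":
    print(SAMPLE_ED25519_LINE)
    print(parse_openssh_line(SAMPLE_RSA_LINE)["fields"])
    print("truncated accepted?", is_well_formed(SAMPLE_TRUNCATED_LINE))
```

The parser checks three things a YANG leaf holding the raw `binary` data would not check for you: that every length prefix fits inside the blob, that the identifier embedded in the blob matches the key type named outside it, and that nothing trails the last field. Whichever representation the module ends up mandating, binary blob or ASCII line, an implementation still has to apply these checks before trusting the decoded key.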