Re: [netconf] Move generate key actions? (pulling on a string unravels all)

Kent Watsen <> Mon, 10 February 2020 21:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B4AB12086C for <>; Mon, 10 Feb 2020 13:46:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TkLiTvNHr5wo for <>; Mon, 10 Feb 2020 13:46:49 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 669A912086B for <>; Mon, 10 Feb 2020 13:46:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;; t=1581371208; h=From:Content-Type:Mime-Version:Subject:Date:References:To:In-Reply-To:Message-Id:Feedback-ID; bh=wdE5cLqebiQWbsKPUnMG3mtmIfP4f2oow9OKrcsecNQ=; b=c/GHpBdG35kPlON3CXRVX7ZIJPoFye9ZNARjMWE5M6Nn2Km1BCuoFcbbEkmxjRCk q3gTr3Wr8lEgWuXQGb4CORULmi65gB8692+iduiP51GH3mGsvmjjZcKG8nXklZoGOmV zpBEWvkkthNAxlL7hso/FB32wrQqQi8I9IfZdjnE=
From: Kent Watsen <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_940BD73E-410C-4B61-9211-F45E66459248"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 10 Feb 2020 21:46:48 +0000
References: <>
To: "" <>
In-Reply-To: <>
Message-ID: <>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.02.10-
Archived-At: <>
Subject: Re: [netconf] Move generate key actions? (pulling on a string unravels all)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 Feb 2020 21:46:52 -0000

I completed moving the key-generating actions from keystone (KS) to crypto-types (CT).  The diffs can be seen here:

For CT: <>For KS: <>

More importantly, the issue raised below disappeared, as I realized that we were only planning to move the “config false” supported algorithm lists (not the alg enums) to the SSH and TLS drafts, thus there was/is no need to introduce any base identities.

Kent // contributor

> On Feb 10, 2020, at 12:27 PM, Kent Watsen <> wrote:
> All,
> This is worse than it seems, so please dig in!
> 1) currently the "generate-symmetric-key" and “generate-asymmetric-key” actions are defined in ietf-keystore, primarily so another keystore-key can be leafref-ed so that the output (i.e., the generated key) can be encrypted.
> 2) however, it seems wrong that only servers implementing ietf-keystore should be able to generate keys.  Thus I was thinking to move the generate-* actions to ietf-crypto-types as RPCs (not actions).   
> i) Them not being actions is not an issue as the only reason they were actions originally is because we were thinking that they would be like object-oriented methods, adding the generated key to the parent node’s list of keys.  But now that the generated keys are returned in the output, it no longer matters if it is an action or RPC.
> ii) In order to retain the ability to encrypt the generated key, the ietf-keystore module can augment the ietf-crypto-types RPCs with the "encrypt-with” inout parameter.
> 3) I started to make this change in my local copy to see how it would play out, and immediately ran into the seemingly unrelated issue that the “algorithm” input parameter is of type "iasa:asymmetric-algorithm-type” or  "isa:symmetric-algorithm-type”, depending on the kind of key that is being generated.  Mind you, the “iasa” and “isa” prefixed lists of supported keys are exactly that which we said we’d split/move to the ssh-client-server and tls-client-server drafts (PS: still waiting for someone to send a Pull Request for this change).  That is, the 3 lists of supported algorithms becomes 6 lists (i.e., 3 for SSH and 3 for TLS).
> 4) But we can’t really move these algorithms to the SSH and TLS modules because the "public-key-grouping” and "symmetric-key-grouping” groupings have an “algorithm” leaf that leafref's these lists…so the move would cause an unresolved referenced and fail YANG validation.   FWIW, this issue exists regardless if we move the actions from keystore to crypto-types…it is only in my trying to do it that this issue was revealed...
> 5) this issue suggests using “identities” rather than “enumerations” for the lists of supported algorithms.  That is, base identities in ietf-crypt-types enable identityrefs…. But if we use identities (instead of opstate-lists of supported algorithm enumerations), we could instead either have a “module” or “feature” per identity, which would still produce an opstate list (i.e., ietf-yang-library), but there would be many of either modules or features, which may be off-putting…
> Options:
> module per identity (many modules, use YL to determine which algs server supports)
> module per alg-type (e.g., SSH/TLS * symmetric/assymetric/hash) with a feature per identity (many features!)
> module per alg-type + a separate runtime opstate list of supported algorithms (unnecessary lists?)
> Suggestions?
> Kent // contributor
> _______________________________________________
> netconf mailing list