Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-keystore-30: (with DISCUSS)
Kent Watsen <kent+ietf@watsen.net> Fri, 02 February 2024 16:46 UTC
Return-Path: <0100018d6ab71c20-86eb941d-aad5-4f0e-bde5-7f40f4e60318-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E8ABC151717; Fri, 2 Feb 2024 08:46:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BQdz6sGhzveR; Fri, 2 Feb 2024 08:46:43 -0800 (PST)
Received: from a48-92.smtp-out.amazonses.com (a48-92.smtp-out.amazonses.com [54.240.48.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8BEDC151701; Fri, 2 Feb 2024 08:46:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706892401; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=SaCCjpdYSFsv2dGqg53ntVdWt6g3rkZNPjr8/mKwjDU=; b=gj8Wk7a4UiqlHSaAHLQcE1Fbnuw09Dsn//1ha3i60hq/5dBYA+QpIFKZbe3EgqWX +DWa5ViAKaRh1mtvVqt9apmCv6aFNIbkN9e4Q8wi7FdUnlrPvkjle3eWyVCkA7wZo+N ZcpEYh65rbPt3A2X9+cCR+C9oLC1bx8U8VZhsEq8=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d6ab71c20-86eb941d-aad5-4f0e-bde5-7f40f4e60318-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4528C1CB-23BE-4561-8470-4535EA7C26EA"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Fri, 02 Feb 2024 16:46:41 +0000
In-Reply-To: <170675630080.23323.7814071664943481478@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-keystore@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
References: <170675630080.23323.7814071664943481478@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.02-54.240.48.92
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FgDCV80TP0mX68kr8ezjdTEyaEY>
Subject: Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-keystore-30: (with DISCUSS)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2024 16:46:47 -0000
Hi Paul, Thank you for your review. Please find responses below. Kent > On Jan 31, 2024, at 9:58 PM, Paul Wouters via Datatracker <noreply@ietf.org> wrote: > > Paul Wouters has entered the following ballot position for > draft-ietf-netconf-keystore-30: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-keystore/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I support Roman's discuss with respect to the backup/restore procedure. Perhaps > limit it to say that a global KEK could be used to facilitate this, but not go > into details on how this would work with diagrams? I’m hoping that my response to Roman was convincing. I think that this section can be fixed by adding text to provide any clarifications needed. > Similar to draft-ietf-yang-crypto-types: > > | +--rw certificates > | | +--rw certificate* [name] > | | +--rw name string > > Certificate identity is either done by entire DN, The Common Name (CN) RDN, > or by a list of subjectAltName (SAN) entries. Can the latter be expressed > here? Should a type be introduced? ("CN", "DN", "SAN") ? Should the type be > a list as 1 certificate can have multiple identities via multiple SAN entries. > > See also: > > +--rw end-entity-cert-with-key* [name] > +--rw name > | string The same comment was made by Éric. I’m trying to not require the “name” be any particular value found in a cert. The documentation could suggest cert-values as good candidates, but maybe that’s too obvious? > Section 4.1: > > A server MUST possess (or be able to possess, in case the KEK has > been encrypted by yet another KEK) a KEK's cleartext value so that > it can decrypt the other keys in the configuration at runtime. > > Perhaps "MUST possess access to KEK or API using the KEK"? A server might > be using a TEE and not really have the KEK itself, but it can send a decryption > job to an API inside the TEE that could use the KEK and return the decrypted > key. In this case, the server does sort of "possess" the key but never its > "cleartext value". Completely agree - great suggestion! OLD: - <t>A server MUST possess (or be able to possess, in case the KEK has - been encrypted by yet another KEK) a KEK's cleartext value so that it - can decrypt the other keys in the configuration at runtime.</t> NEW: + <t>A server MUST possess access to the KEK or an API using the KEK, + so that it can decrypt the other keys in the configuration at runtime.</t> > Section 4.2: > > Implementations SHOULD provide an API that simultaneously generates and > encrypts a key (symmetric or asymmetric) using a KEK. > > Should that say "(symmetric or private asymmetric)" ? It could, but I found the result more confusing. e.g., do we refer to the generated-key or the KEK that may be symmetric or asymmetric? I found that removing that text allowed for a better flow without losing much; that any kind of key can be encrypted by any other kind of key is defined in the YANG module. So this is what I came up with: OLD: <t>Implementations SHOULD provide an API that simultaneously generates - and encrypts a key (symmetric or asymmetric) using a KEK. Thus the cleartext value of the newly generated key may never be known to the administrators generating the keys.</t> NEW <t>Implementations SHOULD provide an API that simultaneously generates + a key and encrypts the generated key using a KEK. Thus the cleartext value of the newly generated key may never be known to the administrators generating the keys.</t> Good? > Section 5.1: > > In order to satisfy the expectations of a "keystore", it > is RECOMMENDED that implementations ensure that the keystore > contents are encrypted when persisted to non-volatile memory. > > I would probably add "and ensure keystore contents that have been decrypted in > volatile memory are zeroized when not in use". Hmmm, but the section title is "Security of Data at Rest”… Okay, I changed the title to “Security of Data at Rest and in Motion”. I also added your text, and dropped the middle paragraph. The diff is convoluted, but the final result is this: <section title="Security of Data at Rest and in Motion"> <t>The YANG module defined in this document defines a mechanism called a "keystore" that intends to protect its contents from unauthorized disclosure and modification.</t> <t>In order to satisfy the expectations of a "keystore", it is RECOMMENDED that implementations ensure that the keystore contents are encrypted when persisted to non-volatile memory, and ensure that the keystore contents that have been decrypted in volatile memory are zeroized when not in use.</t> </section> Fixed? FYI, zeroisation is also discussed in the "crypto-types" draft here: https://datatracker.ietf.org/doc/html/draft-ietf-netconf-crypto-types-29#section-3.9 Thanks again, Kent
- [netconf] Paul Wouters' Discuss on draft-ietf-net… Paul Wouters via Datatracker
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Kent Watsen
- Re: [netconf] Paul Wouters' Discuss on draft-ietf… Paul Wouters