Re: [netconf] truststore usage in ietf-ssh/tls-client/server

Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> Wed, 09 October 2019 07:03 UTC

From: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
To: Balázs Kovács <balazs.kovacs=40ericsson.com@dmarc.ietf.org>
CC: "Salz, Rich" <rsalz@akamai.com>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 09 Oct 2019 07:03:35 +0000
Message-ID: <20191009070334.tzpxb6wfvlwvyvks@anna.jacobs.jacobs-university.de>
References: <AM0PR07MB51879334FAD36D55675307E3839E0@AM0PR07MB5187.eurprd07.prod.outlook.com> <0100016da755ddce-18e94501-441b-471d-af1e-03ba88fde0ba-000000@email.amazonses.com> <AM0PR07MB51877236CE073078C5B90F9A839A0@AM0PR07MB5187.eurprd07.prod.outlook.com> <0100016dad284c4d-821b1403-49d4-41bb-87bf-275f611e6fe1-000000@email.amazonses.com> <E2A52BEB-FDA0-4F3B-A11F-052BD7A68120@akamai.com> <AM0PR07MB51875014434A6F0676198C7283950@AM0PR07MB5187.eurprd07.prod.outlook.com>
In-Reply-To: <AM0PR07MB51875014434A6F0676198C7283950@AM0PR07MB5187.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/GIoIrb6scEHN18nFJN579QjCJEE>

Hi,

it may help to adopt terminology defined in RFC 4949. RFC 4949 for
example says:

   $ trust anchor certificate
      (I) A public-key certificate that is used to provide the first
      public key in a certification path. (See: root certificate, trust
      anchor, trusted certificate.)

/js

On Wed, Oct 09, 2019 at 06:52:18AM +0000, Balázs Kovács wrote:
> Hi,
> 
> The “trust anchor” is the rootmost CA in a chain of certificates.
> 
> (RATS/EAT has other definitions of the term, but for X509 certificates and TLS configuration, this is correct.)
> 
> I think this means that you should use the term “CA”
> 
> I’m also rather in favor of ca-certs, especially if “trust anchor” means the root CA. Also in development the term CA certificate is much more understandable. I think the type allows a CA chain or one could use these leaves for partial chain validation too.
> 
> Regarding the presence containers, if local-or-truststore-* have mandatory choice then I think you need to make the local-or-keystore-* containers also presence.
> 
> Br,
> Balazs
-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
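The presence-container point raised in the quoted message, illustrated with an added YANG fragment that is not taken from the ietf-ssh/tls-client/server drafts (the module and node names below are hypothetical simplifications of the local-or-truststore-* pattern):

```yang
// Hypothetical sketch, not the drafts' module: shows why a container
// that holds a mandatory choice needs the "presence" statement.
module example-truststore-usage {
  yang-version 1.1;
  namespace "urn:example:truststore-usage";
  prefix etu;

  // Without "presence", this container is only a naming node that
  // always exists, so the mandatory choice inside it would force every
  // instance of the parent to carry either a local or a truststore
  // reference, even where no trust anchor configuration is wanted.
  // With "presence", the choice is mandatory only once the container
  // has been instantiated by the operator.
  container local-or-truststore-certs {
    presence "Enables trust-anchor configuration; when absent, no
              certificates are configured.";
    choice local-or-truststore {
      mandatory true;
      case local {
        leaf-list cert {
          type binary;
          description "Inline DER-encoded trust anchor certificate.";
        }
      }
      case truststore {
        leaf truststore-reference {
          type string;
          description "Name of a certificates bag in the truststore.";
        }
      }
    }
  }
}
```

The same reasoning applies to any local-or-keystore-* container that wraps a mandatory choice: either it is a presence container, or the choice becomes mandatory for the whole parent.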