IETF Logo Mail Archive

Re: [netconf] The maintenance of the algorithm identifiers in draft-ietf-crypto-types

Kent Watsen <kent@watsen.net> Thu, 25 April 2019 16:15 UTC

Return-Path: <0100016a554785f6-a0f918fc-5396-4410-8320-701f65abf6c0-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6F50120289 for <netconf@ietfa.amsl.com>; Thu, 25 Apr 2019 09:15:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vy7ZosNifbg6 for <netconf@ietfa.amsl.com>; Thu, 25 Apr 2019 09:15:14 -0700 (PDT)
Received: from a8-96.smtp-out.amazonses.com (a8-96.smtp-out.amazonses.com [54.240.8.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06CEC120400 for <netconf@ietf.org>; Thu, 25 Apr 2019 09:15:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1556208912; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=E2oQyomusubDoAKUcn/g+fqrsZhFsDM9Af6U5kca3i4=; b=OYfwq+EnqO8QVpYChfiLB12/3vzIPOZAvjbcv0kWKG5uEZSEeoCT+Aw8FZGUfutr 91nVJxFhfc6DlqzlBAzGtPaV0ZQsfTtscGSJO6yOBv745S5gckLqJXxGy2XdK52wmFA 5OZQImiE2PKcwJx/msMB1x+nDSsMRdSODXr0J9Lg=
From: Kent Watsen <kent@watsen.net>
Message-ID: <0100016a554785f6-a0f918fc-5396-4410-8320-701f65abf6c0-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BA02C17D-7AF5-439D-BB8F-4CCB2E865EB5"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 25 Apr 2019 16:15:11 +0000
In-Reply-To: <20190425064201.lfuwspbkkwatbg6h@anna.jacobs.jacobs-university.de>
Cc: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>, "netconf@ietf.org" <netconf@ietf.org>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
References: <0AE05CBFB1A6A0468C8581DAE58A31309E3CB0F5@SINEML521-MBX.china.huawei.com> <20190425064201.lfuwspbkkwatbg6h@anna.jacobs.jacobs-university.de>
X-Mailer: Apple Mail (2.3445.102.3)
X-SES-Outgoing: 2019.04.25-54.240.8.96
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HFrdYnI9ltMrXCBj6vaEgxuE45s>
Subject: Re: [netconf] The maintenance of the algorithm identifiers in draft-ietf-crypto-types
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2019 16:15:27 -0000


> This issue touches on an open issue that we never managed to solve:
> Given an arbitrarily extensible set of identifiers, how does an
> implementation announce the subset actually supported? And related to
> that, can a YANG module define a subset that is expected to be
> supported (i.e., a conformance requirement)? I am not sure we have
> a YANG next issue for this, but we should.

Just submitted https://github.com/netmod-wg/yang-next/issues/80 <https://github.com/netmod-wg/yang-next/issues/80>.

Perhaps YANG Library be used for this?



> 
>> 2.       Some deprecated algorithm are needed by their draft.
>> 
>> a.       Some expert suggested to define those identifiers by them own within their draft. I think this is a feasible solution.
>> 
> 
> This sounds a bit like hiding deprecated crypto somehow under the
> carpet. What if multiple technologies need the same deprecated crypto
> algorithm? They create multiple identifiers for the same thing or they
> get interesting module dependencies? Crypto algorithms come and go and
> ietf-crypto-types will sooner or later have identities that will need
> to be deprecated because the crypt algorithm is not considered secure
> enough anymore. So in the long term, hiding deprecated crypto
> algorithms in some corners "under the carpet" will not work. My point
> is that "we only have good crypto algorithms defined in
> ietf-crypto-types" is not going to work for long.

Agreed.  It would seem that crypto-types should define the universe of all known algorithms, even it deprecated or obsoleted, and let the solution to Issue #80 enable implementations identify the subset they support.


>> For the above issue, I think we can add some text in draft-ietf-crypto-types to guide users from other group how to handle the above two issues.
>> 
>> Beside that,  in the future, some new algorithms might be added and some algorithms will be deprecated, we have to figure out how to made the algorithm list defined by crypto-types flexible.
> 
> The obvious way of dealing with this is to deprecate the identities
> when algorithms are considered to be not secure enough anymore.

Yes, the identity takes "status" as a substatement, so this can be done.   

This discussion makes me wonder if the module should be called iana-crytpo-types and have IANA maintain the module.

Kent // contributor

v2.23.0 | Report a Bug | By Email