Re: [netconf] crypto-types fallback strategy

Kent Watsen <kent@watsen.net> Thu, 19 September 2019 14:04 UTC

Return-Path: <0100016d49d65155-25a0cf04-fafc-44b0-a563-c10f958dfa73-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6BDF0120108 for <netconf@ietfa.amsl.com>; Thu, 19 Sep 2019 07:04:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l6ZGL5fHgaeh for <netconf@ietfa.amsl.com>; Thu, 19 Sep 2019 07:04:07 -0700 (PDT)
Received: from a8-88.smtp-out.amazonses.com (a8-88.smtp-out.amazonses.com [54.240.8.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E90C6120047 for <netconf@ietf.org>; Thu, 19 Sep 2019 07:04:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1568901845; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=gaTL3oIR5o+2n60bsv60wBAjuXMQYqLerN31JcbzUxg=; b=Ol+44tU0Mn95ZLGu2sJsVX+BKslsIxmPHaD48PrG3SLNfahgkho/y5FwX3W588Mm YsDEaulwKVwAJ7pZLKtfN3dBTGTPtwG0FJdWWt9vLX8fOB/8rrSRuKBHkWlEFy+MBHT dd1FQg/jGTJcD4uH/a0k0GX4Er4cVEMQ2iVCOWMU=
From: Kent Watsen <kent@watsen.net>
Message-ID: <0100016d49d65155-25a0cf04-fafc-44b0-a563-c10f958dfa73-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BEEBDD30-E869-4502-AC28-050755159537"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 19 Sep 2019 14:04:05 +0000
In-Reply-To: <20190919.125358.892950440538953535.mbj@tail-f.com>
Cc: Juergen Schoenwaelder <J.Schoenwaelder@jacobs-university.de>, "netconf@ietf.org" <netconf@ietf.org>, rifaat.ietf@gmail.com
To: Martin Bjorklund <mbj@tail-f.com>
References: <20190918202928.mqxdsuh3by3c4usl@anna.jacobs.jacobs-university.de> <7ec3f404-9070-b0f7-7673-10093437121e@hedeland.org> <20190918211951.eznefdficdfjk6xz@anna.jacobs.jacobs-university.de> <20190919.125358.892950440538953535.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.09.19-54.240.8.88
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/IkPdr8f9-ohdE3iwiFIeugttlvA>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 14:04:10 -0000


> On Sep 19, 2019, at 6:53 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> 
> Here's a link to the discussion we had some five years ago:
> 
> https://mailarchive.ietf.org/arch/msg/netmod/I5it0TXGL4sL00529qZmz6jCCPs <https://mailarchive.ietf.org/arch/msg/netmod/I5it0TXGL4sL00529qZmz6jCCPs>


So apropos.    Yeah for email archives!

I noticed a discrepancy between the file format described in RFC 4716 and the one `ssh-keygen` produces by default.  In order to get the standard public key file format, I had to use the command `ssh-keygen -e -m RFC4716 -f <public-or-private-key-file>`.

We can define a type for this:

	typedef rfc4716-string {
	    type string;
	    description
	      "A string containing the contents of the file described by RFC 4716";
	    reference
	      "RFC 4716: The Secure Shell (SSH) Public Key File Format";
	}

And perhaps another for PEMs:

	typedef pem-string {
	    type string;
	    description
	      "A string containing the PEM encoding of an ASN.1 structure.";
	    reference
	      "TBD";
	}

And then put a union into the "public-key" leaf:

    leaf public-key {
      nacm:default-deny-write;
      type union {
          type rfc4716-string;
          type pem-string;
          type binary;
      }
      mandatory true;
      description
        "The value of the public key.  The interpretation of this value is
         defined by 'algorithm'.  For example, algorithms using SSH
         specific identities always use 'rfc4716-string', where algorithms
         using X.509 specific identities encode a SubjectPublicKeyInfo
         (RFC 5280) that may be a 'binary' (for DER encodings) or 
         'pem-string' (for PEM encodings).";
      reference
        "RFC 5280: Internet X.509 Public Key Infrastructure Certificate
                            and Certificate Revocation List (CRL) Profile";
    }


And similar for the private key?

AFAICT, that all are effectively strings doesn't matter.  Implementations can try to parse the options until something works.


Thoughts?

Kent // contributor