IETF Logo Mail Archive

Re: [Netconf] PKCS7 --> CMS

Mahesh Jethanandani <mjethanandani@gmail.com> Wed, 14 February 2018 04:47 UTC

Return-Path: <mjethanandani@gmail.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 520351242F7 for <netconf@ietfa.amsl.com>; Tue, 13 Feb 2018 20:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eqHyP6qyHzUY for <netconf@ietfa.amsl.com>; Tue, 13 Feb 2018 20:47:19 -0800 (PST)
Received: from mail-pf0-x229.google.com (mail-pf0-x229.google.com [IPv6:2607:f8b0:400e:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4926F1200E5 for <netconf@ietf.org>; Tue, 13 Feb 2018 20:47:19 -0800 (PST)
Received: by mail-pf0-x229.google.com with SMTP id w83so3459174pfi.12 for <netconf@ietf.org>; Tue, 13 Feb 2018 20:47:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=A8ILl9gmgpOuIU9x6+Jfgid83nMcCxLyilyCWe7FPUQ=; b=MDZVzb8tamKFxIQMst30Dfg6caj13D2VM2bwzQYkkUBwYbkTRRgnZD/lC90+Ba4Cdd wtz4JsyHcQbgBIjv/Sjzt0O3myag3VtltyLp9rISl8SGSuB/W+ZX2T9zVJXpyZSUbptO lB4SsTxswjUSh1PgX5sr70smBjSRN2gYm3PzfVlN/UBD4r8nxhOzWlN9y9tHgw5hDAsY FKWdAhdp3Z3PEe8F6/yhSWl645y7dnLG+uVo7Dw6VKDhu4UI1sBD++vv3gnip5jEkPF4 qFQVl+EkCwgBWa2r5SlrQecPiRfTXLQJU8YaXwKIOhHXFXsUZZDvRPQcUE6raHCEKhIO T2aQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=A8ILl9gmgpOuIU9x6+Jfgid83nMcCxLyilyCWe7FPUQ=; b=uEFoSPLotUJmr8jCUwEwqds4nT1Y7/hCFYMwjPNrqTKOe9kvJwn7SHPNLHhcxJBuOQ l02CEghAdfvwup2tsUWQmPfYQJ95YOLHYuS3rtj0Dlfig3oxcL9D4OEdjHiafbBcyaFN qxIhmfsagxQ5Ni95eSB6mFibGO1a0veZEkZba30X7/UBdlIGlzSEikmwo6LmblenjkyM IetprgissWm6HuvrYWUzuE0oA06EXo09oH10NxoBk9YVSMbO2NxFPyngmpNa++H021+P 736pfDHq1vDTT852rBwxQbISaaoNLKyh/mlhDWTwezkA2DvQTFYGlMrTM/IzYFsVr3To XKAg==
X-Gm-Message-State: APf1xPAZAc4N8GqNQuTZ3pV1fznIDlFbgKQMrsEzUSOhViXwH2GbyeW0 xAzJwFfPLAO7IWtAWVifrKcsHocG
X-Google-Smtp-Source: AH8x225MO/vTVFo/HX7PmIArRBJyUeJ0cB4hjbTZtg8ZUxNmBgVeLPFLXMJffFYwlJFMQrnGovqC7w==
X-Received: by 10.99.65.199 with SMTP id o190mr2938858pga.238.1518583638276; Tue, 13 Feb 2018 20:47:18 -0800 (PST)
Received: from ?IPv6:2601:647:4700:1280:4141:9867:7210:bfc9? ([2601:647:4700:1280:4141:9867:7210:bfc9]) by smtp.gmail.com with ESMTPSA id m83sm36795768pfk.107.2018.02.13.20.47.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Feb 2018 20:47:17 -0800 (PST)
From: Mahesh Jethanandani <mjethanandani@gmail.com>
Message-Id: <26E63C76-8928-461D-B331-97AFBF1334BC@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_31784430-B5B5-4182-B499-38EC89D7506E"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Tue, 13 Feb 2018 20:49:33 -0800
In-Reply-To: <D00C0834-397B-47B8-9868-54D5F6E64E20@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
References: <D00C0834-397B-47B8-9868-54D5F6E64E20@juniper.net>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/JBKVxetAWI9MvQnRhXe_chrHc9s>
Subject: Re: [Netconf] PKCS7 --> CMS
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2018 04:47:22 -0000

Dear WG,

Does anyone have objection to the proposal below for the envelope information to be JSON format only, for now, with the idea that if XML support is needed, it can be added later?

Barring any objections, we want to close on this issue and send the draft for publication.

Thanks

> On Feb 12, 2018, at 10:09 AM, Kent Watsen <kwatsen@juniper.net> wrote:
> 
> 
> Hi all,
> 
> Line 1704 of the commit here [1] shows both XML and JSON content types being registered.
> 
> 	id-ct-zerotouchInformationXML
> 	id-ct-zerotouchInformationJSON
> 
> 
> But the ANIMA Voucher draft only defines a single content type for JSON.  Their rational for supporting just one was that it would promote interoperability, though XML support could be added at any time.
> 
> But having one artifact (zerotouch-information) support two encodings while the other (ownership-voucher) can only support one doesn't seem helpful either.  What to do?
> 
> To be clear, this decision has no impact on if the bootstrap server supports XML or JSON, or even what the bootstrapping device's NETCONF/RESTCONF protocols support.  But it does mean that, in the worst case, a native-XML server may need to process a JSON document during the bootstrapping process.
> 
> [1] https://github.com/netconf-wg/zero-touch/commit/3d938e4d539407c8bb2b4e162dca497b01d8315c#diff-ac14b4845b3be918b874f2d3564d5d09R1704 <https://github.com/netconf-wg/zero-touch/commit/3d938e4d539407c8bb2b4e162dca497b01d8315c#diff-ac14b4845b3be918b874f2d3564d5d09R1704>
> 
> Thoughts?  - should we again go back to only supporting JSON?   - or should we go ahead and define both now, with the assumption and the ownership voucher will someday support XML too?
> 
> Kent // contributor
> 
> 
> 
> [moving Russ to BCC]
> 
> All,
> 
> The PKCS7 --> CMS change is reflected here:
> 
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_netconf-2Dwg_zero-2Dtouch_commit_3d938e4d539407c8bb2b4e162dca497b01d8315c&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=YcPdTFTtK-LwGeIHtUMmazXzme-WkaIpGzibJMVdVHQ&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_netconf-2Dwg_zero-2Dtouch_commit_3d938e4d539407c8bb2b4e162dca497b01d8315c&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=YcPdTFTtK-LwGeIHtUMmazXzme-WkaIpGzibJMVdVHQ&e=>
> 
> I plan to automatically merge this branch into -20, as already the shepherd asked for this update.
> 
> Kent // author
> 
> 
> 
> ===== original message=====
> 
> I think that defining the two content types would be better.  If you use id-data, then you need another way to figure out what content type is embedded.
> 
> Russ
> 
> 
>> On Feb 6, 2018, at 8:44 PM, Kent Watsen <kwatsen@juniper.net> wrote:
>> 
>> Hi Russ,
>> 
>> Drilling down a little, I can imagine us defining a couple content types:
>> 
>> 	id-ct-zerotouchInformationXML
>> 	id-ct-zerotouchInformationJSON
>> 
>> But, in both cases, the "content" would be just an octet string (i.e.,
>> an XML or JSON encoded document).  In particular, we would not define
>> an ASN.1 structure to represent the "zerotouch information" structure.
>> 
>> Is defining two types such as above the expectation or, since it's
>> just an octet string, perhaps we should use "id-data"?  RFC 5652
>> section 4 says this about the 'data' type (I added the quotes):
>> 
>>  "The 'data' content type is intended to refer to arbitrary octet
>>  strings, such as ASCII text files; the interpretation is left to the
>>  application.  Such strings need not have any internal structure
>>  (although they could have their own ASN.1 definition or other
>>  structure)."
>> 
>> Or, do you think we should look to do something even more generic,
>> such as:
>> 
>> 	id-ct-YangEncodedData
>> 
>>     YangEncodedData {
>>       moduleName           string        // e.g., "ietf-zerotouch-information"
>>       moduleRevision       string        // e.g., "2017-12-09"
>>       encoding             enum          // XML, JSON, etc.
>>       data                 octet string  // the YANG-encoded data
>>     }
>> 
>> Which would allow for the brokering of any YANG data.  Such a type 
>> could've, for instance, also been used by the ANIMA voucher draft.
>> 
>> Thoughts?  - anyone?
>> 
>> Kent
>> 
>> 
>> 
>> ===== original message =====
>> 
>> Kent:
>> 
>> Yes.  This is the approach takes for signed firmware packages in RFC 4108.
>> 
>> Russ
>> 
>> 
>>> On Feb 6, 2018, at 3:40 PM, Kent Watsen <kwatsen@juniper.net> wrote:
>>> 
>>> Russ,
>>> 
>>> I like it.  I didn't know that it was possible to set the top-level content
>>> type value like that.  Is the net-result still considered a CMS structure?
>>> 
>>> Thanks,
>>> Kent
>>> 
>>> 
>>> ===== original message =====
>>> 
>>> I suggest that ContentInfo is always present, then for the signed case:
>>> 
>>>    ContentInfo {
>>>      contentType          id-signedData, -- (1.2.840.113549.1.7.2)
>>>      content              SignedData
>>>    }
>>> 
>>>    SignedData {
>>>      version              CMSVersion, -- always set to 3
>>>      digestAlgorithms     DigestAlgorithmIdentifiers, -- Only one
>>>      encapContentInfo     EncapsulatedContentInfo,
>>>      certificates         CertificateSet, -- Signer cert. path
>>>      crls                 CertificateRevocationLists, -- Optional
>>>      signerInfos          SET OF SignerInfo -- Only one
>>>    }
>>> 
>>>    SignerInfo {
>>>      version              CMSVersion, -- always set to 3
>>>      sid                  SignerIdentifier,
>>>      digestAlgorithm      DigestAlgorithmIdentifier,
>>>      signedAttrs          SignedAttributes, -- Required
>>>      signatureAlgorithm   SignatureAlgorithmIdentifier,
>>>      signature            SignatureValue,
>>>      unsignedAttrs        UnsignedAttributes -- Optional
>>>    }
>>> 
>>>    EncapsulatedContentInfo {
>>>      eContentType         <your-netconf-content-type>
>>>      eContent             OCTET STRING
>>>    }                            -- Contains the content
>>> 
>>> The unsigned case:
>>> 
>>>    ContentInfo {
>>>      contentType          <your-netconf-content-type>
>>>      content              -- Contains the content
>>>    }
>>> 
>>> Russ
>>> 
>>> 
>>>> On Feb 6, 2018, at 11:53 AM, Kent Watsen <kwatsen@juniper.net> wrote:
>>>> 
>>>> Hi Russ,
>>>> 
>>>> I'm looking into switching from PKCS7 to CMS change in the NETCONF
>>>> zerotouch draft.  This update would be similar to the change to the
>>>> ANIMA voucher draft.  However, I noticed that RFC 5652 says in 
>>>> Section 5.2:
>>>> 
>>>> "In the degenerate case where there are no signers, the
>>>> EncapsulatedContentInfo value being "signed" is irrelevant.  In this
>>>> case, the content type within the EncapsulatedContentInfo value being
>>>> "signed" MUST be id-data (as defined in Section 4), and the content
>>>> field of the EncapsulatedContentInfo value MUST be omitted."
>>>> 
>>>> Note, this text is similar to the last paragraph in RFC 2315 Section 
>>>> 9.1, though there it is just a "recommendation" that the value be
>>>> omitted.
>>>> 
>>>> This is a problem for the NETCONF zerotouch draft, where we currently
>>>> have a PKCS7 object that is sometimes signed.  We choose this approach
>>>> because then, in all cases, a PKCS7 object is being communicated.  But
>>>> it's no longer allowed in CMS?
>>>> 
>>>> Questions:
>>>> 
>>>> 1) Can the zerotouch draft explicitly allow the "eContent" field 
>>>> again for the degenerate case?
>>>> 
>>>> 2) If having a eContent value for the degenerate case is no longer
>>>> allowed, can we use it as grounds for not migrating to CMS?
>>>> 
>>>> 3) Are there any other generic "envelop" structure that can be 
>>>> "sometimes signed"?
>>>> 
>>>> 
>>>> Thanks,
>>>> Kent
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
>> 
>> 
> 
> 
> 
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org <mailto:Netconf@ietf.org>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=o18ndrwnbD62ZZH5zVUoH7nk1Y0SPkdaxROvPs3_wrc&e= <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=o18ndrwnbD62ZZH5zVUoH7nk1Y0SPkdaxROvPs3_wrc&e=>
> 
> 
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org <mailto:Netconf@ietf.org>
> https://www.ietf.org/mailman/listinfo/netconf <https://www.ietf.org/mailman/listinfo/netconf>
Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email