Re: [netconf] crypto-types and keystore comments
Martin Bjorklund <mbj@tail-f.com> Thu, 14 November 2019 13:02 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0384F12012E for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 05:02:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y1GwZy_RuKoO for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 05:02:07 -0800 (PST)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 4A77412001A for <netconf@ietf.org>; Thu, 14 Nov 2019 05:02:07 -0800 (PST)
Received: from localhost (unknown [173.38.220.41]) by mail.tail-f.com (Postfix) with ESMTPSA id DEC011AE0312; Thu, 14 Nov 2019 14:02:05 +0100 (CET)
Date: Thu, 14 Nov 2019 14:01:35 +0100
Message-Id: <20191114.140135.2027227966816173737.mbj@tail-f.com>
To: kent+ietf@watsen.net
Cc: netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <0100016e69e99e3c-893fbfb4-3dc8-4725-b7ef-87bbf491dc2c-000000@email.amazonses.com>
References: <0100016e66c9b02d-382d9d6e-6d88-47ec-a117-5f38a3699fb1-000000@email.amazonses.com> <20191114.100558.1371995383202419404.mbj@tail-f.com> <0100016e69e99e3c-893fbfb4-3dc8-4725-b7ef-87bbf491dc2c-000000@email.amazonses.com>
X-Mailer: Mew version 6.8 on Emacs 25.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KHzntu9MHtm8J1m2rtBu8F2v2ig>
Subject: Re: [netconf] crypto-types and keystore comments
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 13:02:09 -0000
Kent Watsen <kent+ietf@watsen.net> wrote: > Hi Martin, > > > > Suppose I want to configure a ssh host-key as the server-identity for > > my NETCONF server. Is the intention that a client can pick either > > "ssh-public-key-format" or "subject-public-key-info-format", and the > > server must support both? > > It's assumed that the client would set the public key using > "ssh-public-key-format" (per RFC 4716, as that is the only > standards-based public key format that `openssh` is able to export). > While it's possible to convert the public key to a > SubjectPublicKeyInfo structure, doing so is unlikely. In either case, > the same data is conveyed. > > The issue presents itself when configuring the "server-identity" in > ietf-ssh-server, whether a local definition or a reference to a key in > the keystore. A "must" expression could be used to constrain the > supported key-formats allowed. Our modules could hardcode this for > all implementations Ok. This is worth exploring imo. > or, if wanting to provide flexibility, we could > let implementations augment-in their own 'must' expression. > > > > >> Yes, well, this is a known problem (e.g., > >> https://github.com/netmod-wg/yang-next/issues/82 > >> <https://github.com/netmod-wg/yang-next/issues/82>). > > > > That is quite different. > > How so? Features are effectively opstate lists too and, in both > cases, YANG fails to support granular discrimination. > > > You're using a normal config false list for this (which is fine), but > > I don't think you can use a single global list like this. > > I don't understand this statement. My point is really just that a single global list like this is not sufficient. It doesn't matter if "feature" has problems; a single global config false list is not sufficient for what you're trying to do. > >> I will say that the definition above was given because it is the only > >> *standards* based key that `openssh` can output (i.e., `ssh-keygen -e > >> [-m RFC4716] -f <private-key-file>`). > > > > With my proposal you can take the output of this openssh command and > > copy & paste the base64-encoded data from this output to a YANG node > > using ssh-public-key-format. > > > > With your proposal you have to copy the entire output, base64 encode > > it *again*, and then copy & paste that result to the YANG node. > > Not true or, rather, the intention is to support native encoding > formats, including DER vs PEM, and CMS vs multi-part PEM. But that would be different key-format identities, right? The issue here is about what the specfic format is for ssh-public-key-format. The format I suggest is also already used in RFC 7317, as was pointed out before by someone else. > That a > text-based format is base64 encoded is not an issue and, IMO, a > feature as it escaping concerns when the content is placed in an XML > or JSON document. > > > > >> That said, if you refer to the link I provided at top, it is my belief > >> that the "key-format" node may be extended to support alternate > >> encodings (e.g., DER vs PEM and, potentially, CMS vs multi-part PEM). > >> To this end, perhaps we could support both the 4716 and 4253 formats. > > > > Do we really want to go there? This is already quite complex, and > > having a multitude of optional formats for the same thing may make > > things even more complex, to understand and get right. > > Binary formats (e.g., DER) are fundamental, but some raised usability > concerns Do you have a pointer to this? > , hence the exploration. As for complexity, how do we know > until we try? I think we _are_ trying now... /martin > >>> o subject-public-key-info-format > >>> > >>> The crypto model has: > >>> > >>> identity subject-public-key-info-format { > >>> base "public-key-format"; > >>> description > >>> "A SubjectPublicKeyInfo (from RFC 5280)."; > >>> } > >>> > >>> Should this be "DER encoded"? > >>> > >>> (this and other defintions have references to RFCs in the > >>> description; they should be moved to proper "reference" statements) > >> > >> Yes. I put together these definitions in as a test/protocol to gauge > >> viability with the plan to enhance the definitions if the WG committed > >> to the approach. I just added some "FIXME" comments to my local copy. > > > > Ok. > > It helps immensely when folks can provide spec-text, either on list or > as a pull request. > > > > Kent // contributor > >
- [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund