Re: [netconf] ietf crypto types - permanently hidden

Martin Bjorklund <mbj@tail-f.com> Wed, 01 May 2019 21:06 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED63120094 for <netconf@ietfa.amsl.com>; Wed, 1 May 2019 14:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sr6ldoBvsh7Q for <netconf@ietfa.amsl.com>; Wed, 1 May 2019 14:06:25 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 886E4120021 for <netconf@ietf.org>; Wed, 1 May 2019 14:06:25 -0700 (PDT)
Received: from localhost (h-4-215.A165.priv.bahnhof.se [158.174.4.215]) by mail.tail-f.com (Postfix) with ESMTPSA id A96D41AE0451; Wed, 1 May 2019 23:06:22 +0200 (CEST)
Date: Wed, 01 May 2019 23:06:22 +0200 (CEST)
Message-Id: <20190501.230622.158012882760210627.mbj@tail-f.com>
To: j.schoenwaelder@jacobs-university.de
Cc: kent+ietf@watsen.net, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <20190430161223.cwqfsyyxbtnkqbl7@anna.jacobs.jacobs-university.de>
References: <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com> <20190430.144930.844252169549242587.mbj@tail-f.com> <20190430161223.cwqfsyyxbtnkqbl7@anna.jacobs.jacobs-university.de>
X-Mailer: Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=utf-8
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KcGs59Cag7-JQsIMjWqUFlz-A-I>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 21:06:28 -0000

Hi,

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>; wrote:
> On Tue, Apr 30, 2019 at 02:49:30PM +0200, Martin Bjorklund wrote:
> > Kent Watsen <kent+ietf@watsen.net>; wrote:
> > > 
> > > Correct, as I didn’t think there was consensus yet.  Perhaps there is
> > > rough-consensus, and it may be that the only way to gauge that is to
> > > try and see how much push back there is.
> > > 
> > > Okay, so how about this, based on this thread, there appears to be
> > > support to add a flag to control if a key should be “permanently
> > > hidden” or not, in which case configuration is created.
> > 
> > I (still) object to this.  Actions shouldn't create config.  We
> > already have generic protcol operations to do this.  We go from a
> > document-oriented configuration model towards a command-oriented
> > model.  Not good.  In RESTCONF, the generic methods support things
> > like ETags, which I suspect you don't want to replicate in this
> > action?   Will the action support all error-options of edit-config,
> > like rollback-on-error?
> >
> 
> Martin,
> 
> do you have any proposal how to support the requirement to generate a
> key on the device that is workable with a document-oriented
> configuration model? Do you propose that the action/rpc returns the
> public key information as result data that then needs to be written
> back to the server and somehow matched to the key that is cached on
> the device? Perhaps you have other ideas I can't think of?
> 
> I think I would be happy to not have this special hack but then we
> need a workable alternative. Key generation on devices is something
> that is being used - and may be even more used in the future the more
> we get special hardware support for storing keys.

So the current draft supports two use cases:

  1.  The client configures the private and public keys explicitly
      (simple case).  Both keys are availible in the config and
      operaional state.

  2.  The client asks the device to generate a "hidden" key which may
      be a key in special TPM hardware.

For 2, the client configures the name of the key (in <running>).  Then
the client invokes the action (in <operational>).  The device
generates a new key pair (perhaps in tpm-hw).  In <operational>, the
public key is now visible and the private key has the special enum
"permanently-hidden".

A device that doesn't have special hardware can still implement 2, but
store the keys in the filesystem.  Perhaps this info needs to be
visible for the client, or even controlled by the client.

What I object to is a third use case, where the action would modify
the config with the generated keys.


/martin