Re: [netconf] built-in trust anchors

Kent Watsen <> Wed, 13 January 2021 16:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0DF693A11A7 for <>; Wed, 13 Jan 2021 08:30:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.915
X-Spam-Status: No, score=-1.915 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Sxwf3BkJhrUi for <>; Wed, 13 Jan 2021 08:30:39 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 24D2A3A11A3 for <>; Wed, 13 Jan 2021 08:30:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono;; t=1610555438; h=From:Content-Type:Mime-Version:Subject:Date:References:To:In-Reply-To:Message-Id:Feedback-ID; bh=VVkYqW66JICDMDJr8LpM47ojPRoHInJCZForOVc5G08=; b=Q3Rt901bchV5zlPLA0XTGHFsOOxK2aLL1YeBnU7xnB/mp0wGgiozTtIkUjg+cZVu KHLRFWMOMHMVh/I0RgFQ4mJHrK4HliS8HeH3/+HawOfkUn1Fo3WTHlQrTa+vciGOTtP 5ak//+wiV79bPQPI/qwPMDVaAbl48nn6PhsOmG2s=
From: Kent Watsen <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_96A736DE-CECF-491B-9A23-4A4DB7881931"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Wed, 13 Jan 2021 16:30:37 +0000
References: <> <> <> <> <>
To: "" <>
In-Reply-To: <>
Message-ID: <>
X-Mailer: Apple Mail (2.3608.
X-SES-Outgoing: 2021.01.13-
Archived-At: <>
Subject: Re: [netconf] built-in trust anchors
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Jan 2021 16:30:42 -0000

[Top-posting as this is a response to the entire thread, sans draft-ma-netconf-with-system, which I haven’t looked at yet].

Having "instance-required false” was an idea from before, but it didn’t make sense to disable validation for the 99% use-case to enable a 1% use-case.  There will only ever be a few built-in keys/certs (typically at most just one of each, to enable bootstrapping), whereas potentially many keys/certs will be configured over time (for normal ops).

Hiding all the descendent nodes except “name” for built-in keys/certs doesn’t work because the pubkey/cert is needed in order to encrypt data that only a device can decrypt, as needed to support RMA scenarios (see <> starting with the 4th paragraph).

The built-in keys/certs are envisioned to be forever; they never expire nor are affected by firmware updates.  For the example of a list of public CAs (trust anchors such as Verisign, RSA, etc.), these SHOULD be in <startup> and admins SHOULD be allowed (NACM permitting) to add/remove entries.

I agree that the “illusion” text Martin quoted is "weird special handling”, but this was the best that could be envisioned after several tries.  You might recall there were two or three other variations (inc. the "instance-required false” mentioned above) that we tried before landing on this approach.


> On Jan 13, 2021, at 10:09 AM, Juergen Schoenwaelder <> wrote:
> On Wed, Jan 13, 2021 at 12:26:55PM +0100, Martin Björklund wrote:
>> Juergen Schoenwaelder <> wrote:
>>> After sleeping over it, I think a device should ship with the keys
>>> listed in whatever is the equivalent of the factory default, i.e.,
>>> they are initially in <running>. Deleting them should be possible with
>>> the effect that no config can refer to these keys anymore (assuming
>>> strong references). Putting the keys back into running makes them
>>> available for config again.
>> This could work, but see below.
>>> I would be in favour to just have the names in runnning, not the
>>> key/cert details. This avoids issues with entries that do not match,
>>> and this then resembles hidden keys, for which details are also not
>>> known in <running>. In fact, <hidden> keys likely have the same
>>> property that they exist in the system (or a TPM), i.e., they are not
>>> config that can be arbitrary changed. I would assume that the same
>>> rules apply, if you delete a hidden key from <running>, it can't be
>>> referenced and used anymore. Perhaps the discussion in the I-D should
>>> be expanded to cover hidden keys as well.
>> I like the symmetry w/ hidden keys.  I assume that these entries would
>> be explicitly marked in the config as being "built-in" or "hidden".
>>> I also expect that these special keys may be part of the firmware,
>>> i.e., they may change with firmware updates. This can lead to stale
>>> special keys that do not exist anymore in the firmware and new keys
>>> that exist in the firmware but must be (manually) added to <running>
>>> in order to use them.
>> So then the question is what happens if a key is removed from the
>> firmware, but it exists (with just the name) in the config, and some
>> part of the config reference it?
>> I think that this leads to the same problem as a weak leafref would
>> do, so either solution would work.
> You will have a reference to a key that is not usable, which means you
> get runtime failures (as you would get with certs that have expired or
> other issues). Note that this is only becoming a problem if the
> firmware update renames keys/certs. If the update only ships a new
> keys/certs but keeps the names consistent, things will continue to
> work. I can't tell whether this brittleness is something to be
> concerned about or whether it falls into the usual 'things may go
> wrong after an update' bag of surprises.
> /js
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <>
> _______________________________________________
> netconf mailing list