Re: [netconf] FIXMEs in ietf-crypto-types and client/server models

Balázs Kovács <> Wed, 06 November 2019 14:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 028E91208AE for <>; Wed, 6 Nov 2019 06:27:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rjeQKA1DVqlX for <>; Wed, 6 Nov 2019 06:27:19 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4BFCF1200F9 for <>; Wed, 6 Nov 2019 06:27:19 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=QUy4FsLT3VyxuXvmjBvEBUVmCunk7coMMBNZ3SoBeST7BtNrt2IycIbKa0Hrbpk7xBJIrI6Nq/jQ7X60O80Dfgqo4wQK18H/jHlJV7Yaf1T+ZM00c8ST4KPZf8Xi2DcWWvv8kJ8IIpUXVlc/1WrdYy5CXicqb69LzaVGBesRRFZdkkevDpfpE06I00MLX4C/Rq2E6WhgjuQps1qLGrl8g6Lq0xy7S7SnzxqMtuo3gvochkUeaSMVcda4J199Fl/KyXmVZW3jVWQvns2KaXSaa/77VqxGQDEUZgH3Mew9vnf3H4LabwiqcbPTPAYG8S2d2fe4kDKPOTT7kVmM8INkcg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ahXa1McKFQr6qS7sG0AYoDZWR68oYYdJD0n0q+SXnnM=; b=NDIoff/n8WnFGD9FXMGuLHoXsi86a9ot2YqscZKw3W08oQ7Owpab6HBVFJXM7Z7CczSIm4DyIWhPZFeYbZThFvhJox3OFUl9adW2Cixl+PF3rP6HFcHf1ggOqkdJdaOvNy9f4Rp821STHZ88Kn4urLmj3NeepGHjs2C1u3ICbxX2FoMCVWQ8Wz20VB5BsSLggNOqlU1Yz1Qhlr3Cxm8neEc2gv8xpp/0U1KjYiP+isDpPRw0/ysJtZXDvS+m/XM118IGnFF3tyFEIa4HKiE7JoAZEN8b7O264Qg/03YdAyL98W4o4pdqb+RtNQ2BYNgWIxzlnF6a9QDAvldX0JAxyg==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ahXa1McKFQr6qS7sG0AYoDZWR68oYYdJD0n0q+SXnnM=; b=Vmhzp2Rt+Rw3qerZPqqh/VkzVxvILj113zxikUhPLwkNY9EWLSjqqG1WfZmkzisvcjiNrpTnobA6GIVWN40gg1Atrscy/V7ukHvQXZb8IewdUVuHXldIU97HoX7C7dj8nwnRjMSZoY4KYAd5tR65T7N6zgZCxbtfbgOpEOiPYxw=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.13; Wed, 6 Nov 2019 14:27:16 +0000
Received: from ([fe80::f016:8dc4:2887:cacd]) by ([fe80::f016:8dc4:2887:cacd%3]) with mapi id 15.20.2430.013; Wed, 6 Nov 2019 14:27:10 +0000
From: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <>
To: Kent Watsen <>
CC: "" <>
Thread-Topic: FIXMEs in ietf-crypto-types and client/server models
Thread-Index: AdWT66zB5kr5iNWxQ6yg/MeI8i6GNgAaO58AABS9kxA=
Date: Wed, 6 Nov 2019 14:27:10 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e6cc8616-173e-49c5-f24c-08d762c568b5
x-ms-traffictypediagnostic: AM0PR07MB4673:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 02135EB356
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(346002)(396003)(376002)(136003)(366004)(189003)(199004)(52536014)(85202003)(606006)(6246003)(33656002)(81156014)(14454004)(66556008)(66476007)(74316002)(478600001)(6506007)(8936002)(446003)(476003)(11346002)(76116006)(81166006)(8676002)(561944003)(486006)(4326008)(66446008)(64756008)(790700001)(6116002)(2906002)(3846002)(14444005)(186003)(256004)(7736002)(102836004)(66946007)(26005)(66066001)(76176011)(7696005)(6436002)(316002)(55016002)(99286004)(71190400001)(5660300002)(85182001)(71200400001)(9326002)(229853002)(6306002)(236005)(86362001)(25786009)(54896002)(9686003)(170073001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4673;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 8fkplE8pFtwkiD+znVJiTuHPsGO6ujCIjkAdcmihWi95qcUAH26v0PrGwqD+h5kD97NPlUnh0jSE1R57VwtbXiWTepKn8kazffEULYhLfFbPwRF72CApUu2Gi5FeKWFeiUPWd589KFZd0rzEgZd0YvR6Lzdv1f3Z+wPB1YBRd3Rcb5k/64S8UxhWFKGb9w2FKNPh46y9plFoO6H84gelXFYuIBv5ddrUoD0/BaXBq3HSmGkDei+nnIrhCgH/6qlWvhjxknmDcJg4HoNlKEA7V+5OgrGldk0srmCLIVKf/WbbYN+Sdy2e27hjog32XbzPEu+rECJi3ydopiaZxkUowFhPOOk057ZnaNEUaNasiczbEi2C7qw+m9eA7CA08xs1Sxzu/UqNpBuaYlfYXO8JnshCjTBrTY65pqKTRBBN9xyg9KacNEnuo3tquJfR63dYklF1KDVmDlv6lnEWGiBYiPm8RiTSoV3G3GLs4oJzGqM=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR07MB5187296C56CCE38DADE9EA1483790AM0PR07MB5187eurp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e6cc8616-173e-49c5-f24c-08d762c568b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Nov 2019 14:27:10.0278 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0ujycrVWFpfMIdCKVaiawVhKsrjpznZP1u7ueV3W08gsI/9dymablCpyhd4z/vNttdU2kEKp4LHD7oSbdS76A4Soimjn6PEm6VxEEzm6uLo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4673
Archived-At: <>
Subject: Re: [netconf] FIXMEs in ietf-crypto-types and client/server models
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Nov 2019 14:27:23 -0000

Hi Kent,

1.       Key-format (symmetric-key, public-key, asymmetric-key-pair)
I assume the idea here is to make it possible to have choices for the ASN.1 types holding the keys. If this flexibility for formats is necessary I don’t have any objection to them but having a single agreed type for these different use cases would also suffice.

I believe here you're referring to the 3 instances of lines like:

      leaf key {
        type binary;
        //must "../key-format";  FIXME: remove comment if approach ok

FWIW, the whole "key-format" leaf is still being sussed out (your opinion would be helpful on that thread as well) but, so far it seems promising.  The reason these lines are commented out is because 1) the WG hasn't committed to this path yet and 2) I didn't want to update all the examples in all the drafts (other than truststore and keystore) to add a "key-format" leaf until the WG had more consensus on the "key-format" leafs.

I don't understand your last comment/sentence.  Can you provide an example?

Balazs> Ok, then let’s wait for WG decision. Well, I just say that the earlier ways of communicating the key formats were adequate from my point of view, which was that in documentation it was said that for RSA use RSAPrivateKey and for EC use ECPrivateKey, and similarly for other types. I’m also ok with the key-format approach if preferred by the WG.

In earlier versions:

             "The value of the binary key.  The key's value is
              interpreted by the 'algorithm'.  For example, a DSA key
              is an integer, an RSA key is represented as RSAPrivateKey
              as defined in RFC 8017<>17>, and an ECC key is represented as
              ECPrivateKey as defined in RFC 5915<>."

2.       attributes in asymmetric-key-pair-with-cert(s)-grouping
I think attributes should be kept optional. If there is anything else besides subject seen mandatory maybe it should be extracted out from attributes and be spelled out a separate leaf, but I don’t think there is.

I believe here you're referring to the 2 instances of lines like:

        leaf attributes {
          type binary; // FIXME: does this need to be mandatory?

These are in the "generate-certificate-signing-request" actions found inside the asymmetric-key-pair-with-cert(s)-grouping.

Hmmm, are you claiming that "attributes" are not required in order to generate a CSR?  I think the CSR itself MUST have attributes (right?) so, if not specified, what default values are used?

Balazs> In RFC2986<> the attributes are said to be optional. We just need the subject DN as mandatory, don’t we?

        1. A CertificationRequestInfo value containing a subject

           distinguished name, a subject public key, and optionally a

           set of attributes is constructed by an entity requesting


3.       PSK and raw public keys
The use case of PSK and raw public keys are not the most urgent in my opinion which now slows a bit the progress of these drafts, but let’s make an attempt to finalize them.

Agreed, but they are legal for TLS and a WG member stated that they were needed in order to support another IETF WG's efforts.  A quick resolution would be best!

raw-public-keys: I see these were added due to RFC 7250 and 8446. I guess in truststore this is a separate container to distinguish from SSH host keys. For configuring the private part I think keystore already gives support for this case with the asymmetric key (w/o cert) and in the client/server drafts Kent’s proposal could be used (I replaced raw public key with existing type, shouldn’t that be useable straight away?)

                    container <client-identity or server-identity> {
                      choice auth-type {
                         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                         uses ks:local-or-keystore-asymmetric-key-grouping;

I would also prefer if these choices are in features, so that an implementation can choose.

To your first sentence, yes, "psk" (and "raw-public-key") are top-level nodes in truststore, as can be seen here (   Note, the trust-anchors draft accidentally doesn't include the ietf-truststore.yang module.

The body of your comment above seems to be about supporting the secret-half of the PSK and RPK within the Keystore.  I've raise this question a couple times previously to Henk (who's asking for the PSK/RPK add), but he's not responded yet as to if doing so is important (though I can only imagine that it does).   With that said, I think your YANG snippet is meant to be in ietf-tls-server and ietf-tls-client modules (right?).  I'm having a hard time following the "I replaced raw public key with existing type, shouldn’t that be useable straight away?" comment.

Balazs: You had an example earlier in an email from 10/8/2019, which is about the TLS client/server models. Below, you are referring to some possibly new groupings that you wanted to propose. I don’t understand though why you mentioned these new groupings since ‘ks:local-or-keystore-asymmetric-key-grouping’ (RPK) and something new that just refers to a keystore symmetric key, such as ‘ks:local-or-keystore-symmetric-key-grouping’ (PSK) should be good. This latter I think would be a new grouping, but with existing terminology.

All, looking at ietf-tls-client.yang and ietf-tls-server.yang, adding the ability to configure the "private" half of a PSK or raw public key would be something like:

                    container <client-identity or server-identity> {
                      uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                    container <client-identity or server-identity> {
                      choice auth-type {
                         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                         uses ks:local-or-keystore-raw-public-key-grouping;
                         uses ks:local-or-keystore-pre-shared-key-grouping;

To your last sentence regarding features, could you provide an example of what you mean?

container <client-identity or server-identity> {
    choice auth-type {
        mandatory true;
        case certificate {
            if-feature x509-certificate-auth;
           uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
        case raw-public-key {
            if-feature raw-public-key-auth;
           uses ks:local-or-keystore-asymmetric-key-grouping;
        case psk {
            if-feature psk-auth;
           uses ks:local-or-keystore-symmetric-key-grouping;

I assume these features would then need to be defined in the TLS client/server draft.

PS: none of this goes to the FIXME in the ietf-crypto-types.  I had previously asked Henk to provide some text here as well but, apparently, like all of us at this time, he's been busy!

 psk: given that the asymmetric keys without certs were covered by host keys and raw public keys, I think psk should only be symmetric keys. Symmetric keys are then sensitive/secret data and as such I believe they should only be referenced from keystore. Seeing them in truststore was unexpected for me. When it comes to their use, clients and servers should be extended with following configuration (and I assume we talk of TLS clients and servers only):

                    container <client-identity or server-identity> {
                      choice auth-type {
                         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                         uses ks:local-or-keystore-asymmetric-key-grouping;
                       uses ks:local-or-keystore-symmetric-key-grouping;

Latter grouping would be a new one, but it would use existing constructs and terms from keystore. I don’t think we need new ones. Selected cipher suites will need to have PSK in them for using symmetric key (similar match needed for the others). Note that symmetric keys can be used for other cases than TLS PSK, for example SNMPv3 USM. Again, features would be necessary (those could be saying x.509 or raw-public-key or psk).

Correct, I said the same (that PSKs are essentially symmetric keys) before as well.  Regarding only being referenced to keystore, why not also support them being local-definitions too?  Certainly not a problem if encrypted and, even when not encrypted, then they can be "protected" by NACM-like mechanisms, right?

Balazs> Local definitions are ok too that’s why I used a hypothetical grouping name  ks:local-or-keystore-symmetric-key-grouping.

  Why was/is seeing them in truststore a surprise, perhaps because they're not encryptable there?

Balazs> When PSKs are used then both communicating ends use the shared key for signing and verifying messages. Then one configuration seems enough that is either local or from keystore, why would it be necessary to set it up yet another time for verification from local or truststore? This would mean there is no need for a PSK option when configuring how to  verify the peer.

container <client-authentication or server-authentication> {
    choice auth-type {
        mandatory true;
        case certificate {
            if-feature x509-certificate-auth;
            container ca-certs {

                uses ts:local-or-truststore-certs-grouping
            container server-certs {

                uses ts:local-or-truststore-certs-grouping
        case raw-public-key {
            if-feature raw-public-key-auth;
                uses ks: local-or-truststore-raw-pub-keys-grouping

No need for PSK config since it is already configured in client/server-identity.

Or what is the reasoning why it is necessary to configure a PSK from truststore?

 I agree that symmetric keys can be used beyond PSK (and encryption of the asymmetric keys, the original use case).  Regarding features, again, please provide a YANG-snippet so it is clear to me (and all) what you mean.