Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
Kent Watsen <kent+ietf@watsen.net> Wed, 31 January 2024 20:52 UTC
Return-Path: <0100018d614b05ef-bcac43ce-c7ad-44a6-9297-c9a7cd7dd861-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19141C14F61A; Wed, 31 Jan 2024 12:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.903
X-Spam-Level:
X-Spam-Status: No, score=-1.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3BoHVwd2p7X0; Wed, 31 Jan 2024 12:52:05 -0800 (PST)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C20BC14F618; Wed, 31 Jan 2024 12:52:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706734323; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=uDqhsnnHmpUSar6gsawoBv/jRxw9vYBaEWFqIS5bwN4=; b=jHlkvbuEFI3XQ6vJ3vz7RNjSFFqI1G/4TpVHXw/oCsix61G2JQEjK2FginZN4Ta/ Y31JOixlvQkZ7jZ21QmSdg8w5YPRhT2kK8B/MKjaaOf6G3bEKNHu+LW8Ngjvjkc6MSU nos4Ve+60M7HEuXMWwM4GGeeE/O54GzmVjzq9ufM=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d614b05ef-bcac43ce-c7ad-44a6-9297-c9a7cd7dd861-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D0411A77-573D-49D6-8801-63842BE13822"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Wed, 31 Jan 2024 20:52:03 +0000
In-Reply-To: <170663325496.44925.1682814616077470749@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-trust-anchors@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Roman Danyliw <rdd@cert.org>
References: <170663325496.44925.1682814616077470749@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.01.31-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/RVEagNLbSLmyTCFvcuDuZ47swOY>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2024 20:52:06 -0000
Hi Roman, Thank you for your valuable comments. Please find responses below. Kent > On Jan 30, 2024, at 11:47 AM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-netconf-trust-anchors-23: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** Section 5.1 > In order to satisfy the expectations of a "truststore", it is > RECOMMENDED that implementations ensure that the truststore contents > are protected from unauthorized modifications when at rest. > > Similar feedback to draft-ietf-netconf-keystore. If this recommendation is NOT > followed how would this expectation be satisfied? Shouldn't ensuring that the > truststore is protected be mandatory? Yes, one might think so. Unlike my response for Keystore, stating that the API is the Security-boundary doesn’t relieve the server from preventing unauthorized modifications when at rest. OLD: it is RECOMMENDED that implementations NEW: server implementations MUST > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Yoav Nir for the SECDIR review. > > ** Clarifying that certificates are actually certificate chains in the node > descriptions. YANG. typedef central-certificate-ref > > description > "This typedef defines a reference to a specific certificate > in a certificate bag in the central truststore. This typedef > requires that there exist a sibling 'leaf' node called > 'certificate-bag' that SHOULD have the typedef > 'central-certificate-bag-ref'."; It is true that each “certificate” YANG container has a descendant node “cert-data” that is a CMS, which means the “certificate” (singular) could actually be a chain certs (plural), which leads to some confusion. However, renaming the YANG node from “certificate” to, e.g., “certificate-chain” would be correct sometimes and incorrect other times. I don’t have a good answer for this. > YANG. list certificate > description > "An arbitrary name for this certificate."; OLD: "A trust anchor certificate."; NEW: "A trust anchor certificate or chain of certificates."; > > ** YANG. Typo. s/inlucging/including/ Fixed - thanks! > ** YANG. list certificate-bag > "A bag of certificates. Each bag of certificates SHOULD > be for a specific purpose. For instance, one bag could > be used to authenticate a specific set of servers, while > another could be used to authenticate a specific set of > clients."; > > Since normative language is used here, can additional guidance be provided on > qualifying “specific purpose”. For example, can one put different applications > for the same server in the same bag? Technically possible, yes. > What is the consequence of incorrectly binning the certificate chains? A misconfiguration, possibly leading to trusting something in an undesirable context. > More generally, I’m wondering about the > significance of where certificates are binned. Because of natural language > describing the purpose of these bags, I don’t see an obvious, interoperable, > general purpose way to automatically parse this structure to know which > certificate to use for a server beyond checking subjectAltNames in the > certificate against a domain name (which precludes the need to even organize > these certificates into bins beyond readability). Each bag has a “name” and “description” fields. From https://datatracker.ietf.org/doc/html/draft-ietf-netconf-trust-anchors-23#section-2.2.1: <certificate-bag> <name>trusted-server-ca-certs</name> <description> Trust anchors (i.e. CA certs) used to authenticate server certificates. A server certificate is authenticated if its end-entity certificate has a chain of trust to one of these certificates. </description> So it seems very easy for clients to know a bag’s purpose without having to look at, e.g., the SAN. Does this resolve your comment? > ** Section 3. > Built-in bags of trust anchors and/or specific trust anchors, that > are referenced by configuration (e.g., a "leafref"), MUST be present > in a datastore in order for the datastore to be valid. > > Built-in bags and/or their trust anchors MAY be copied into other > parts of the configuration but, by doing so, they lose their > association to the built-in entries and any assurances afforded by > knowing they are/were built-in. > > As with netconf-keystore, I’m having trouble with the guidance for built-in > keys, more specifically, the guidance around a data-store. > > -- If something is “built-in”, isn’t it by definition in some kind of datastore > already? Are there now multiple data stores? Built-in certs (and keys) are expected to be in the “system” datastore, where <system> is defined in https://datatracker.ietf.org/doc/html/draft-ietf-netmod-system-config. There are multiple datastores (https://datatracker.ietf.org/doc/html/rfc8342). Importantly, the “configuration” datastores include <startup>, <running>, and <candidate>. > -- What does “copying” into a different part of the configuration mean? Aren’t > we talking about an XML file? Does this imply keys are moved from one > data-store (the built-in?) to another one (e.g., a OS or application specific > one)? The NETMOD WG had a Virtual Interim last week. Point #2 in the minutes [1] regards if these datastores MUST be complete, or is it okay for some referenced system-defined objects (including built-in certs and keys) to be not copied into, e.g., the <running> datastore. [1] https://datatracker.ietf.org/doc/minutes-interim-2024-netmod-01-202401231400/ That said, Rob Wilton, in his Ops AD review, was very keen that this draft not reproduce any text better found in the "system-config” draft mentioned above (to be a DRY as possible). Looking at the paragraphs you quoted, I concede that I didn’t remove enough. I have now removed both of those paragraphs, plus the next paragraph, and the artwork that follows. Stated another way, I removed everything to end of the section. > ** Section 4.3 > None of the readable data nodes defined in this YANG module are > considered sensitive or vulnerable in network environments. The NACM > "default-deny-all" extension has not been set for any data nodes > defined in this module. > > Doesn’t read-access to this module provide insight into which other > resources/applications/servers this particular server communicates with by > virtue of having their end-entity certificates or SSH keys? Wouldn’t this > provide an attacker insight into potential targeting? or business > relationships? Good point. Hmmm, but can you clarify, is the concern limited to just the “cert-data” node (i.e., the CMS), or does it include also, e.g., the bag’s “name” and “description” nodes too? Thanks again! Kent
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Roman Danyliw
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen