Re: [netconf] crypto-types fallback strategy

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 19 September 2019 10:45 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "Salz, Rich" <rsalz@akamai.com>, "netconf@ietf.org" <netconf@ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Date: Thu, 19 Sep 2019 10:45:46 +0000
Message-ID: <MN2PR11MB43660652914A50BE1E7978F4B5890@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d3afa694e-ce58ee3a-792f-4c0e-89bb-83d0128a5194-000000@email.amazonses.com> <MN2PR11MB4366F63419F6BD4EF106766FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <8053FDA0-77EA-488F-B5A7-F203359105E0@akamai.com> <MN2PR11MB43669B3A47A39FD93B47292FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <6924CAD5-F740-4512-8689-E0307AF0BD88@akamai.com> <MN2PR11MB4366B5C09B4348FDAE33E2BCB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <99BFF357-6A2A-49E0-BB38-37C25DB04213@akamai.com> <MN2PR11MB4366F20EE2FD6DF04B965125B58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <EBE4757D-E99E-41EB-A52B-A25F023BF4BC@akamai.com> <MN2PR11MB4366E4ECE10DFB018941BA5FB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d44bda220-51590a9a-0a15-4b63-a49d-47efe712e82e-000000@email.amazonses.com> <MN2PR11MB436617082A8308A7A8928DDFB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d4553e645-9c5796b8-15da-4a51-b820-5ecef6575eff-000000@email.amazonses.com>
In-Reply-To: <0100016d4553e645-9c5796b8-15da-4a51-b820-5ecef6575eff-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Setjd4jUZdoY9ZgJ5N0mW9mtl8A>
Subject: Re: [netconf] crypto-types fallback strategy
List-Id: NETCONF WG list <netconf.ietf.org>


From: Kent Watsen <kent+ietf@watsen.net>
Sent: 18 September 2019 18:03
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: Salz, Rich <rsalz@akamai.com>; netconf@ietf.org; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Subject: Re: [netconf] crypto-types fallback strategy

[moving Russ and Sean to BCC, per Rich's action]



Minor: Does the “string” in the description above mean “ASCII string” or “binary string”, RFC 4251 seemingly uses both definitions?

I don't know, but this is the language found for the "key-data" leaf in RFC 7317 (i.e., we've been living with this definition for a while).



Is putting the encrypted keys into DER-encoded OneSymmetricKey obviously the right thing to do?  Are there other choices?


Yes, if there was one thing that came out of my discussion with Russ and Sean, it is that OneSymmetricKey and OneAsymmetricKey SHOULD be used for encrypting key data. Anything else would be a BIG effort.
[RW]
OK.

The real question is whether we should also use the One*Key structures for unencrypted keys, which could help in some ways, but I think that it's better to use the values provided by the OpenSSL command line. This approach pushes the complexity of using the One*Key structures to just the "advanced" case of when encryption is needed and, besides, it would primarily be for the NC/RC server to generate/parse; clients would rarely encrypt a key themselves. The only case I can think of when they might would be the RMA workflow we discussed a few weeks back.

[RW]
I would suggest only using the One*Key structures for the encrypted key data.

Thanks,
Rob


Kent
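Editor's note, with an added example that is not from this thread, the crypto-types draft, or OpenSSL. One detail worth having in hand when weighing the two options above: the unencrypted "-----BEGIN PRIVATE KEY-----" output of "openssl genpkey" is PKCS#8 PrivateKeyInfo, which RFC 5958 folds into OneAsymmetricKey as version 0, while the "-----BEGIN ENCRYPTED PRIVATE KEY-----" output is RFC 5958's EncryptedPrivateKeyInfo. So a server that accepts OpenSSL output for plain keys and a One*Key structure for encrypted ones is in practice accepting two DER shapes that differ in their first element, and it should check which one it was handed rather than trust the PEM label or the YANG leaf it arrived in. The standard-library Python below does exactly that check with a small hand-rolled DER walker. It covers only the fields shown, does not touch OneSymmetricKey (RFC 6031), and the encrypted sample it builds is a constructed shape whose PBES2 AlgorithmIdentifier omits the KDF and cipher parameters a real one carries; the Ed25519 key is the published test vector from RFC 8410, Section 10.3, not a secret.

```python
"""Tell OneAsymmetricKey (plain) apart from EncryptedPrivateKeyInfo (encrypted).

  OneAsymmetricKey ::= SEQUENCE {               -- RFC 5958; version 0 is the
      version INTEGER,                          --   PKCS#8 PrivateKeyInfo that
      privateKeyAlgorithm AlgorithmIdentifier,  --   "openssl genpkey" emits as
      privateKey OCTET STRING, ... }            --   "BEGIN PRIVATE KEY"

  EncryptedPrivateKeyInfo ::= SEQUENCE {        -- RFC 5958 section 3, emitted
      encryptionAlgorithm AlgorithmIdentifier,  --   as "BEGIN ENCRYPTED PRIVATE KEY"
      encryptedData OCTET STRING }

The discriminator is the tag of the first element: INTEGER for a plain key,
SEQUENCE for an encrypted one.  Added example; assumptions are marked inline.
"""
import base64

TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
ED25519_OID = b"\x2b\x65\x70"                         # 1.3.101.112 (RFC 8410)
PBES2_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d"   # 1.2.840.113549.1.5.13 (RFC 8018)

# Ed25519 private key from RFC 8410, section 10.3 (published test vector, not a secret).
RFC8410_ED25519_PEM = """-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
-----END PRIVATE KEY-----"""


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite lengths only."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:end], end


def _children(seq_body):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, value, pos = read_tlv(seq_body, pos)
        yield tag, value


def _decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)      # first two arcs share one subidentifier
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def _algorithm_oid(alg_identifier_body):
    tag, value = next(_children(alg_identifier_body))
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(value)


def classify_private_key_der(der):
    """Describe a DER blob as a OneAsymmetricKey or an EncryptedPrivateKeyInfo."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("expected exactly one top-level SEQUENCE")
    items = list(_children(body))
    if len(items) >= 3 and items[0][0] == TAG_INTEGER:        # version first
        if items[1][0] != TAG_SEQUENCE or items[2][0] != TAG_OCTET_STRING:
            raise ValueError("malformed OneAsymmetricKey")
        return {"kind": "OneAsymmetricKey",
                "version": int.from_bytes(items[0][1], "big"),
                "algorithm": _algorithm_oid(items[1][1]),
                "private_key": items[2][1]}
    if len(items) >= 2 and items[0][0] == TAG_SEQUENCE:       # AlgorithmIdentifier first
        if items[1][0] != TAG_OCTET_STRING:
            raise ValueError("malformed EncryptedPrivateKeyInfo")
        return {"kind": "EncryptedPrivateKeyInfo",
                "algorithm": _algorithm_oid(items[0][1]),
                "encrypted_data": items[1][1]}
    raise ValueError("neither OneAsymmetricKey nor EncryptedPrivateKeyInfo")


def classify_private_key_pem(pem):
    """Decode a PEM block and record whether its label agrees with the DER inside."""
    lines = pem.strip().splitlines()
    label = lines[0].strip("-").strip()
    label = label[len("BEGIN "):] if label.startswith("BEGIN ") else label
    info = classify_private_key_der(base64.b64decode("".join(lines[1:-1])))
    expected = "ENCRYPTED PRIVATE KEY" if info["kind"] == "EncryptedPrivateKeyInfo" else "PRIVATE KEY"
    info["label_matches_content"] = (label == expected)
    return info


def der_tlv(tag, value):
    """DER-encode one TLV with a short or long definite length."""
    n = len(value)
    if n < 0x80:
        header = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + header + value


def build_one_asymmetric_key(alg_oid_der, private_key, version=0):
    """Constructed plain-key sample in the OneAsymmetricKey shape (no attributes/publicKey)."""
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, alg_oid_der))
    return der_tlv(TAG_SEQUENCE, der_tlv(TAG_INTEGER, bytes([version])) + alg
                   + der_tlv(TAG_OCTET_STRING, private_key))


def build_encrypted_private_key_info(alg_oid_der, encrypted_data):
    """Constructed encrypted-key sample; a real PBES2 AlgorithmIdentifier also carries parameters."""
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, alg_oid_der))
    return der_tlv(TAG_SEQUENCE, alg + der_tlv(TAG_OCTET_STRING, encrypted_data))


if __name__ == "__main__":
    print(classify_private_key_pem(RFC8410_ED25519_PEM))
    plain = build_one_asymmetric_key(ED25519_OID, der_tlv(TAG_OCTET_STRING, bytes(32)))
    enc = build_encrypted_private_key_info(PBES2_OID, b"\xaa" * 200)   # placeholder ciphertext
    for blob in (plain, enc):
        print(classify_private_key_der(blob)["kind"])
```

The RFC 8410 vector parses as version 0 with algorithm 1.3.101.112 and a privateKey OCTET STRING that itself wraps the 32-byte CurvePrivateKey, which is the same bytes OpenSSL would write for an unencrypted Ed25519 key. The label check matters in the other direction too: a blob that arrives under an "encrypted" leaf but starts with an INTEGER is a plaintext key, and a server that only looks at the leaf name would store it as if it were protected.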