IETF Logo Mail Archive

Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

Kent Watsen <kent+ietf@watsen.net> Thu, 01 February 2024 15:36 UTC

Return-Path: <0100018d655024ef-519c91c9-6fd1-4131-ab42-b81b34a01ee4-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68DFFC14F61E; Thu, 1 Feb 2024 07:36:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.884
X-Spam-Level:
X-Spam-Status: No, score=-0.884 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DOTGOV_IMAGE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SQviRqCpTlbt; Thu, 1 Feb 2024 07:36:09 -0800 (PST)
Received: from a8-96.smtp-out.amazonses.com (a8-96.smtp-out.amazonses.com [54.240.8.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C44F3C151090; Thu, 1 Feb 2024 07:36:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1706801767; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=aFxAS1QH0sWt5lD4Ebi1+1PypmLVT96omp4iAGF8pYw=; b=AH447Xk/4vE3d8r76ff4kg38I6Dm5HHE8Ve0TQXqDm3HGzdrWTIQSKa0qgCXVAUw ECxiD1dd59vqqn3DJ21k+DCqY9nRTuM9rpVE8l+04JVzCPtREd18zaRrjbNN54UcOn3 AqzRyUvB2hZh0JdviI5kmDPX8NlvBC4yy38VJklU=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d655024ef-519c91c9-6fd1-4131-ab42-b81b34a01ee4-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_360404E0-6D31-42AA-BECC-6E8DF2776503"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Thu, 01 Feb 2024 15:36:07 +0000
In-Reply-To: <CAN8C-_Jw+xSdRcH5O4SVzbEL3d8zObKG0ZLpXict4yyV9+gu4g@mail.gmail.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
To: Orie Steele <orie@transmute.industries>
References: <170656963762.34041.922180093314268674@ietfa.amsl.com> <0100018d607eee07-04a9a8b6-3256-42d4-95e7-e9636b953246-000000@email.amazonses.com> <CAN8C-_Jw+xSdRcH5O4SVzbEL3d8zObKG0ZLpXict4yyV9+gu4g@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.01-54.240.8.96
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/SszCgAKW9AsB_-DcTL_OuAhCEi8>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 15:36:13 -0000

Hi Orie,

Thanks for joining the conversation.

> On Jan 31, 2024, at 12:50 PM, Orie Steele <orie@transmute.industries> wrote:
> 
> It sounds like "hidden" is being used as a substitute for "non extractable" or "non exportable", through the use of software or hardware isolation. 

That characterization seems fair/accurate.


> I searched https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf briefly, and could not find a better term.

Thank you for searching, I didn’t think to because the word seemed like common English.


> Web crypto and Android use the term "extractable" 
> 
> - https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey/extractable
> - https://developer.android.com/privacy-and-security/keystore#SecurityFeatures
> 
> Apple uses the term "exportable"
> 
> - https://developer.apple.com/documentation/security/1643698-seckeycopyexternalrepresentation

Interesting, but we’d want the negated forms of these words, so maybe inextricable or unexportable?
Yet neither of these seem as short or straightforward as “hidden” - thoughts?


> OS

Kent


> 
> On Wed, Jan 31, 2024 at 11:09 AM Kent Watsen <kent@watsen.net <mailto:kent@watsen.net>> wrote:
>> Hi Roman,
>> 
>> Thank you for your valuable comments.
>> Please see below for responses.
>> 
>> Kent
>> 
>> 
>> > On Jan 29, 2024, at 6:07 PM, Roman Danyliw via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>> > 
>> > Roman Danyliw has entered the following ballot position for
>> > draft-ietf-netconf-crypto-types-29: Discuss
>> > 
>> > When responding, please keep the subject line intact and reply to all
>> > email addresses included in the To and CC lines. (Feel free to cut this
>> > introductory paragraph, however.)
>> > 
>> > 
>> > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
>> > for more information about how to handle DISCUSS and COMMENT positions.
>> > 
>> > 
>> > The document, along with other ballot positions, can be found here:
>> > https://datatracker.ietf.org/doc/draft-ietf-netconf-crypto-types/
>> > 
>> > 
>> > 
>> > ----------------------------------------------------------------------
>> > DISCUSS:
>> > ----------------------------------------------------------------------
>> > 
>> > ** hidden key
>> > 
>> > --  Section 2.1.4.3.  “The "hidden-key" node is of type "empty" as the real
>> > value          cannot be presented via the management interface. ” -- YANG. "A
>> > hidden key.  How such keys are created is outside                 the scope of
>> > this module.";
>> > 
>> > “hidden key” is underspecified.  The above are the two descriptions I found.
>> > Could a detailed explanation please be added – what is it?  When (how) would
>> > one use it?  What is the difference between hidden and access controlled?
>> > 
>> > I observe that draft-ietf-netconf-keystore suggests that it could be related to
>> > TPMs and Section 4 of that draft uses it in the context of administrators with
>> > different privileges.  However, this document is the base reference.
>> 
>> True, a "hidden key” is best implemented via a TPM, albeit neither this draft
>> nor the “keystore” insist on it.
>> 
>> To your DISCUSS, how about this updated description?
>> NEW:
>> 
>>              "A hidden key.  It is of type 'empty' as it's value is
>>               inaccessible via management interfaces.  Though
>>               hidden to users, such keys are not hidden to the server
>>               and may be referenced by configuration to indicate which
>>               key a server should use for a cryptographic operation.
>>               How such keys are created is outside the scope of this
>>               module.";
>> 
>> Thoughts?
>> 
>> 
>> 
>> 
>> 
>> > ----------------------------------------------------------------------
>> > COMMENT:
>> > ----------------------------------------------------------------------
>> > 
>> > Thank you to Valery Smyslov for the SECDIR review.
>> > 
>> > ** Section 2.1.4.8.  Editorial.
>> > 
>> >   *  The "cert-data" node contains a chain of one or more certificates
>> >      encoded using a "signed-data-cms" typedef discussed in
>> >      Section 2.1.3.
>> > 
>> > I observe that Section 2.1.3 says almost nothing about signed-data-cms
>> 
>> True and, more broadly, that section says very little about any of the typedefs.
>> This is true also for all nine drafts in the document series.  In general, I struggle
>> with trying to balance being DRY (don’t repeat yourself, or, in this case, don’t 
>> repeat what is in the YANG module) and providing nice introductions.
>> 
>> In general, I want to these documents to be as small as possible (they’re already
>> huge).  Truly, the entire “Data Model Overview” section could be skipped by
>> anyone reading the YANG module.
>> 
>> The “Data Model Overview” sections (in all the drafts) originally just had a single
>> YANG tree-diagram, but the WG wanted it to be broken up, with fluffy text, etc.
>> It’s a bit of a sore point for me.  ;)
>> 
>> In any case, that’s the background.  Since this is just a COMMENT, I think that
>> I’ve leave it at that for now, and wait to see if others want more text in the 2.1.3
>> sections.
>> 
>> 
>> > ** Section 2.1.4.12.  Editorial. The narrative text doesn’t explain what
>> > “certificates” are.
>> 
>> This section points to "end-entity-cert-grouping” saying:
>>         The "end-entity-cert-grouping" grouping is discussed in Section 2.1.4.9.
>> 
>> Section 2.1.4.9 says:
>>        The "cert-data" node contains a chain of one or more certificates
>>        encoded using a "signed-data-cms" typedef discussed in
>>        Section 2.1.3.
>> 
>> This is the text you quoted above - as the same text is in Section 2.1.4.9.  
>> That said, I do see an opportunity for improvement:
>> 
>> In 2.1.4.8.  (The "trust-anchor-cert-grouping” Groupin
>> NEW:
>>        The "cert-data" node contains a chain of one or more certificates
>>        containing at most one self-signed certificates (the “root” certificate),
>>        encoded using a "signed-data-cms" typedef discussed in Section 2.1.3.
>> 
>> In 2.1.4.9. (The "end-entity-cert-grouping” Grouping)
>> NEW:
>>        The "cert-data" node contains a chain of one or more certificates
>>        containing at most one certificate that is neither self-signed nor
>>        having Basic constraint "CA true”, encoded using a 
>>        "signed-data-cms" typedef discussed in Section 2.1.3.
>> 
>> 
>> Thoughts?
>> 
>> > ** Section 3.5.
>> >   When accessing key values, it is desireable that implementations
>> >   ensure that the strength of the keys being accessed is not greater
>> >   than the strength of the underlying secure transport connection over
>> >   which the keys are conveyed.  However, comparing key strengths can be
>> >   complicated and difficult to implement in practice.
>> > 
>> > I don’t understand the guidance in this section.  I would have benefited from
>> > clarity in the following areas.
>> > 
>> > -- Explain the impact of using keys whose strength exceeds the underlying
>> > transport connection (i.e., it doesn’t offer more security)
>> > 
>> > -- The verb “accessing” is confusing.  Let’s say that an implementation notices
>> > a discrepancy between key strength, what is it supposed to do?
>> > 
>> > -- The last sentence (“However, comparing ...) seems to acknowledge (correctly)
>> > that this advice might not be practical.  Is the WG sure the text is needed?
>> > 
>> > ** Section 3.5.
>> >   That said, expert Security opinion suggests that already it is
>> >   infeasible to break a 128-bit symmetric key using a classical
>> >   computer, and thus the concern for conveying higher-strength keys
>> >   begins to lose its allure.
>> > 
>> > Recommend removing this generic statement.  There would be a variety of reasons
>> > operators might choose to use symmetric keys in excess of 128-bits, policy
>> > being one of them.
>> 
>> I’m happy to remove Section 3.5 (Strength of Keys Conveyed) entirely.  
>> 
>> IDK if there is any value to keeping it.   I only added it because it is something
>> I remembered from a past life.  No one ever asked me to add this Section...
>> 
>> Is my understanding from your "Is the WG sure the text is needed?” above
>> that you lean towards removing Section 3.5?
>> 
>> 
>> 
>> > ** Section 3.6
>> >   Implementations SHOULD only use secure transport protocols meeting
>> >   local policy.  A reasonable policy may, e.g., state that only
>> >   ciphersuites listed as "recommended" by the IETF be used (e.g.,
>> >   [RFC7525] for TLS).
>> > 
>> > -- Would there be instances where implementation would use secure transport
>> > that _doesn’t_ meet local policy?
>> 
>> Shouldn’t be, but maybe a rouge new employee doesn’t know it ;)
>> 
>> Is your point that we should s/SHOULD/MUST/ here?
>> 
>> 
>> > -- RFC7525 has been obsoleted.  s/RFC7525/RFC9325/
>> Updated - thanks!
>> 
>> 
>> Kent
>> 
> 
> 
> -- 
> 
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>  <https://transmute.industries/>
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email