Re: [netconf] ssh/tls key generation support

Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> Tue, 22 March 2022 18:33 UTC

Date: Tue, 22 Mar 2022 19:33:07 +0100
From: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent@watsen.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/TGCx0vp5HM8LNk-y7578DJ37yQg>

On Tue, Mar 22, 2022 at 06:09:44PM +0000, Kent Watsen wrote:
 
> > - Generating server key pairs is just a step of a more complex
> >  process. In SSH, clients traditionally built trust into hostkeys
> >  using an ad-hoc process, in TLS this is traditionally done using
> >  certificates. Hence, at least for TLS, we get into the territory of
> >  generating certificates, either creating self-signed certs, hooking
> >  into an automated certification system like lets encrypt, or
> >  handling a full blown cert process (generating csrs etc).
> 
> The "crypto-types" draft already defines a "generate-certificate-signing-request":
> 
>  - overview: https://datatracker.ietf.org/doc/html/draft-ietf-netconf-crypto-types#section-2.1.4.
>  - example usage: https://datatracker.ietf.org/doc/html/draft-ietf-netconf-crypto-types#section-2.2.2
> 

Section 3.2 is insightful as well:

   Early revisions of this document included "rpc" statements for
   generating symmetric and asymmetric keys.  These statements were
   removed due to an inability to obtain consensus for how to identify
   the key-algorithm to use.  Thusly, the solution presented in this
   document only supports keys to be configured via an external client,
   which does not support Security best practice.

Apparently we can generate a csr but not the underlying key pair,
which indeed is half-done. Should key generation actually fall into
the crypto types module and not be TLS/SSH specific? And would that
mean that a client invokes a yet-to-define generate-key-pair rpc,
which is then followed by a generate-certificate-signing-request
action in case an explicitly signed certificate is needed? Given that
I look at these I-Ds every N months, it is somewhat of a challenge for
me to keep the context...
 
> > - The SSH and TLS documents started as WG documents in July 2016, we
> >  are getting close to 6 years in the WG and it is somewhat unclear
> >  what the uptake of these documents will be. If we get into
> >  certificate territory, I fear we add at least another year of delay.
> 
> The uptake/demand is notable.  In addition to the PCEP WG dependency, both the BBF and O-RAN are waiting for completion, and IEEE said that they're about to start looking into using.

Progress has been made in waves with a low frequency between the
waves. I do not mind giving this a final try, but then there ought to
be a hard deadline - either the details have been figured out by $date
or we move ahead without this feature addressed.

/js
 
-- 
Jürgen Schönwälder              Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
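The two-step flow sketched in the message (a device-side key-generation rpc followed by the crypto-types generate-certificate-signing-request action on that key) can be modelled in a few lines of Go. The example below is added here and is not code from the drafts or from any NETCONF implementation; the in-memory key store, the method names GenerateKeyPair and GenerateCSR, and the key name "hostkey" are assumptions standing in for the yet-to-be-defined rpc and for the server's keystore. The point it makes is the one the quoted Section 3.2 text alludes to: when the key pair is generated on the device, only the public key and the CSR ever cross to the client, so the private key never has to be transported by an external client at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// deviceKeyStore is a hypothetical stand-in for the server's keystore.
// Private keys live here and are never returned to the NETCONF client.
type deviceKeyStore struct {
	keys map[string]*ecdsa.PrivateKey
}

func newDeviceKeyStore() *deviceKeyStore {
	return &deviceKeyStore{keys: map[string]*ecdsa.PrivateKey{}}
}

// GenerateKeyPair models the yet-to-be-defined "generate-key-pair" rpc:
// the P-256 key pair is created on the device and stored under name;
// only the PEM-encoded public key is handed back to the caller.
func (ks *deviceKeyStore) GenerateKeyPair(name string) (string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	ks.keys[name] = priv
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// GenerateCSR models the crypto-types "generate-certificate-signing-request"
// action invoked on a previously generated key: the CSR is signed on the
// device, so the private key never leaves it. Unknown key names are refused.
func (ks *deviceKeyStore) GenerateCSR(name, commonName string) (string, error) {
	priv, ok := ks.keys[name]
	if !ok {
		return "", fmt.Errorf("no such asymmetric key: %q", name)
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, priv)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), nil
}

// VerifyCSR is the check a CA or operator performs on receipt: parse the PEM,
// verify the CSR's self-signature, and confirm that the public key inside the
// CSR is the one the device returned from the key-generation step. It returns
// the requested CommonName on success.
func VerifyCSR(csrPEM, pubPEM string) (string, error) {
	block, _ := pem.Decode([]byte(csrPEM))
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR signature invalid: %w", err)
	}
	pubBlock, _ := pem.Decode([]byte(pubPEM))
	if pubBlock == nil || pubBlock.Type != "PUBLIC KEY" {
		return "", fmt.Errorf("input is not a PEM public key")
	}
	pub, err := x509.ParsePKIXPublicKey(pubBlock.Bytes)
	if err != nil {
		return "", err
	}
	csrPub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok || !csrPub.Equal(pub) {
		return "", fmt.Errorf("CSR public key does not match the device-generated key")
	}
	return csr.Subject.CommonName, nil
}

func main() {
	ks := newDeviceKeyStore()
	pub, err := ks.GenerateKeyPair("hostkey") // step 1: key pair stays on the device
	if err != nil {
		panic(err)
	}
	csr, err := ks.GenerateCSR("hostkey", "router1.example") // step 2: CSR signed on the device
	if err != nil {
		panic(err)
	}
	cn, err := VerifyCSR(csr, pub)
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR verified for", cn)
}
```

VerifyCSR deliberately compares the CSR's key against the public key returned by the generation step rather than trusting the CSR alone: a CSR is self-signed by whatever key produced it, so the signature check only proves possession, and it is the comparison that ties the request to the key the device actually created.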