Re: [netconf] built-in trust anchors
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 13 January 2021 15:09 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF1813A10FF for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 07:09:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ai9DAs0WK0pQ for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 07:09:39 -0800 (PST)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 166943A10FA for <netconf@ietf.org>; Wed, 13 Jan 2021 07:09:38 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 725EE670; Wed, 13 Jan 2021 16:09:37 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.198]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id M3Ne2z3I0g30; Wed, 13 Jan 2021 16:09:37 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "DFN-Verein Global Issuing CA" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Wed, 13 Jan 2021 16:09:37 +0100 (CET)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by hermes.jacobs-university.de (Postfix) with ESMTP id 204C320156; Wed, 13 Jan 2021 16:09:37 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10028) with ESMTP id g48p5UXh5SSR; Wed, 13 Jan 2021 16:09:36 +0100 (CET)
Received: from localhost (anna.jacobs.jacobs-university.de [10.50.218.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by hermes.jacobs-university.de (Postfix) with ESMTPS id 7C10F20154; Wed, 13 Jan 2021 16:09:34 +0100 (CET)
Date: Wed, 13 Jan 2021 16:09:34 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Martin Björklund <mbj+ietf@4668.se>
Cc: jason.sterne@nokia.com, netconf@ietf.org
Message-ID: <20210113150934.pg7ptdm5ljfuuhpp@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Martin Björklund <mbj+ietf@4668.se>, jason.sterne@nokia.com, netconf@ietf.org
References: <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de> <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de> <20210113.122655.1074482340604641202.id@4668.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <20210113.122655.1074482340604641202.id@4668.se>
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/TOxBg4zBwYfOO2FQi9yWv6yRDjE>
Subject: Re: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 15:09:42 -0000
On Wed, Jan 13, 2021 at 12:26:55PM +0100, Martin Björklund wrote: > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote: > > After sleeping over it, I think a device should ship with the keys > > listed in whatever is the equivalent of the factory default, i.e., > > they are initially in <running>. Deleting them should be possible with > > the effect that no config can refer to these keys anymore (assuming > > strong references). Putting the keys back into running makes them > > available for config again. > > This could work, but see below. > > > I would be in favour to just have the names in runnning, not the > > key/cert details. This avoids issues with entries that do not match, > > and this then resembles hidden keys, for which details are also not > > known in <running>. In fact, <hidden> keys likely have the same > > property that they exist in the system (or a TPM), i.e., they are not > > config that can be arbitrary changed. I would assume that the same > > rules apply, if you delete a hidden key from <running>, it can't be > > referenced and used anymore. Perhaps the discussion in the I-D should > > be expanded to cover hidden keys as well. > > I like the symmetry w/ hidden keys. I assume that these entries would > be explicitly marked in the config as being "built-in" or "hidden". > > > I also expect that these special keys may be part of the firmware, > > i.e., they may change with firmware updates. This can lead to stale > > special keys that do not exist anymore in the firmware and new keys > > that exist in the firmware but must be (manually) added to <running> > > in order to use them. > > So then the question is what happens if a key is removed from the > firmware, but it exists (with just the name) in the config, and some > part of the config reference it? > > I think that this leads to the same problem as a weak leafref would > do, so either solution would work. > You will have a reference to a key that is not usable, which means you get runtime failures (as you would get with certs that have expired or other issues). Note that this is only becoming a problem if the firmware update renames keys/certs. If the update only ships a new keys/certs but keeps the names consistent, things will continue to work. I can't tell whether this brittleness is something to be concerned about or whether it falls into the usual 'things may go wrong after an update' bag of surprises. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <https://www.jacobs-university.de/>
- [netconf] built-in trust anchors Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netconf] built-in trust anchors Juergen Schoenwaelder
- Re: [netconf] built-in trust anchors Sterne, Jason (Nokia - CA/Ottawa)
- Re: [netconf] built-in trust anchors Qin Wu
- Re: [netconf] built-in trust anchors Martin Björklund
- Re: [netconf] built-in trust anchors Juergen Schoenwaelder
- Re: [netconf] built-in trust anchors Martin Björklund
- [netconf] 答复: built-in trust anchors maqiufang (A)
- [netconf] 答复: built-in trust anchors maqiufang (A)
- Re: [netconf] built-in trust anchors Juergen Schoenwaelder
- Re: [netconf] built-in trust anchors Kent Watsen
- Re: [netconf] built-in trust anchors Martin Björklund
- Re: [netconf] built-in trust anchors tom petch
- Re: [netconf] built-in trust anchors Kent Watsen
- Re: [netconf] built-in trust anchors Martin Björklund
- Re: [netconf] built-in trust anchors Kent Watsen
- Re: [netconf] built-in trust anchors Kent Watsen
- Re: [netconf] built-in trust anchors Martin Björklund
- Re: [netconf] built-in trust anchors Kent Watsen
- Re: [netconf] built-in trust anchors maqiufang (A)