Re: [netconf] draft-ietf-netconf-trust-anchors-02 certificate expiration

Balázs Kovács <balazs.kovacs@ericsson.com> Thu, 21 February 2019 09:45 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] draft-ietf-netconf-trust-anchors-02 certificate expiration
Thread-Index: AdTFSgSIoMQFLNvKT3OBL+NQZebQrQCZ9MAAAIX/RyA=
Date: Thu, 21 Feb 2019 09:45:51 +0000
Message-ID: <VI1PR07MB47350F355024F04D3FC5A96F837E0@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <VI1PR07MB473594D316BB4C748E22980583600@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016901b72756-897fe418-e836-485c-9f50-7f22943626ea-000000@email.amazonses.com>
In-Reply-To: <0100016901b72756-897fe418-e836-485c-9f50-7f22943626ea-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Uz5dDPJ0J8maaMWyKDKI4tVuH1w>

Hi Kent,

I think the approach you describe is correct. I was assuming that both the owner of the pinned certificate and the device configured with the pinned certificate are in the same administrative domain. This obviously might not be true in some environments.

Thank you,
Balazs

From: Kent Watsen <kent@watsen.net>
Sent: Monday, February 18, 2019 6:46 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: [netconf] draft-ietf-netconf-trust-anchors-02 certificate expiration

Hi Balazs,

Yes, it is the responsibility of the certificate-issuer to issue an update, but it is also the responsibility of the server-admin to re-pin the updated-certificate.  This alerts the server-admin that a service may stop working and they should update the pinned-certificate before it expires.

To reproduce the equivalent of there being no notifications, the server-admin could choose to ignore expiration-notifications for all pinned-certificates. That said, it seems better to give the choice to the server-admin than for there to be no choice.

Thoughts?

Kent // contributor

On Feb 15, 2019, at 11:24 AM, Balázs Kovács <balazs.kovacs@ericsson.com> wrote:

Hi Kent,

When looking at the model in subject, I was wondering why certificate expiration notifications of pinned certificates are emitted? I would think that the node should not be concerned about sending notifications of certificates of other nodes, and also one wouldn’t like to receive a notification N-times for a single pinned certificate that is going to expire.

Could you please comment on this?

Thanks,
Balazs
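The behaviour the thread argues about, worked through as an added example written for this page; it is not code from the draft, from Ericsson, or from either correspondent. It models a truststore that reports pinned certificates approaching their notAfter date, reports each one only once per node, lets the server-admin re-pin the issuer's updated certificate, and carries a hypothetical per-truststore switch for the choice Kent describes (ignore expiration notifications for all pinned certificates). The certificate names, the 30-day warning window, the `Notification` fields and the `notify_on_expiration` switch are all assumptions made here; the real draft carries actual certificates and its own leaf names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 2, 21, tzinfo=timezone.utc)  # constructed reference "current time"
DAY = timedelta(days=1)


@dataclass
class PinnedCert:
    """A certificate pinned in the truststore. Only the fields this check
    needs are modelled; a real entry would carry the DER/PEM certificate."""
    name: str            # constructed label standing in for the list key
    not_after: datetime  # the certificate's notAfter validity bound


@dataclass(frozen=True)
class Notification:
    """Hypothetical counterpart of an expiration notification: which
    pinned certificate is affected and when it expires."""
    cert_name: str
    expiration_date: datetime


@dataclass
class Truststore:
    pinned: list
    # Hypothetical switch giving the server-admin the choice discussed in the
    # thread: ignore expiration notifications for all pinned certificates.
    notify_on_expiration: bool = True
    warn_before: timedelta = 30 * DAY        # assumed warning window
    _notified: set = field(default_factory=set)  # names already reported

    def expiration_notifications(self, now: datetime) -> list:
        """Return at most one Notification per pinned certificate whose
        notAfter falls within warn_before of `now` (already-expired
        certificates are included). Repeated polls do not re-notify, so a
        single node reports each expiring pin once; duplicates across N nodes
        that pin the same certificate cannot be removed locally."""
        if not self.notify_on_expiration:
            return []
        out = []
        for cert in self.pinned:
            if cert.name in self._notified:
                continue
            if cert.not_after - now <= self.warn_before:
                self._notified.add(cert.name)
                out.append(Notification(cert.name, cert.not_after))
        return out

    def repin(self, name: str, new_not_after: datetime) -> bool:
        """The server-admin's side of the workflow: replace the pinned
        certificate with the issuer's updated one. Clearing the notified
        marker lets the new validity period be reported when its time comes."""
        for cert in self.pinned:
            if cert.name == name:
                cert.not_after = new_not_after
                self._notified.discard(name)
                return True
        return False


def run_scenario() -> dict:
    """Walk through the thread's scenario on constructed data and return the
    certificate names reported at each step."""
    ts = Truststore(pinned=[PinnedCert("issuer-a-ca", NOW + 10 * DAY),
                            PinnedCert("issuer-b-ca", NOW + 400 * DAY)])
    first = [n.cert_name for n in ts.expiration_notifications(NOW)]
    repeat = [n.cert_name for n in ts.expiration_notifications(NOW + DAY)]
    ts.repin("issuer-a-ca", NOW + 365 * DAY)      # admin installs the renewed cert
    after_repin = [n.cert_name for n in ts.expiration_notifications(NOW + 2 * DAY)]
    next_cycle = [n.cert_name for n in ts.expiration_notifications(NOW + 340 * DAY)]
    quiet = Truststore(pinned=[PinnedCert("issuer-a-ca", NOW + 10 * DAY)],
                       notify_on_expiration=False)
    silenced = [n.cert_name for n in quiet.expiration_notifications(NOW)]
    return {"first": first, "repeat": repeat, "after_repin": after_repin,
            "next_cycle": next_cycle, "silenced": silenced}


if __name__ == "__main__":
    for step, names in run_scenario().items():
        print(f"{step}: {names}")
```

The once-per-node marker answers only half of the concern raised in the original question: a node stops repeating itself, but every node that pins the same certificate will still report it, which is exactly why the opt-out switch is modelled alongside the check rather than instead of it.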