Re: [Netconf] Adoption poll for crypto-types and trust-anchors

Kent Watsen <kwatsen@juniper.net> Thu, 10 May 2018 22:31 UTC

Kent writes, in response to Balazs:
You're right about that: if added later, it may not be widely implemented.  Back to the technical discussion, some important points have been raised.  Perhaps it is better after all to keep ietf-keystore, the -03 version, before the private key was converted to being a grouping.  Right now, the adoption poll is showing weak support, and this seems to be the core issue.  Hearing from others on this point would be very helpful!

<Eric> I do like providing groupings which allow key-pairs to be defined and used in various models.

<Kent> It's possible to both have groupings (for those that want them) and to use those groupings in a keystore data model.  The only question then would be if the ietf-[ssh/tls]-[client/server] modules use one, or the other, or both?  [I think the idea of bringing back the keystore module would be then to just use it in our modules]

<Eric> One question on this, leaf public-key in draft-kwatsen-netconf-crypto-types-00 has a must constraint for a private key, which is fine for the purpose of this grouping.  But do you see a case where other YANG modules might want to pick up using the schema definition of public key and the various key algorithm identities defined?  Maybe for someone who just wants to store decryption keys?  If yes, perhaps an extra grouping definition?

<Kent> Potentially.  If I understand you correctly, the public-key-only grouping wouldn't be used in any current modules (e.g., in the keystore module), but merely be available for anyone who might want just a public-key in the future?

Kent // contributor
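As an added illustration of the "extra grouping" idea discussed above (this is not from the thread or from draft-kwatsen-netconf-crypto-types; the module, namespace, identity and node names are hypothetical), a YANG module in which the public key and its algorithm live in a grouping of their own, the key-pair grouping reuses that grouping and adds the private-key must constraint, and a separate container stores public keys alone:

```yang
module example-key-groupings {
  yang-version 1.1;
  namespace "urn:example:key-groupings";  // hypothetical namespace
  prefix ekg;

  identity key-algorithm { description "Base identity for key algorithms (hypothetical)."; }

  // Public key and its algorithm, reusable on its own (no private key).
  grouping public-key-grouping {
    leaf algorithm {
      type identityref { base key-algorithm; }
      mandatory true;
    }
    leaf public-key {
      type binary;
      mandatory true;
    }
  }

  // Key pair: reuses the public-key grouping and adds the private-key
  // requirement via refine, so the constraint applies only to key pairs.
  grouping asymmetric-key-pair-grouping {
    uses public-key-grouping {
      refine public-key {
        must "../private-key" {
          error-message "A key pair's public-key requires a private-key.";
        }
      }
    }
    leaf private-key {
      type binary;  // a real module would protect this value
    }
  }

  container keystore {
    list asymmetric-key {
      key name;
      leaf name { type string; }
      uses asymmetric-key-pair-grouping;
    }
  }

  container trusted-public-keys {
    list trusted-key {
      key name;
      leaf name { type string; }
      uses public-key-grouping;
    }
  }
}
```

A module that only needs public keys (the trusted-public-keys case) picks up public-key-grouping without inheriting the private-key constraint, while keystore entries still fail validation if the private key is absent.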