Re: [netconf] ssh/tls key generation support
tom petch <ietfc@btconnect.com> Wed, 23 March 2022 16:52 UTC
From: tom petch <ietfc@btconnect.com>
To: Dhruv Dhody <dhruv.ietf@gmail.com>, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 23 Mar 2022 16:52:40 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/WeVkXbLzaGp9dk4XQ65TblKPPdU>
From: netconf <netconf-bounces@ietf.org> on behalf of Dhruv Dhody <dhruv.ietf@gmail.com>
Sent: 22 March 2022 07:30

Hi WG,

I agree! And as an author of the PCEP YANG model, which is dependent on draft-ietf-netconf-tls-client-server <https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/>, we would really like to see it published SOON!

Dhruv

You could oppose the adoption of the NETCONF I-Ds that are currently up for adoption on the grounds that the WG has a backlog that is too big and has been there for too many years, and should not be taking on more work until some of that backlog has passed IESG Review! I have known ADs do just that in the past. You also might find some allies in the Babel WG.

Tom Petch

Thanks!
Dhruv

On Tue, Mar 22, 2022 at 12:26 PM Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:

Hi,

Kent asked for feedback concerning key generation support. My view is the following:

- As long as you can trust your device to generate good keys, it is a good idea to generate keys on the device so that keys are never sent around and they may be kept in protected storage.

- As stated by others during the WG meeting, the proposal in draft-ietf-netconf-ssh-client-server-27.txt should be more explicit that it is about generating key pairs and in particular hostkey pairs.

- Generating server key pairs is just a step of a more complex process. In SSH, clients traditionally built trust into hostkeys using an ad-hoc process; in TLS this is traditionally done using certificates. Hence, at least for TLS, we get into the territory of generating certificates, either creating self-signed certs, hooking into an automated certification system like Let's Encrypt, or handling a full-blown cert process (generating CSRs etc.).

- If we got the YANG modules right, then it should be possible to add support for server key generation without changes to the existing definitions (i.e., we can do this later if we decide to do so; there is no reason why this needs to be done now).

- The SSH and TLS documents started as WG documents in July 2016; we are getting close to 6 years in the WG and it is somewhat unclear what the uptake of these documents will be. If we get into certificate territory, I fear we add at least another year of delay.

My take is that we should leave key generation for future work and instead try to deliver what we have.

Note that the documents are highly interrelated and they have overall grown to a significant size (even if we leave out the IANA algorithm registry modules, this is substantial).

| Pages | Lines | Draft                                            |
|-------+-------+--------------------------------------------------|
|    63 |  3528 | draft-ietf-netconf-crypto-types-22.txt           |
|    51 |  2856 | draft-ietf-netconf-keystore-24.txt               |
|    31 |  1736 | draft-ietf-netconf-http-client-server-09.txt     |
|    60 |  3360 | draft-ietf-netconf-netconf-client-server-25.txt  |
|    56 |  3136 | draft-ietf-netconf-restconf-client-server-25.txt |
|   137 |  7672 | draft-ietf-netconf-ssh-client-server-27.txt      |
|    34 |  1904 | draft-ietf-netconf-tcp-client-server-12.txt      |
|   146 |  8176 | draft-ietf-netconf-tls-client-server-27.txt      |
|    39 |  2184 | draft-ietf-netconf-trust-anchors-17.txt          |

/js

--
Jürgen Schönwälder
Jacobs University Bremen gGmbH
Phone: +49 421 200 3587
Campus Ring 1 | 28759 Bremen | Germany
Fax: +49 421 200 3103
<https://www.jacobs-university.de/>

_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf