Re: [netconf] ietf crypto types - permanently hidden

Kent Watsen <kent+ietf@watsen.net> Tue, 30 April 2019 17:57 UTC

Return-Path: <0100016a6f64a438-50e97747-d12b-429b-8147-8bf6ed82bdac-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D485D120321 for <netconf@ietfa.amsl.com>; Tue, 30 Apr 2019 10:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBjPphLyh8i5 for <netconf@ietfa.amsl.com>; Tue, 30 Apr 2019 10:57:09 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D566120329 for <netconf@ietf.org>; Tue, 30 Apr 2019 10:57:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1556647028; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=UunYTGwdE5/EnSAavPxD5KhtrZ2yICbQl+elryl72eo=; b=YNZY5r5OCiCqPW+++4tdfmtJ03lYurvu4cCVjflcHtLgOr01z16cg8XSOFDVfKwl u28v1WM3VO/m+vB7TsU8WXoS6075U/7HarvgfY7IjbZUMv19Gsr69z3qlhaaXfxtuMs M0DNMCjWd51nQYpjXBRlYXy3VQumLSUHlUVA3y0E=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016a6f64a438-50e97747-d12b-429b-8147-8bf6ed82bdac-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3DC919B8-DF9E-4C7F-8E65-7FA49758BA63"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Tue, 30 Apr 2019 17:57:07 +0000
In-Reply-To: <20190430.144930.844252169549242587.mbj@tail-f.com>
Cc: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016a69e36565-37279712-e5de-4c48-9a8a-7397d54c11b3-000000@email.amazonses.com> <VI1PR07MB47353B20AF138B5B8B702285833A0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com> <20190430.144930.844252169549242587.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-SES-Outgoing: 2019.04.30-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/WxrmjmmW2RORq_uMG5-0a5uZRZ4>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 17:57:13 -0000


> I (still) object to this.  Actions shouldn't create config.  We
> already have generic protcol operations to do this.  We go from a
> document-oriented configuration model towards a command-oriented
> model.  Not good.  In RESTCONF, the generic methods support things
> like ETags, which I suspect you don't want to replicate in this
> action?   Will the action support all error-options of edit-config,
> like rollback-on-error?

The specifics for how this could work would need to be defined.  Given that it is a special case, I think that we could constrain it heavily and target simple solution.   Depending how much text is required to describe it, it might be good to define an extension statement that could be placed on the actions.  While an extension statement may seem like it opens the gates for general use, we could further define the extension statement as being something that MUST NOT be used when general purpose operations are suitable such that, at least with the IETF, it could only be used in extraordinary circumstances.


> Some comments on the new text:
> 
> In action generate-hidden-key, it should be stated that the public-key
> will be populated, and that the private-key will exist but report
> 'permanently-hidden'.

Okay, but before making the edit, see comment below about lifetimes...



> In action install-hidden-key, shouldn't both public-key and
> private-key be mandatory?  Also state that the private-key will report
> 'permanently-hidden'.

Indeed, fixed.


> In leaf private-key, the type binary part of the union doesn't have a
> description, and the description for the leaf itself says:
> 
>       A binary that contains the value of the private key.
> 
> which is not quite correct.
> 
> I think we should state that the enum 'permanently-hidden' is only
> reported in operational state.

The 'type' statement doesn't have 'description' as a substatement, 
but, point taken, two updates:

In leaf private-key:
  OLD:
      A binary that contains the value of the private key.
  NEW:
      Either a binary that contains the value of the private key or, in 
      the case of a hidden key, the value 'permanently-hidden'.

In enum permanently-hidden:
  OLD:
       The private key is inaccessible due to being protected by the
       system (e.g., a cryptographic hardware module).
  NEW:
       The private key is inaccessible due to being protected by the
       system (e.g., a cryptographic hardware module).  Since hidden
       keys are only ever reported in <operational>, the value
       'permanently-hidden' never appears in <intended>.


> The new descriptions say:
> 
>            [...] present only in
>            <operational> and bound to the lifetime of the parent
>            'config true' node.
> 
> Aren't all nodes bound to the lifetime of their parent?
> The action is invoked in a node that exists in <operational> and it
> creates a key.  What does the statement tell me?

This seems like something new (and maybe wrong) and hence needs to be explained.  This seems new because we are saying that the lifetime of an operational value is tied to the lifetime of a configured value.  Normally we talk about how operational values exist on their own and that, if one wants to override/extend them (e.g., associate a certificate to the private key created by the manufacturer), configuration would overlay the operational values.  By extension, if the configuration is removed, the operational values go back to their original state (i.e., existing on their own).   Here we're saying that, if the configuration (for the parent node) is removed, the operational values are removed as well.

Note that this statement was added because Juergen asked about how hidden keys could be removed/replaced.   We iterated towards not wanting to support the "replace" case, and this seemed like an easy way to handle the "remove" case.  Another way to do this would be via another action such as 'remove-hidden-key'.   What do you think would be best?


Kent // contributor