Re: [netconf] crypto-types and keystore comments
Kent Watsen <kent+ietf@watsen.net> Thu, 14 November 2019 12:35 UTC
Return-Path: <0100016e69e99e3c-893fbfb4-3dc8-4725-b7ef-87bbf491dc2c-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 273031201DE for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 04:35:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fis3P2IdXt1 for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 04:35:50 -0800 (PST)
Received: from a8-64.smtp-out.amazonses.com (a8-64.smtp-out.amazonses.com [54.240.8.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D83C1201A3 for <netconf@ietf.org>; Thu, 14 Nov 2019 04:35:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1573734948; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=C+/ECxGRnCfNknZE1/sTkJQgv5stFR+lalAa9W3NRNw=; b=dlAofpaZqXk7K4j7dJgEDk0KhUJogL8P92O2k6J2hhBFAasw8QT/qU6VSYg7d9dm 2dxsAEQPoFdP14mavj8wmiTPpgQCCKP2uLAFhBpYrYJNrsje2YNbhVKrjyUtSikpoog f0v6KZEjE9K3B77sLjeOswGVPJbaKF4SUA3l0iFA=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016e69e99e3c-893fbfb4-3dc8-4725-b7ef-87bbf491dc2c-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_74709B82-5445-490A-8130-78E46E595098"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 14 Nov 2019 12:35:48 +0000
In-Reply-To: <20191114.100558.1371995383202419404.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <20191113.135649.2218807015240802033.mbj@tail-f.com> <0100016e66c9b02d-382d9d6e-6d88-47ec-a117-5f38a3699fb1-000000@email.amazonses.com> <20191114.100558.1371995383202419404.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.11.14-54.240.8.64
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Xl9oOwTh4eHEW9IAzrZE7VylEFk>
Subject: Re: [netconf] crypto-types and keystore comments
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 12:35:53 -0000
Hi Martin, > Suppose I want to configure a ssh host-key as the server-identity for > my NETCONF server. Is the intention that a client can pick either > "ssh-public-key-format" or "subject-public-key-info-format", and the > server must support both? It's assumed that the client would set the public key using "ssh-public-key-format" (per RFC 4716, as that is the only standards-based public key format that `openssh` is able to export). While it's possible to convert the public key to a SubjectPublicKeyInfo structure, doing so is unlikely. In either case, the same data is conveyed. The issue presents itself when configuring the "server-identity" in ietf-ssh-server, whether a local definition or a reference to a key in the keystore. A "must" expression could be used to constrain the supported key-formats allowed. Our modules could hardcode this for all implementations or, if wanting to provide flexibility, we could let implementations augment-in their own 'must' expression. >> Yes, well, this is a known problem (e.g., >> https://github.com/netmod-wg/yang-next/issues/82 >> <https://github.com/netmod-wg/yang-next/issues/82>). > > That is quite different. How so? Features are effectively opstate lists too and, in both cases, YANG fails to support granular discrimination. > You're using a normal config false list for this (which is fine), but > I don't think you can use a single global list like this. I don't understand this statement. >> I will say that the definition above was given because it is the only >> *standards* based key that `openssh` can output (i.e., `ssh-keygen -e >> [-m RFC4716] -f <private-key-file>`). > > With my proposal you can take the output of this openssh command and > copy & paste the base64-encoded data from this output to a YANG node > using ssh-public-key-format. > > With your proposal you have to copy the entire output, base64 encode > it *again*, and then copy & paste that result to the YANG node. Not true or, rather, the intention is to support native encoding formats, including DER vs PEM, and CMS vs multi-part PEM. That a text-based format is base64 encoded is not an issue and, IMO, a feature as it escaping concerns when the content is placed in an XML or JSON document. >> That said, if you refer to the link I provided at top, it is my belief >> that the "key-format" node may be extended to support alternate >> encodings (e.g., DER vs PEM and, potentially, CMS vs multi-part PEM). >> To this end, perhaps we could support both the 4716 and 4253 formats. > > Do we really want to go there? This is already quite complex, and > having a multitude of optional formats for the same thing may make > things even more complex, to understand and get right. Binary formats (e.g., DER) are fundamental, but some raised usability concerns, hence the exploration. As for complexity, how do we know until we try? >>> o subject-public-key-info-format >>> >>> The crypto model has: >>> >>> identity subject-public-key-info-format { >>> base "public-key-format"; >>> description >>> "A SubjectPublicKeyInfo (from RFC 5280)."; >>> } >>> >>> Should this be "DER encoded"? >>> >>> (this and other defintions have references to RFCs in the >>> description; they should be moved to proper "reference" statements) >> >> Yes. I put together these definitions in as a test/protocol to gauge >> viability with the plan to enhance the definitions if the WG committed >> to the approach. I just added some "FIXME" comments to my local copy. > > Ok. It helps immensely when folks can provide spec-text, either on list or as a pull request. Kent // contributor
- [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Kent Watsen
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund
- Re: [netconf] crypto-types and keystore comments Martin Bjorklund