IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

Kent Watsen <kent+ietf@watsen.net> Mon, 16 September 2019 16:41 UTC

Return-Path: <0100016d3af34c5a-846fdcd1-9398-4266-84d4-5abec5c0fad1-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFB3120046 for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:41:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3YdWLKpRGPx for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:41:28 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1077E120026 for <netconf@ietf.org>; Mon, 16 Sep 2019 09:41:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1568652086; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=qybDz9VpP2Xgt+tOhz4iOxVvhheGY0qorLgIZifvZIE=; b=MpUPyqzfn32pjsfjE4+sp0k2u/J5+cHtX2gGHC0ZkquhOR8r3omOo0Qq6LaGpiUP 6GefA3xRVWfS8Y1KviKbhaaYJClmVb9/GRPkupjxu9r8BXLqXaebSJhX9D8ynBLGaqu uCeEhiZef2ny86iFULWt70bnZ4ePJywZp5J/k/kE=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016d3af34c5a-846fdcd1-9398-4266-84d4-5abec5c0fad1-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_02FEE243-A112-482A-95C8-ACD349871623"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 16 Sep 2019 16:41:26 +0000
In-Reply-To: <20190912.195859.497068783415208339.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, Russ Housley <housley@vigilsec.com>, rifaat.ietf@gmail.com, sean@sn3rd.com
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <20190912.111242.323252506550752617.mbj@tail-f.com> <0100016d265824b0-313d5248-5aba-4b96-8f21-768be7784568-000000@email.amazonses.com> <20190912.195859.497068783415208339.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.09.16-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Xo0LOPGV8sfhD4lCYNpdIh_7mWA>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 16:41:35 -0000

Hi Martin,


>>> I guess it is still needed
>>> when a key is generated though.  But then note that "rsaEncryption" is
>>> not an OID ("1.2.840.113549.1.1.1" is the OID).  If you want to use a
>>> symbolic name you need something else.
>> 
>> Isn't it?  Check https://tools.ietf.org/html/rfc3279#section-2.3.1
>> <https://tools.ietf.org/html/rfc3279#section-2.3.1>.
> 
> The symbolic name is not (guaranteed to be) globally unique.

Probably...



>>> Is the idea that the module becomes ietf-tls-keystore with top-level
>>> node tls-keystore?
>> 
>> There is no need to change the "keystore" module's name.
> 
> So where would keys for SSH go?  Your reasoning was (which I agree
> with) don't create a super-generic module for all things crypto /
> keys, but let's focus on what we need (you wrote "to configure an
> HTTPS server).  If we limit ourselves to TLS it should be reflected in
> the naming.   But perhaps I misunderstood your intention.

Some options:

1) use a 'union' between the two key types (binary vs string)
2) add a new 'case' to the "private-key" choice called "ssh-key"
3) go back to -04 draft with top-level "host-keys" container

Of these, (2) is the obvious choice. 



> Right, but at that time the idea was to be able to have very generic
> "algorithm", and have each alg define its own format, right?  As soon
> as we limit "algorithm" and the format for the key, we are no longer
> generic.  Hence we should have a less generic name, that more
> precisely decribe what it is.

s/ ietf-crypto-types / ietf-asn1-types /?




>> More fully, that line says: 
>> 
>> 	c) figure out a plan for SSH later (the risk level is pretty low,
>> 	e.g., I've seen code to key SSH keys from TLS keys)
>> 
>> The intention was to signal that it should be easy to determine how to
>> support SSH, to support the netconf-client-server draft.  Nothing is
>> blocked.  We just need to discuss a plan for what to do.  The easiest
>> thing would be to 1) update the mapping table in the ssh-client-server
>> drafts from mapping SSH-specific algorithm identifiers (e.g., in
>> rfc4253) to OIDs
> 
> But do these OIDs exist already?

Probably.  Regardless, we have to map them to something.  Look at ssh-client-server draft.



>>> Yes, NC/RC are programmatic APIs, but simplicity is always goodness...
>> 
>> ACK, but let's be clear that the "simplicity" is in the ready access
>> to tooling, not from an algorithmic perspective.
> 
> But the solution becomes more robust if you can use the format you're
> used to w/o additional conversion.

Right, see option (2) above.



Kent

v2.23.0 | Report a Bug | By Email