Re: [netconf] crypto-types fallback strategy
Kent Watsen <kent+ietf@watsen.net> Mon, 16 September 2019 16:41 UTC
Return-Path: <0100016d3af34c5a-846fdcd1-9398-4266-84d4-5abec5c0fad1-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFB3120046 for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:41:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3YdWLKpRGPx for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:41:28 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1077E120026 for <netconf@ietf.org>; Mon, 16 Sep 2019 09:41:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1568652086; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=qybDz9VpP2Xgt+tOhz4iOxVvhheGY0qorLgIZifvZIE=; b=MpUPyqzfn32pjsfjE4+sp0k2u/J5+cHtX2gGHC0ZkquhOR8r3omOo0Qq6LaGpiUP 6GefA3xRVWfS8Y1KviKbhaaYJClmVb9/GRPkupjxu9r8BXLqXaebSJhX9D8ynBLGaqu uCeEhiZef2ny86iFULWt70bnZ4ePJywZp5J/k/kE=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016d3af34c5a-846fdcd1-9398-4266-84d4-5abec5c0fad1-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_02FEE243-A112-482A-95C8-ACD349871623"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 16 Sep 2019 16:41:26 +0000
In-Reply-To: <20190912.195859.497068783415208339.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, Russ Housley <housley@vigilsec.com>, rifaat.ietf@gmail.com, sean@sn3rd.com
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <20190912.111242.323252506550752617.mbj@tail-f.com> <0100016d265824b0-313d5248-5aba-4b96-8f21-768be7784568-000000@email.amazonses.com> <20190912.195859.497068783415208339.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.09.16-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Xo0LOPGV8sfhD4lCYNpdIh_7mWA>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 16:41:35 -0000
Hi Martin, >>> I guess it is still needed >>> when a key is generated though. But then note that "rsaEncryption" is >>> not an OID ("1.2.840.113549.1.1.1" is the OID). If you want to use a >>> symbolic name you need something else. >> >> Isn't it? Check https://tools.ietf.org/html/rfc3279#section-2.3.1 >> <https://tools.ietf.org/html/rfc3279#section-2.3.1>. > > The symbolic name is not (guaranteed to be) globally unique. Probably... >>> Is the idea that the module becomes ietf-tls-keystore with top-level >>> node tls-keystore? >> >> There is no need to change the "keystore" module's name. > > So where would keys for SSH go? Your reasoning was (which I agree > with) don't create a super-generic module for all things crypto / > keys, but let's focus on what we need (you wrote "to configure an > HTTPS server). If we limit ourselves to TLS it should be reflected in > the naming. But perhaps I misunderstood your intention. Some options: 1) use a 'union' between the two key types (binary vs string) 2) add a new 'case' to the "private-key" choice called "ssh-key" 3) go back to -04 draft with top-level "host-keys" container Of these, (2) is the obvious choice. > Right, but at that time the idea was to be able to have very generic > "algorithm", and have each alg define its own format, right? As soon > as we limit "algorithm" and the format for the key, we are no longer > generic. Hence we should have a less generic name, that more > precisely decribe what it is. s/ ietf-crypto-types / ietf-asn1-types /? >> More fully, that line says: >> >> c) figure out a plan for SSH later (the risk level is pretty low, >> e.g., I've seen code to key SSH keys from TLS keys) >> >> The intention was to signal that it should be easy to determine how to >> support SSH, to support the netconf-client-server draft. Nothing is >> blocked. We just need to discuss a plan for what to do. The easiest >> thing would be to 1) update the mapping table in the ssh-client-server >> drafts from mapping SSH-specific algorithm identifiers (e.g., in >> rfc4253) to OIDs > > But do these OIDs exist already? Probably. Regardless, we have to map them to something. Look at ssh-client-server draft. >>> Yes, NC/RC are programmatic APIs, but simplicity is always goodness... >> >> ACK, but let's be clear that the "simplicity" is in the ready access >> to tooling, not from an algorithmic perspective. > > But the solution becomes more robust if you can use the format you're > used to w/o additional conversion. Right, see option (2) above. Kent
- [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Per Hedeland
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Per Hedeland
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy tom petch
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- [netconf] FW: crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Holland, Jake
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] [Taps] crypto-types fallback strate… tom petch
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Rob Wilton (rwilton)
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy tom petch
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy tom petch
- Re: [netconf] crypto-types fallback strategy Wang Haiguang
- Re: [netconf] crypto-types fallback strategy Salz, Rich
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Schönwälder
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Kent Watsen
- Re: [netconf] crypto-types fallback strategy Martin Bjorklund