Re: [Netconf] regarding keystore and related drafts

Kent Watsen <kwatsen@juniper.net> Sat, 17 March 2018 20:20 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Qin Wu <bill.wu@huawei.com>, "netconf@ietf.org" <netconf@ietf.org>
Date: Sat, 17 Mar 2018 20:19:53 +0000
Message-ID: <10031105-49E4-45E0-B445-713294E396FE@juniper.net>
References: <A5CA2680-30CE-4135-9692-7064FC7C9B15@juniper.net> <B8F9A780D330094D99AF023C5877DABA9AD7B730@nkgeml513-mbs.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABA9AD7B730@nkgeml513-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Z1L0T6j-vYZZjy_QNuygdZUygkI>
List-Id: Network Configuration WG mailing list <netconf.ietf.org>

Hi Qin,


> Interesting drafts. For crypto types, is it designed for applications
> requiring asymmetric keys?

Yes, the "private-key-grouping" grouping in crypto-types-00, like the
top-level "/keys" container in keystore-04, is for asymmetric keys.


> I see RFC8177 works for application requiring symmetric key.

Correct.


> Would it be great to see crypto types cover all application
> requiring asymmetric key?

What do you mean by "all application"?


> For trust anchors, I think this draft is more related to certificates

It will likely be used mostly for certificates, but the model enables
SSH host keys to be configured as well.


> Do we need to consider certificate file format, e.g., PEM (text format),
> DER (binary format)?

The typedefs for "x509" and "cms" both state that it is the DER encoding
of the ASN.1.  The DER can be converted to a PEM using standard tools, in
case a PEM is needed by the software internally.


> Have we considered different certificate types, e.g., built-in CA
> certificate, CA-issued certificate, locally stored certificate, etc.?

It is the intent that any kind of X.509 certificate can be stored.
Currently the draft shows that a single X.509 certificate is stored,
but this should be updated to allow a chain of certificates, in case
the trust-anchor cert is not a self-signed root certificate.
I'm not sure, does this answer your question?


Thanks,
Kent
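Added example, not from the drafts or from either poster: the "x509" and "cms" typedefs above carry DER bytes, and the reply mentions both converting DER to PEM and storing a chain rather than a single certificate. The code below walks the top-level DER SEQUENCE framing to split a concatenated chain into individual certificates (rejecting truncated or non-minimal length encodings), and converts each between DER and PEM. The two sample "certificates" are constructed minimal SEQUENCEs, not real X.509 data; the function names are this example's own.

```python
import base64
import textwrap

# Constructed sample data: two minimal DER SEQUENCEs standing in for
# certificates. Real X.509 certificates are also top-level SEQUENCEs,
# just longer, so the framing logic is the same.
CERT_A = bytes([0x30, 0x03, 0x02, 0x01, 0x01])         # SEQUENCE { INTEGER 1 }
CERT_B = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)  # long-form length (256)
CHAIN_DER = CERT_A + CERT_B  # a chain is just the DER certs concatenated

def der_tlv_length(blob, pos=0):
    """Total size (tag + length octets + value) of the DER SEQUENCE at pos."""
    if len(blob) < pos + 2 or blob[pos] != 0x30:
        raise ValueError("not a DER SEQUENCE at offset %d" % pos)
    first = blob[pos + 1]
    if first < 0x80:                      # short form: one length octet
        hdr, length = 2, first
    else:                                 # long form: low 7 bits = octet count
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < pos + 2 + n:
            raise ValueError("bad DER length encoding")
        hdr = 2 + n
        length = int.from_bytes(blob[pos + 2:pos + 2 + n], "big")
        if length < 0x80:                 # DER requires the minimal encoding
            raise ValueError("non-minimal DER length")
    if pos + hdr + length > len(blob):
        raise ValueError("truncated DER element")
    return hdr + length

def der_split(blob):
    """Split a concatenated DER chain into a list of single-certificate blobs."""
    certs, pos = [], 0
    while pos < len(blob):
        size = der_tlv_length(blob, pos)
        certs.append(blob[pos:pos + size])
        pos += size
    return certs

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap one DER blob as a PEM block (base64, 64-character lines)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def pem_to_ders(pem):
    """Decode every BEGIN/END block in a PEM file back into DER blobs."""
    ders, buf = [], None
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            buf = []
        elif line.startswith("-----END "):
            ders.append(base64.b64decode("".join(buf), validate=True))
            buf = None
        elif buf is not None and line:
            buf.append(line)
    return ders
```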