[netconf] ssh/tls key generation support
Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> Tue, 22 March 2022 06:56 UTC
Date: Tue, 22 Mar 2022 07:56:00 +0100
From: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
To: netconf@ietf.org
Message-ID: <20220322065600.c26vr26mdlevccgo@anna>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ZcNKhRQRS8TYagb_CqsjmEwK338>
Hi,

Kent asked for feedback concerning key generation support. My view is the following:

- As long as you can trust your device to generate good keys, it is a good idea to generate keys on the device so that keys are never sent around and they may be kept in protected storage.

- As stated by others during the WG meeting, the proposal in draft-ietf-netconf-ssh-client-server-27.txt should be more explicit that it is about generating key pairs and in particular hostkey pairs.

- Generating server key pairs is just a step of a more complex process. In SSH, clients traditionally built trust into hostkeys using an ad-hoc process; in TLS this is traditionally done using certificates. Hence, at least for TLS, we get into the territory of generating certificates, either creating self-signed certs, hooking into an automated certification system like Let's Encrypt, or handling a full blown cert process (generating CSRs etc.).

- If we got the YANG modules right, then it should be possible to add support for server key generation without changes to the existing definitions (i.e., we can do this later if we decide to do so; there is no reason why this needs to be done now).

- The SSH and TLS documents started as WG documents in July 2016; we are getting close to 6 years in the WG and it is somewhat unclear what the uptake of these documents will be. If we get into certificate territory, I fear we add at least another year of delay.

My take is that we should leave key generation for future work and instead try to deliver what we have. Note that the documents are highly interrelated and they have overall grown to a significant size (even if we leave out the IANA algorithm registry modules, this is substantial).
| Pages | Lines | Draft                                            |
|-------+-------+--------------------------------------------------|
|    63 |  3528 | draft-ietf-netconf-crypto-types-22.txt           |
|    51 |  2856 | draft-ietf-netconf-keystore-24.txt               |
|    31 |  1736 | draft-ietf-netconf-http-client-server-09.txt     |
|    60 |  3360 | draft-ietf-netconf-netconf-client-server-25.txt  |
|    56 |  3136 | draft-ietf-netconf-restconf-client-server-25.txt |
|   137 |  7672 | draft-ietf-netconf-ssh-client-server-27.txt      |
|    34 |  1904 | draft-ietf-netconf-tcp-client-server-12.txt      |
|   146 |  8176 | draft-ietf-netconf-tls-client-server-27.txt      |
|    39 |  2184 | draft-ietf-netconf-trust-anchors-17.txt          |

/js

-- 
Jürgen Schönwälder              Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>