[netconf] ssh/tls key generation support

Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> Tue, 22 March 2022 06:56 UTC

Date: Tue, 22 Mar 2022 07:56:00 +0100
From: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
To: netconf@ietf.org
Message-ID: <20220322065600.c26vr26mdlevccgo@anna>
Reply-To: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: netconf@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ZcNKhRQRS8TYagb_CqsjmEwK338>

Hi,

Kent asked for feedback concerning key generation support. My view is
the following:

- As long as you can trust your device to generate good keys, it is a
  good idea to generate keys on the device so that keys are never sent
  around and they may be kept in protected storage.

- As stated by others during the WG meeting, the proposal in
  draft-ietf-netconf-ssh-client-server-27.txt should be more explicit
  that it is about generating key pairs and in particular hostkey
  pairs.

- Generating server key pairs is just a step of a more complex
  process. In SSH, clients traditionally built trust into hostkeys
  using an ad-hoc process; in TLS this is traditionally done using
  certificates. Hence, at least for TLS, we get into the territory of
  generating certificates, either creating self-signed certs, hooking
  into an automated certification system like Let's Encrypt, or
  handling a full-blown cert process (generating CSRs etc.).

- If we got the YANG modules right, then it should be possible to add
  support for server key generation without changes to the existing
  definitions (i.e., we can do this later if we decide to do so; there
  is no reason why this needs to be done now).

- The SSH and TLS documents started as WG documents in July 2016, we
  are getting close to 6 years in the WG and it is somewhat unclear
  what the uptake of these documents will be. If we get into
  certificate territory, I fear we add at least another year of delay.

My take is that we should leave key generation for future work and
instead try to deliver what we have. Note that the documents are highly
interrelated and they have overall grown to a significant size (even
if we leave out the IANA algorithm registry modules, this is
substantial).

  | Pages | Lines | Draft                                            |
  |-------+-------+--------------------------------------------------|
  |    63 |  3528 | draft-ietf-netconf-crypto-types-22.txt           |
  |    51 |  2856 | draft-ietf-netconf-keystore-24.txt               |
  |    31 |  1736 | draft-ietf-netconf-http-client-server-09.txt     |
  |    60 |  3360 | draft-ietf-netconf-netconf-client-server-25.txt  |
  |    56 |  3136 | draft-ietf-netconf-restconf-client-server-25.txt |
  |   137 |  7672 | draft-ietf-netconf-ssh-client-server-27.txt      |
  |    34 |  1904 | draft-ietf-netconf-tcp-client-server-12.txt      |
  |   146 |  8176 | draft-ietf-netconf-tls-client-server-27.txt      |
  |    39 |  2184 | draft-ietf-netconf-trust-anchors-17.txt          |

/js

-- 
Jürgen Schönwälder              Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>