Re: [netconf] truststore usage in ietf-ssh/tls-client/server

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 08 October 2019 19:38 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/dQoskpwSXf15zyNh5PXGIyjmuOU>

Hi Kent,

>> Can you confirm that in the ietf-tls-client and ietf-tls-server models the direct use of truststore references in server-authentication and client-authentication containers will change to using local-or-truststore-certs-grouping?
>>
>> Similarly in ssh models, will they change to local-or-truststore-host-keys-grouping?
>
> Yes, it would make sense to use those groupings.
>
> I just committed the following updates:
>
>    SSH: https://github.com/netconf-wg/ssh-client-server/commit/5292d87ef47aafd2475241f82e76d8ac11defd11
>    TLS: https://github.com/netconf-wg/tls-client-server/commit/d7b8c81bbd2dbbe5812e5519e4129abaf8012eb1
>
> What do you think?  All good?

1.

In ssh-client and ssh-server:

"Indicates that the client can authenticate servers
using the configured trust anchor certificates.";

"Indicates that the server can authenticate this user
using the configured trust anchor certificates.";

Do you prefer 'trust anchor' or could it be changed to 'certificate authority'?

2.

What's the rationale of the new presence containers in ssh models but not in the tls models?

Br,
Balazs