Re: [netconf] built-in trust anchors

"Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com> Tue, 12 January 2021 22:59 UTC

From: "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: Netconf <netconf@ietf.org>
Thread-Topic: [netconf] built-in trust anchors
Date: Tue, 12 Jan 2021 22:59:28 +0000
Message-ID: <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com>
References: <DM6PR08MB5084E8CF8D3D4D0E77C841CD9BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/G88WsVwJturKIAcXdmK89hz8VnA>
Subject: Re: [netconf] built-in trust anchors

Yes - adding require-instance false would eliminate the issue about built-in anchors in <running>. But there are useful advantages to keeping require-instance true. I don't have a strong feeling though one way or the other.

But assuming we keep require-instance true then the question still remains of how built-in items get into <running> (and are they deletable, and do we only need keys in running, etc).

Jason

> -----Original Message-----
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> Sent: Tuesday, January 12, 2021 3:00 PM
> To: Sterne, Jason (Nokia - CA/Ottawa) <jason.sterne@nokia.com>
> Cc: Netconf <netconf@ietf.org>
> Subject: Re: [netconf] built-in trust anchors
> 
> Jason,
> 
> since the leafref typedefs are weak references that do not require
> that the certs/keys exist (there is no 'require-instance true'), it
> may be OK to not have the certs/keys in <running> in terms of validity
> of the <running> datastore.
> 
> Oops, I had to reread RFC 7950 (section 9.9.3): if require-instance is
> not present, it defaults to true, so my review comment about weak
> references is incorrect, these are actually strong references and
> hence there is the need to copy what is referenced. Setting
> require-instance to false may resolve this (but we lose the ability
> to catch references to certs/keys that do not exist).
> 
> /js
> 
> On Tue, Jan 12, 2021 at 07:02:04PM +0000, Sterne, Jason (Nokia - CA/Ottawa) wrote:
> > Hi all,
> >
> > I noticed Jurgen's comment about built-in trust anchors in his YANG doctor
> > review of trust-anchors-13. I wanted to pull that out into a dedicated
> > thread/discussion here.
> >
> > Jurgen:
> >
> > - Section 3 talks about populating <running> with built-in trust
> >   anchors.
> >
> >    In order for the built-in trust anchors to be referenced by
> >    configuration, the referenced certificates MUST first be copied into
> >    <running>.  The certificates SHOULD be copied into <running> using
> >    the same "key" values, so that the server can bind them to the built-
> >    in entries.
> >
> >   Is the idea that this copy operation is an explicit management
> >   operation or can implementations populate <running> with this
> >   data automatically?
> >
> > I suppose a server *could* populate this in running as part of a built-in
> > startup datastore in the absence of a startup datastore (i.e. as contents of a
> > RFC8808 factory default). But I assume it is desirable to be able to delete the
> > running copy of a built-in item. So the system would have to avoid populating
> > these unless it is loading the factory default.
> >
> > But even if the system can populate these, we'd also want the client/user
> > to be able to explicitly populate them as well (i.e. in case they delete one
> > from running, and want to add it back in to reference it).
> >
> > In either case (system population of running, or client population of
> > running), do we really need to put the contents of the bag or the cert into
> > running?  Or is populating the list key enough since the operational copy
> > shows what contents are in use for that list entry?
> >
> > Jason
> 
> 
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
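The exchange above turns on one YANG detail: a leafref whose typedef carries no require-instance statement defaults to require-instance true (RFC 7950, section 9.9.3), so <running> is only valid if the referenced certificate entry exists in <running> itself, not merely in <operational>. The following is an added toy model written for this archive page; it is not code from the ietf-truststore draft, from Juergen's review or from any NETCONF server. The bag and certificate names, the placeholder cert-data and the "keys-only copy that the server binds to the built-in entry" behaviour are all assumptions made to illustrate Jason's question, not something the draft text states.

```python
"""Toy model of <running> vs <operational> showing what the YANG leafref
'require-instance' statement (RFC 7950, section 9.9.3) changes for
references to built-in trust anchors.  Added example for this thread; it is
not code from the ietf-truststore draft or from any NETCONF server."""

from dataclasses import dataclass, field


@dataclass
class Datastore:
    """Minimal stand-in for one NMDA datastore.

    cert_bags:  truststore-like structure, bag name -> {cert name -> cert-data};
                cert-data is None when only the list keys are present.
    references: (bag, cert) leafref pairs from elsewhere in the config, e.g.
                a TLS client's CA-certs reference into the truststore.
    """
    cert_bags: dict = field(default_factory=dict)
    references: list = field(default_factory=list)


# Constructed sample: the server ships one built-in bag that is only ever
# visible in <operational>.  Names and cert-data are assumptions.
BUILT_IN_BAG = "built-in-ca-certs"
BUILT_IN_CERT = "vendor-root-ca"
BUILT_IN_CERT_DATA = "MIIBxjCCAW...constructed-placeholder..."


def operational_with_built_ins() -> Datastore:
    return Datastore(cert_bags={BUILT_IN_BAG: {BUILT_IN_CERT: BUILT_IN_CERT_DATA}})


def leafref_violations(running: Datastore, require_instance: bool = True) -> list:
    """Return the references in <running> that fail leafref validation.

    With require-instance true (the default when the statement is absent),
    the referenced instance must exist in the datastore being validated, so
    a reference to an anchor that lives only in <operational> is an error.
    With require-instance false the reference is weak: YANG still checks the
    value against the target leaf's type (this toy model skips that step),
    but a dangling reference is accepted.
    """
    if not require_instance:
        return []
    return [(bag, cert) for bag, cert in running.references
            if cert not in running.cert_bags.get(bag, {})]


def copy_built_in_into_running(running: Datastore, operational: Datastore,
                               bag: str, cert: str, keys_only: bool = False) -> None:
    """Copy a built-in anchor into <running> under the same key values.

    keys_only=True models the question raised in the thread: create the list
    entry with its keys but without cert-data and let the server supply the
    bytes from the built-in entry.  Whether a real server accepts that is an
    assumption of this model, not something the draft text states.
    """
    data = operational.cert_bags[bag][cert]
    running.cert_bags.setdefault(bag, {})[cert] = None if keys_only else data


def resolve_cert(running: Datastore, operational: Datastore, bag: str, cert: str):
    """Assumed server-side binding: explicit cert-data in <running> wins; a
    keys-only <running> entry resolves to the built-in cert-data with the
    same keys; anything else is unresolved (None)."""
    running_entry = running.cert_bags.get(bag, {})
    if cert in running_entry and running_entry[cert] is not None:
        return running_entry[cert]
    if cert in running_entry:
        return operational.cert_bags.get(bag, {}).get(cert)
    return None


def demo() -> dict:
    """Walk through the three states discussed in the thread."""
    operational = operational_with_built_ins()
    running = Datastore(references=[(BUILT_IN_BAG, BUILT_IN_CERT)])
    result = {}

    # 1. Reference with no copy in <running>: invalid under the default
    #    (strong) semantics, accepted under require-instance false.
    result["strong_before_copy"] = leafref_violations(running, require_instance=True)
    result["weak_before_copy"] = leafref_violations(running, require_instance=False)

    # 2. Client copies only the keys into <running>: the strong leafref is
    #    now satisfied and the server binds the entry to the built-in bytes.
    copy_built_in_into_running(running, operational, BUILT_IN_BAG, BUILT_IN_CERT,
                               keys_only=True)
    result["strong_after_key_copy"] = leafref_violations(running, require_instance=True)
    result["resolved"] = resolve_cert(running, operational, BUILT_IN_BAG, BUILT_IN_CERT)

    # 3. Operator deletes the <running> copy again: the reference dangles
    #    once more, which is exactly what require-instance true catches.
    del running.cert_bags[BUILT_IN_BAG][BUILT_IN_CERT]
    result["strong_after_delete"] = leafref_violations(running, require_instance=True)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the violation list for each state. The design point it makes is the trade-off Juergen names: require-instance false makes state 1 pass silently, so a typo in a bag or certificate name is only discovered when the TLS handshake fails; require-instance true catches it at commit time but forces the copy-into-running step (and the deletability question) that Jason raises.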