Re: [netconf] crypto-types fallback strategy

"Rob Wilton (rwilton)" <rwilton@cisco.com> Thu, 19 September 2019 10:44 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>, Juergen Schoenwaelder <J.Schoenwaelder@jacobs-university.de>
CC: "netconf@ietf.org" <netconf@ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Thu, 19 Sep 2019 10:44:06 +0000
Message-ID: <MN2PR11MB4366E914816F6C3D9515A31DB5890@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <8053FDA0-77EA-488F-B5A7-F203359105E0@akamai.com> <MN2PR11MB43669B3A47A39FD93B47292FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <6924CAD5-F740-4512-8689-E0307AF0BD88@akamai.com> <MN2PR11MB4366B5C09B4348FDAE33E2BCB58F0@MN2PR11MB4366.namprd11.prod.outlook.com> <99BFF357-6A2A-49E0-BB38-37C25DB04213@akamai.com> <MN2PR11MB4366F20EE2FD6DF04B965125B58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <EBE4757D-E99E-41EB-A52B-A25F023BF4BC@akamai.com> <MN2PR11MB4366E4ECE10DFB018941BA5FB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d44bda220-51590a9a-0a15-4b63-a49d-47efe712e82e-000000@email.amazonses.com> <MN2PR11MB436617082A8308A7A8928DDFB58E0@MN2PR11MB4366.namprd11.prod.outlook.com> <20190918163657.4pxh5jddxgrir5oh@anna.jacobs.jacobs-university.de> <0100016d455c6145-844c669e-8f31-4203-a827-7368d33cdee4-000000@email.amazonses.com>
In-Reply-To: <0100016d455c6145-844c669e-8f31-4203-a827-7368d33cdee4-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/hTDnMyNAuHkvev8jQ3d7haPckgQ>
Subject: Re: [netconf] crypto-types fallback strategy


> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: 18 September 2019 18:12
> To: Juergen Schoenwaelder <J.Schoenwaelder@jacobs-university.de>
> Cc: Rob Wilton (rwilton) <rwilton@cisco.com>; netconf@ietf.org; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
> Subject: Re: [netconf] crypto-types fallback strategy
>
> [moving Russ and Sean to BCC, per Rich's action]
>
>> I tend to agree that sometimes less modules is more. For me, the
>> problem is likely more that I am not entirely sure what the proper
>> base types would be, which may depend on what exactly they are used
>> for. I guess I wait until I see the description text...
>
> Okay, we'll keep just the one YANG module.

[RW]
Do you mean one module for all the identities or just the base identities?

Thanks,
Rob

>>> A bit separate from the above, but still in mind:
>>>
>>> - specify that all TLS public-keys are a DER-encoded SubjectPublicKeyInfo structure
>>> - specify that all SSH public-keys are a "ssh-public-key-type" type (see below)
>>> - specify that all encrypted symmetric keys are a DER-encoded OneSymmetricKey structure
>>> - specify that all encrypted asymmetric keys are a DER-encoded OneAsymmetricKey structure
>>
>> I would check what is commonly used in existing configuration
>> interfaces. We are not inventing the wheel here. And whatever we
>> define better is usable with existing implementations and tools.
>
> These are the native types used by OpenSSL and OpenSSH, what more verification do we need?
>
> Possibly we could discuss supporting PEM, in addition to DER, but I'd imagine that, if PEM is supported at all, the presentation layer (Web UI, CLI) would convert it to/from PEM as needed (i.e., the underlying model only needs to support DER).
>
>> The SSH implementations that I use have the binary key data rendered
>> in ASCII. In fact, the whole key record is rendered in ASCII. I
>> strongly suggest using formats that are well established.
>
> This is the "key-data" leaf from RFC 7317.  Are you saying that it should've been different?
>
> Regardless, should this be a presentation layer issue?
>
> Kent // contributor