[netconf] ietf crypto types - permanently hidden

Balázs Kovács <balazs.kovacs@ericsson.com> Thu, 21 March 2019 14:24 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: "netconf@ietf.org" <netconf@ietf.org>, Kent Watsen <kent@watsen.net>
Date: Thu, 21 Mar 2019 14:23:27 +0000
Message-ID: <VI1PR07MB4735863E79020AD84C4FDF9483420@VI1PR07MB4735.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/iflL5ryju7n1dLqZzzRuH_9_8xA>
List-Id: NETCONF WG list <netconf.ietf.org>

Hi,

The 'generate-hidden-key' action is meant for cases when the key must be generated in the device rather than configured by the operator. The 'generate-hidden-key' action is said to produce a 'permanently-hidden' asymmetric key. The description of 'permanently-hidden' is as follows:

                "The private key is inaccessible due to being
                  protected by the system (e.g., a cryptographic
                  hardware module).  It is not possible to
                  configure a permanently hidden key, as a real
                  private key value must be set.  Permanently
                  hidden keys cannot be archived or backed up.";

The second sentence doesn't sound right. I can create a permanently hidden key any time by calling the 'generate-hidden-key' action, or, if the device or the model allows, I could even switch to a non-hidden key, I believe, by providing the binary. So I find the second sentence irrelevant in this description.

More importantly, I find the "Permanently hidden keys cannot be archived or backed up" statement false. Isn't it implementation-specific how archiving is done? If a device puts the hidden keys on some storage, it may still be possible to back them up. I would prefer to remove this sentence and leave backup considerations to implementations.

Could these changes be done?

Br,
Balazs
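The two paths the message contrasts, configuring a key with a real private-key value versus generating one inside the device via 'generate-hidden-key', and the question of whether a hidden key can be backed up, can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the draft, from the NETCONF working group or from the author of the post. `KeyStore`, `SimulatedHsm`, `edit_config`, `generate_hidden_key` and `backup` are hypothetical names, the key material is random bytes standing in for a real key pair, and the `exportable_backup` flag models the implementation choice the post argues should be left open.

```python
"""Toy model of the 'permanently-hidden' private-key semantics discussed above.

Constructed example; names, classes and the HSM stand-in are assumptions,
not the draft's YANG module or any server implementation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

# Enum value quoted in the draft's description text.
PERMANENTLY_HIDDEN = "permanently-hidden"


class ConfigError(ValueError):
    """Raised when a configuration edit violates the model's constraints."""


@dataclass
class SimulatedHsm:
    """Stand-in for a cryptographic hardware module.

    Private material never leaves the object in raw form; whether a wrapped
    copy can be exported for backup is an implementation choice (the flag).
    """
    exportable_backup: bool
    _slots: Dict[str, bytes] = field(default_factory=dict)

    def generate(self, name: str) -> bytes:
        # Random bytes stand in for real key generation inside the module.
        priv = secrets.token_bytes(32)
        self._slots[name] = priv
        # Return only a "public" part; the private bytes stay in _slots.
        return b"pub:" + priv[:8]

    def wrapped_backup(self, name: str) -> Optional[bytes]:
        """Opaque wrapped blob if the module allows backup, else None."""
        if not self.exportable_backup or name not in self._slots:
            return None
        # A real module would wrap under a key-encryption key; this is a tag.
        return b"wrapped:" + secrets.token_bytes(16)


@dataclass
class AsymmetricKey:
    name: str
    algorithm: str
    public_key: bytes
    private_key: Union[bytes, str]  # raw bytes, or the literal "permanently-hidden"


class KeyStore:
    """Server-side key container with an operator path and an action path."""

    def __init__(self, hsm: SimulatedHsm):
        self.hsm = hsm
        self.keys: Dict[str, AsymmetricKey] = {}

    def edit_config(self, name: str, algorithm: str,
                    public_key: bytes, private_key: Union[bytes, str]) -> AsymmetricKey:
        """Operator path: a real private key value must be supplied."""
        if private_key == PERMANENTLY_HIDDEN:
            raise ConfigError("permanently-hidden keys cannot be configured, only generated")
        if not isinstance(private_key, bytes) or not private_key:
            raise ConfigError("private-key must carry a real key value")
        self.keys[name] = AsymmetricKey(name, algorithm, public_key, private_key)
        return self.keys[name]

    def generate_hidden_key(self, name: str, algorithm: str) -> AsymmetricKey:
        """Action path: key material is created in, and stays inside, the HSM."""
        pub = self.hsm.generate(name)
        self.keys[name] = AsymmetricKey(name, algorithm, pub, PERMANENTLY_HIDDEN)
        return self.keys[name]

    def backup(self) -> Dict[str, Optional[bytes]]:
        """Per key: raw material for configured keys; for hidden keys, whatever the module allows."""
        out: Dict[str, Optional[bytes]] = {}
        for k in self.keys.values():
            if k.private_key == PERMANENTLY_HIDDEN:
                out[k.name] = self.hsm.wrapped_backup(k.name)  # None when the module refuses
            else:
                out[k.name] = k.private_key  # type: ignore[assignment]
        return out


def configuring_hidden_key_is_rejected(store: KeyStore) -> bool:
    """Helper for the check: an edit-config carrying the enum must fail."""
    try:
        store.edit_config("op-key", "rsa2048", b"pub", PERMANENTLY_HIDDEN)
    except ConfigError:
        return True
    return False


if __name__ == "__main__":
    store = KeyStore(SimulatedHsm(exportable_backup=False))
    hidden = store.generate_hidden_key("tls-key", "rsa2048")
    print(hidden.private_key, "->", store.backup())          # no backup possible here
    store2 = KeyStore(SimulatedHsm(exportable_backup=True))
    store2.generate_hidden_key("tls-key", "rsa2048")
    print(store2.backup())                                  # wrapped blob from this module
```

Running the two stores side by side shows the point of the post: the enum value is produced only by the action and rejected on the configuration path, while whether `backup()` yields anything for a hidden key depends entirely on what the module behind it supports.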