Re: [netconf] ietf crypto types - permanently hidden

Kent Watsen <> Tue, 04 June 2019 16:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F11BA1200EC for <>; Tue, 4 Jun 2019 09:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.312
X-Spam-Status: No, score=-2.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.415, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dGVZHKXjYYll for <>; Tue, 4 Jun 2019 09:48:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 63CE81200C7 for <>; Tue, 4 Jun 2019 09:48:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;; t=1559666882; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=L5dfkoPNcE515CD/F5u+QskXQlljOQysS5cBcbuG3oc=; b=Ozfi/EcJVnr9TOeVc3o/RMitejab1julBtF3giuWOtMDgpo0Xb1KgOA10hpruqbN KD5WB3UZ1X9H4pjPAYCou4T1z7hmFgCh8/tXAahX3iLA7IKvducxSxBR2bksVGBam/Z 1q0YBcCQEQB4qX+495S4ncsLZ2AQ5ToX721FuxVc=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5499BBC2-3B31-44AC-B12E-F4861FF1DF00"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 04 Jun 2019 16:48:01 +0000
In-Reply-To: <>
Cc: "" <>
To: Balázs Kovács <>
References: <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.06.04-
Archived-At: <>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 04 Jun 2019 16:48:26 -0000

Hi Balazs,

> Also validation of required input and output seems more complicated to me.
> How so?
> The ‘value-to-be-generated’ “action” would require both the private-key and public-key set to the same, plus the algorithm be configured. Besides, if there is a must statement on any of these, does the must statement consider the ‘input’ or the ‘output’ values? I got a bit confused while thinking on these.

If I understand correctly, this could be addressed by a 'must' statement to ensure both the public and private key values have the "<value-to-be-generated>" prefix.

> Actually, I view  ‘generate-and-not-hide’ as a very common case.  That is, ask the system to generate the key (because clients are lazy and security best practice), and let standard NACM rules protect the key.   I think that systems supporting user-generated "hidden" keys will be somewhat rare, to the extent that there should feature statements enabling servers to indicate if they support the ability or not.
> Maybe generate-and-not-hide would be widespread, but it is not my preferred choice of key handling due to that it opens up to the client to manage the key blob after first generation. So maybe all of these should be optional with features?

Yes, assuming we go this route...

> [...] 
> This removes the "verbs" (as you call them) and thus leaves open possibility for either "verbs" or action statements to be added in some future revision.   This subset still supports the critical use-case of a manufacturer-generated private key for a secure device identifier (i.e., IDevID).    Unfortunately, it does not support the security best practice use-case of having the device generate the private key.  The IESG (Security Directorate) may or may not be okay with this (obviously the shepherd would have to bring it to their attention), but perhaps it's worth testing their resolve and see what happens?
> If so, can you clarify the configuration use case of client configuring <permanently-hidden>, does that produce a valid end-result?

With the latest no-"verbs" proposal, there would be no ability (defined by this model) for a client to itself create a 'permanently-hidden' key; only the manufacturer could do that.  However, in order for a client to use the manufacturer-generated hidden key, it would need to "copy" it from <operational> to <running>.   In <operational>, the 'algorithm' and 'public-key' values would be visible, but the 'private-key' would have the value 'permanently-hidden'.  So, in order to "copy" the key to <running>, the client would (presumably) copy these three values as they are in <operational>, including the string "<permanently-hidden>" for the private-key's value.  The description of the node would state that this is the only time a client can legally configure the value "<permanently-hidden>" (i.e., when the same key already exists in <operational>)

> Or would that be only an output pattern created as the result of a ‘generate-hidden-key’ action that may be added by an implementation augmenting the model?

It is primarily intended to be an output-only pattern, with the exception being that mentioned above.

> Regarding ‘encrypted by’, would that be only used when the device allows to back up encrypted keys to later restore it to same device (or any other that may get hold of the same encryption key in some way)?

Correct.  For example, TPM chips have the ability to encrypt keys using their "storage root key" (SRK), which 1) enables the key to be safely exported but 2) only the TPM having the SRK can import/decrypt it.   While I don't think it's possible for TPMs to migrate an SRK, other implementations may support that ability and so, as you say, it could possibly be put onto another device.

Kent // contributor