Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
Kent Watsen <kent+ietf@watsen.net> Thu, 08 February 2024 22:26 UTC
Return-Path: <0100018d8ad3d581-f009daf9-72ad-45b3-a6ac-35bb5041de17-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3C6CC14F5FD; Thu, 8 Feb 2024 14:26:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7PXXPPYWD_o; Thu, 8 Feb 2024 14:25:57 -0800 (PST)
Received: from a48-94.smtp-out.amazonses.com (a48-94.smtp-out.amazonses.com [54.240.48.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 425DFC14F5E5; Thu, 8 Feb 2024 14:25:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1707431155; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=dvriWprZQGrcrKCxahu3bBXnqJC8nq/OlCD3SENFXwk=; b=XAhQW215aR40em5aFKoAXPMi6SAi2rzNNryYIqlSMYcapDTcf1rz6+6jn6NTKJiD 8Kv/miiBQEoZzaRdtX2VhNeqt32DySI0PW7ki8k+SEYM9hV7c4SI8vdDiMAG5Mq/OCc 9OXDi0nj/gz+OpmNLmSeew7lHTJOJfS5zmptsQek=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018d8ad3d581-f009daf9-72ad-45b3-a6ac-35bb5041de17-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6D342FF7-9097-424F-ACCB-5081B1CC8601"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Thu, 08 Feb 2024 22:25:55 +0000
In-Reply-To: <BN2P110MB11074D96D5A34B8CB1610729DC46A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-netconf-trust-anchors@ietf.org" <draft-ietf-netconf-trust-anchors@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Roman Danyliw <rdd@cert.org>
References: <170663325496.44925.1682814616077470749@ietfa.amsl.com> <0100018d614b05ef-bcac43ce-c7ad-44a6-9297-c9a7cd7dd861-000000@email.amazonses.com> <BN2P110MB11074D96D5A34B8CB1610729DC46A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.08-54.240.48.94
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/kGaOGY2ZCkzKtfnW2DjTRR9bbBc>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 22:26:00 -0000
Hi Roman, Thank you for clearing your DISCUSS position. See below for more. Kent > On Feb 6, 2024, at 4:29 PM, Roman Danyliw <rdd@cert.org> wrote: > > Hi Kent! > > Thanks for the revised -24. I’ve cleared my DISCUSS position. A bit more inline … > > From: Kent Watsen <kent+ietf@watsen.net <mailto:kent+ietf@watsen.net>> > Sent: Wednesday, January 31, 2024 3:52 PM > To: Roman Danyliw <rdd@cert.org <mailto:rdd@cert.org>> > Cc: The IESG <iesg@ietf.org <mailto:iesg@ietf.org>>; draft-ietf-netconf-trust-anchors@ietf.org <mailto:draft-ietf-netconf-trust-anchors@ietf.org>; netconf-chairs@ietf.org <mailto:netconf-chairs@ietf.org>; netconf@ietf.org <mailto:netconf@ietf.org>; Qin Wu <bill.wu@huawei.com <mailto:bill.wu@huawei.com>>; Mahesh Jethanandani <mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>> > Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT) > > Hi Roman, > > Thank you for your valuable comments. > Please find responses below. > > Kent > > > > On Jan 30, 2024, at 11:47 AM, Roman Danyliw via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-netconf-trust-anchors-23: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/ > > > > > ** YANG. list certificate-bag > "A bag of certificates. Each bag of certificates SHOULD > be for a specific purpose. For instance, one bag could > be used to authenticate a specific set of servers, while > another could be used to authenticate a specific set of > clients."; > > Since normative language is used here, can additional guidance be provided on > qualifying “specific purpose”. For example, can one put different applications > for the same server in the same bag? > > Technically possible, yes. > > > > What is the consequence of incorrectly binning the certificate chains? > > A misconfiguration, possibly leading to trusting something in an undesirable context. > > > > More generally, I’m wondering about the > significance of where certificates are binned. Because of natural language > describing the purpose of these bags, I don’t see an obvious, interoperable, > general purpose way to automatically parse this structure to know which > certificate to use for a server beyond checking subjectAltNames in the > certificate against a domain name (which precludes the need to even organize > these certificates into bins beyond readability). > > Each bag has a “name” and “description” fields. From https://datatracker.ietf.org/doc/html/draft-ietf-netconf-trust-anchors-23#section-2.2.1: > > <certificate-bag> > <name>trusted-server-ca-certs</name> > <description> > Trust anchors (i.e. CA certs) used to authenticate server > certificates. A server certificate is authenticated if its > end-entity certificate has a chain of trust to one of these > certificates. > </description> > > So it seems very easy for clients to know a bag’s purpose without having to look at, e.g., the SAN. > Does this resolve your comment? > > [Roman] I’m primary drilling in on the text “Each bag of certificates SHOULD be for a specific purpose”. Since “specific purpose” has no clear, ambiguous definition, it seems like an argument could be made that almost might qualifies as a “specific purpose”. My simple fix would be s/SHOULD/should/. Fixed - and thank you for the the clarification! > [snip] > > ** Section 4.3 > None of the readable data nodes defined in this YANG module are > considered sensitive or vulnerable in network environments. The NACM > "default-deny-all" extension has not been set for any data nodes > defined in this module. > > Doesn’t read-access to this module provide insight into which other > resources/applications/servers this particular server communicates with by > virtue of having their end-entity certificates or SSH keys? Wouldn’t this > provide an attacker insight into potential targeting? or business > relationships? > > Good point. > > Hmmm, but can you clarify, is the concern limited to just the “cert-data” node (i.e., the CMS), or does it include also, e.g., the bag’s “name” and “description” nodes too? > > [Roman] I’m not exactly sure how this YANG model would be used. The cert-data node seems like it would definitely be sensitive for the reason described above. I trust your judgement on what you anticipate the natural language descriptions might look like. I’m not sure. Okay, I made three changes: 1) in the “crypto-types” draft, where the YANG groupings are defined: - changed "default-deny-write” to "nacm:default-deny-all” 2) also in the “crypto-types” draft, in the Security Considerations section: OLD: <t>The "cert-data" node: <ul empty="true"> <li>The "cert-data" node, defined in both the "trust-anchor-cert-grouping" and "end-entity-cert-grouping" groupings, is additionally sensitive to read operations, as certificates sometimes convey personally identifying information (especially end-entity certificates). However, as it is commonly understood that certificates are "public", the NACM extension "nacm:default-deny-write" (not "default-deny-all") has been applied. It is RECOMMENDED that implementations adjust read-access to certificates to comply with local policy.</li> </ul> </t> NEW: <t>The "cert-data" node: <ul empty="true"> <li>The "cert-data" node, defined in both the "trust-anchor-cert-grouping" and "end-entity-cert-grouping" groupings, is additionally sensitive to read operations, as certificates may provide insight into which other resources/applications/servers this particular server communicates with, as well as potentially divulge personally identifying information (e.g., end-entity certificates). For this reason, the NACM extension "default-deny-all" has been applied.</li> </ul> </t> 3) in *this* draft, in the Security Considerations section: OLD: None of the readable data nodes defined in this YANG module are considered sensitive or vulnerable in network environments. The NACM "default-deny-all" extension has not been set for any data nodes defined in this module. NEW: Most of the readable data nodes defined in this YANG module are not considered sensitive or vulnerable in network environments. However, the "cert-data" node uses the NACM "default-deny-all" extension, for reasons described in <xref section="3.9" target="RFCAAAA"/>. > Roman
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Roman Danyliw
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen