Re: [netconf] ietf crypto types - permanently hidden

[Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>]

On Thu, May 30, 2019 at 02:14:22PM +0000, Kent Watsen wrote:
 
> I'm growing weary of this discussion.  Perhaps we should do even less for the first release of the crypto-types module.  That is, instead of:
> 
>    leaf private-key {
>      nacm:default-deny-all;
>      type union {
>        type binary;
>        type string {
>          pattern
>            '<permanently-hidden>'
>          + '|<encrypted by="*">[A-Za-z0-9+/]+[=]{1,3}'
>          + '|<value-to-be-generated(-and-hidden)?>'
>          + '|<value-to-be-hidden>[A-Za-z0-9+/]+[=]{1,3}';
>        }
> 
> we have:
> 
>    leaf private-key {
>      nacm:default-deny-all;
>      type union {
>        type binary;
>        type string {
>          pattern
>            '<permanently-hidden>'
>          + '|<encrypted by="*">[A-Za-z0-9+/]+[=]{1,3}'
>        }
> 
> 
> This removes the "verbs" (as you call them) and thus leaves open possibility for either "verbs" or action statements to be added in some future revision.   This subset still supports the critical use-case of a manufacturer-generated private key for a secure device identifier (i.e., IDevID).    Unfortunately, it does not support the security best practice use-case of having the device generate the private key.  The IESG (Security Directorate) may or may not be okay with this (obviously the shepherd would have to bring it to their attention), but perhaps it's worth testing their resolve and see what happens?
>

Some comments:

- Not sure what security best practice is and where it is defined.
  Creating the key on the device has the benefit that the key may
  never have to leave the device but it also requires that I can trust
  the device to create good keys. (People recall the glitch that led
  to weak openssh keys on many Linux systems? And given todays world,
  which devices should I trust to generate strong keys?) I might
  decide that creating keys with known software I am willing to trust
  is far better than trusting a key generator shipped by a random
  device manufacturer.

- Side effects are bad and should be avoided. If something requires an
  rpc/action, make it an rpc/action.

- If you create something, give it a name; once things are named (or
  have other unique properties), config can then refer to these named
  objects. A create key operation might simply return a fingerprint
  for the key as the key's name.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>