Re: [Netconf] Mandatory local configuration in Keystore groupings
Martin Bjorklund <mbj@tail-f.com> Tue, 18 September 2018 20:12 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94DF0130E60 for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 13:12:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N8BqyKV7ZapI for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 13:12:12 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 9F86812D7EA for <netconf@ietf.org>; Tue, 18 Sep 2018 13:12:12 -0700 (PDT)
Received: from localhost (h-80-27.A165.priv.bahnhof.se [212.85.80.27]) by mail.tail-f.com (Postfix) with ESMTPSA id A35ED1AE02BE; Tue, 18 Sep 2018 22:12:10 +0200 (CEST)
Date: Tue, 18 Sep 2018 22:12:10 +0200
Message-Id: <20180918.221210.1111111634668608576.mbj@tail-f.com>
To: kwatsen@juniper.net
Cc: balazs.kovacs@ericsson.com, balazs.lengyel@ericsson.com, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <A9FACF6E-2207-4FD3-966A-3482DC96B35D@juniper.net>
References: <20180918.090227.98113334613843662.mbj@tail-f.com> <VI1PR0701MB2016707AE81A6F77719461D4831D0@VI1PR0701MB2016.eurprd07.prod.outlook.com> <A9FACF6E-2207-4FD3-966A-3482DC96B35D@juniper.net>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/n7xom0Kkb6kIM3mW1wyjijX_mE8>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2018 20:12:16 -0000
Kent Watsen <kwatsen@juniper.net> wrote: > > I like Martin's "twist" - I don't view it as an extreme hardship (the > 1% case), and I prefer (C) for supporting "require-instance true" as > well as having one less action. So, let's go with (C). > > Martin, you mentioned some details might be wrong, are they wrong in > (C)? - I'd like to have it right when posting the next update... Yes; in (C), "generate-hidden-key" and "load-hidden-key" doesn't take "name" as input. /martin > Balazs, the desire to reference an IDevID could be from any > SSH/TLS-based app, it would be hard to know in advance where. No > matter, with (C)+twist, we can have "require-instance true" always. > > Kent // contributor > > > -----Original Message----- > > Hi, > > I'd just emphasize that in creation step of hidden key, the name must > be coordinated between step A/1&2 by external application logic. Same > holds for deletion of hidden key for A/1&2. "Same name" is important. > > Enabling the possibility for 'require instance true' would be also > good remark on the side of (C). > > Regarding manufactured keys, I would not expect manufactured keys to > be used in other common models, such as in TLS/SSH use cases. If they > have some specific use case, maybe those models could either have > 'require instance false' or it could be said to create an empty key > for them as Martin described. > > Br, > Balazs > > -----Original Message----- > From: Martin Bjorklund <mbj@tail-f.com> > Sent: Tuesday, September 18, 2018 9:02 AM > To: kwatsen@juniper.net > Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; Balázs Lengyel > <balazs.lengyel@ericsson.com>; netconf@ietf.org > Subject: Re: [Netconf] Mandatory local configuration in Keystore > groupings > > Hi, > > Ok, so we have these two alternatives illustrated below. There are > some details that probably are wrong, but it doesn't really matter at > this stage. With (A), there is one more action to control the > lifespan of keys (delete-hidden-key). > > In the case that the key is given as config, A and C works in the same > way. > > In the case that the key is permanent, A and C also works in the same > way. > > A and C differ in how hidden keys are handled. > > > In order to create a hidden key + certificate, the steps are: > > A: 1. call generate-hidden-key with a given name > 2. create an asymmetric-key with the same name in the config > 3. call generate-certificate-signing-request > 4. <get hold of a cert> > 5. create the certificate in the config > > (step 1 and 2 can be done in reverse order) > > C 1. create an asymmetric-key in the config > 2. call generate-hidden-key on this key > 3. call generate-certificate-signing-request > 4. <get hold of a cert> > 5. create the certificate in the config > > In order to delete a hidden key completely: > > A: 1. call delete-hidden-key on the asymmetric-key to be deleted > 2. delete the asymmetric-key from the config > > C: 1. delete the asymmetric-key from the config > > > > In summary, they are very similar. > > One possible twist that probably works best for C could be to use > leafrefs with require instance true, and say that in order to use a > permanent key (created during manufacturing), you first need to create > config for the key (more or less empty config). The benefit is that > we get proper leafref validation (no dangling pointers to handle in > all other models). FWIW, this is the approach taken in > ietf-interfaces. > > If we don't do this twist, I think that we can use either of A and C. > > > > /martin > > > > > Kent Watsen <kwatsen@juniper.net> wrote: > > > > > With (A), once you have generated the key, you first have to create > > > the config for it, then invoke the action. With (C) (99% of) the > > > keys already exist in the config, so you can just invoke the action. > > > > I don't follow. What I see is that, with (A), a hidden key can be > > created with a single action invocation while, with (C), first a > > configuration operation is needed to create the "asymmetric-key" > > (without the three leafs) followed by an action invocation (to > > populate the three leafs). > > > > > > > To summarize, A and C both get the job done. Which one is better is > > > probably subjective. I think (C) is might be easier to understand. > > > > Okay, let's see how it looks. Bubbling all the ideas to the top, I > > created the below tree-diagrams. Note, in both cases, the three > > "mandatory true" leafs are replaced with an all-or-nothing "must" > > expression: > > > > > > (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden > > keys; > > and an action statement is used to delete all hidden keys. > > > > +--rw keystore > > +--rw asymmetric-keys > > +--rw asymmetric-key* [name] > > | +--rw name string > > | +--rw algorithm? ct:key-algorithm-ref > > | +--rw public-key? binary > > | +--rw private-key? union > > | +---m "(algorithm and public-key and private-key) > > | | or not (algorithm or public-key or private-key)"; > > | +--rw certificates > > | | +--rw certificate* [name] > > | | +--rw name string > > | | +--rw cert ct:end-entity-cert-cms > > | | +---n certificate-expiration > > | | +-- expiration-date? yang:date-and-time > > | +---x generate-certificate-signing-request > > | | +---w input // KEY MAY BE IN <OPERATONAL> > > | | | +---w subject binary > > | | | +---w attributes? binary > > | | +--ro output > > | | +--ro certificate-signing-request binary > > | +---x delete-hidden-key > > | // no params > > +---x generate-hidden-key > > | +---w input // RESULT IN <OPERATONAL> > > | +---w name string > > | +---w algorithm ct:key-algorithm-ref > > +---x load-hidden-key > > +---w input // RESULT IN <OPERATONAL> > > +---w name string > > +---w algorithm ct:key-algorithm-ref > > +---w public-key binary > > +---w private-key union > > > > > > (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden > > keys > > created in <operational> (i.e., during manufacturing). But if there > > is > > even just one key created during Manufacturing, and it doesn't appear > > in <intended>, then leafrefs still need to be "require-instance > > false", > > right? Also, it seems that such keys could never be deleted, unlike > > other hidden keys, but that is probably okay (correct behavior). > > > > +--rw keystore > > +--rw asymmetric-keys > > +--rw asymmetric-key* [name] > > +--rw name string > > +--rw algorithm? ct:key-algorithm-ref > > +--rw public-key? binary > > +--rw private-key? union > > +---m "(algorithm and public-key and private-key) > > | or not (algorithm or public-key or private-key)"; > > +--rw certificates > > | +--rw certificate* [name] > > | +--rw name string > > | +--rw cert ct:end-entity-cert-cms > > | +---n certificate-expiration > > | +-- expiration-date? yang:date-and-time > > +---x generate-hidden-key > > | +---w input // RESULT IN <OPERATONAL> > > | +---w name string > > | +---w algorithm ct:key-algorithm-ref > > +---x load-hidden-key > > | +---w input // RESULT IN <OPERATONAL> > > | +---w name string > > | +---w algorithm ct:key-algorithm-ref > > | +---w public-key binary > > | +---w private-key union > > +---x generate-certificate-signing-request > > +---w input // KEY MAY BE IN <OPERATONAL> > > | +---w subject binary > > | +---w attributes? binary > > +--ro output > > +--ro certificate-signing-request binary > > > > > > > > > > Kent // contributor > > > > > > > >
- [Netconf] Mandatory local configuration in Keysto… Balazs Lengyel
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen