[netconf] FIXMEs in ietf-crypto-types and client/server models

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 05 November 2019 15:17 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5E881200B3 for <netconf@ietfa.amsl.com>; Tue, 5 Nov 2019 07:17:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 18Gj3w7iOLyh for <netconf@ietfa.amsl.com>; Tue, 5 Nov 2019 07:17:23 -0800 (PST)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60076.outbound.protection.outlook.com [40.107.6.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E34B1200B9 for <netconf@ietf.org>; Tue, 5 Nov 2019 07:17:22 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MZhA9E1qIu9kwk0adQHMUPJgnwywe17VpyzG5BktoI/Qj+pyMz8EyIKgA5bQi3wSsO9CeR6XnahxtGaP+Khv4azsuXyucoVITxqUWfH88WfuWLBKyzpPrNpzuKoZ3ubzBET65862fJ/h3jvMoYpTYUKJmnzikLJZqcwML/G7MyrKjx49tzpUkKcCtxQW2ZU7CzSHv5r5TUlfG0dHjkr2ygvlGgMRhiHaY7OmXmwGPXKudydkBSUFB95zyMhnT3hFm7TUCt+yTHfLzcNeRyuF1WsHghWi1nq3xeKXtNfuVlwVDh3uzK3TXpqTDKnMl/MdYWEoaVcbbPCllNrdSeLUPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=78esqjEYcsiIB+lj8ZfGCjSjzg7Q3iE2iltZFakaNQo=; b=VZq745YyyUo9KQBN+ELWRVIjYwcU1ucfeapD+sLFDDCMrVsKon+EJWzLmiXbtBXBqHoQ8o7CaTFNiucvdD0jxyIOzSt1CqeLJYDLlWR+MT++BkjUQ3qmkcOtAWBtwEg6Y9ejuH6L9C2NO7G4JaMezwrn7cf0MOA5bUGzmawnqWLi4ZZbpQBPkyHg2PNAQZRTRSDoGpe0xB+hbryzzXCovDFpIcnSGTb2fHaD0eWWfAnU2njignWTx+1cvq7WK0ShkPzXlrwc+QL2/isPfIzmD5J0u4NPAWU96sdxVL5d2LNT7TnAuzIDA3Bzw9xARjyv8Yvc/O9FkWluDhuLpeYHJQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=78esqjEYcsiIB+lj8ZfGCjSjzg7Q3iE2iltZFakaNQo=; b=lhJb/44Vme2vYs2aG2b+SDUyWqUObz5dLbRiG9jFIRKLg2rTRpNsp0zN79Ph+y7Ab8Hr7hWTdjS9RoniOGnvhie2wmUPOiEHnvqu2Fru9gquPwQzj2R07vubdzkfk93qBJc60ksp8EQllFKl2FUjM7bmPBwWs/8Ijd2S1/1naCU=
Received: from AM0PR07MB5187.eurprd07.prod.outlook.com (20.178.20.74) by AM0PR07MB4547.eurprd07.prod.outlook.com (52.135.148.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2430.16; Tue, 5 Nov 2019 15:17:19 +0000
Received: from AM0PR07MB5187.eurprd07.prod.outlook.com ([fe80::f016:8dc4:2887:cacd]) by AM0PR07MB5187.eurprd07.prod.outlook.com ([fe80::f016:8dc4:2887:cacd%3]) with mapi id 15.20.2430.013; Tue, 5 Nov 2019 15:17:19 +0000
From: =?iso-8859-1?Q?Bal=E1zs_Kov=E1cs?= <balazs.kovacs@ericsson.com>
To: "netconf@ietf.org" <netconf@ietf.org>, Kent Watsen <kent+ietf@watsen.net>
Thread-Topic: FIXMEs in ietf-crypto-types and client/server models
Thread-Index: AdWT66zB5kr5iNWxQ6yg/MeI8i6GNg==
Date: Tue, 5 Nov 2019 15:17:19 +0000
Message-ID: <AM0PR07MB5187A1438941A29D28CE3486837E0@AM0PR07MB5187.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: fb940188-f4d5-42c8-853c-08d762034047
x-ms-traffictypediagnostic: AM0PR07MB4547:
x-microsoft-antispam-prvs: <AM0PR07MB45476C901B53D7FB15720D07837E0@AM0PR07MB4547.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0212BDE3BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(396003)(39860400002)(346002)(376002)(136003)(199004)(189003)(66476007)(790700001)(6116002)(76116006)(66556008)(256004)(3846002)(6506007)(102836004)(2501003)(316002)(99286004)(74316002)(110136005)(26005)(64756008)(66446008)(2906002)(66946007)(33656002)(71200400001)(71190400001)(55016002)(6436002)(86362001)(478600001)(6306002)(14454004)(54896002)(9686003)(52536014)(561944003)(7696005)(66066001)(7736002)(186003)(476003)(5660300002)(9326002)(25786009)(8676002)(81156014)(81166006)(8936002)(45776006)(486006)(170073001); DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4547; H:AM0PR07MB5187.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RftL+XU2n4ztvfO1SfTpxVt3xIUURXVYjcM/ezPDUEKGz8x79arTnrG7/QJf2P2i8Wb9FwtSdUWYZkmFdDFSVlNCJbz2SWcpTBqca/VXMIQhFNsULJaa5hFhv4qlu1tugFECvHKEKzymfg9Z0O8ObPSrB2Z8bicPVatMhiCRTxBOAy7ZtTYdZGv0OqEA+2OJim2IMpAA44zXwW5hjpZZKbJwFtHd8YVwGX9IEdsETi4fgmG9x4bJKfr6scPp/jkjqakfi+ehp+202+XjWZ+/cQTmp4ckkyl1txjUWAkszdmAv0AMco/jED9qGmHcE4fPBJZMnQ0o8IUqaQrzdHmqopl+5GoGBSy6u+MjdTRwZ4ma5UnNu6ZKtve2u0wbpnNCh/9U7UtDd2LwPI6DrHAd8yBJrdjysFJd4sFijY/wvZzvnWJtKmMMXWHRIexEJ6xq
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR07MB5187A1438941A29D28CE3486837E0AM0PR07MB5187eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: fb940188-f4d5-42c8-853c-08d762034047
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2019 15:17:19.8587 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: T2LdjIL0HdfIaAFFcmzeV/AIzZO9yMY5CoC2Mip1hDHCcVgs4QRb+tKJazeIsSly/75mtIIR650e1laz2xId9ejzSgJgjuT7iwGsGs8H+kU=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4547
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/nYGf7FMQTJnXF-fpUP7ibt9ojkc>
Subject: [netconf] FIXMEs in ietf-crypto-types and client/server models
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 15:17:26 -0000

Hi,

I see some FIXMEs in ietf-crypto-types and related models. I would be interested about the current state of them and possibility to clean them up.


  1.  Key-format (symmetric-key, public-key, asymmetric-key-pair)

I assume the idea here is to make it possible to have choices for the ASN.1 types holding the keys. If this flexibility for formats is necessary I don't have any objection to them but having a single agreed type for these different use cases would also suffice.


2.       attributes in asymmetric-key-pair-with-cert(s)-grouping

I think attributes should be kept optional. If there is anything else besides subject seen mandatory maybe it should be extracted out from attributes and be spelled out a separate leaf, but I don't think there is.


  1.  PSK and raw public keys

The use case of PSK and raw public keys are not the most urgent in my opinion which now slows a bit the progress of these drafts, but let's make an attempt to finalize them.



raw-public-keys: I see these were added due to RFC 7250 and 8446. I guess in truststore this is a separate container to distinguish from SSH host keys. For configuring the private part I think keystore already gives support for this case with the asymmetric key (w/o cert) and in the client/server drafts Kent's proposal could be used (I replaced raw public key with existing type, shouldn't that be useable straight away?)


                    container <client-identity or server-identity> {
                      choice auth-type {
                         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                         uses ks:local-or-keystore-asymmetric-key-grouping;


I would also prefer if these choices are in features, so that an implementation can choose.



psk: given that the asymmetric keys without certs were covered by host keys and raw public keys, I think psk should only be symmetric keys. Symmetric keys are then sensitive/secret data and as such I believe they should only be referenced from keystore. Seeing them in truststore was unexpected for me. When it comes to their use, clients and servers should be extended with following configuration (and I assume we talk of TLS clients and servers only):


                    container <client-identity or server-identity> {
                      choice auth-type {

                         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
                         uses ks:local-or-keystore-asymmetric-key-grouping;

                       uses ks:local-or-keystore-symmetric-key-grouping;



Latter grouping would be a new one, but it would use existing constructs and terms from keystore. I don't think we need new ones. Selected cipher suites will need to have PSK in them for using symmetric key (similar match needed for the others). Note that symmetric keys can be used for other cases than TLS PSK, for example SNMPv3 USM. Again, features would be necessary (those could be saying x.509 or raw-public-key or psk).


Br,
Balazs