IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

"Salz, Rich" <rsalz@akamai.com> Wed, 11 September 2019 20:27 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 612C0120227 for <netconf@ietfa.amsl.com>; Wed, 11 Sep 2019 13:27:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R91RSVLIiM9G for <netconf@ietfa.amsl.com>; Wed, 11 Sep 2019 13:27:07 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10D7F1201CE for <netconf@ietf.org>; Wed, 11 Sep 2019 13:27:06 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id x8BKR2HB012376; Wed, 11 Sep 2019 21:27:05 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=f4RL/rLUzLinaXJAOUcIduzLUM3Mx94TB2Og3nfeHvA=; b=MeiVJmc3dObLZ8uugZEyS73aPuFhhMaV2PcZKuDAQ+j8Q/bQMZg7ptBlMLqjU6/ZYM/f oU83SltNxdnU1sxUC7mPYWvU3zIGs8n04QbrG/dTEN6jA4jaL+16L5FBo/ec25DH1OYv 4WHhUEGwGFOLIBSPBXA+KswIUCv4Wxi8MHi2CeHvRHY0xXWzKqEEFv7bYbYc3heCewo6 Yqq4qufo3idjIJuhFXGXGMQfqbLyJjYzfYc7AtT9KjBOygEDBjhaKDNHJ/tW31wCw4+R J3dJo158y4v/yxk+U6E18KRZS76sKjyobuAbVWFaKCBvoFwAoT2ghFjREz2MXhoUCebC qw==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2uv4y8mhw7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 11 Sep 2019 21:27:05 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x8BKHt77027510; Wed, 11 Sep 2019 16:27:04 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.57]) by prod-mail-ppoint1.akamai.com with ESMTP id 2uv7vwe8s5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 11 Sep 2019 16:27:04 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 11 Sep 2019 16:27:03 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1473.005; Wed, 11 Sep 2019 16:27:03 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
CC: Russ Housley <housley@vigilsec.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVaNxGVhFlbERW30moo9Q8WhnpJqcm7NKA
Date: Wed, 11 Sep 2019 20:27:03 +0000
Message-ID: <47C71B4D-DC22-4090-B60C-5AC7B1ECF4B9@akamai.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com>
In-Reply-To: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.33.227]
Content-Type: multipart/alternative; boundary="_000_47C71B4DDC224090B60C5AC7B1ECF4B9akamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-11_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=962 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1906280000 definitions=main-1909110182
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-11_10:2019-09-11,2019-09-11 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 impostorscore=0 lowpriorityscore=0 mlxlogscore=942 adultscore=0 malwarescore=0 clxscore=1011 phishscore=0 spamscore=0 bulkscore=0 mlxscore=0 suspectscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1906280000 definitions=main-1909110184
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/n_TnqKAKe-o3tdYPi8FyG_tszHU>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Sep 2019 20:27:09 -0000

  *   It seems that there is little appetite to pursue a solution that entails defining many algorithm identifiers/enumerations in YANG.

I am glad of this.

An important thing to realize is that many cryptographic datatypes were designed for special purposes, and breaking everything down into its component parts defeats some of the security (separating the parameters from an RSA-PSS key, for example), or deployment issues (such as separating the signature from the certificate request or splitting up a CA cert chain into the individual certs).

Do not try for an omnibus of cryptographic types – any given application will almost definitely never have to use all the types in a module. Start with something small, such as what is needed to configure an HTTPS server – a cert chain, an end-entity cert, and a private key.  All of these can be handled by OpenSSL command-line.  Future modules could add SSH provisioning, VPN key management, Kerberos login actions, and suchlike.

Starting with the HTTPS server, all of those objects are, as you point out, structures defined in ASN1 and encoded in DER. For configuration, they are generally maintained as base-64 encoded files, with a known header and trailer line. This is popularized by OpenSSL as the PEM format, which harkens back to RFC 1421. RFC 7468 is an excellent starting point for actual use of that.

Hope this helps.  I would be glad to contribute to a draft developed along these lines.

v2.23.0 | Report a Bug | By Email