IETF Logo Mail Archive

Re: [Netconf] PKCS7 --> CMS

Kent Watsen <kwatsen@juniper.net> Wed, 14 February 2018 21:16 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D59BF126DED for <netconf@ietfa.amsl.com>; Wed, 14 Feb 2018 13:16:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrpSm_q5VuFE for <netconf@ietfa.amsl.com>; Wed, 14 Feb 2018 13:16:47 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5C5D126C0F for <netconf@ietf.org>; Wed, 14 Feb 2018 13:16:47 -0800 (PST)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w1ELEDTR013210; Wed, 14 Feb 2018 13:16:46 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=prL6AC0jDHvVjbtBJ/Z6MWZxY75PPav/WOfFGcwoPp4=; b=aBmkBKJBDZCt9F2RDW5lmCK2TPXYgfqcr2jcv8UNp4+uLAJ/b1+yAm9+yUZAqqbszxwl 3odSfmQ9fHXrI9cq98FvzdhK1NfZPTOwMzvjDcm+tXjdOnx5VekFpFwT5zgHNbFiHF58 TdVBkFXPheG1JGTj2xsv88UR/7qmG2obuezr9Nyz532eu5GWI2uyn1/IzAGOFMqvHB07 yIOwrC6jBuBVoEhFHslhVBiQLNVe1ne4RPX9k24BxAqUah9bdj13PjyBPD4cuUWthYvB +xyry/j9RXHcOoojAJH3HSbVa9a6OmiqQJp9sV+9Q9t3y/oTv5W3S+tO/95tt+i90DOa lw==
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0021.outbound.protection.outlook.com [216.32.181.21]) by mx0a-00273201.pphosted.com with ESMTP id 2g4vsa80ar-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 14 Feb 2018 13:16:45 -0800
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3305.namprd05.prod.outlook.com (10.174.191.32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.506.7; Wed, 14 Feb 2018 21:16:43 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::7433:3915:f20d:6747]) by DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::7433:3915:f20d:6747%13]) with mapi id 15.20.0506.013; Wed, 14 Feb 2018 21:16:43 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] PKCS7 --> CMS
Thread-Index: AQHTpCyx8yqBhSZxuEy4tdotbWzQv6OjVhCAgAC//AA=
Date: Wed, 14 Feb 2018 21:16:43 +0000
Message-ID: <3C98EB5C-4DB7-49A3-A751-CB0855AB41D0@juniper.net>
References: <D00C0834-397B-47B8-9868-54D5F6E64E20@juniper.net> <26E63C76-8928-461D-B331-97AFBF1334BC@gmail.com>
In-Reply-To: <26E63C76-8928-461D-B331-97AFBF1334BC@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3305; 7:8ipv37ZzBFNP2Gdfh+J1n3B7QUJmd8pnx4fN0nK7zMvtA2gMfhF1qX4J2TG/3XEv8YsBSEzvG/kxPQ+zPX18T6MONlO7QHudcmqWUCSGm+zKPisFf/yWX8Ww0V0PulhvusGekXqtypePoep/OSZvo5zxYh+2EX2WEhTQD98kus6XGnP7hXyagVbfryHjAvMe8NectsCKyRysHj0bigj07lYY9seHTMMsIinlNJJAUc5CgM3J2YcKar2ncfy64s7x
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: aaf7e955-b57c-4705-396c-08d573f03f32
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603307)(7153060)(7193020); SRVR:DM5PR05MB3305;
x-ms-traffictypediagnostic: DM5PR05MB3305:
x-microsoft-antispam-prvs: <DM5PR05MB3305D06235B055D1A72AF7F9A5F50@DM5PR05MB3305.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863)(10436049006162)(166708455590820)(138986009662008)(85827821059158);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001020)(6040501)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(3231101)(2400082)(944501161)(6055026)(6041288)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123564045)(6072148)(201708071742011); SRVR:DM5PR05MB3305; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3305;
x-forefront-prvs: 0583A86C08
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(396003)(376002)(39380400002)(366004)(189003)(199004)(53754006)(377424004)(51444003)(2950100002)(6246003)(6116002)(83716003)(966005)(36756003)(478600001)(6436002)(2501003)(2900100001)(561944003)(316002)(7736002)(83506002)(3280700002)(106356001)(53936002)(82746002)(58126008)(305945005)(33656002)(6512007)(110136005)(6306002)(2906002)(99286004)(97736004)(186003)(6486002)(66066001)(229853002)(105586002)(8676002)(14454004)(5250100002)(68736007)(39060400002)(81166006)(81156014)(59450400001)(76176011)(3660700001)(3846002)(86362001)(8936002)(6506007)(5660300001)(25786009)(575784001)(102836004)(53546011)(26005)(6346003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3305; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: l9sGEfYqnwM5ArD7/8iqqvT9iaY2tpwWIiOZHoOi9aN3Qyvq5hENGwHczmUjXKnHNM3NBsxj09fe5b7XrmN47w==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <5B3EB1FC01A7A148B7039B6FD4E7BAD1@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: aaf7e955-b57c-4705-396c-08d573f03f32
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Feb 2018 21:16:43.1769 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3305
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-14_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802140249
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/nnIbH2pKGIxlIPAZbV7luOOA_h4>
Subject: Re: [Netconf] PKCS7 --> CMS
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2018 21:16:51 -0000

FWIW, the ANIMA Voucher draft includes this text (note the *** part):

   Note that Section 5.1 of [RFC5652] includes a discussion about how to
   validate a CMS object which is really a PKCS7 object (cmsVersion=1).
   Intermediate systems (such the BRSKI Registrar) which might need to
   evaluate the voucher in flight MUST be prepared for such an older
   format.  ***No signaling is necessary, as the Manufacturer knows the
   capabilities of the pledge, and will use an appropriate format
   voucher for each pledge.***

This means that there is already a mechanism for a system to pass XML
encoded data if need be.

My local draft has similar support in this text:

   When the bootstrapping data is unsigned, as it might be when
   communicated over trusted channels, the CMS structure's top-most
   content type MUST be one of the OIDs described in Section 11.3 or the
   OID id_data (1.2.840.113549.1.7.1), in which case the encoding (JSON,
   XML, etc.)  SHOULD be communicated externally.  In either case, the
   associated content is an octet string containing zerotouch-
   information data in the expected encoding.

   (and mirror-like text for the case when the bootstrapping data is signed)

I don't know, but given that the ability to send XML is already there, maybe it's better for us to be explicit and keep both "content type" registrations?

Personally, I still (relative to when I mentioned it in my email to Russ) think it best to have a generic "id-ct-YangEncodedData" for an ASN.1 structure like this:

   YangEncodedData {
     moduleName           string        // e.g., "ietf-zerotouch-information"
     moduleRevision       string        // e.g., "2017-12-09"
     encoding             enum          // XML, JSON, etc.
     data                 octet string  // the YANG-encoded data
   }

which would cover *all* YANG encoded data.  Imagine, doing so would mean that any YANG-encoded data artifact (yang-data?), could be fully-typed while also being:

  1) unsigned
  2) signed
  3) encrypted
  4) signed and encrypted

The only thing I don't like is that it entails needing to quickly write a new I-D and get it adopted so that this draft can have a normative reference to it.  That said, it would be a *very* small draft - something like 5 pages...

Kent // contributor



On 2/13/18, 11:49 PM, "Mahesh Jethanandani" <mjethanandani@gmail.com> wrote:

Dear WG, 

Does anyone have objection to the proposal below for the envelope information to be JSON format only, for now, with the idea that if XML support is needed, it can be added later?

Barring any objections, we want to close on this issue and send the draft for publication.

Thanks


On Feb 12, 2018, at 10:09 AM, Kent Watsen <kwatsen@juniper.net> wrote:


Hi all,

Line 1704 of the commit here [1] shows both XML and JSON content types being registered.

id-ct-zerotouchInformationXML
id-ct-zerotouchInformationJSON


But the ANIMA Voucher draft only defines a single content type for JSON.  Their rational for supporting just one was that it would promote interoperability, though XML support could be added at any time.

But having one artifact (zerotouch-information) support two encodings while the other (ownership-voucher) can only support one doesn't seem helpful either.  What to do?

To be clear, this decision has no impact on if the bootstrap server supports XML or JSON, or even what the bootstrapping device's NETCONF/RESTCONF protocols support.  But it does mean that, in the worst case, a native-XML server may need to process a JSON document during the bootstrapping process.

[1] https://github.com/netconf-wg/zero-touch/commit/3d938e4d539407c8bb2b4e162dca497b01d8315c#diff-ac14b4845b3be918b874f2d3564d5d09R1704

Thoughts?  - should we again go back to only supporting JSON?   - or should we go ahead and define both now, with the assumption and the ownership voucher will someday support XML too?

Kent // contributor



[moving Russ to BCC]

All,

The PKCS7 --> CMS change is reflected here:

https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_netconf-2Dwg_zero-2Dtouch_commit_3d938e4d539407c8bb2b4e162dca497b01d8315c&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=YcPdTFTtK-LwGeIHtUMmazXzme-WkaIpGzibJMVdVHQ&e=

I plan to automatically merge this branch into -20, as already the shepherd asked for this update.

Kent // author



===== original message=====

I think that defining the two content types would be better.  If you use id-data, then you need another way to figure out what content type is embedded.

Russ



On Feb 6, 2018, at 8:44 PM, Kent Watsen <kwatsen@juniper.net> wrote:

Hi Russ,

Drilling down a little, I can imagine us defining a couple content types:

id-ct-zerotouchInformationXML
id-ct-zerotouchInformationJSON

But, in both cases, the "content" would be just an octet string (i.e.,
an XML or JSON encoded document).  In particular, we would not define
an ASN.1 structure to represent the "zerotouch information" structure.

Is defining two types such as above the expectation or, since it's
just an octet string, perhaps we should use "id-data"?  RFC 5652
section 4 says this about the 'data' type (I added the quotes):

 "The 'data' content type is intended to refer to arbitrary octet
 strings, such as ASCII text files; the interpretation is left to the
 application.  Such strings need not have any internal structure
 (although they could have their own ASN.1 definition or other
 structure)."

Or, do you think we should look to do something even more generic,
such as:

id-ct-YangEncodedData

    YangEncodedData {
      moduleName           string        // e.g., "ietf-zerotouch-information"
      moduleRevision       string        // e.g., "2017-12-09"
      encoding             enum          // XML, JSON, etc.
      data                 octet string  // the YANG-encoded data
    }

Which would allow for the brokering of any YANG data.  Such a type 
could've, for instance, also been used by the ANIMA voucher draft.

Thoughts?  - anyone?

Kent



===== original message =====

Kent:

Yes.  This is the approach takes for signed firmware packages in RFC 4108.

Russ



On Feb 6, 2018, at 3:40 PM, Kent Watsen <kwatsen@juniper.net> wrote:

Russ,

I like it.  I didn't know that it was possible to set the top-level content
type value like that.  Is the net-result still considered a CMS structure?

Thanks,
Kent


===== original message =====

I suggest that ContentInfo is always present, then for the signed case:

   ContentInfo {
     contentType          id-signedData, -- (1.2.840.113549.1.7.2)
     content              SignedData
   }

   SignedData {
     version              CMSVersion, -- always set to 3
     digestAlgorithms     DigestAlgorithmIdentifiers, -- Only one
     encapContentInfo     EncapsulatedContentInfo,
     certificates         CertificateSet, -- Signer cert. path
     crls                 CertificateRevocationLists, -- Optional
     signerInfos          SET OF SignerInfo -- Only one
   }

   SignerInfo {
     version              CMSVersion, -- always set to 3
     sid                  SignerIdentifier,
     digestAlgorithm      DigestAlgorithmIdentifier,
     signedAttrs          SignedAttributes, -- Required
     signatureAlgorithm   SignatureAlgorithmIdentifier,
     signature            SignatureValue,
     unsignedAttrs        UnsignedAttributes -- Optional
   }

   EncapsulatedContentInfo {
     eContentType         <your-netconf-content-type>
     eContent             OCTET STRING
   }                            -- Contains the content

The unsigned case:

   ContentInfo {
     contentType          <your-netconf-content-type>
     content              -- Contains the content
   }

Russ



On Feb 6, 2018, at 11:53 AM, Kent Watsen <kwatsen@juniper.net> wrote:

Hi Russ,

I'm looking into switching from PKCS7 to CMS change in the NETCONF
zerotouch draft.  This update would be similar to the change to the
ANIMA voucher draft.  However, I noticed that RFC 5652 says in 
Section 5.2:

"In the degenerate case where there are no signers, the
EncapsulatedContentInfo value being "signed" is irrelevant.  In this
case, the content type within the EncapsulatedContentInfo value being
"signed" MUST be id-data (as defined in Section 4), and the content
field of the EncapsulatedContentInfo value MUST be omitted."

Note, this text is similar to the last paragraph in RFC 2315 Section 
9.1, though there it is just a "recommendation" that the value be
omitted.

This is a problem for the NETCONF zerotouch draft, where we currently
have a PKCS7 object that is sometimes signed.  We choose this approach
because then, in all cases, a PKCS7 object is being communicated.  But
it's no longer allowed in CMS?

Questions:

1) Can the zerotouch draft explicitly allow the "eContent" field 
again for the degenerate case?

2) If having a eContent value for the degenerate case is no longer
allowed, can we use it as grounds for not migrating to CMS?

3) Are there any other generic "envelop" structure that can be 
"sometimes signed"?


Thanks,
Kent









_______________________________________________
Netconf mailing list
Netconf@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=A-qDS0CYdeZjFh3qD4jW4CyOwFIr_KmezgiLDovTZbw&s=o18ndrwnbD62ZZH5zVUoH7nk1Y0SPkdaxROvPs3_wrc&e=


_______________________________________________
Netconf mailing list
Netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf

Mahesh Jethanandani
mjethanandani@gmail.com

v2.23.0 | Report a Bug | By Email