[netconf] ietf-crypto-types: read-only nodes to provide fingerprints of public keys and certificates
"maurice.angermann@siemens.com" <maurice.angermann@siemens.com> Mon, 16 March 2020 12:20 UTC
From: "maurice.angermann@siemens.com" <maurice.angermann@siemens.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 16 Mar 2020 12:20:30 +0000
Message-ID: <AM0PR10MB3378F579924AE0D6A3EA79DDE6F90@AM0PR10MB3378.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/F7CobC5Htcx00hTWERO-bygFLGs>

Hi,

I would like to make a suggestion regarding the groupings for public keys and certificates in draft-ietf-netconf-crypto-types-14:

Especially in case of manual server verification in applications like (Open)SSH or HTTPS (self-signed certs), it is quite common to compare fingerprints of a (remote) identity. Therefore it might be useful to add operational data ("config false") nodes to those groupings to provide the fingerprints of a public key/certificate. That would provide easy manual verification, e.g. of a whole certificate chain stored in <running>.

Any feedback on this proposal is much appreciated. Please find an example of how a generic realization in the crypto-types module could look like below:

Since "x509c2n:tls-fingerprint" is probably not an appropriate namespace to describe a public-key fingerprint, an according datatype could look like that:

  typedef fingerprint {
    type yang:hex-string {
      /* max string range of x509c2n:tls-fingerprint's pattern restriction */
      length "min .. 764";
    }
  }

A new grouping to provide fingerprints depending on the available hashing algorithms:

  grouping fingerprints-grouping {
    description
      "A set of fingerprints of a public key or a certificate.
       Implementations SHOULD NOT provide a list entry for an
       algorithm that is not being listed as supported in
       iana-hash-algs.";
    container fingerprints {
      description
        "A set of fingerprints of a public key or a certificate.";
      list fingerprint {
        key "algorithm";
        description
          "A fingerprint.";
        leaf algorithm {
          type iha:hash-algorithm-type;
          description
            "The hashing algorithm.";
        }
        leaf hash {
          type fingerprint;
          description
            "The fingerprint value.";
        }
      }
    }
  }

The resulting updated groupings would look like that: (*) indicates the new nodes

    grouping public-key-grouping
      +-- algorithm              iasa:asymmetric-algorithm-type
(*)   +--ro fingerprints
(*)   |  +--ro fingerprint* [algorithm]
(*)   |     +--ro algorithm     iha:hash-algorithm-type
(*)   |     +--ro hash          fingerprint
      +-- public-key-format?    identityref
      +-- public-key            binary

    grouping trust-anchor-cert-grouping
      +-- cert?                  trust-anchor-cert-cms
(*)   +--ro fingerprints
(*)   |  +--ro fingerprint* [algorithm]
(*)   |     +--ro algorithm     iha:hash-algorithm-type
(*)   |     +--ro hash          fingerprint
      +---n certificate-expiration
         +-- expiration-date    yang:date-and-time

    grouping end-entity-cert-grouping
      +-- cert?                  end-entity-cert-cms
(*)   +--ro fingerprints
(*)   |  +--ro fingerprint* [algorithm]
(*)   |     +--ro algorithm     iha:hash-algorithm-type
(*)   |     +--ro hash          fingerprint
      +---n certificate-expiration
         +-- expiration-date    yang:date-and-time

Please note that leaf-lists as used in "trust-anchor-certs-grouping" or "end-entity-certs-grouping" wouldn't be considered by that approach.

Again, any feedback is appreciated.

Thanks
BR
Maurice

With best regards,
Maurice Angermann

Siemens AG
Digital Industries
Process Automation
Software House Khe
DI PA CI R&D 2
Oestliche Rheinbrueckenstr. 50
76187 Karlsruhe, Germany
mailto:maurice.angermann@siemens.com
www.siemens.com/ingenuityforlife<http://www.siemens.com/ingenuityforlife>

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Cedrik Neike, Michael Sen, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
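Added example, not part of the post above and not code from the crypto-types draft: it shows what a server would have to compute to populate the proposed "config false" fingerprints list for one DER-encoded public key or certificate, and how an operator-side tool would check a hand-typed fingerprint against those entries. The mapping of iana-hash-algs names (sha-256, sha-384, sha-512) onto hashlib, the SAMPLE_DER byte string and all function names are assumptions made for this example; the yang:hex-string pattern is the one from RFC 6991 and the 764 limit is the one proposed in the post.

```python
"""Added example (not part of the mailing-list post or of the crypto-types
draft): compute the entries of the proposed "fingerprints" list for a
DER-encoded public key or certificate, render them as instance data, and
verify an operator-supplied fingerprint against them."""
import hashlib
import hmac
import json
import re

# Assumed mapping from iana-hash-algs names (iha:hash-algorithm-type) to
# hashlib names. The YANG names are an assumption for this example; a real
# server would advertise only the algorithms it actually supports.
SUPPORTED_HASH_ALGS = {
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}

# yang:hex-string (RFC 6991): pairs of hex digits separated by colons.
HEX_STRING_RE = re.compile(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$")
# Length limit of the proposed "fingerprint" typedef (from the post).
MAX_FINGERPRINT_LEN = 764

# Constructed stand-in for the DER bytes of a public key or certificate.
# It is not a real key; the fingerprint is simply a hash of these bytes.
SAMPLE_DER = bytes.fromhex("3003020105")


def to_hex_string(digest):
    """Encode a digest as a lower-case yang:hex-string ("ab:cd:...")."""
    return ":".join(f"{b:02x}" for b in digest)


def fingerprints_for(der):
    """Build the 'fingerprint' list entries (key 'algorithm') for one object."""
    entries = []
    for yang_name, hashlib_name in SUPPORTED_HASH_ALGS.items():
        value = to_hex_string(hashlib.new(hashlib_name, der).digest())
        # Never emit a value that violates the typedef's restrictions.
        if len(value) > MAX_FINGERPRINT_LEN or not HEX_STRING_RE.match(value):
            raise ValueError(f"fingerprint for {yang_name} violates typedef")
        entries.append({"algorithm": yang_name, "hash": value})
    return entries


def instance_data(der):
    """JSON instance data for the 'fingerprints' container (config false)."""
    return json.dumps({"fingerprints": {"fingerprint": fingerprints_for(der)}},
                      indent=2)


def normalize_fingerprint(text):
    """Canonicalize hand-typed input: upper case, missing colons, spaces, or
    the 'SHA256 Fingerprint=AB:CD:...' form printed by 'openssl x509'."""
    if "=" in text:
        text = text.split("=", 1)[1]
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if not hexdigits or len(hexdigits) % 2:
        raise ValueError("not a valid fingerprint")
    return ":".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def verify_fingerprint(der, algorithm, expected):
    """True iff 'expected' matches the object's fingerprint under 'algorithm'.
    Comparison is constant-time; an unsupported algorithm or unparsable
    input never matches."""
    if algorithm not in SUPPORTED_HASH_ALGS:
        return False
    try:
        wanted = normalize_fingerprint(expected)
    except ValueError:
        return False
    computed = to_hex_string(hashlib.new(SUPPORTED_HASH_ALGS[algorithm], der).digest())
    return hmac.compare_digest(computed, wanted)


if __name__ == "__main__":
    print(instance_data(SAMPLE_DER))
    first = fingerprints_for(SAMPLE_DER)[0]
    print(verify_fingerprint(SAMPLE_DER, first["algorithm"], first["hash"].upper()))
```

The normalizer exists because the comparison in the post's scenario is done by a human: the value read off a console or printed by another tool is rarely in the exact lower-case, colon-separated form of yang:hex-string, and a verification that fails on case or separators invites operators to skip the check. Note that the list entries are keyed by algorithm, so a client that only knows one digest (for example a SHA-256 value from a terminal session) picks the matching entry and compares that one.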