[netconf] ietf-crypto-types: read-only nodes to provide fingerprints of public keys and certificates

"maurice.angermann@siemens.com" <maurice.angermann@siemens.com> Mon, 16 March 2020 12:20 UTC

From: "maurice.angermann@siemens.com" <maurice.angermann@siemens.com>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 16 Mar 2020 12:20:30 +0000
Message-ID: <AM0PR10MB3378F579924AE0D6A3EA79DDE6F90@AM0PR10MB3378.EURPRD10.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/F7CobC5Htcx00hTWERO-bygFLGs>

Hi,

I would like to make a suggestion regarding the groupings for public keys and certificates in draft-ietf-netconf-crypto-types-14:

Especially in the case of manual server verification in applications like (Open)SSH or HTTPS (self-signed certs), it is quite common to compare fingerprints of a (remote) identity.

Therefore it might be useful to add operational data ("config false") nodes to those groupings to provide the fingerprints of a public key/certificate.

That would provide easy manual verification, e.g. of a whole certificate chain stored in <running>.

Any feedback on this proposal is much appreciated.

Please find below an example of how a generic realization in the crypto-types module could look:

Since "x509c2n:tls-fingerprint" is probably not an appropriate namespace to describe a public-key fingerprint, a corresponding datatype could look like this:

  typedef fingerprint {
    type yang:hex-string {
      /* max string range of x509c2n:tls-fingerprint's pattern restriction */
      length "min .. 764";
    }
  }

A new grouping to provide fingerprints depending on the available hashing algorithms:

  grouping fingerprints-grouping {
    description
      "A set of fingerprints of a public key or a certificate.

       Implementations SHOULD NOT provide a list entry for an algorithm
       that is not being listed as supported in iana-hash-algs.";
    container fingerprints {
      /* Operational data only: this is what makes the nodes "ro" in the
         tree diagrams, even when the grouping is used in configuration. */
      config false;
      description
        "A set of fingerprints of a public key or a certificate.";
      list fingerprint {
        key "algorithm";
        description
          "A fingerprint.";
        leaf algorithm {
          type iha:hash-algorithm-type;
          description
            "The hashing algorithm.";
        }
        leaf hash {
          type fingerprint;
          description
            "The fingerprint value.";
        }
      }
    }
  }


The resulting updated groupings would look like this ((*) indicates the new nodes):

  grouping public-key-grouping
    +-- algorithm                 iasa:asymmetric-algorithm-type
 (*)+--ro fingerprints
 (*)|  +--ro fingerprint* [algorithm]
 (*)|     +--ro algorithm             iha:hash-algorithm-type
 (*)|     +--ro hash                  fingerprint
    +-- public-key-format?        identityref
    +-- public-key                binary

  grouping trust-anchor-cert-grouping
    +-- cert?                     trust-anchor-cert-cms
 (*)+--ro fingerprints
 (*)|  +--ro fingerprint* [algorithm]
 (*)|     +--ro algorithm             iha:hash-algorithm-type
 (*)|     +--ro hash                  fingerprint
    +---n certificate-expiration
       +-- expiration-date    yang:date-and-time

  grouping end-entity-cert-grouping
    +-- cert?                     end-entity-cert-cms
 (*)+--ro fingerprints
 (*)|  +--ro fingerprint* [algorithm]
 (*)|     +--ro algorithm             iha:hash-algorithm-type
 (*)|     +--ro hash                  fingerprint
    +---n certificate-expiration
       +-- expiration-date    yang:date-and-time

Please note that leaf-lists as used in "trust-anchor-certs-grouping" or "end-entity-certs-grouping" wouldn't be considered by that approach.

Again, any feedback is appreciated.

Thanks

BR Maurice

With best regards,
Maurice Angermann

Siemens AG
Digital Industries
Process Automation
Software House Khe
DI PA CI R&D 2
Oestliche Rheinbrueckenstr. 50
76187 Karlsruhe, Germany
mailto:maurice.angermann@siemens.com
http://www.siemens.com/ingenuityforlife
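The following is an added example, not part of the message above and not code from the crypto-types draft or its authors. It shows what a server would have to produce to populate the proposed "fingerprints" container (hash the DER bytes of the "public-key" or "cert" leaf, render each digest as a yang:hex-string, enforce the proposed typedef's length bound) and the manual verification step the proposal is meant to support: comparing an operator's out-of-band fingerprint with the server-provided value for the same algorithm. The enumeration names used for the "algorithm" leaf ("sha-256", "sha-384", "sha-512") are assumptions standing in for whatever iana-hash-algs actually defines, and the DER input is a constructed byte string, not a real key or certificate.

```python
import hashlib
import hmac
import json
import re

# Assumed names for the proposed "algorithm" leaf (iha:hash-algorithm-type).
# The real identifiers come from iana-hash-algs; these are placeholders for
# this example. Only algorithms the server actually supports belong here,
# as the grouping's description requires.
HASH_ALGS = {
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# Pattern of yang:hex-string (ietf-yang-types, RFC 6991): hex octets
# separated by colons, either case.
HEX_STRING_RE = re.compile(r"^([0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*)?$")
# The proposed typedef restricts the string to 'length "min .. 764"',
# i.e. at most 255 colon-separated octets.
MAX_FINGERPRINT_LEN = 764

# Constructed stand-in for a DER blob; a real server would hash the bytes of
# the "public-key" (SubjectPublicKeyInfo) or "cert" leaf held in <running>.
SAMPLE_DER = bytes(range(64))


def to_hex_string(digest: bytes) -> str:
    """Render a digest as a yang:hex-string value such as "e3:b0:c4:..."."""
    return ":".join(f"{b:02x}" for b in digest)


def fingerprints_node(der: bytes, algorithms=None) -> dict:
    """Build the proposed "fingerprints" container as instance data.

    One list entry per supported algorithm, keyed by the algorithm name,
    with the digest formatted and checked against the typedef restrictions
    before it is exposed as operational state.
    """
    algorithms = HASH_ALGS if algorithms is None else algorithms
    entries = []
    for name, ctor in algorithms.items():
        value = to_hex_string(ctor(der).digest())
        if not HEX_STRING_RE.match(value) or len(value) > MAX_FINGERPRINT_LEN:
            raise ValueError(f"fingerprint for {name} violates typedef fingerprint")
        entries.append({"algorithm": name, "hash": value})
    return {"fingerprints": {"fingerprint": entries}}


def normalize(fp: str) -> str:
    """Canonicalise a fingerprint the way operators paste it: any case,
    with colons, spaces or no separators at all."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def verify_fingerprint(node: dict, algorithm: str, expected: str) -> bool:
    """Manual verification: compare an out-of-band fingerprint with the
    server-provided value for the same algorithm, in constant time.

    Returns False when the server offers no entry for that algorithm,
    because nothing can be checked in that case.
    """
    for entry in node["fingerprints"]["fingerprint"]:
        if entry["algorithm"] == algorithm:
            return hmac.compare_digest(normalize(entry["hash"]), normalize(expected))
    return False


if __name__ == "__main__":
    node = fingerprints_node(SAMPLE_DER)
    print(json.dumps(node, indent=2))
    sha256_value = node["fingerprints"]["fingerprint"][0]["hash"]
    # The operator typically pastes the value in upper case without colons.
    print("verified:", verify_fingerprint(node, "sha-256", sha256_value.upper()))
```

A server-side implementation would call `fingerprints_node()` on the DER bytes of each key or certificate whenever the `public-key` or `cert` leaf changes; a client comparing a chain from `<running>` against fingerprints obtained out of band would use `verify_fingerprint()` once per certificate. The lookup by algorithm name mirrors the list key in the grouping, and the constant-time comparison avoids leaking how many leading octets matched.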