Re: [netconf] draft-ietf-netconf-keystore-09.txt

Nick Hancock <nick.hancock@adtran.com> Fri, 03 May 2019 13:55 UTC

Return-Path: <nick.hancock@adtran.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A55171200C5 for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 06:55:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDnB-4jtXl7g for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 06:55:08 -0700 (PDT)
Received: from us-smtp-delivery-128.mimecast.com (us-smtp-delivery-128.mimecast.com [216.205.24.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D2C12002F for <netconf@ietf.org>; Fri, 3 May 2019 06:55:08 -0700 (PDT)
Received: from ex-hc1.corp.adtran.com (ex-hc1.adtran.com [76.164.174.81]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-289-LWyd_xibNNyfrWws5CjWtw-1; Fri, 03 May 2019 09:55:05 -0400
Received: from ex-mb3.corp.adtran.com ([fe80::60aa:f95:ad49:a0f1]) by ex-hc1.corp.adtran.com ([fe80::a43f:7ea6:7688:37b%13]) with mapi id 14.03.0382.000; Fri, 3 May 2019 08:55:04 -0500
From: Nick Hancock <nick.hancock@adtran.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] draft-ietf-netconf-keystore-09.txt
Thread-Index: AdT/Ypeae5Jx2/tnSQGaoI1kbpVxTQBV+RMAAAPy5nA=
Date: Fri, 3 May 2019 13:55:03 +0000
Message-ID: <BD6D193629F47C479266C0985F16AAC7011EA774DE@ex-mb3.corp.adtran.com>
References: <BD6D193629F47C479266C0985F16AAC7011EA6CCF7@ex-mb1.corp.adtran.com> <0100016a766b430d-005d7041-a607-42d6-b91a-558bbb93e4c6-000000@email.amazonses.com>
In-Reply-To: <0100016a766b430d-005d7041-a607-42d6-b91a-558bbb93e4c6-000000@email.amazonses.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0FEVFJBTiIsImlkIjoiOWJlN2VhYzUtYWQ1OS00ZTE2LTljMGUtZjU1NGFmZGJiNTcxIiwicHJvcHMiOlt7Im4iOiJDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiR0IifV19LHsibiI6IlF1ZXN0aW9uMSIsInZhbHMiOltdfSx7Im4iOiJRdWVzdGlvbjIiLCJ2YWxzIjpbXX0seyJuIjoiUXVlc3Rpb24zIiwidmFscyI6W119XX0sIlN1YmplY3RMYWJlbHMiOltdLCJUTUNWZXJzaW9uIjoiMTcuMi4xMS4wIiwiVHJ1c3RlZExhYmVsSGFzaCI6InEyNkV6UzcyaFVJb2pncjRPSFNzXC9jYkhcL0YyY0VxQnZPV1wvZTBCanpKVXNUem9GdkNISkcyWFA5aEwwRE82SU4ifQ==
x-originating-ip: [172.20.62.161]
MIME-Version: 1.0
X-MC-Unique: LWyd_xibNNyfrWws5CjWtw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=WINDOWS-1252
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qzhzehTbhFPgo-UkJ78roeqsONE>
Subject: Re: [netconf] draft-ietf-netconf-keystore-09.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 13:55:12 -0000

Hi Kent, 


> -----Original Message-----
> From: Kent Watsen <kent+ietf@watsen.net>;
> Sent: 02 May 2019 04:42
> To: Nick Hancock <nick.hancock@adtran.com>;
> Cc: netconf@ietf.org
> Subject: Re: [netconf] draft-ietf-netconf-keystore-09.txt
> 
> 
> Hi Nick,
> 
> You are correct that something is amiss, but I'd like to discuss the fix more.
> 
> Your proposal looks (squinting my eyes) right (have you tested it?), but I'm
> wondering if there isn't a lower-level and potentially more useful fix...

No, I haven't tested it. However, we have implemented similar YANG to 
access an entry of a list that itself is within a list in the same 
way successfully in the past.

> 
> In particular, note that 'ks:asymmetric-key-certificate-ref' points to a
> certificate in the the keystore that comes from the 'uses ct:asymmetric-key-
> pair-with-certs-grouping' statement.   The idea behind this grouping is that,
> whenever a certificate is configured, whether in the keystore or not, that the
> 'asymmetric-key-pair-grouping 3-tuple (alg, pub key, private key) is also
> configured.   This suggests that ct:asymmetric-key-pair-with-certs-grouping
> may be missing a 'must' statement or, more likely (due to the fact that the 3-
> tuple may only exist in <operational>), its 'description' statement is missing
> that precondition in its text.
> 
> Thoughts?

Given that a client has the required permissions, the current model 
allows a client to create an entry in the list 'asymmetric-key' 
without the 3-tuple leafs 'algorithm', 'public-key' and 'private-key' 
as allowed via the must statement on the list. At this point there 
would be no 3-tuple in <operational> either. Defining the 3-tuple in 
<intended> or <operational> would be a second step, such as invoking 
the action 'generate-hidden-key'. Since there is, as you indicated, 
no 'must' statement relevant to the 'certificate' list, the model 
also allows a client to configure a certificate (chain) on an entry 
in the list 'asymmetric-key' without the 3-tuple in either <intended> 
or <operational>. The asymmetric key entry would not be able to be 
used to establish a TLS session due to the missing 3-tuple, of course.

Is this a valid use case? Possibly. I could argue that a client may 
wish to 'park' certificate chains in the keystore without necessary 
immediately using them on the server or even just pre-provision them 
and then provide the actual public key later maybe through some other 
process based on an operator's security policies? It makes no sense 
to reference a certificate in the keystore that is missing the 
3-tuple as the server identity of a NETCONF server or client identity 
of a NETCONF client as it cannot be used, so the question is whether 
it would make more sense to constrain the actual reference to 
reference certificates that have 3-tuple, if this is at all possible 
considering that the 3-tuple may only be in <operational>?


During analysis of deploying the keystore and truststore in our 
implementation, I have made some further observations that may be of 
interest:

1. There is nothing in the model to prevent a client configuring a 
   certificate to an asymmetric key that is not applicable to that 
   asymmetric key or even a certificate chain in the keystore or 
   truststore that is incompatible to the required type 
   ('end-entity-cert-cms' or 'trust-anchor-cert-cms' respectively) 
   or is this to be rejected by the implementation, in which case 
   this behavior is not described in the YANG?

2. I am not convinced whether the use of the prefix 'pinned-' on the 
   containers and lists in ietf-trust-anchors is correct. The 
   certificates are available in the truststore for pinning, yes, but 
   does not the 'pinning' actually take place when the certificates 
   are configured for client authentication on a server or server 
   authentication on a client? So I would argue that a certificate 
   may be in the trust store, but not necessarily pinned, so the name 
   may be misleading or am I missing something? Thus, I would have 
   expected the containers and lists to be without the 'pinned-' 
   prefix within the truststore itself. The 'pinned-' prefix being 
   only on the references, which is the case in the NETCONF client 
   and server models.

3. As an initial step we are analyzing the standalone use of the 
   keystore in truststore modules and were considering some 
   proprietary notifications that would include the certificate 
   (chain) received during TLS session establishment, but could not 
   'use' the groupings in ietf-crypt-types because they include 
   actions and notifications, which are not allowed in notifications. 
   Maybe it would be advantageous to provide basic groupings without 
   actions and notifications for use in proprietary RPCs and 
   notifications and provide refined versions of these groupings that 
   include the actions and notifications? Obviously this would mean 
   even more groupings, but wouldn't this increase their reusability?

Regards
Nick

> 
> Kent // contributor
> 
> 
> 
> 
> On Apr 30, 2019, at 11:39 AM, Nick Hancock
> <mailto:nick.hancock@adtran.com> wrote:
> 
> Hi Kent,
> 
> I have just noticed a issue with the leaf 'keystore-reference' used
> in the grouping 'local-or-keystore-end-entity-cert-with-key-grouping'
> in ietf-keystore.
> 
> This leafref uses the typedef 'asymmetric-key-certificate-ref', but,
> unless I am missing something, this alone will not work, because a
> predicate for the list 'asymmetric-key' is missing.
> 
> I would expect something like the following:
> 
> case keystore {
>  if-feature "keystore-supported";
>  leaf asymmetric-key-name {
>    type ks:asymmetric-key-ref;
>      description
>        "A reference to an asymmetric key that exists in
>         the keystore. ";
>  }
>  leaf certificate-name {
>    type leafref {
>      path
>        "/ks:keystore"
>        + "/ks:asymmetric-keys"
>        + "/ks:asymmetric-key"
>        + "[ks:name=current()/../"
>        + "asymmetric-key-name]"
>        + "/ks:certificates"
>        + "/ks:certificate/ks:name";
>    }
>    description
>     "A reference to a specific certificate associated
>      with the given private key, stored in the keystore.";
>  }
> }
> 
> Regards
> Nick