Re: [netconf] draft-ietf-netconf-keystore-09.txt
Nick Hancock <nick.hancock@adtran.com> Fri, 03 May 2019 13:55 UTC
Return-Path: <nick.hancock@adtran.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A55171200C5 for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 06:55:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vDnB-4jtXl7g for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 06:55:08 -0700 (PDT)
Received: from us-smtp-delivery-128.mimecast.com (us-smtp-delivery-128.mimecast.com [216.205.24.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D2C12002F for <netconf@ietf.org>; Fri, 3 May 2019 06:55:08 -0700 (PDT)
Received: from ex-hc1.corp.adtran.com (ex-hc1.adtran.com [76.164.174.81]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-289-LWyd_xibNNyfrWws5CjWtw-1; Fri, 03 May 2019 09:55:05 -0400
Received: from ex-mb3.corp.adtran.com ([fe80::60aa:f95:ad49:a0f1]) by ex-hc1.corp.adtran.com ([fe80::a43f:7ea6:7688:37b%13]) with mapi id 14.03.0382.000; Fri, 3 May 2019 08:55:04 -0500
From: Nick Hancock <nick.hancock@adtran.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] draft-ietf-netconf-keystore-09.txt
Thread-Index: AdT/Ypeae5Jx2/tnSQGaoI1kbpVxTQBV+RMAAAPy5nA=
Date: Fri, 03 May 2019 13:55:03 +0000
Message-ID: <BD6D193629F47C479266C0985F16AAC7011EA774DE@ex-mb3.corp.adtran.com>
References: <BD6D193629F47C479266C0985F16AAC7011EA6CCF7@ex-mb1.corp.adtran.com> <0100016a766b430d-005d7041-a607-42d6-b91a-558bbb93e4c6-000000@email.amazonses.com>
In-Reply-To: <0100016a766b430d-005d7041-a607-42d6-b91a-558bbb93e4c6-000000@email.amazonses.com>
Accept-Language: en-US, en-GB
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0FEVFJBTiIsImlkIjoiOWJlN2VhYzUtYWQ1OS00ZTE2LTljMGUtZjU1NGFmZGJiNTcxIiwicHJvcHMiOlt7Im4iOiJDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiR0IifV19LHsibiI6IlF1ZXN0aW9uMSIsInZhbHMiOltdfSx7Im4iOiJRdWVzdGlvbjIiLCJ2YWxzIjpbXX0seyJuIjoiUXVlc3Rpb24zIiwidmFscyI6W119XX0sIlN1YmplY3RMYWJlbHMiOltdLCJUTUNWZXJzaW9uIjoiMTcuMi4xMS4wIiwiVHJ1c3RlZExhYmVsSGFzaCI6InEyNkV6UzcyaFVJb2pncjRPSFNzXC9jYkhcL0YyY0VxQnZPV1wvZTBCanpKVXNUem9GdkNISkcyWFA5aEwwRE82SU4ifQ==
x-originating-ip: [172.20.62.161]
MIME-Version: 1.0
X-MC-Unique: LWyd_xibNNyfrWws5CjWtw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qzhzehTbhFPgo-UkJ78roeqsONE>
Subject: Re: [netconf] draft-ietf-netconf-keystore-09.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 13:55:12 -0000
Hi Kent, > -----Original Message----- > From: Kent Watsen <kent+ietf@watsen.net> > Sent: 02 May 2019 04:42 > To: Nick Hancock <nick.hancock@adtran.com> > Cc: netconf@ietf.org > Subject: Re: [netconf] draft-ietf-netconf-keystore-09.txt > > > Hi Nick, > > You are correct that something is amiss, but I'd like to discuss the fix more. > > Your proposal looks (squinting my eyes) right (have you tested it?), but I'm > wondering if there isn't a lower-level and potentially more useful fix... No, I haven't tested it. However, we have implemented similar YANG to access an entry of a list that itself is within a list in the same way successfully in the past. > > In particular, note that 'ks:asymmetric-key-certificate-ref' points to a > certificate in the the keystore that comes from the 'uses ct:asymmetric-key- > pair-with-certs-grouping' statement. The idea behind this grouping is that, > whenever a certificate is configured, whether in the keystore or not, that the > 'asymmetric-key-pair-grouping 3-tuple (alg, pub key, private key) is also > configured. This suggests that ct:asymmetric-key-pair-with-certs-grouping > may be missing a 'must' statement or, more likely (due to the fact that the 3- > tuple may only exist in <operational>), its 'description' statement is missing > that precondition in its text. > > Thoughts? Given that a client has the required permissions, the current model allows a client to create an entry in the list 'asymmetric-key' without the 3-tuple leafs 'algorithm', 'public-key' and 'private-key' as allowed via the must statement on the list. At this point there would be no 3-tuple in <operational> either. Defining the 3-tuple in <intended> or <operational> would be a second step, such as invoking the action 'generate-hidden-key'. Since there is, as you indicated, no 'must' statement relevant to the 'certificate' list, the model also allows a client to configure a certificate (chain) on an entry in the list 'asymmetric-key' without the 3-tuple in either <intended> or <operational>. The asymmetric key entry would not be able to be used to establish a TLS session due to the missing 3-tuple, of course. Is this a valid use case? Possibly. I could argue that a client may wish to 'park' certificate chains in the keystore without necessary immediately using them on the server or even just pre-provision them and then provide the actual public key later maybe through some other process based on an operator's security policies? It makes no sense to reference a certificate in the keystore that is missing the 3-tuple as the server identity of a NETCONF server or client identity of a NETCONF client as it cannot be used, so the question is whether it would make more sense to constrain the actual reference to reference certificates that have 3-tuple, if this is at all possible considering that the 3-tuple may only be in <operational>? During analysis of deploying the keystore and truststore in our implementation, I have made some further observations that may be of interest: 1. There is nothing in the model to prevent a client configuring a certificate to an asymmetric key that is not applicable to that asymmetric key or even a certificate chain in the keystore or truststore that is incompatible to the required type ('end-entity-cert-cms' or 'trust-anchor-cert-cms' respectively) or is this to be rejected by the implementation, in which case this behavior is not described in the YANG? 2. I am not convinced whether the use of the prefix 'pinned-' on the containers and lists in ietf-trust-anchors is correct. The certificates are available in the truststore for pinning, yes, but does not the 'pinning' actually take place when the certificates are configured for client authentication on a server or server authentication on a client? So I would argue that a certificate may be in the trust store, but not necessarily pinned, so the name may be misleading or am I missing something? Thus, I would have expected the containers and lists to be without the 'pinned-' prefix within the truststore itself. The 'pinned-' prefix being only on the references, which is the case in the NETCONF client and server models. 3. As an initial step we are analyzing the standalone use of the keystore in truststore modules and were considering some proprietary notifications that would include the certificate (chain) received during TLS session establishment, but could not 'use' the groupings in ietf-crypt-types because they include actions and notifications, which are not allowed in notifications. Maybe it would be advantageous to provide basic groupings without actions and notifications for use in proprietary RPCs and notifications and provide refined versions of these groupings that include the actions and notifications? Obviously this would mean even more groupings, but wouldn't this increase their reusability? Regards Nick > > Kent // contributor > > > > > On Apr 30, 2019, at 11:39 AM, Nick Hancock > <mailto:nick.hancock@adtran.com> wrote: > > Hi Kent, > > I have just noticed a issue with the leaf 'keystore-reference' used > in the grouping 'local-or-keystore-end-entity-cert-with-key-grouping' > in ietf-keystore. > > This leafref uses the typedef 'asymmetric-key-certificate-ref', but, > unless I am missing something, this alone will not work, because a > predicate for the list 'asymmetric-key' is missing. > > I would expect something like the following: > > case keystore { > if-feature "keystore-supported"; > leaf asymmetric-key-name { > type ks:asymmetric-key-ref; > description > "A reference to an asymmetric key that exists in > the keystore. "; > } > leaf certificate-name { > type leafref { > path > "/ks:keystore" > + "/ks:asymmetric-keys" > + "/ks:asymmetric-key" > + "[ks:name=current()/../" > + "asymmetric-key-name]" > + "/ks:certificates" > + "/ks:certificate/ks:name"; > } > description > "A reference to a specific certificate associated > with the given private key, stored in the keystore."; > } > } > > Regards > Nick
- [netconf] draft-ietf-netconf-keystore-09.txt Nick Hancock
- Re: [netconf] draft-ietf-netconf-keystore-09.txt Kent Watsen
- Re: [netconf] draft-ietf-netconf-keystore-09.txt Nick Hancock
- Re: [netconf] draft-ietf-netconf-keystore-09.txt Kent Watsen
- Re: [netconf] draft-ietf-netconf-keystore-09.txt Nick Hancock
- Re: [netconf] draft-ietf-netconf-keystore-09.txt Kent Watsen