Re: [netconf] ietf crypto types - permanently hidden

"Rob Wilton (rwilton)" <> Wed, 01 May 2019 10:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6DFE41200E0 for <>; Wed, 1 May 2019 03:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Zk0cj26xk-5v for <>; Wed, 1 May 2019 03:17:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DD9A21200B9 for <>; Wed, 1 May 2019 03:17:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=29232; q=dns/txt; s=iport; t=1556705851; x=1557915451; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=fLHW35YA2cSI61q0eIk5eLHcijh6eHAybtRksBVTG08=; b=G4GxZ22VogF8QrGsCQ/YFO2EARXGPvZ+KPsUx3KyuTfbhwVODxY82Qbj UtY/Ned8UnESaFT/tEkRw1Jb0DiHTSb6eJ59u0M8954WZsOm19fkBsdnu hWpxOha9IW+4ODyIU3hNUNwu4hPcUbmw6NOcYSGM6qQiOqLQ3uEi7hgxt k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.60,417,1549929600"; d="scan'208,217";a="265805074"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 May 2019 10:17:28 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id x41AHSOt011370 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 1 May 2019 10:17:28 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1473.3; Wed, 1 May 2019 05:17:27 -0500
Received: from ([]) by ([]) with mapi id 15.00.1473.003; Wed, 1 May 2019 05:17:27 -0500
From: "Rob Wilton (rwilton)" <>
To: Kent Watsen <>
CC: "" <>, Martin Bjorklund <>
Thread-Topic: [netconf] ietf crypto types - permanently hidden
Date: Wed, 01 May 2019 10:17:27 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_acef56d17fc64102ae24bb8fcb8c828dXCHRCD007ciscocom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 May 2019 10:17:33 -0000

Hi Kent,

Iā€™m slightly lost here, so my comments may not be that helpful šŸ˜Š

I donā€™t understand why do we need an explicit action to create/install the key?  In particular, why canā€™t there just be a regular (intend based) configuration leaf that is ā€œuse-system-defined-keyā€?  The key values could be reported in <intended> and/or <operational>, suitably protected via NACM, or they could be kept entirely hidden.

I also agree with Martin/Andy that it is highly desirable to allow a device to be configured with a single configuration input file, provided from <startup> or <edit-config|data>.  I think that anything that would require, or encourage, multiple RPC interactions to setup the device would seem to be a big backwards step in terms of device management.

Iā€™m not opposed to RPCs or actions to manage hidden keys on the device if:

(i)               these donā€™t get written to <running> (because they are not regular configuration), and

(ii)              there is a sensible/secure mechanism to configure the device without requiring any extra RPCs/actions to configure the device.  I.e. the RPCs/actions should only be used for exceptional management of the keys on the device.


From: netconf <> On Behalf Of Kent Watsen
Sent: 30 April 2019 18:57
To: Martin Bjorklund <>
Subject: Re: [netconf] ietf crypto types - permanently hidden

I (still) object to this.  Actions shouldn't create config.  We
already have generic protcol operations to do this.  We go from a
document-oriented configuration model towards a command-oriented
model.  Not good.  In RESTCONF, the generic methods support things
like ETags, which I suspect you don't want to replicate in this
action?   Will the action support all error-options of edit-config,
like rollback-on-error?

The specifics for how this could work would need to be defined.  Given that it is a special case, I think that we could constrain it heavily and target simple solution.   Depending how much text is required to describe it, it might be good to define an extension statement that could be placed on the actions.  While an extension statement may seem like it opens the gates for general use, we could further define the extension statement as being something that MUST NOT be used when general purpose operations are suitable such that, at least with the IETF, it could only be used in extraordinary circumstances.

Some comments on the new text:

In action generate-hidden-key, it should be stated that the public-key
will be populated, and that the private-key will exist but report

Okay, but before making the edit, see comment below about lifetimes...

In action install-hidden-key, shouldn't both public-key and
private-key be mandatory?  Also state that the private-key will report

Indeed, fixed.

In leaf private-key, the type binary part of the union doesn't have a
description, and the description for the leaf itself says:

      A binary that contains the value of the private key.

which is not quite correct.

I think we should state that the enum 'permanently-hidden' is only
reported in operational state.

The 'type' statement doesn't have 'description' as a substatement,
but, point taken, two updates:

In leaf private-key:
      A binary that contains the value of the private key.
      Either a binary that contains the value of the private key or, in
      the case of a hidden key, the value 'permanently-hidden'.

In enum permanently-hidden:
       The private key is inaccessible due to being protected by the
       system (e.g., a cryptographic hardware module).
       The private key is inaccessible due to being protected by the
       system (e.g., a cryptographic hardware module).  Since hidden
       keys are only ever reported in <operational>, the value
       'permanently-hidden' never appears in <intended>.

The new descriptions say:

           [...] present only in
           <operational> and bound to the lifetime of the parent
           'config true' node.

Aren't all nodes bound to the lifetime of their parent?
The action is invoked in a node that exists in <operational> and it
creates a key.  What does the statement tell me?

This seems like something new (and maybe wrong) and hence needs to be explained.  This seems new because we are saying that the lifetime of an operational value is tied to the lifetime of a configured value.  Normally we talk about how operational values exist on their own and that, if one wants to override/extend them (e.g., associate a certificate to the private key created by the manufacturer), configuration would overlay the operational values.  By extension, if the configuration is removed, the operational values go back to their original state (i.e., existing on their own).   Here we're saying that, if the configuration (for the parent node) is removed, the operational values are removed as well.

Note that this statement was added because Juergen asked about how hidden keys could be removed/replaced.   We iterated towards not wanting to support the "replace" case, and this seemed like an easy way to handle the "remove" case.  Another way to do this would be via another action such as 'remove-hidden-key'.   What do you think would be best?

Kent // contributor