Re: [netconf] draft-ietf-keystore - certificate leafref

Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 14 June 2019 08:02 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 14 Jun 2019 08:02:42 +0000
Message-ID: <VI1PR07MB47354FC9864D17493A0359E983EE0@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <VI1PR07MB4735046FD5C54DF0763BA80583EC0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016b4b459a4b-58d12364-7b0d-4f73-8fb4-66a9d8595079-000000@email.amazonses.com>
In-Reply-To: <0100016b4b459a4b-58d12364-7b0d-4f73-8fb4-66a9d8595079-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/l9xoAZqs8IChjuH6pUkWtJqvCKk>

Hi Kent,

I hope it is ok this way.


  1.  I changed local-or-keystore-end-entity-cert-with-key-grouping (see container ‘keystore-reference’).


  grouping local-or-keystore-end-entity-cert-with-key-grouping {
    description
      "A grouping that expands to allow an end-entity certificate
       (and its associated private key) to be either stored locally,
       within the using data model, or be a reference to a specific
       certificate in the keystore.";
    choice local-or-keystore {
      mandatory true;
      case local {
        if-feature "local-keys-supported";
        container local-definition {
          must '(algorithm and public-key and private-key)
                or not (algorithm or public-key or private-key)' {
            description
              "These descendent nodes are not mandatory because they
               MAY be defined in <operational>.  Implementations MUST
               assert that these values are either configured or that
               they exist in <operational>.";
          }
          description
            "Container to hold the local key definition.";
          uses ct:asymmetric-key-pair-grouping;
          uses ct:end-entity-cert-grouping;
        }
      }
      case keystore {
        if-feature "keystore-supported";
        container keystore-reference {
          description
            "A reference to a specific certificate, and its
             associated private key, stored in the keystore.";
          leaf asymmetric-key {
            type ks:asymmetric-key-ref;
            description
              "A reference to an asymmetric key that exists in
               the keystore.";
          }
          leaf certificate {
            type leafref {
              // The predicate must use the keystore prefix: inside a
              // grouping, an unprefixed 'name' is resolved in the
              // namespace of the module that does 'uses', where no such
              // node exists under asymmetric-key.
              path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
                 + "[ks:name = current()/../asymmetric-key]"
                 + "/ks:certificates/ks:certificate/ks:name";
            }
            description
              "A reference to a specific certificate of the
               asymmetric key in the keystore.";
          }
        }
      }
      description
        "A choice between an inlined definition and a definition
         that exists in the keystore.";
    }
  }


  2.  I would recommend removing ks:asymmetric-key-certificate-ref.
  3.  The client/server model examples would need to be updated, but those I have not touched.

Br,
Balazs

From: Kent Watsen <kent@watsen.net>
Sent: Wednesday, June 12, 2019 12:40 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: draft-ietf-keystore - certificate leafref


Hi Balazs,

Yes, that would be better.  Please provide the NEW text needed.

Kent

Sent from my iPhone

On Jun 12, 2019, at 5:14 AM, Balázs Kovács <balazs.kovacs@ericsson.com> wrote:
Hi Kent,

Ietf-keystore model contains this leafref:


     typedef asymmetric-key-certificate-ref {
       type leafref {
         path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
            + "/ks:certificates/ks:certificate/ks:name";
       }
       description
         "This typedef enables modules to easily define a reference
          to a specific certificate associated with an asymmetric key
          stored in the keystore.";
     }

Shouldn’t the leafref be constrained to point to a certificate within a specific asymmetric-key list element?

Example:
https://mailarchive.ietf.org/arch/msg/netmod/m0s9xAcDpJVm1a0-eWyTDvpXtZ0

Best Regards,
Balazs
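The difference between the typedef quoted above and the predicate-constrained leafref in the proposed keystore-reference grouping, as an added example that is not part of this thread or of the draft: a small Python simulation of the two leafref target sets over a constructed keystore data tree. It does not parse YANG and is not pyang or libyang; the tree shape, the key names (tls-key-a, tls-key-b) and the certificate names are assumptions made for the example.

```python
"""
Added example, not from the netconf thread or draft-ietf-netconf-keystore.
Simulates leafref target-set evaluation for a keystore-reference container
{asymmetric-key, certificate} over a constructed keystore data tree shaped
like /ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ks:certificates/ks:certificate.
"""

# Constructed sample data (assumption): two keys, and a certificate name
# ("default") that is reused under both keys.
KEYSTORE = {
    "asymmetric-keys": {
        "asymmetric-key": [
            {"name": "tls-key-a",
             "certificates": {"certificate": [{"name": "cert-a1"}, {"name": "default"}]}},
            {"name": "tls-key-b",
             "certificates": {"certificate": [{"name": "cert-b1"}, {"name": "default"}]}},
        ]
    }
}


def _keys(keystore):
    return keystore["asymmetric-keys"]["asymmetric-key"]


def unconstrained_targets(keystore):
    """Target set of the draft's asymmetric-key-certificate-ref typedef:
    path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key
          /ks:certificates/ks:certificate/ks:name"
    Every certificate name under every key is an acceptable value."""
    return {cert["name"]
            for key in _keys(keystore)
            for cert in key["certificates"]["certificate"]}


def constrained_targets(keystore, referenced_key):
    """Target set of the proposed leafref with the predicate
    [ks:name = current()/../asymmetric-key]: only the certificates that
    hang off the key named by the sibling 'asymmetric-key' leaf."""
    return {cert["name"]
            for key in _keys(keystore)
            if key["name"] == referenced_key
            for cert in key["certificates"]["certificate"]}


def ambiguous_names(keystore):
    """Certificate names that occur under more than one key. With the
    unconstrained typedef such a name does not identify one instance."""
    seen, dup = set(), set()
    for key in _keys(keystore):
        for cert in key["certificates"]["certificate"]:
            name = cert["name"]
            (dup if name in seen else seen).add(name)
    return dup


def validate_reference(keystore, reference, constrained):
    """Validate {asymmetric-key, certificate} as a leafref with
    require-instance true would: the key must exist (ks:asymmetric-key-ref)
    and the certificate value must be in the leafref's target set."""
    key_name = reference["asymmetric-key"]
    if not any(k["name"] == key_name for k in _keys(keystore)):
        return False
    targets = (constrained_targets(keystore, key_name) if constrained
               else unconstrained_targets(keystore))
    return reference["certificate"] in targets


if __name__ == "__main__":
    # A reference that names key A but a certificate issued for key B.
    mismatched = {"asymmetric-key": "tls-key-a", "certificate": "cert-b1"}
    print("unconstrained accepts key/cert mismatch:",
          validate_reference(KEYSTORE, mismatched, constrained=False))
    print("constrained accepts key/cert mismatch:  ",
          validate_reference(KEYSTORE, mismatched, constrained=True))
    print("names ambiguous under the unconstrained typedef:",
          ambiguous_names(KEYSTORE))
```

Run as a script, it shows the two points of the thread: the unconstrained typedef accepts a reference whose certificate belongs to a different key than the one named in the sibling leaf, so a server could be configured with a key and a certificate that do not match, and a certificate name reused under several keys is not a unique reference at all; the predicate form rejects the mismatch and resolves the name relative to the referenced key.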