Re: [netconf] FIXMEs in ietf-crypto-types and client/server models

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 06 November 2019 07:56 UTC

Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8071A120BFF for <netconf@ietfa.amsl.com>; Tue, 5 Nov 2019 23:56:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z0PCRD6yFH0r for <netconf@ietfa.amsl.com>; Tue, 5 Nov 2019 23:56:12 -0800 (PST)
Received: from mailext.sit.fraunhofer.de (mailext.sit.fraunhofer.de [141.12.72.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 037F7120C01 for <netconf@ietf.org>; Tue, 5 Nov 2019 23:56:11 -0800 (PST)
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id xA67u7fB015319 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 6 Nov 2019 08:56:08 +0100
Received: from [192.168.16.50] (79.234.112.245) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.468.0; Wed, 6 Nov 2019 08:56:02 +0100
To: Kent Watsen <kent+ietf@watsen.net>, =?UTF-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
References: <AM0PR07MB5187A1438941A29D28CE3486837E0@AM0PR07MB5187.eurprd07.prod.outlook.com> <0100016e3ed10fbb-8a5a44a9-6df6-4ac1-9b56-8dbf61ec64cc-000000@email.amazonses.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <2b0daa52-10e4-566b-6e66-760dbd47c24b@sit.fraunhofer.de>
Date: Wed, 6 Nov 2019 08:56:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <0100016e3ed10fbb-8a5a44a9-6df6-4ac1-9b56-8dbf61ec64cc-000000@email.amazonses.com>
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.234.112.245]
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/tO7pqgdRLIsEocbvuTKAs6s39Vg>
Subject: Re: [netconf] FIXMEs in ietf-crypto-types and client/server models
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 07:56:16 -0000

Hi Balázs,
hi list,

Item 3.) is on me, I think. Sorry!

For me personally, there are a few technical questions that have to be 
resolved on the list first.

Under the assumption that the trust stores will be used for TLS (maybe 
potential other things), I am not sure if the YANG module is an 
appropriate place to make some (maybe implicit?) 
"mandatory-to-implement" decisions. If there can be (and I think 
effectively there should be, but I do not know the appropriate place for 
them) prescriptive statements here, I would recommend the following 
proposals for the use with TLS:

1.) With respect to the format of the "raw" pub-key, I propose that the 
structure defined in section 3 of RFC 7250 MUST be used.

2.) With respect to cipher suite and interoperability, I propose to make 
RFC 7151 and RFC 4492 (basically the NIST curve and its format 
extensions) mti for raw pub-key and to point to RFC 7250 for guidance & 
to make RFC6635 mti for psk.

3.) With respect to key identities, I propose that raw pub-key 
identities as specified in RFC 6920 and a minimum hash length enabled by 
mode sha-256-120 MUST be used & to support and recommend the use of 
Identity Hints (section 5.2. in RFC 4279) for PSKs and refer to the 
corresponding security considerations (section 7 in RFC 4279).

My first question - on a technical level: do these proposals in the 
context of using TLS sound reasonable to the group?

My second question - on a semantic level: do these normative 
requirements belong here?

My third question - on a noob level :) If they belong here, where would 
these mandatory requirements be spelled out?

Viele Grüße,

Henk


On 06.11.19 04:45, Kent Watsen wrote:
> 
> Hi Balázs,
> 
> 
>> I see some FIXMEs in ietf-crypto-types and related models. I would be 
>> interested about the current state of them and possibility to clean 
>> them up.
> 
> Yes!  thanks for taking this up.
> 
> 
>>  1. Key-format (symmetric-key, public-key, asymmetric-key-pair)
>>
>> I assume the idea here is to make it possible to have choices for the 
>> ASN.1 types holding the keys. If this flexibility for formats is 
>> necessary I don’t have any objection to them but having a single 
>> agreed type for these different use cases would also suffice.
> 
> I believe here you're referring to the 3 instances of lines like:
> 
>        leaf key {
>          nacm:default-deny-all;
>          type binary;
>          //must "../key-format";  FIXME: remove comment if approach ok
>          ...
>        }
> 
> FWIW, the whole "key-format" leaf is still being sussed out (your 
> opinion would be helpful on that thread as well) but, so far it seems 
> promising.  The reason these lines are commented out is because 1) the 
> WG hasn't committed to this path yet and 2) I didn't want to update all 
> the examples in all the drafts (other than truststore and keystore) to 
> add a "key-format" leaf until the WG had more consensus on the 
> "key-format" leafs.
> 
> I don't understand your last comment/sentence.  Can you provide an example?
> 
>> 2.attributes in asymmetric-key-pair-with-cert(s)-grouping
>> I think attributes should be kept optional. If there is anything else 
>> besides subject seen mandatory maybe it should be extracted out from 
>> attributes and be spelled out a separate leaf, but I don’t think there is.
> 
> I believe here you're referring to the 2 instances of lines like:
> 
>          leaf attributes {
>            type binary; // FIXME: does this need to be mandatory?
>            ....
>          }
> 
> These are in the "generate-certificate-signing-request" actions found 
> inside the asymmetric-key-pair-with-cert(s)-grouping.
> 
> Hmmm, are you claiming that "attributes" are not required in order to 
> generate a CSR?  I think the CSR itself MUST have attributes (right?) 
> so, if not specified, what default values are used?
> 
> 
> 
>>  3. PSK and raw public keys
>>
>> The use case of PSK and raw public keys are not the most urgent in my 
>> opinion which now slows a bit the progress of these drafts, but let’s 
>> make an attempt to finalize them.
> 
> Agreed, but they are legal for TLS and a WG member stated that they were 
> needed in order to support another IETF WG's efforts.  A quick 
> resolution would be best!
> 
> 
>> raw-public-keys: I see these were added due to RFC 7250 and 8446. I 
>> guess in truststore this is a separate container to distinguish from 
>> SSH host keys. For configuring the private part I think keystore 
>> already gives support for this case with the asymmetric key (w/o cert) 
>> and in the client/server drafts Kent’s proposal could be used (I 
>> replaced raw public key with existing type, shouldn’t that be useable 
>> straight away?)
>>     container <client-identity or server-identity> {
>>       choice auth-type {
>>          uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
>>          uses ks:local-or-keystore-asymmetric-key-grouping;
>>
>> I would also prefer if these choices are in features, so that an 
>> implementation can choose.
> 
> To your first sentence, yes, "psk" (and "raw-public-key") are top-level 
> nodes in truststore, as can be seen here 
> (https://tools.ietf.org/html/draft-ietf-netconf-trust-anchors-07#section-2.1). 
>    Note, the trust-anchors draft accidentally doesn't include the 
> ietf-truststore.yang module.
> 
> The body of your comment above seems to be about supporting the 
> secret-half of the PSK and RPK within the Keystore.  I've raise this 
> question a couple times previously to Henk (who's asking for the PSK/RPK 
> add), but he's not responded yet as to if doing so is important (though 
> I can only imagine that it does).   With that said, I think your YANG 
> snippet is meant to be in ietf-tls-server and ietf-tls-client modules 
> (right?).  I'm having a hard time following the "I replaced raw public 
> key with existing type, shouldn’t that be useable straight away?" comment.
> 
> To your last sentence regarding features, could you provide an example 
> of what you mean?
> 
> PS: none of this goes to the FIXME in the ietf-crypto-types.  I had 
> previously asked Henk to provide some text here as well but, apparently, 
> like all of us at this time, he's been busy!
> 
> 
>> psk: given that the asymmetric keys without certs were covered by host 
>> keys and raw public keys, I think psk should only be symmetric keys. 
>> Symmetric keys are then sensitive/secret data and as such I believe 
>> they should only be referenced from keystore. Seeing them in 
>> truststore was unexpected for me. When it comes to their use, clients 
>> and servers should be extended with following configuration (and I 
>> assume we talk of TLS clients and servers only):
>>     container <client-identity or server-identity> {
>>       choice auth-type {
>>          uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
>>          uses ks:local-or-keystore-asymmetric-key-grouping;
>>                        uses ks:/local-or-keystore-symmetric-key-grouping/;
>> Latter grouping would be a new one, but it would use existing 
>> constructs and terms from keystore. I don’t think we need new ones. 
>> Selected cipher suites will need to have PSK in them for using 
>> symmetric key (similar match needed for the others). Note that 
>> symmetric keys can be used for other cases than TLS PSK, for example 
>> SNMPv3 USM. Again, features would be necessary (those could be saying 
>> x.509 or raw-public-key or psk).
> 
> 
> Correct, I said the same (that PSKs are essentially symmetric keys) 
> before as well.  Regarding only being referenced to keystore, why not 
> also support them being local-definitions too?  Certainly not a problem 
> if encrypted and, even when not encrypted, then they can be "protected" 
> by NACM-like mechanisms, right?   Why was/is seeing them in truststore a 
> surprise, perhaps because they're not encryptable there?  I agree that 
> symmetric keys can be used beyond PSK (and encryption of the asymmetric 
> keys, the original use case).  Regarding features, again, please provide 
> a YANG-snippet so it is clear to me (and all) what you mean.
> 
> 
> Thanks!
> Kent
> 
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>