Re: [Netconf] regarding keystore and related drafts

Qin Wu <bill.wu@huawei.com> Sun, 18 March 2018 08:50 UTC

From: Qin Wu <bill.wu@huawei.com>
To: Kent Watsen <kwatsen@juniper.net>
CC: Netconf <netconf@ietf.org>
Thread-Topic: Re: regarding keystore and related drafts
Thread-Index: AdO+liCmmHyj7xdhRPe3iQ/VjmqZ8g==
Date: Sun, 18 Mar 2018 08:50:30 +0000
Message-ID: <B8F9A780D330094D99AF023C5877DABA9AD8D39C@nkgeml513-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/vE8NYIQEymtow8BL8HjW6xSWeOY>
Subject: Re: [Netconf] regarding keystore and related drafts

From: Kent Watsen
To: Qin Wu <bill.wu@huawei.com>; netconf <netconf@ietf.org>
Subject: Re: regarding keystore and related drafts
Date: 2018-03-17 23:37:42

Hi Qin,



> Would it be great to see crypto types cover all applications requiring
> asymmetric keys?

What do you mean by "all application"?

[Qin]: My impression is that the application is an SSH-specific application; please correct me if I am wrong.

<KENT> The immediate need is to support both SSH and TLS, as they are the transports for NETCONF and RESTCONF, but the hope is that the crypto types could be used for other purposes as well.


[Qin]: Good, it would be nice to have some text clarifying this.


> For trust anchors, I think this draft is more related to certificates

It will likely be used mostly for certificates, but SSH host keys can be configured in the model as well.

[Qin]: So SSH host keys are not a mandatory parameter, correct?

<KENT> There is a list of pinned certificates and a list of pinned host keys (see below for the tree diagram). Neither is mandatory on its own, but something would need to be configured if using one of the SSH- or TLS-based client or server modules (e.g., ietf-tls-client), as those modules have leafrefs to the trust anchors. Makes sense?

[Qin]: Looks good to me, thanks for clarification.

   module: ietf-trust-anchors
     +--rw trust-anchors
        +--rw pinned-certificates* [name]
        |  +--rw name                  string
        |  +--rw description?          string
        |  +--rw pinned-certificate* [name]
        |     +--rw name    string
        |     +--rw data    binary
        +--rw pinned-host-keys* [name]
           +--rw name               string
           +--rw description?       string
           +--rw pinned-host-key* [name]
              +--rw name    string
              +--rw data    binary

Kent
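The following is an added illustration of the trust-anchors tree discussed above; it is not code from the draft or from either author. It builds a constructed JSON-encoded instance of the tree (RFC 7951 conventions: module-qualified top-level name, lists as arrays, `binary` leaves as base64), then shows the two checks a client would perform against it: whether a presented SSH host key matches one of the entries in a named `pinned-host-keys` list, and whether a client module's reference to a list by name actually resolves (the leafref point Kent raises). The client configuration `SSH_CLIENT_CONFIG` and its `server-auth/pinned-host-keys` leaf are hypothetical stand-ins, not the real ietf-ssh-client schema, and every key and certificate value is a placeholder byte string.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional

# Constructed placeholder byte strings standing in for a DER certificate and
# SSH host-key blobs; they are not real keys or certificates.
SAMPLE_CERT = b"PLACEHOLDER-DER-CERTIFICATE"
HOST_KEY_R1 = b"PLACEHOLDER-SSH-HOST-KEY-BLOB-R1"
HOST_KEY_R2 = b"PLACEHOLDER-SSH-HOST-KEY-BLOB-R2"
UNKNOWN_KEY = b"PLACEHOLDER-SSH-HOST-KEY-BLOB-UNKNOWN"


def to_binary(raw: bytes) -> str:
    """YANG 'binary' leaves are carried as base64 text in JSON (RFC 7951)."""
    return base64.b64encode(raw).decode("ascii")


# Constructed JSON-encoded instance of the ietf-trust-anchors tree diagram.
TRUST_ANCHORS = {
    "ietf-trust-anchors:trust-anchors": {
        "pinned-certificates": [
            {
                "name": "lab-cas",
                "description": "CA certificates trusted for lab RESTCONF servers",
                "pinned-certificate": [
                    {"name": "lab-root-ca", "data": to_binary(SAMPLE_CERT)},
                ],
            }
        ],
        "pinned-host-keys": [
            {
                "name": "lab-routers",
                "description": "SSH host keys of lab NETCONF servers",
                "pinned-host-key": [
                    {"name": "r1", "data": to_binary(HOST_KEY_R1)},
                    {"name": "r2", "data": to_binary(HOST_KEY_R2)},
                ],
            }
        ],
    }
}

# Hypothetical client configuration (assumption, not the ietf-ssh-client
# schema): one leaf naming a pinned-host-keys list, playing the role of the
# leafref a real client module would carry.
SSH_CLIENT_CONFIG = {"server-auth": {"pinned-host-keys": "lab-routers"}}


def pinned_host_keys(instance: dict, list_name: str) -> Dict[str, bytes]:
    """Return {entry-name: raw key bytes} for one pinned-host-keys list.

    Raises KeyError when no list with that name exists, which is what a
    dangling leafref from a client module amounts to.
    """
    top = instance["ietf-trust-anchors:trust-anchors"]
    for lst in top.get("pinned-host-keys", []):
        if lst["name"] == list_name:
            return {e["name"]: base64.b64decode(e["data"])
                    for e in lst["pinned-host-key"]}
    raise KeyError("no pinned-host-keys list named %r" % list_name)


def ssh_fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def match_pinned_host_key(instance: dict, list_name: str,
                          presented: bytes) -> Optional[str]:
    """Name of the pinned entry whose key equals the presented key, or None.

    The comparison is constant-time; a None result means the server's key is
    not pinned and the session should be refused, not silently accepted.
    """
    for name, pinned in pinned_host_keys(instance, list_name).items():
        if hmac.compare_digest(pinned, presented):
            return name
    return None


def leafref_resolves(instance: dict, client_cfg: dict) -> bool:
    """True when the client's pinned-host-keys reference names an existing list."""
    try:
        pinned_host_keys(instance, client_cfg["server-auth"]["pinned-host-keys"])
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    for name, blob in pinned_host_keys(TRUST_ANCHORS, "lab-routers").items():
        print(name, ssh_fingerprint(blob))
    print("r2 presented ->", match_pinned_host_key(TRUST_ANCHORS, "lab-routers", HOST_KEY_R2))
    print("unknown presented ->", match_pinned_host_key(TRUST_ANCHORS, "lab-routers", UNKNOWN_KEY))
```

The `leafref_resolves` check is the configuration-time counterpart of Kent's remark: the trust-anchors lists are optional in isolation, but a client or server module that points at one must point at a list that exists, and a validator should reject the reference otherwise rather than letting the transport start with an empty pin set.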