Re: [netconf] built-in trust anchors

Kent Watsen <kent+ietf@watsen.net> Thu, 14 January 2021 16:27 UTC

Return-Path: <0100017701b91b90-5b4fac25-1818-41c2-be81-4f57296fe9d2-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DB693A1341 for <netconf@ietfa.amsl.com>; Thu, 14 Jan 2021 08:27:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Level:
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ov6yN5h5oBu4 for <netconf@ietfa.amsl.com>; Thu, 14 Jan 2021 08:27:25 -0800 (PST)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA1D73A07C8 for <netconf@ietf.org>; Thu, 14 Jan 2021 08:27:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1610641644; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=1FQSaBqr5bJdZZGuKe/Kp/YWnRroq4qTHdlK6YAabwE=; b=FtSZfrLeEWJinGKwgZSsc8VeK/Efn4GG1pNlrIoUpaIBjXrkQB4ysKnh1Tdxt1WL n7ONuN2x8+C0mlWDYGFhL+XRREyODEi12vgBTARZU4pxYSZeqiZw6aESKUvE6O4wPpI fWCfNKcF2Zzv+drMzfs95bEuWBFGLRDg/VCM7D9k=
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <20210114.084621.1561500589637511150.id@4668.se>
Date: Thu, 14 Jan 2021 16:27:24 +0000
Cc: "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <0100017701b91b90-5b4fac25-1818-41c2-be81-4f57296fe9d2-000000@email.amazonses.com>
References: <20210113.122655.1074482340604641202.id@4668.se> <20210113150934.pg7ptdm5ljfuuhpp@anna.jacobs.jacobs-university.de> <01000176fc95b165-e1e7254b-3895-4267-8470-854552276315-000000@email.amazonses.com> <20210114.084621.1561500589637511150.id@4668.se>
To: =?utf-8?Q?Martin_Bj=C3=B6rklund?= <mbj+ietf@4668.se>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2021.01.14-54.240.48.110
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/vbLQSs5TA85LQ_UMNmf_JjuWOhs>
Subject: Re: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2021 16:27:27 -0000

Hi Martin,


> On Jan 14, 2021, at 2:46 AM, Martin Björklund <mbj+ietf@4668.se> wrote:
> 
> Kent Watsen <kent+ietf@watsen.net> wrote:
>> [Top-posting as this is a response to the entire thread, sans
>> draft-ma-netconf-with-system, which I haven’t looked at yet].

Update: I did look at this draft and found the motivation unclear.


>> Having "instance-required false” was an idea from before, but it
>> didn’t make sense to disable validation for the 99% use-case to enable
>> a 1% use-case.  There will only ever be a few built-in keys/certs
>> (typically at most just one of each, to enable bootstrapping), whereas
>> potentially many keys/certs will be configured over time (for normal
>> ops).
> 
> Ok.
> 
>> Hiding all the descendent nodes except “name” for built-in keys/certs
>> doesn’t work because the pubkey/cert is needed in order to encrypt
>> data that only a device can decrypt
> 
> I don't understand this.  The descendent nodes would not be present in
> 'running', but they would be present in <operational> (b/c they are
> present in the firmware).

I think that there is a misunderstanding somewhere.  It might be helpful for me to clarify that, at a high-level: 1) the drafts only present a *configuration* model, and that 2)  it’s possible that some “config” only shows up in <operational>, when the values are “built-in”.

For the “config” that only shows in <operational>, it’s necessary to promote them to <running> in order for leafrefs to resolve.  I agree that only the “name” is needed, but we lack a mechanism to just configure a name as otherwise 1) validation would fail because "mandatory true” descendants would fail validation and 2) there’s no way to tell “apply config” process to not-delete the missing values.


>> , as needed to support RMA
>> scenarios (see
>> https://tools.ietf.org/html/draft-ietf-netconf-keystore-20#section-4.3
>> <https://tools.ietf.org/html/draft-ietf-netconf-keystore-20#section-4.3>
>> starting with the 4th paragraph).
>> 
>> The built-in keys/certs are envisioned to be forever; they never
>> expire nor are affected by firmware updates.
> 
> :)
> 
>> For the example of a
>> list of public CAs (trust anchors such as Verisign, RSA, etc.), these
>> SHOULD be in <startup> and admins SHOULD be allowed (NACM permitting)
>> to add/remove entries.
>> 
>> I agree that the “illusion” text Martin quoted is "weird special
>> handling”, but this was the best that could be envisioned after
>> several tries.  You might recall there were two or three other
>> variations (inc. the "instance-required false” mentioned above) that
>> we tried before landing on this approach.
> 
> Since this problem comes up every now and then, it would be good with
> a design pattern that can work in other cases as well.  

I agree the patterns are good, but disagree that *this* come up once in awhile or, for that matter, ever before…and likely never again (at least not within my understanding).


> It seems that
> the "hidden" design already used in crypto-types can be used in this
> case, as Jürgen suggested.

Please note that the value is hidden in <operational> originally.   This is because, e.g., it is impossible to extract a private key value from a TPM.   Regardless, the net-net is that the value is “hidden” in both <operational> *and* <running> (when the asymmetric key has been copied into <running>).   To be clear, hidden private keys nodes still appear in <running> (they are *not* missing) and have the same value as appears in <operational>.


>  I don't remember this propsal from the
> previous discussion; was it discussed?

We’ve been discussing these drafts for a long time, and you know that I’ve been careful to communicate pretty much everything along the way…

Looking at the keystore draft's Change Log, I see that the “require-instance false” idea was added in -05 (June 2018) and removed in -07 (April 2019).  

As for “hidden”, the current approach arrived in crypto-types-08.  Previously, the node was a ‘union’ with "permanently-hidden” being an enumerated value.  This idea was moved into crypto-types-01 from 
keystore-06.  It was called "hardware-protected” in keystore 03-05, and “INACCESSIBLE” in keystore 01-02.

We also explored letting the private-key value be "mandatory false” somewhere along the line.  Without digging for dates, I’m sure the reason we backed out of it is because, again, it didn’t make sense to do it for a 1% use case.


K.