Re: [netconf] ietf crypto types - permanently hidden

Kent Watsen <kent+ietf@watsen.net> Tue, 30 April 2019 12:03 UTC

From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <VI1PR07MB47353B20AF138B5B8B702285833A0@VI1PR07MB4735.eurprd07.prod.outlook.com>
Date: Tue, 30 Apr 2019 12:03:50 +0000
Cc: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com>
References: <20190404164929.fsfga7s4izn7ucx5@anna.jacobs.jacobs-university.de> <20190404.194623.1178346313710501110.mbj@tail-f.com> <01dd01d4eb9c$b9a04160$4001a8c0@gateway.2wire.net> <20190405.142201.707949273328784535.mbj@tail-f.com> <413d5725-9c27-e50b-2622-1b0e2f35cdb1@ericsson.com> <VI1PR07MB4735949BE61335ACC8A975E7833C0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016a5019d7f9-7f737c63-d07c-4c7f-b12e-c5b19d50eeaf-000000@email.amazonses.com> <20190424180513.gtxmreicd7iydrpr@anna.jacobs.jacobs-university.de> <0100016a510a3038-7671e146-e23f-4bc9-9f93-ea2314b5d4e7-000000@email.amazonses.com> <VI1PR07MB4735FEEE1303E361B3B44FA983390@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016a69e36565-37279712-e5de-4c48-9a8a-7397d54c11b3-000000@email.amazonses.com> <VI1PR07MB47353B20AF138B5B8B702285833A0@VI1PR07MB4735.eurprd07.prod.outlook.com>
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/wYbWqOSiXTrl0WJEAfPUN1XfFcQ>

Correct, as I didn’t think there was consensus yet. Perhaps there is rough consensus, and it may be that the only way to gauge that is to try and see how much push back there is.

Okay, so how about this: based on this thread, there appears to be support for adding a flag to control whether a key should be “permanently hidden” or not, in which case configuration is created.

This change will be in the next update, in about a week’s time, if no objections are raised.

Kent // contributor


> On Apr 30, 2019, at 7:30 AM, Balázs Kovács <balazs.kovacs@ericsson.com> wrote:
> 
> Hi Kent,
>  
> I don’t see your proposal below addressed in the latest update (keystore-09). Was it missed?
>  
> My recommendation is to modify the "generate/install-hidden-key"
> (renamed to just "generate/install-key") actions to have a flag indicating if
> the key should be "permanently hidden" (perhaps by using a TPM) or not, in
> which case configuration is created, same as if the client had used
> <edit-config>, but without needing to touch the key.
> 
> 
> I agree that having a flag to control the behavior is useful and I
> think there should be explicit text how the action fails in case the
> requested action cannot be performed.
>  
> Br,
> Balazs
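The behaviour being agreed above (one action, a flag selecting between a permanently hidden key and ordinary configuration, and an explicit failure when the hidden variant cannot be provided) is modelled below as an added example. This is illustrative code written for this page, not code from the ietf-keystore or ietf-crypto-types drafts; the `Device` class, `generate_key` action, `ActionError`, the TPM-backed `hidden_store`, and the `"permanently-hidden"` marker value are all assumptions made for the example. The constructed inputs show the security-relevant points: a hidden key never appears in exported configuration, a non-hidden key lands in configuration as if the client had sent `<edit-config>`, and a request for a hidden key on a device that cannot honour it fails outright rather than silently creating a readable software key.

```python
"""Model of a generate-key action with a "permanently hidden" flag.

Hypothetical example only; not the YANG module or any implementation
of the ietf-keystore draft.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple
import hashlib
import hmac
import secrets


class ActionError(Exception):
    """The requested action cannot be performed; the action fails
    explicitly instead of doing something weaker than what was asked."""


@dataclass
class Device:
    # Assumption: a TPM (or similar) is what backs permanently hidden keys.
    has_tpm: bool
    # Running configuration as seen by NETCONF clients: key name -> entry.
    config: Dict[str, dict] = field(default_factory=dict)
    # Hidden store: key name -> private bytes, never exported via NETCONF.
    hidden_store: Dict[str, bytes] = field(default_factory=dict)

    def generate_key(self, name: str, permanently_hidden: bool) -> dict:
        """Hypothetical 'generate-key' action with the proposed flag."""
        if name in self.config:
            raise ActionError(f"key '{name}' already exists")
        if permanently_hidden and not self.has_tpm:
            # Do not fall back to a software key: the client asked for a key
            # that can never be read back, and this device cannot provide it.
            raise ActionError("permanently hidden keys not supported here")

        private = secrets.token_bytes(32)                # stand-in for real keygen
        public = hashlib.sha256(private).hexdigest()     # stand-in for public half
        if permanently_hidden:
            self.hidden_store[name] = private
            # Only a marker is visible in configuration, never the material.
            entry = {"public-key": public, "private-key": "permanently-hidden"}
        else:
            # Same outcome as if the client had sent <edit-config> with the key,
            # but the client never had to handle the key material itself.
            entry = {"public-key": public, "private-key": private.hex()}
        self.config[name] = entry
        return dict(entry)

    def sign(self, name: str, data: bytes) -> str:
        """A hidden key stays usable for operations even though it is unreadable.
        HMAC stands in for a real signature in this model."""
        entry = self.config.get(name)
        if entry is None:
            raise ActionError(f"no key '{name}'")
        if entry["private-key"] == "permanently-hidden":
            private = self.hidden_store[name]
        else:
            private = bytes.fromhex(entry["private-key"])
        return hmac.new(private, data, hashlib.sha256).hexdigest()

    def export_config(self) -> Dict[str, dict]:
        """What a <get-config> would return for the keystore."""
        return {k: dict(v) for k, v in self.config.items()}


def run_action(device: Device, name: str, permanently_hidden: bool) -> Tuple[bool, str]:
    """Invoke the action and report (ok, detail) the way an rpc-reply would."""
    try:
        entry = device.generate_key(name, permanently_hidden)
        return True, entry["private-key"]
    except ActionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    dev = Device(has_tpm=True)
    print(run_action(dev, "tls-server", permanently_hidden=True))
    print(run_action(dev, "ssh-host", permanently_hidden=False))
    print(dev.export_config())
    print(run_action(Device(has_tpm=False), "x", permanently_hidden=True))
```

The important branch is the one that raises: silently generating an exportable key when the client asked for a permanently hidden one would hand the client a false guarantee, which is exactly why the action should fail in a way the client can see.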