Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Tue, 06 February 2024 21:29 UTC

From: Roman Danyliw <rdd@cert.org>
To: Kent Watsen <kent+ietf@watsen.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-netconf-trust-anchors@ietf.org" <draft-ietf-netconf-trust-anchors@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Tue, 06 Feb 2024 21:29:26 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/waX6k91rO5ws_mpIDBKyoyKKWmE>

Hi Kent!

Thanks for the revised -24.  I’ve cleared my DISCUSS position.  A bit more inline …

From: Kent Watsen <kent+ietf@watsen.net>
Sent: Wednesday, January 31, 2024 3:52 PM
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>; draft-ietf-netconf-trust-anchors@ietf.org; netconf-chairs@ietf.org; netconf@ietf.org; Qin Wu <bill.wu@huawei.com>; Mahesh Jethanandani <mjethanandani@gmail.com>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)

Hi Roman,

Thank you for your valuable comments.
Please find responses below.

Kent



On Jan 30, 2024, at 11:47 AM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:

Roman Danyliw has entered the following ballot position for
draft-ietf-netconf-trust-anchors-23: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/




** YANG.  list certificate-bag
            "A bag of certificates.  Each bag of certificates SHOULD
             be for a specific purpose.  For instance, one bag could
             be used to authenticate a specific set of servers, while
             another could be used to authenticate a specific set of
             clients.";

Since normative language is used here, can additional guidance be provided on
qualifying “specific purpose”.  For example, can one put different applications
for the same server in the same bag?

Technically possible, yes.



What is the consequence of incorrectly binning the certificate chains?

A misconfiguration, possibly leading to trusting something in an undesirable context.



More generally, I’m wondering about the
significance of where certificates are binned.  Because of natural language
describing the purpose of these bags, I don’t see an obvious, interoperable,
general purpose way to automatically parse this structure to know which
certificate to use for a server beyond checking subjectAltNames in the
certificate against a domain name (which precludes the need to even organize
these certificates into bins beyond readability).

Each bag has a “name” and “description” fields.  From https://datatracker.ietf.org/doc/html/draft-ietf-netconf-trust-anchors-23#section-2.2.1:

    <certificate-bag>
      <name>trusted-server-ca-certs</name>
      <description>
        Trust anchors (i.e. CA certs) used to authenticate server
        certificates.  A server certificate is authenticated if its
        end-entity certificate has a chain of trust to one of these
        certificates.
      </description>

So it seems very easy for clients to know a bag’s purpose without having to look at, e.g., the SAN.
Does this resolve your comment?

[Roman] I’m primarily drilling in on the text “Each bag of certificates SHOULD be for a specific purpose”.  Since “specific purpose” has no clear, ambiguous definition, it seems like an argument could be made that almost anything might qualify as a “specific purpose”.  My simple fix would be s/SHOULD/should/.

[snip]

** Section 4.3
  None of the readable data nodes defined in this YANG module are
  considered sensitive or vulnerable in network environments.  The NACM
  "default-deny-all" extension has not been set for any data nodes
  defined in this module.

Doesn’t read-access to this module provide insight into which other
resources/applications/servers this particular server communicates with by
virtue of having their end-entity certificates or SSH keys?  Wouldn’t this
provide an attacker insight into potential targeting?  or business
relationships?

Good point.

Hmmm, but can you clarify, is the concern limited to just the “cert-data” node (i.e., the CMS), or does it include also, e.g., the bag’s “name” and “description” nodes too?

[Roman] I’m not exactly sure how this YANG model would be used.  The cert-data node seems like it would definitely be sensitive for the reason described above.  I trust your judgement on what you anticipate the natural language descriptions might look like.  I’m not sure.

Roman
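The two points argued above, that a client picks trust anchors by bag name rather than by inspecting each certificate, and that read access to the truststore exposes more than the CMS blob in cert-data, can be made concrete with a small script. The following is an added example by the editor, not code from the thread, the draft, or the NETCONF WG. The instance document is constructed to follow the layout of the ietf-truststore module as quoted in the thread (certificate-bags / certificate-bag / name, description) plus the certificate list with name and cert-data leaves; the cert-data values are placeholders, not real CMS structures, and `redacted_view` only approximates the effect of a NACM "default-deny-all" on a leaf, it is not an NACM implementation.

```python
import xml.etree.ElementTree as ET

# XML namespace of the ietf-truststore YANG module.
TS_NS = "urn:ietf:params:xml:ns:yang:ietf-truststore"
NS = {"ts": TS_NS}

# Constructed sample instance data, modelled on the draft's section 2.2.1 example.
# The cert-data values are placeholders, not real trust-anchor CMS structures.
SAMPLE_TRUSTSTORE = f"""<truststore xmlns="{TS_NS}">
  <certificate-bags>
    <certificate-bag>
      <name>trusted-server-ca-certs</name>
      <description>
        Trust anchors (i.e. CA certs) used to authenticate server
        certificates.
      </description>
      <certificate>
        <name>Server Cert Issuer #1</name>
        <cert-data>UExBQ0VIT0xERVI=</cert-data>
      </certificate>
      <certificate>
        <name>Server Cert Issuer #2</name>
        <cert-data>UExBQ0VIT0xERVI=</cert-data>
      </certificate>
    </certificate-bag>
    <certificate-bag>
      <name>trusted-client-ca-certs</name>
      <description>Trust anchors used to authenticate client certificates.</description>
      <certificate>
        <name>Client Cert Issuer #1</name>
        <cert-data>UExBQ0VIT0xERVI=</cert-data>
      </certificate>
    </certificate-bag>
  </certificate-bags>
</truststore>
"""


def load_bags(xml_text):
    """Parse a truststore instance into {bag-name: {"description": str, "certs": {cert-name: cert-data}}}."""
    root = ET.fromstring(xml_text)
    bags = {}
    for bag in root.iterfind("ts:certificate-bags/ts:certificate-bag", NS):
        name = bag.findtext("ts:name", namespaces=NS)
        # Collapse the multi-line description into one normalized string.
        desc = " ".join(bag.findtext("ts:description", default="", namespaces=NS).split())
        certs = {}
        for cert in bag.iterfind("ts:certificate", NS):
            certs[cert.findtext("ts:name", namespaces=NS)] = cert.findtext("ts:cert-data", namespaces=NS)
        bags[name] = {"description": desc, "certs": certs}
    return bags


def trust_anchors_for(bags, purpose_bag):
    """Select trust anchors by bag name: the bag's name carries its purpose, so no
    per-certificate inspection (e.g. of the SAN) is needed to find the right set."""
    if purpose_bag not in bags:
        raise KeyError(f"no certificate bag named {purpose_bag!r}")
    return bags[purpose_bag]["certs"]


def redacted_view(xml_text, denied=("cert-data",)):
    """Return (xml, removed_count) as seen by a reader denied the named leaves.
    This approximates a NACM-style read denial on those leaves; note that bag and
    certificate names and descriptions remain visible and still reveal which
    peers the device is configured to trust."""
    root = ET.fromstring(xml_text)
    removed = 0
    # Snapshot the parents first so that removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            local_name = child.tag.split("}")[-1]
            if local_name in denied:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    bags = load_bags(SAMPLE_TRUSTSTORE)
    print("server trust anchors:", list(trust_anchors_for(bags, "trusted-server-ca-certs")))
    view, n = redacted_view(SAMPLE_TRUSTSTORE)
    print(f"removed {n} cert-data leaves; names/descriptions still visible:")
    print(view)
```

Running it shows the asymmetry Roman raises: denying cert-data hides the certificates themselves, but the remaining name and description nodes still tell a reader which classes of servers and clients the device authenticates, so a decision on which nodes need the NACM extension has to consider those natural-language leaves as well.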