Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Tue, 06 February 2024 21:29 UTC
Hi Kent!

Thanks for the revised -24. I've cleared my DISCUSS position. A bit more inline ...

> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: Wednesday, January 31, 2024 3:52 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IESG <iesg@ietf.org>; draft-ietf-netconf-trust-anchors@ietf.org; netconf-chairs@ietf.org; netconf@ietf.org; Qin Wu <bill.wu@huawei.com>; Mahesh Jethanandani <mjethanandani@gmail.com>
> Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-trust-anchors-23: (with DISCUSS and COMMENT)
>
> Hi Roman,
>
> Thank you for your valuable comments. Please find responses below.
>
> Kent
>
>> On Jan 30, 2024, at 11:47 AM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>>
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-netconf-trust-anchors-23: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/
>>
>> ** YANG.
>>
>>      list certificate-bag
>>        "A bag of certificates. Each bag of certificates SHOULD be for a
>>         specific purpose. For instance, one bag could be used to
>>         authenticate a specific set of servers, while another could be
>>         used to authenticate a specific set of clients.";
>>
>> Since normative language is used here, can additional guidance be provided
>> on qualifying "specific purpose"? For example, can one put different
>> applications for the same server in the same bag?
>
> Technically possible, yes.
>
>> What is the consequence of incorrectly binning the certificate chains?
>
> A misconfiguration, possibly leading to trusting something in an undesirable
> context.
>
>> More generally, I'm wondering about the significance of where certificates
>> are binned. Because of natural language describing the purpose of these
>> bags, I don't see an obvious, interoperable, general purpose way to
>> automatically parse this structure to know which certificate to use for a
>> server beyond checking subjectAltNames in the certificate against a domain
>> name (which precludes the need to even organize these certificates into
>> bins beyond readability).
>
> Each bag has "name" and "description" fields. From
> https://datatracker.ietf.org/doc/html/draft-ietf-netconf-trust-anchors-23#section-2.2.1:
>
>      <certificate-bag>
>        <name>trusted-server-ca-certs</name>
>        <description>
>          Trust anchors (i.e. CA certs) used to authenticate server
>          certificates. A server certificate is authenticated if its
>          end-entity certificate has a chain of trust to one of these
>          certificates.
>        </description>
>
> So it seems very easy for clients to know a bag's purpose without having to
> look at, e.g., the SAN. Does this resolve your comment?

[Roman] I'm primarily drilling in on the text "Each bag of certificates SHOULD be for a specific purpose". Since "specific purpose" has no clear, ambiguous definition, it seems like an argument could be made that almost anything might qualify as a "specific purpose". My simple fix would be s/SHOULD/should/.

[snip]

>> ** Section 4.3
>>
>>   None of the readable data nodes defined in this YANG module are
>>   considered sensitive or vulnerable in network environments. The NACM
>>   "default-deny-all" extension has not been set for any data nodes
>>   defined in this module.
>>
>> Doesn't read-access to this module provide insight into which other
>> resources/applications/servers this particular server communicates with
>> by virtue of having their end-entity certificates or SSH keys? Wouldn't
>> this provide an attacker insight into potential targeting? or business
>> relationships?
>
> Good point.
>
> Hmmm, but can you clarify, is the concern limited to just the "cert-data"
> node (i.e., the CMS), or does it include also, e.g., the bag's "name" and
> "description" nodes too?

[Roman] I'm not exactly sure how this YANG model would be used. The cert-data node seems like it would definitely be sensitive for the reason described above. I trust your judgement on what you anticipate the natural language descriptions might look like.

I'm not sure.

Roman
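Until the module itself marks the key material nodes, an operator can achieve the effect Roman is asking about with a NACM (RFC 8341) rule-list that denies read access to the "cert-data" (and public-key) leaves while leaving the bag "name" and "description" readable. This is an added example written for this thread, not text from the draft or from either author; the ietf-truststore namespace and the data-node paths are assumptions based on the node names discussed above.

```xml
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <enable-nacm>true</enable-nacm>
  <!-- Everything not matched by a rule stays readable, so bag name and
       description remain available for clients to pick the right bag. -->
  <read-default>permit</read-default>
  <write-default>deny</write-default>
  <exec-default>permit</exec-default>

  <groups>
    <group>
      <name>monitoring</name>
      <user-name>nms-poller</user-name>   <!-- constructed sample user -->
    </group>
  </groups>

  <rule-list>
    <name>truststore-key-material</name>
    <!-- "*" applies the list to every group; first matching rule wins. -->
    <group>*</group>

    <rule>
      <name>deny-read-cert-data</name>
      <module-name>ietf-truststore</module-name>
      <!-- Assumed path to the CMS blob of each trust anchor certificate. -->
      <path xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-truststore">
        /ts:truststore/ts:certificate-bags/ts:certificate-bag/ts:certificate/ts:cert-data
      </path>
      <access-operations>read</access-operations>
      <action>deny</action>
      <comment>Reveals which peers this system trusts; see Section 4.3 discussion.</comment>
    </rule>

    <rule>
      <name>deny-read-public-key</name>
      <module-name>ietf-truststore</module-name>
      <!-- Assumed path to raw public keys (e.g. SSH host keys) in public-key bags. -->
      <path xmlns:ts="urn:ietf:params:xml:ns:yang:ietf-truststore">
        /ts:truststore/ts:public-key-bags/ts:public-key-bag/ts:public-key/ts:public-key
      </path>
      <access-operations>read</access-operations>
      <action>deny</action>
    </rule>
  </rule-list>
</nacm>
```

With this in place a <get-config> from any non-recovery user returns the bag structure with the key material leaves filtered out, which is the same outcome the module would give if those leaves carried nacm:default-deny-all.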