Re: [Netconf] Mandatory local configuration in Keystore groupings
Kent Watsen <kwatsen@juniper.net> Mon, 17 September 2018 21:42 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA959130DC6 for <netconf@ietfa.amsl.com>; Mon, 17 Sep 2018 14:42:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NcJ3UjlGWr89 for <netconf@ietfa.amsl.com>; Mon, 17 Sep 2018 14:42:08 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 784801293FB for <netconf@ietf.org>; Mon, 17 Sep 2018 14:42:08 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w8HLfR8k020121; Mon, 17 Sep 2018 14:42:05 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=uE/17n6ik1HMbJAgf+GJF+KFi3y1XBrOeSEhlV0Tkto=; b=lIw//p3ha5tgJJ83ZSwlvbHxIKAX0Otfh6fLHNvaZ6mYqYoxbDdlyOaBUEEFnRNYDiyo RVcYicdkAKTWUg1RJDkWvXoy3BXYbBJd5irw/0fT043BRQqF68J2ixhpklRd7WFRvmtc P9AMK1bHhT9niAikb2pNdfcJ1ln9+WIRYlU9KmqjTU0zBtzhxWVeM1JMe/z8d4OVFQlP WRVfGBRLqUDIGxNorCfRN6TRgfzJyQktYPIaKa2/seFebmWqHQX29wP3o+jTNkDacvor mqGO9LVV19eyA+mpSbJQipot5DxJjkh35X8L06hDiiBP4J1BUnUh5eUkS+2Q1R32E9wb lQ==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp0019.outbound.protection.outlook.com [216.32.180.19]) by mx0b-00273201.pphosted.com with ESMTP id 2mj9rkhcd9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 17 Sep 2018 14:42:05 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4603.namprd05.prod.outlook.com (20.176.109.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.11; Mon, 17 Sep 2018 21:42:01 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1164.014; Mon, 17 Sep 2018 21:42:01 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "balazs.kovacs@ericsson.com" <balazs.kovacs@ericsson.com>, "balazs.lengyel@ericsson.com" <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASAgAC9gACAAHNjgIAAFAaAgAEgEwCAAicPgIAF1PmAgAF1VYCACj3EgIAAtxgAgACClQCACVx+gIAAM1IA
Date: Mon, 17 Sep 2018 21:42:01 +0000
Message-ID: <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
References: <185C7E6D-7EF1-4FFE-9A9B-74BA7E16D946@juniper.net> <20180911.095334.2041631968993039535.mbj@tail-f.com> <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com>
In-Reply-To: <20180917.163819.1278530557866964677.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4603; 6:s0eUu4S9IQZhKSKyayvqbeGfU1Ph0uJLk/B/bu0988xSEblr9qLNCcdwSX7WJj4tWDPR4OQgqjBR8GF6pe6pSTnSCWwC0HmiSsgFqmwtatRvBc1YROh+D1pRENgwJyxx+1x4g9Ow/JYyv7Tto4ofkA8gNVaeMvYhPEfbxrTKA2BniMwy40l97XWU5h4qZn71f2UyVnAmMREQcCDxjYvWd0l3DmZZyJ/FDh0sF2Lkk3cR+REgBmYrUbHGIIfesW2PGrRI2hQT+dfiiVeXY/FtzkOfq2wRM6L7pOakO5HDaWgf8PQ6g2X7ipiTosKPOwaZ8eLZprdSbBHSHmZYRM+JiqxStm/iJZg7Zg8n4m8TPzKQYPHHZRdVwrzMEXuE6MzIP5mJNV5IuoHwxooae+LG8l2aqz9MIffAfvtRuNCBR4HPPYPO1G8ab1dp5VX8qhT6Ku+/uJKlSZQL+93vkI6Vmg==; 5:a7Mkio/mlrKeSXvvmFcZ/O6b37SsfcQAMxyFgg6CJJ+Z0/lkoEOcK+ahFz3+R0txZfpYltVIbCAUN9V+tMsxIVpeyBpyTbjeTfUvLTLbGfA5JIs3qKJNKSy4m6DFDBmLXtc9IH1artsWZdXnzvy6YexC8d86hsvEfjQJCTeplL4=; 7:7WT4BAPtAWEblBw5y0GV8haYBT0zILoEyVDxmioL9OYdL7aHKOlfwBLpekGn1IeuFZYJL2lA/A7n+q5fob2bQhiBBbTJJcxbgecgjWjjFg1mFfG/a7p1QvZLVHzoNRNqHTXoxgk184z+PvK5gAuGNXukDasJHDxqiMcwq7939omS/69RKpd1kVnJDcHPwygzknqAxfwSokICn/uzBsna2eatBTLl0ZoCkZ5xuHFR9d3pTsZigWmUujfCMyAdoV8g
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d0c6ee94-cb87-4841-be83-08d61ce666db
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4603;
x-ms-traffictypediagnostic: DM6PR05MB4603:
x-microsoft-antispam-prvs: <DM6PR05MB4603BA54801520DA7416C490A51E0@DM6PR05MB4603.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231355)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699050); SRVR:DM6PR05MB4603; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4603;
x-forefront-prvs: 0798146F16
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(366004)(39860400002)(396003)(136003)(376002)(346002)(189003)(199004)(478600001)(25786009)(3846002)(66066001)(6436002)(7736002)(81156014)(81166006)(6916009)(99286004)(4326008)(76176011)(97736004)(5250100002)(486006)(316002)(6116002)(6486002)(6512007)(5660300001)(11346002)(2616005)(58126008)(86362001)(229853002)(54906003)(305945005)(68736007)(476003)(53936002)(446003)(6506007)(93886005)(14454004)(102836004)(82746002)(14444005)(256004)(8676002)(33656002)(186003)(8936002)(106356001)(36756003)(83716003)(26005)(2906002)(105586002)(6246003)(2900100001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4603; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: vTj23u60MlBqd20URAjv09VVRJ5PSFenHly86QTIghfAuJo7uHcOntx4cI7YRUoR/XFQwAx8ojf8LuHuG+yC/kXZNaSRiMBo2I2ovVH0XH1Isj53lz9vSRm8hnVFBiFzS7eeFYu9luCKfMxlPPrGQv2GMPy7J7sTBcaj7PMxal12C/WTK5beC2dU8SdZNol7tdEcurmZbVWn+qErhT3lOaF9aOJY5jvfwsxNFn3sOzzP4GSOZkVovuzEQDEZFyrNQjpPjX6Si1bs3THmIp0IDl7Zg7ttp0GHJWOI2h2LkpnYarohJicAD/O5RnxV83UnPEX7IlQB76jxlp6+5GkeGpwOgNWcjfCTf+FNOlCf0ag=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <BFFC4EA457C8BA49A6872A38BA656C1D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: d0c6ee94-cb87-4841-be83-08d61ce666db
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2018 21:42:01.1835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4603
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-17_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809170215
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xt1vtzy-AjYenlLwVhKaT2MFpFw>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 21:42:11 -0000
> With (A), once you have generated the key, you first have to create > the config for it, then invoke the action. With (C) (99% of) the > keys already exist in the config, so you can just invoke the action. I don't follow. What I see is that, with (A), a hidden key can be created with a single action invocation while, with (C), first a configuration operation is needed to create the "asymmetric-key" (without the three leafs) followed by an action invocation (to populate the three leafs). > To summarize, A and C both get the job done. Which one is better is > probably subjective. I think (C) is might be easier to understand. Okay, let's see how it looks. Bubbling all the ideas to the top, I created the below tree-diagrams. Note, in both cases, the three "mandatory true" leafs are replaced with an all-or-nothing "must" expression: (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys; and an action statement is used to delete all hidden keys. +--rw keystore +--rw asymmetric-keys +--rw asymmetric-key* [name] | +--rw name string | +--rw algorithm? ct:key-algorithm-ref | +--rw public-key? binary | +--rw private-key? union | +---m "(algorithm and public-key and private-key) | | or not (algorithm or public-key or private-key)"; | +--rw certificates | | +--rw certificate* [name] | | +--rw name string | | +--rw cert ct:end-entity-cert-cms | | +---n certificate-expiration | | +-- expiration-date? yang:date-and-time | +---x generate-certificate-signing-request | | +---w input // KEY MAY BE IN <OPERATONAL> | | | +---w subject binary | | | +---w attributes? binary | | +--ro output | | +--ro certificate-signing-request binary | +---x delete-hidden-key | // no params +---x generate-hidden-key | +---w input // RESULT IN <OPERATONAL> | +---w name string | +---w algorithm ct:key-algorithm-ref +---x load-hidden-key +---w input // RESULT IN <OPERATONAL> +---w name string +---w algorithm ct:key-algorithm-ref +---w public-key binary +---w private-key union (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys created in <operational> (i.e., during manufacturing). But if there is even just one key created during Manufacturing, and it doesn't appear in <intended>, then leafrefs still need to be "require-instance false", right? Also, it seems that such keys could never be deleted, unlike other hidden keys, but that is probably okay (correct behavior). +--rw keystore +--rw asymmetric-keys +--rw asymmetric-key* [name] +--rw name string +--rw algorithm? ct:key-algorithm-ref +--rw public-key? binary +--rw private-key? union +---m "(algorithm and public-key and private-key) | or not (algorithm or public-key or private-key)"; +--rw certificates | +--rw certificate* [name] | +--rw name string | +--rw cert ct:end-entity-cert-cms | +---n certificate-expiration | +-- expiration-date? yang:date-and-time +---x generate-hidden-key | +---w input // RESULT IN <OPERATONAL> | +---w name string | +---w algorithm ct:key-algorithm-ref +---x load-hidden-key | +---w input // RESULT IN <OPERATONAL> | +---w name string | +---w algorithm ct:key-algorithm-ref | +---w public-key binary | +---w private-key union +---x generate-certificate-signing-request +---w input // KEY MAY BE IN <OPERATONAL> | +---w subject binary | +---w attributes? binary +--ro output +--ro certificate-signing-request binary Kent // contributor
- [Netconf] Mandatory local configuration in Keysto… Balazs Lengyel
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen