[netconf] Enterprise was Re: crypto-types: why symmetric keys?
tom petch <ietfc@btconnect.com> Tue, 08 October 2019 10:06 UTC
From: tom petch <ietfc@btconnect.com>
To: "Salz, Rich" <rsalz@akamai.com>, Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/zF5Q9ohnHjE574YIfRKuDDBa6Co>

----- Original Message -----
From: "Salz, Rich" <rsalz@akamai.com>
Sent: Friday, October 04, 2019 7:06 PM

> Thanks for the clarification.
>
> I continue to urge development of small models that meet most (*not all*) needs of service configuration.

TLS’s PSK keys need to be shared by the server and client(s), so I am not sure about the utility of “so not even the administrator knows it”

I am ignorant if PSK’s are actually needed for enterprise use of TLS.

Rich

From my (limited) experience of Enterprise, and assuming that PSK is Pre-Shared Key, a string of unspecified length, I see SSH used, mostly, for Systems and Network Management with HTTPS used, mostly, for operational systems, user access, with two-factor authentication where user authentication is needed. Almost all user access is to a web server with little or no raw e-mail, file transfer or such like protocols. I see device - not user - certificates used to secure VPN access.

I do also see configuration of PSK when a new departmental server comes along, and is configured with user-id and one-time passwords which are e-mailed out to the users; sometimes the PSK is a four-digit pin. (Real-world security as opposed to IETF standards security:-)

One other thought. The Enterprises I know are just migrating from Windows 7 to Windows 10 since support for the former expires this year. Over the past year or so, they have migrated from TLS 1.0 to TLS 1.2. This suggests to me that TLS 1.3, which is rather different, for PSK and everything else, is some way off and that our focus should be on TLS 1.2 but I do not know if that would get past a Security AD - the YANG boilerplate now mandates TLS 1.3.

Tom Petch