Re: [netmod] x509c2n:cert-to-name problem
Kent Watsen <kent+ietf@watsen.net> Wed, 30 October 2019 00:25 UTC
Return-Path: <0100016e1a0d419b-b221bfcc-d3cd-4386-a016-474e2303fba0-000000@amazonses.watsen.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF75F12008B for <netmod@ietfa.amsl.com>; Tue, 29 Oct 2019 17:25:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jluuEH5301YE for <netmod@ietfa.amsl.com>; Tue, 29 Oct 2019 17:25:08 -0700 (PDT)
Received: from a8-96.smtp-out.amazonses.com (a8-96.smtp-out.amazonses.com [54.240.8.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 297BF120059 for <netmod@ietf.org>; Tue, 29 Oct 2019 17:25:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572395106; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=/BZs59t4Z9tQ5x2huIYtI+QNdxiRDCaPVC93aa/DHtY=; b=Ake0I0Yjp2PJKu3S7Yt0RygcvxuHuDymYnrdDqaiy7L3x0yuUUsBEHxY/jq2NlkE WlzFQib16MTgA+g65bsgS9wToYFGzpg0XNh9hlhK288/HnYEzSc6498GzAUVfEL55aS 00r0IwtB+ghrhWjtW5R/eXxd/YsxdXrJxxbm09Dg=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016e1a0d419b-b221bfcc-d3cd-4386-a016-474e2303fba0-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D239E38E-A208-42B3-8CD4-56705AD658AA"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 30 Oct 2019 00:25:06 +0000
In-Reply-To: <20191029.211356.1886721657930464996.mbj@tail-f.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016e130d724c-9d02480e-901f-4e5a-90b4-6acd1095bb26-000000@email.amazonses.com> <20191029.105145.1576535683983216532.mbj@tail-f.com> <0100016e18283926-a00d7d13-4539-4ab0-afe8-9b9575659f6c-000000@email.amazonses.com> <20191029.211356.1886721657930464996.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.10.30-54.240.8.96
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/hPpmL6_aZx2XBKIvhAOJPr6qmUo>
Subject: Re: [netmod] x509c2n:cert-to-name problem
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 00:25:10 -0000
>> First, let me demote (2) from a SHOULD to a MAY, since there is a
>> workaround.
>>
>> The thinking is that it may be common for deployments to use the same
>> "cert-to-name" strategy everywhere (e.g., IDevID certificates), and
>> hence there is no need to specify a "fingerprint" in order to lookup
>> what strategy to use. For these cases, it would be better to not
>> specify a fingerprint at all. If this remains "mandatory true", the
>> best fallback would be to specify the fingerprint for the *root* CA
>> certs spanning the end-entity certs connecting to that endpoint.
>
> Are we still talking about the usage of cert-to-name in
> ietf-netconf-server?
...and ietf-restconf-server, yes.
> If so we have (as one example):
>
> +--rw netconf-server
> +--rw listen! {ssh-listen or tls-listen}?
> ...
> +--rw endpoint* [name]
> ...
> +--rw (transport)
> ...
> +--:(tls) {tls-listen}?
> +--rw tls
> ...
> +--rw netconf-server-parameters
> +--rw client-identification
> +--rw cert-maps
> +--rw cert-to-name* [id]
> +--rw id uint32
> +--rw fingerprint x509c2n:tls-fingerprint
> +--rw map-type identityref
> +--rw name string
>
> [we can discuss if this is the best structure, but that's another
> thread]
>
> What would a "cert-to-name" entry mean if the fingerprint isn't present?
Your snippet excludes "tis-server-perameters". Here is a more complete view:
+--rw restconf-server
+--rw listen! {http-listen or https-listen}?
+--rw endpoint* [name]
+--rw name string
+--rw (transport)
+--:(http)
| +--rw http
| ...
+--:(https)
+--rw https
+--rw tcp-server-parameters
| ...
+--rw tls-server-parameters
| +--rw server-identity
| | ...
| +--rw client-authentication!
| | +--rw (required-or-optional)
| | | ...
| | +--rw (local-or-external)
| | +--:(local)
| | | +--rw ca-certs!
| | | | ...
| | | +--rw client-certs!
| | | ...
| | +--:(external)
| | ...
| +--rw hello-params
| | ...
+--rw http-server-parameters
| +--rw server-name? string
| +--rw protocol-versions
| | +--rw protocol-version* enumeration
| +--rw client-authentication!
| ...
+--rw restconf-server-parameters
+--rw client-identification
+--rw cert-maps
+--rw cert-to-name* [id]
+--rw id uint32
+--rw fingerprint
| x509c2n:tls-fingerprint
+--rw map-type identityref
+--rw name string
The "tls-server-parameters" container defines the certificates used to authenticate the client's cert. In many deployments, regardless how the client cert is authenticated, the "client-identification" section only needs to explain extract the "name" from the cert, a fingerprint isn't needed to identify either the client's end-entity or some intermediate cert.
>
>> New issue. Why isn't "list cert-to-name" order-by user given:
>>
>> "The id specifies the order in which the entries in the
>> cert-to-name list are searched. Entries with lower
>> numbers are searched first.";
>>
>> I suspect that this is for SNMP compatibility, but then your earlier
>> response on this thread said regarding "mandatory true" and empty
>> fingerprint values suggested that more appropriate YANG-isms should be
>> used, in general. "ordered-by user" vs "ordered by id" seems like
>> such a case.
>
> Yes I agree. I don't recall but I also suspect the motivation was
> simple mapping to the MIB. (mapping a zero-length string to/from an
> optional leaf is straightforward).
Is it too late to fix? No reason to hold onto SNMP compatibility, given SNMP is now deprecated...
Kent // contributor
- [netmod] x509c2n:cert-to-name problem [WAS: [netc… Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem [WAS: [… Kent Watsen
- Re: [netmod] x509c2n:cert-to-name problem Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem Kent Watsen
- Re: [netmod] x509c2n:cert-to-name problem Randy Presuhn
- Re: [netmod] x509c2n:cert-to-name problem Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem
- Re: [netmod] x509c2n:cert-to-name problem Kent Watsen
- Re: [netmod] x509c2n:cert-to-name problem
- Re: [netmod] x509c2n:cert-to-name problem Randy Presuhn
- Re: [netmod] x509c2n:cert-to-name problem Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem Kent Watsen
- Re: [netmod] x509c2n:cert-to-name problem
- Re: [netmod] x509c2n:cert-to-name problem Martin Bjorklund
- Re: [netmod] x509c2n:cert-to-name problem Kent Watsen