IETF Logo Mail Archive

Re: [netmod] Stephen Farrell's No Objection on draft-ietf-netmod-yang-json-09: (with COMMENT)

Eliot Lear <lear@cisco.com> Mon, 21 March 2016 17:11 UTC

Return-Path: <lear@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6F1212D766; Mon, 21 Mar 2016 10:11:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XV0DVN9uyNKr; Mon, 21 Mar 2016 10:11:07 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CB7112D90C; Mon, 21 Mar 2016 10:11:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13158; q=dns/txt; s=iport; t=1458580261; x=1459789861; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=hpVyo5XaCowhiYawYZ3WAATAS7sXrdb79xoSK5/CZLM=; b=TDYkednG5uPOBrM0M7M5QqqFbxFMsQ8T2JRUCr+JTExxQdhdJMq38TWd 6XWGOKDzsnrqJ1c80IscVnNSsvGlrk/Kkc7qpz2uaDHERIV3yEC+wasZy Ply+wAFME4O7Zwbp9cMwgfXP1u/cAScdTksOAs6H+6i3wB7DO3jA4mNui 8=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DiBQDRKfBW/xbLJq1ehAcuRLU3gl+EDSGFbAKBdwEBAQEBAWUnhEIBAQQjSA0BEAsOCgkWCAMCAgkDAgECATQRBg0GAgEBiCMOr3ePJwEBAQEBAQEBAQEBAQEBAQEBAQEBAQ0EBIpihAwRAQaDGIJWBZdXgx6BZm2IE4kzhVSPBmKCMIE2Oy4BiGKBMgEBAQ
X-IronPort-AV: E=Sophos;i="5.24,372,1454976000"; d="asc'?scan'208,217";a="636444584"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 21 Mar 2016 17:10:59 +0000
Received: from [10.61.216.70] ([10.61.216.70]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id u2LHAwa0023364; Mon, 21 Mar 2016 17:10:58 GMT
To: Kent Watsen <kwatsen@juniper.net>
References: <20160317113347.3650.38937.idtracker@ietfa.amsl.com> <m2d1qnj2ec.fsf@birdie.labs.nic.cz> <20160321151914.GA62880@elstar.local> <56F0137B.3090103@cisco.com> <72154E94-3C00-438B-B177-35DB9216DF03@juniper.net>
From: Eliot Lear <lear@cisco.com>
Message-ID: <56F02B21.3080103@cisco.com>
Date: Mon, 21 Mar 2016 18:10:57 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <72154E94-3C00-438B-B177-35DB9216DF03@juniper.net>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="TuR2vXPhoBwiQcLXhm9Etplm1I0nwKNDt"
Archived-At: <http://mailarchive.ietf.org/arch/msg/netmod/w2IDW1iJ7VUShV4yhDIBHN2NlOs>
Cc: "netmod-chairs@ietf.org" <netmod-chairs@ietf.org>, "netmod@ietf.org" <netmod@ietf.org>, "draft-ietf-netmod-yang-json@ietf.org" <draft-ietf-netmod-yang-json@ietf.org>, The IESG <iesg@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Subject: Re: [netmod] Stephen Farrell's No Objection on draft-ietf-netmod-yang-json-09: (with COMMENT)
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2016 17:11:10 -0000

Hi Kent,

Thanks for the pointer.  The zeroconf draft is cool beans to be sure. 
That describes an enrollment mechanism for devices that make use of
802.1AR.  Very ANIMAesque.  What I'm suggesting, and perhaps it's a bit
late for this draft, is just a statement in this draft along the lines
that "signing and verifying happens at the JSON level; see [ref] for how
to do it", and for extra credit an example would be exceedingly cool. 
That way we as developers know what to do (again, I'm neither a JSON nor
netmod expert - just trying to make use of what's there for what I am
expert at (or so I think)).

Eliot




On 3/21/16 4:55 PM, Kent Watsen wrote:
>
> the zerotouch draft uses object signing.   XMLSIG was used in earlier
> draft, but was replaced with a binary type leaf called 'signature'
> having the following description:
>
>
>
> description "A PKCS #7 SignedData structure as specified by RFC
> <https://tools.ietf.org/html/rfc2315> 2315
> <https://tools.ietf.org/html/rfc2315>, Section 9.1
> <https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-07#section-9.1>
> encoded using the ASN.1 distinguished encoding rules (DER), as
> specified in ITU-T X.690. This signature is generated using the
> owner's private private key and an owner-selected digest algorithm
> over the redirect-information or the bootstrap-information nodes,
> which ever is present, and in whatever encoding they are presented in
> (e.g., XML, JSON, etc.)."; // is there a canonical format? reference
> "RFC 2315 <https://tools.ietf.org/html/rfc2315>: PKCS #7:
> Cryptographic Message Syntax Version 1.5 ITU-T X.690: Information
> technology - ASN.1 encoding rules: Specification of Basic Encoding
> Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding
> Rules (DER)."; }
> Note a question regarding canonical format.  As the draft stands, no
> format is canonical format is required.  The data can be however the
> data is provided, by the server when pulling on the RESTCONF resource
> URL, or how it is encoded in a message buffer, or encoded to a file on
> disk.
>
> The use of PKCS #7 signing was selected to simplify implementations,
> especially on resource-constrained devices.  Use of DER encoded ASN.1
> structure was selected to be consistent with other parts of the draft
> as well as parts of the server-model draft (in the keychain section). 
>
> Thanks,
> Kent
>
> On Mar 21, 2016, at 11:30 AM, Eliot Lear <lear@cisco.com
> <mailto:lear@cisco.com>> wrote:
>
>>
>>
>> On 3/21/16 4:19 PM, Juergen Schoenwaelder wrote:
>>> Lada, I think Stephen asks about JSON encoded YANG-defined data that
>>> is signed, that is, the JSON serialization itself is signed. What
>>> happens to the signature if you convert the JSON to corresponding XML
>>> serialization. I think the answer is that the signature is broken in
>>> this case and I think this is quite natural.
>>>
>>> Object signatures so far never came up in the NETCONF/YANG context
>>> (well not quite correct, I think there is some related discussion
>>> aroud the zero-config draft) but even if they do, I think we will have
>>> to accept that signatures are encoding specific. And I think this is
>>> not a big deal; if I sign my HTML encoded email, then the signature
>>> likely won't apply to a text-only rendering of the same email.
>>>
>>
>> However this goes, it should be well documented somewhere.  This will
>> not be the first time this comes up (he says, knowingly).
>>
>> Eliot
>>

v2.23.0 | Report a Bug | By Email