draft-ietf-rtgwg-yang-key-chain was: Re: [Netconf] Draft Charter Proposal for NETCONF WG
t.petch <ietfa@btconnect.com> Fri, 24 March 2017 10:52 UTC
Return-Path: <ietfa@btconnect.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE34E12957B; Fri, 24 Mar 2017 03:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.588
X-Spam-Level:
X-Spam-Status: No, score=-4.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.796, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdK4nlnb-E-l; Fri, 24 Mar 2017 03:52:35 -0700 (PDT)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00097.outbound.protection.outlook.com [40.107.0.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CC1312940A; Fri, 24 Mar 2017 03:52:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fxlNeplFg/ii9brAgiOEX3B3VqleO9lbDPz7v0LetF8=; b=ZG4XafiHA83EoQQMyKFn5HEFLNFaKLLZzMrgvuRex+IUIiyowsogArhMt7UE2KKyOk/48ap32lnKdKDEbbvyoBgQdEX5rfGjiZss//2djGrdRXuwxUZPtGjhwqn1vxPca8H+7RdqwJZvTedYEYT/3F//tLZ2315f10gqfS+t3Lc=
Authentication-Results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=btconnect.com;
Received: from pc6 (86.185.203.75) by VI1PR0701MB2766.eurprd07.prod.outlook.com (10.173.81.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.2; Fri, 24 Mar 2017 10:52:31 +0000
Message-ID: <02d601d2a48c$82a82500$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfa@btconnect.com>
To: "Acee Lindem (acee)" <acee@cisco.com>, Kent Watsen <kwatsen@juniper.net>, rtgwg@ietf.org
CC: draft-ietf-rtgwg-yang-key-chain.all@ietf.org
References: <CABCOCHSacn15vfo8MR0K-UJJo6E0AZ14Gwj3M43KYkgbtwK8Kg@mail.gmail.com> <005101d2975f$ae87ac20$0b970460$@ndzh.com> <017d01d29769$0df70b20$29e52160$@gmail.com> <010701d29771$a45f66e0$ed1e34a0$@ndzh.com> <026601d2977f$8d059600$a710c200$@gmail.com> <685B9088-7557-4C6E-9A8F-54C3208DB312@juniper.net> <7217bc23-0e1e-c250-929d-e18c3f0a800f@cisco.com> <07b601d2a197$9865d5b0$c9318110$@gmail.com> <02ee01d2a22b$295b2be0$4001a8c0@gateway.2wire.net> <BA52FB19-D4B9-4E1A-BFE5-7CCE6F5554B1@juniper.net> <20170321174358.GA36769@elstar.local> <65E2B5E1-A1D0-45C1-94E8-F10A35042295@juniper.net> <FF00B7D1-0418-49C5-93AF-59D837354879@gmail.com> <4A73C3C3-61F3-4988-B163-264B29EE1BA0@juniper.net> <445D4A52-0EC8-4AAD-ABC4-22CAC3B3169A@juniper.net> <03a101d2a3fd$35353ae0$4001a8c0@gateway.2wire.net> <C429E3CA-891F-4EEF-B96C-B85EE0F64FC4@juniper.net> <D4F9AB80.A3DFF%acee@cisco.com>
Subject: draft-ietf-rtgwg-yang-key-chain was: Re: [Netconf] Draft Charter Proposal for NETCONF WG
Date: Fri, 24 Mar 2017 10:24:16 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.185.203.75]
X-ClientProxiedBy: DB6P18901CA0004.EURP189.PROD.OUTLOOK.COM (10.169.208.142) To VI1PR0701MB2766.eurprd07.prod.outlook.com (10.173.81.138)
X-MS-Office365-Filtering-Correlation-Id: 28b465c8-dd7d-468a-7f9c-08d472a3df95
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:VI1PR0701MB2766;
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 3:Ro3pJNKhSMMnjXJWj7fBiMXK/VxAA4tSwER9g2tljxGJnwubcrl8Eul3ocnDBRHDaHn3X+eqmQH9xBsOUXGLSpUiOmkuomJsmR6dHOlXa/qOiEPnkDRT6i/g5j808IrcNTwVNKjyGLRZD4f5YCZLDtN3Q+COzlDeuruArAqVTdv0a0J45ycs43RNJXeMWiEq+vk2MKb2TPkZM9tzEGnIj4jXadxDtWTvF0Y1GXv3Cs1gJnaVBoiWQiIHovE5Cq+LF4iLTzBYT7tPCTU6T+quew==; 25:beZByTiUaMAzmcKu91bWDsUQzYBgUzRwpoeS2d/9muPD4DsKMOBShJhCa6X1h32Bk7o7Q1wRKVaO6sq68FPgPH12Rtpjd/oyS5FX2Ftwtck+JwlaXOvCWIwGG0f6PiRoy7Ti5i6WEoUt2+xSigKWfPZFGtbDBjhXTneH4vT93wWjWQ5J+Nxx7tQqYpZSBJQtnVbgOA5l3uJmgoX72bipXjmbbFrZQOav8P7fwv14/2ALkABjipMCPEtS6KEPtP271obRYScpiJCcdH7UySNNTiX/zXcBhbjTV4AMVzJn5ENFUhCS2gZjl+koJ1qPqr1R40/gq9rvsCmA4CqEUdwwFaKYehu997EtXrHh+Swm5knRPdcv1VLUfnkbemjgNV5ZQftr4Guvzg/sE+We4BHogSigHtWTR1Pxy+kdwiva3bIJ9heokutVmk0eRp3izlcFvu02H942uQFKgIsk51znHA==
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 31:YfBiocGi35u5o8omCC+VGY13A/s4JZWM2zIG4JVzJrHDqUSCMrnQQ7yAWG9z6nTHKHeGJ1S/XTmdVULhivQp+Scwp1SDj68n44R+oAur/H4beWGsSP+PccNsLN5AYdTbH0oGQdUM0FqYilbSoC7tRq8mrTfto6ACJT2pRMKzWUDm10/3XCTnK/VWZKvBvXaN0h5RPgo8eMEvGb53Udg0T+NsZCYz6lEu3cCIvNtAvwvLiFgYVdT7225phg8AAhLl2H7PsoD8Tq53svjK40waIZoxobx4r3tMNO4nJxT43/w=
X-Microsoft-Antispam-PRVS: <VI1PR0701MB2766C2B7517BB2E800DCC4A2A23E0@VI1PR0701MB2766.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:(278428928389397)(192374486261705)(131327999870524)(138986009662008)(95692535739014);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6041248)(20161123564025)(20161123558025)(20161123562025)(20161123555025)(20161123560025)(6072148); SRVR:VI1PR0701MB2766; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2766;
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 4:qKKOI74fDElb7oEeS0V1NA/DTc8YLNJTYm/8exZQp0XAlfoeHLIZiYOBwEurfxx9uP7vtdUju7WJRfnCeunjRqVTOM/Yy3PVcyeeDuJRWY+Pu3f4OYYwMJle20gJDT4u+OUHQKoKvPRd8yJn8sfJkgvXF4Dmt1ENAjM5xgRKgmqrRLCP9bk/QLcG5YCEZJJkhkUVCOHpY8TmFX8ylOoC0Nr6T/ml2W52Rs1g+2l97rxDwn9CvvsrmDdkmTzNuBvhLzlSeRSNr6pCBTztOZg8nHUG20HTHFc5gSca8H0g9a62IMdJqp589tNRq81JZPUWs+W4VYEdhIZ+6gEbMxguahaMd55U3p8dws9ukk/AzYbNtIqYTQvyXbFWhJAPA1JAz1m+bx0o8dlm1IcWqjCyq9v9GE85Nx05ehfLgXpPZnYF4r3KfY4nlwan3kUEWYziqRg9pWW+qrd9LFRrq9/lVEGV9V+UrxIq84q8jF37gkfa/F85Vpo0Pgf8Pb/JncSqTYNNSL3dEijo1dQF+1607lrVh5Sqz3cbOv911q8InNMjA5MdmpztmArTEMxQR3/IsrflmU89GcQlxHtuEBInOCP6649eDvEzPezw4rMSz20hePWbQWS9FZ0qg/g1cOjNHz303TDzZarI8H5FwGcTQ8cvh38bQJ9gPjjWSr12ccBFOeBp2dbZFa733rd2PCLvGaXpb+at34BeHLLzQqVPMCvnDs4WYaI3hz62RL5bN7bDPuu8QARVXmwfOWqBW0A6+/0TMPM5pI5oCaQ+lSpp2VUu7Ce7uwsEN7enwtACpxo=
X-Forefront-PRVS: 0256C18696
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(4630300001)(6009001)(39840400002)(39450400003)(39850400002)(39410400002)(39860400002)(377454003)(24454002)(13464003)(8676002)(1456003)(551544002)(6486002)(230783001)(53546009)(8666007)(189998001)(50226002)(4326008)(42186005)(6496005)(116806002)(62236002)(44716002)(81166006)(66066001)(5890100001)(9686003)(1556002)(33646002)(53936002)(86362001)(47776003)(6666003)(14496001)(1941001)(44736005)(93886004)(23756003)(76176999)(81816999)(38730400002)(6116002)(305945005)(81686999)(3846002)(50986999)(2906002)(50466002)(4720700003)(2870700001)(84392002)(25786009)(5660300001)(7736002)(61296003)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR0701MB2766; H:pc6; FPR:; SPF:None; MLV:nov; PTR:InfoNoRecords; LANG:en;
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 23:LJQquy1varbMjQYQm5Z4LH1mrsfTYUXdCbFoVHhsjeC5oPn55JvvMvRiVTf9yb8gET9EIFdk/ftulC6W+YbUqfGMymllrPFMsdUe3mPqVzX6qq4kVk/rdZb6a3UwQ9pcWER2oSXYJovL3+N5hm55uM3nkPY5LcEZlyVMiR2XoYmaun0dqeD86LnVYdaJIWoj3ZrCNHFT0px3SavDYYzI+JmkQA1a/IdtDUxyybiejeXGVHFaSTiZTkK9/69X3+zJ70ByMlChdIjCo+UbiGPkY/43dPY67XIPdMtSIo2oZ8F7KZkQU80d6EQAsYWsFTJ5e05n2y56MDKDL8l5LDVqiggiz6aVMYPBQEbnpWm9qJhdB4i23khBNWHHF5ErhMseOxsZrDlvK7Ny16j8NAYTaOpdfmba9vBXDaAK1MHtjn5jIlcKq93TKoAcN7/lGEi8ROfeEuvXE8mXuzh+JOcBuXfn6SnfzzGYvEPPXmr6Y9TIfNqCJus9RJVtGLmOqXddwWs8aKYQF/UlzRgpqtvrbr7BW1yfwgP1Dceh4Mb+dTry6hEWxnyIvhHLTOaCO35qZ6EoUhDUsYbvoyp5OnANVWSvOwUXmdpe1+v7LjixH/i8reAdEuz8tWqXmBELItT2Jf/2HzHYuYK26k3ZAN290ZrNyUvUfDpIAhYbBloAOq8RQ2brcImCqLfZwaIRP8ab8DscToszMDpR9345JhCWMobjkwjX8/PDzFTuSDu+MXDhz/MNkv1lI65bSacRuB8uUM3MTjO+gV46CKP6JAdpUtvioR1xCt+EiTovYPE6DmOJneOKV2n3rArVOGhi0tHKg5+Za8fMs0wb6+YReEYOzMgvVwFtM1Pf+is+KMqmLtvkowYvcd+7oS/UQMLvCUWusC+1cpzLPqlNp/wB2OpFAiw1aAKGePUKITGAGTot8IsoWeRMO/sy7RbDYkTKjqwsFH3mzgozifnbgy8hN9SkfLdn/o9kixL5lClmJtCHwdNQGCB6Fd5FPPud3p4qjXgLhAjKxWRGADuN+4qRf1T6cUzlOn7U7tDCYzrkPXEtpdYIQU5r8FndEu84DORkvsextJ10QpKmjeDhAJKnsz8ZW+67ki1IATylIio3s6vsexugrOxkghWhmUI92SuElaVrrySwgQ2V8JB/QjZgUs1ihsYFW1sVK8ddXuvBYqeaD/sSBROGSw3UybT3gK+zuUaUWtlrh3qtfc4j9LtM+s0nT0jEHKQhyaz63k7S7gDNvPlD0+gyDwBUhlh9mEaDPRY2I1L3Hy8DWSJ1BijdjuUte9Vl0Yfc5ysJh12EGdqrTK5xZgbkdZlKoD7DAwImemm9RlZtxXr1IewxupDxJLy28m8MlUSRMJTR4V8leucoSUgDLzUW0Ivd6RAfyrGwEvMWsGiIMO5Dsd3VSNxmB4fN9w==
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 6:2b1AEyh2DRTmrs3b58fZwR/Cf+Jl29/xRXv//OpL6AeyyzOMebgX0JxdCFc0EHdTABPYnpKn++EFsc6fhcA+xsItxgRabXMQJq/iJxAnU6ZRQ1B7no7Ie3/8iWNup+cgFIkcTvGipL9IrmtEBlqGM8UpaceFh1WJnHubrpw1Tff0DMulN1pwnxXoKDiebxtHCpFRhRt1fSQLkQ6Je+31fm50x+5kh/J5pcf+9eJR849yqQXgSPhm1I2rJlADdInDzzl8rD74NXgDOVhuhXVrnn3+gICTd6f/gjYysPTclQz9T0vMyjRMZz2fwvOqn9rE7/09DJvQ0RhdTkIu8QCMYSJL9UpEuN3Rty7ev+ASNRhG0JTMeBlbsGZlb/IZNtW3yh52AZdGNPkSRGNfBkcrzg==; 5:iTJSialYDrNrzppB+ZgqHkWN2gIOfRp1NLsVvBKfcUQHdoiIDTi14Wsy+XCz32xvM2DI5bhV8EdOuw8xl2Jp2Zupul0XqgPkndMfrxltxHylcjlRSKomt/plgn3xZIw39+uB7wZPCZPEvF60VzG15A==; 24:Y3Syhfx7tUk1zIaqlLvuLgg55ikWWo7ExTTRau7Ch5YzjNEpMw5KAFpKvXjTTSUoc//ROWW4pkKpNt95Fv8q00odjQ5qkmNr2dODPxlN6w0=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB2766; 7:/E3KT4Q9EpOhy1NK14BuaUblBu0sVEQg4Vs/sh3YO1LCh/Uks/9Aazhtr5KWMsJeo144IHt1CX1cE1uGXKHpcTq45wn4JJXhroV1jJR8gK9lr+S9qeT7p7PiEZdqbk9XrrD4o3ctSs4MvsqXOyArJEacfs7dhnHWwqCUAJhXlYqwi50MVHcvwgzIhyeip+7pTufeD/IAIQJKEUSk+LvrDAEOESAvYrtUFR1HcM/byd0d8PGVuHm2M4pUKtsgDHeKTyAjKtWgkant495NgRXM6WFNl3FsAL6SAp3rHXbHjtkR1u2E38XCpyBI6DrPkP2ifokJQSWRyg9yuo/etiPQ4Q==
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Mar 2017 10:52:31.6359 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2766
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/bpy8VzyUcmP1iawQNbrt32zlQjc>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 10:52:38 -0000
Acee Changing the title and switching to rtgwg! and inserting after <tp> Tom Petch ----- Original Message ----- From: "Acee Lindem (acee)" <acee@cisco.com> Sent: Thursday, March 23, 2017 9:01 PM Hi Kent, Tom, et al, On 3/23/17, 4:40 PM, "Kent Watsen" <kwatsen@juniper.net> wrote: >Hi Tom, > >> Sorry about mixing up keystore and keychain - I did download the >> updated draft last week but failed to find it when I was drafting >> my post. However, while I know the English semantics of store and >> chain, I do find it more difficult to attach different semantics >> to keystore and key-chain, and I do find the Abstracts of the two >> I-Ds rather similar which leaves me uncertain about the scope of >> the work in Netconf. > >understood. > >> When the proposed charter says >> " 1. Finalize the YANG data module for a system-level keystore >> mechanism, that can be used to hold onto asymmetric private >> keys and certificates that are trusted by the system >> advertising support for this module." >> >> I am still uncertain. > >understood. > >> You are saying symmetric keys may come in future but should this >> be part of the charter now? I am divided on this. > >I'm also divided on it, but it is the case that we had passwords >(read "symmetric keys") I wouldn¹t equate a password with a symmetric key. >in the previous version of the keystore >draft and, the reason that they're not there now is because we >moved the passwords to the ietf-ssh-client module in the current >version of the draft...a decision that I consider to be "under >review" and to be discussed in Chicago. > >> You are saying you are unsure about system-level but what is it >> then, not that I have ever realised what is meant by system-level >> (unless it means not just for routers, but then the Abstract of >> key-chain, for the first five sentences, sounds like a system-wide >> model with sentence six only saying it is commonly used for routing >> protocols, it does not say it is not also for system-wide use!). >> >> I would then avoid system-level, since I do not understand it:-( > >I agree, for the reasons you mentioned, hence why I've resisted >putting "system" into the draft's or the module's name. Admittedly, >the draft's abstract/intro currently say "system", which should >probably be removed. > >> "Generic keystore mechanism" perhaps. > >Perhaps, or just "keystore" with some more words around its >common uses, kind of like how Acee's key-chain draft says that >it's commonly used in routing protocols. > >> I note that the charter does say 'asymmetric' which I think needs >> saying and also adding to the I-D; and I do think that the Netconf >> I-D should recognise the existence of other I-Ds relating to the >> storage of keys, although that detail is not a matter for the >> charter. > >The draft currently says "private keys", which a veiled reference >to asymmetric keys. It certainly can say this more overtly. > >The draft used to have some words regarding the key-chain draft, >but Acee didn't think such sections were useful and so I took it >out in the most recent version. If we add something back in now, >it would be along the lines of how the key-chain module is >specialized for a narrow purpose, while the keystore module is >useful in several contexts. That would be fine. I have added ³applications using symmetric keys² to the Abstract and Introduction of the key-chain draft. While one could conceivably use key-chains for other purposes, I fully believe there are much more straight-forward ways to model keys and/or other security objects required for these usages. I don¹t see key-chains ever evolving to more than exactly as the Abstract describes them: This document describes the key chain YANG data model. A key chain is a list of elements each containing a key string, send lifetime, accept lifetime, and algorithm (authentication or encryption). By properly overlapping the send and accept lifetimes of multiple key chain elements, key strings and algorithms may be gracefully updated. By representing them in a YANG data model, key distribution can be automated. Key chains are commonly used for routing protocol authentication and other applications requiring symmetric keys. In some applications, the protocols do not use the key chain element key directly, but rather a key derivation function is used to derive a short-lived key from the key chain element key (e.g., the Master Keys used in the TCP Authentication Option(TCP-AO)). <tp> Yes, I like all key references to say either symmetric key or asymmetric key, such as 'the private key of an asymmetric key pair' a comment which I will make on the Netconf list for the Netconf I-D. For the rtgwg I-D, I would like you to reorder the Abstract to make its applicability clearer for the casual reader, to whit, NEW This document describes the key chain YANG data model. Key chains are commonly used for routing protocol authentication and other applications requiring symmetric keys. A key chain is a list of elements each containing a key string, send lifetime, accept lifetime, and algorithm (authentication or encryption). By properly overlapping the send and accept lifetimes of multiple key chain elements, key strings and algorithms may be gracefully updated. By representing them in a YANG data model, key distribution can be automated. In some applications, the protocols do not use the key chain element key directly, but rather a key derivation function is used to derive a short-lived key from the key chain element key (e.g., the Master Keys used in the TCP Authentication Option(TCP-AO)). as I have implied on the Netconf list, the current layout has me reading the first five sentences and thinking that this is an all-embracing key related model, then I get to sentence six and think, well, I am confused now. Putting that sentence about routing protocols earlier would leave me less confused. Tom Petch The only augmentations I¹d envision would be additional algorithms and potentially other key attributes. Of course, one can never fully predict the future. Thanks, Acee > > >Kent > >
- draft-ietf-rtgwg-yang-key-chain was: Re: [Netconf… t.petch
- Re: draft-ietf-rtgwg-yang-key-chain was: Re: [Net… Acee Lindem (acee)