Re: [secdir] Secdir early partial review of draft-ietf-netconf-crypto-types-10

Watson Ladd <> Tue, 23 July 2019 03:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EAEFC12003E; Mon, 22 Jul 2019 20:16:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 02rVA72uOH46; Mon, 22 Jul 2019 20:16:18 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 21445120091; Mon, 22 Jul 2019 20:16:15 -0700 (PDT)
Received: by with SMTP id m23so39495089lje.12; Mon, 22 Jul 2019 20:16:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CGVFJmEl3lbnKEHvV6Er0ndwtckAG+UVXPBsMmiVEi0=; b=d+F8rL0doDJPAA8xtxxZ8umFQMmZCq7ckLnhg4UrT4E5lgjVeVmmKSvbcdGA+UDXXG mMBpqsBldkquDJyHmfrxXDZ42vGOkf3QKJJ2tB5VdHEF/uFclAJ8wdnLU/+4HtDaX8a6 VvNoarxUPzdO41jMyXdw9oyyEHeUGNVZvzR32d9watNUqVWclc74cqVevhWicLyDf6Sg t+jIENI4Z2IWEF1Ivgw2RiudUot+iyOM/sP/BavwEVp7vDKTL6WGD37bOkSIZm+QMAI7 yvPVXdNG+HYNARpYcwoFFtG5QUV4XlWm1mYPyACgKRJurL29c+ezxW7gJIMUhNo1WJOi 7OTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CGVFJmEl3lbnKEHvV6Er0ndwtckAG+UVXPBsMmiVEi0=; b=V65CpFTFJuJFNW0TGxpSjw5Fy644vFRA3Lbzkp3ZqZYZvKop2qvDqj0RyPxCBFJMuW dEdIZEzmyqaVSAoIig1t5H3lLyRnIsELODRMXzBfZ/00q1CWwoy1Ixj+F4sjX1X0a2BE XmK8NDoqhzqUQ6c7NZHwTpXEN44ORzM1PBpjQWsA9bNMvV5anOfbIyFBC7vl3Jp7KovB PNTnO2p51njzY08qhevS+WSK/wtYka9wI2tWmTL1nRf8slI4vDVLK63ES7eGfTFo6ILW DKRP7rau8d777Jlg4rQuS4R35eQ9MG0pndTGVVXqaE2e3Glyi+kMzDk+FVzPg+BxvHTN nOSw==
X-Gm-Message-State: APjAAAVasLHeMeY3SdDoUKf/OJbUhGKn0Tt2kSbFdPkD3s2dL8+5nBP4 PLWfD9AD7mMOnY/cODWjhZwP4mmxXTQjhw/Le3Q=
X-Google-Smtp-Source: APXvYqwWVE5i/t7ELDQ7tPX4XAAcl5LyMkUUXkARyynapHSOY6ZMgk96zFYAvVXyYgDsNCMctiVCw/Xq4nZ9dhdRP54=
X-Received: by 2002:a2e:8602:: with SMTP id a2mr36327259lji.206.1563851773207; Mon, 22 Jul 2019 20:16:13 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Watson Ladd <>
Date: Mon, 22 Jul 2019 20:16:01 -0700
Message-ID: <>
To: Rifaat Shekh-Yusef <>
Cc: secdir <>,,, "<>" <>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <>
Subject: Re: [secdir] Secdir early partial review of draft-ietf-netconf-crypto-types-10
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Jul 2019 03:16:20 -0000

On Mon, Jul 22, 2019 at 7:57 PM Rifaat Shekh-Yusef via Datatracker
<> wrote:
> Review is partially done. Another assignment may be needed to complete it.
> Reviewer: Rifaat Shekh-Yusef
> Review result: Not Ready
> There is the open issue of the proper structure of this YANG model, which was
> discussed with the security ADs and IESG, and still to be discussed with IANA.
> Meanwhile, I have the following comments:
> Page 6, hash-algorithm_t
> Why would you include SHA1 and indicate that it is obsolete? why not just drop it?
> Page 8, hash-algorithm-t
> Why would the default be 0, i.e. NONE?
> I think you should select a minimum algorithm that would be considered acceptable as the default.

Along those lines why is RSA-1024 in there? The asymmetric algorithm
doesn't differentiate between encryption and signing or other more
exotic things, which I guess is defensible but raises some potential
gotchas. We also have an IANA registry for AEAD schemes: why not use
that? This would have avoided some omissions such as AES-SIV mode.

Lastly one nit: it's elliptic curve not elliptical curve.