Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 28 July 2017 07:39 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D182E132059; Fri, 28 Jul 2017 00:39:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VxmVQBl7dDc3; Fri, 28 Jul 2017 00:39:26 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD3C6129AF9; Fri, 28 Jul 2017 00:39:25 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id A5B01F7A; Fri, 28 Jul 2017 09:39:24 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id OPABa4SPNwZP; Fri, 28 Jul 2017 09:39:19 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Fri, 28 Jul 2017 09:39:24 +0200 (CEST)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 7D1BD200B8; Fri, 28 Jul 2017 09:39:24 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id mMpTNMA3hGQd; Fri, 28 Jul 2017 09:39:23 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 793D8200AA; Fri, 28 Jul 2017 09:39:23 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 4B0A74000931; Fri, 28 Jul 2017 09:39:23 +0200 (CEST)
Date: Fri, 28 Jul 2017 09:39:23 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20170728073923.GA28870@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kwatsen@juniper.net>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/-tCM6F4m0YSK-PBjJOfpZ31Sv68>
Subject: Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jul 2017 07:39:28 -0000
On Fri, Jul 28, 2017 at 02:12:33AM +0000, Kent Watsen wrote: > > Assuming people will figure out that ... is just a marker, what about > > this? > > > > <private-key>...</private-key> <!-- base64 encoded key --> > > For this case, it works out nicely. But, still, there are other > cases where the string is longer the net result doesn't work out > great. > > Rob had an idea of using a footnote to keep the line lengths within > limit. I'm hoping to not do this, though, as it would be hard to > automate the compilation of the draft, while maintaining validate- > able files. > > Here's another idea, it turns out that the string "base64encoded===" > is itself a valid base64 string. This could be used everywhere. > We would lose information about the structure encoded, but maybe > that's okay, since the examples are in the same section where the > YANG module is located. Maybe we only need to worry if 1) is it > readable enough? and 2) are folks still going to copy/paste it > into examples without thought? > > Recap: we're trying to avoid having real base64 encoded data > examples because the net-result is a whole lot of unintelligible > text. > > Not that it has bearing, but I never seriously tried to encode > the binary structures used in the action statements. If we > decided to have real base64 encoded data examples, we'd have > to write custom code for them, which would be a good proof > point of sorts. That said, it'd be even better if the entire > keystore module were implemented. Running code, right? Using <private-key>base64encoded===</private-key> sounds like an interesting option since this should allow tools to validate the instance documents (and this is what I am really looking for). > >> - I am not sure I understand trusted-host-keys. On systems that have > >> multiple user accounts, you usually have a per account list of > >> trusted host keys in addition to a global system wide list. Perhaps > >> make it clear that this models the global known hosts list only? > >> > >> <KENT> it's a list of lists, so there can be many different > >> sets a host-keys defined, with each application/use pointing > >> to its own entry. The ietf-ssh-client module's grouping has > >> a leafref to a specific entry. FWIW, this grouping is > >> used by ietf-netconf-client module. At the moment, there > >> no other uses of this grouping. I think that you may be > >> getting confused between the key the server presents (the > >> host-key) versus the key user presents. > >> . > > > > I though these are the authorized host keys? Yes, I am confused. If > > these are user public keys, they should not be called host keys. But > > yes, I am confused (but I started to read the other documents). > > This leaf encodes an SSH public key (RFC4253, 6.6), same as used in > /ietf-system/system/user/authorized-key/key-data (and I have changed > this leaf's type to match it in my local copy already), but the uses > are different. In ietf-system, the authorized-key is configured on > a server in order to authenticate subsequent SSH-client connections. > Here, we're taking about the key that that SSH-server presents to > the client. These are the host keys that OpenSSL often puts into the > ~/.ssh/known-hosts file. I understand what you are modeling is /etc/ssh/ssh_host_rsa_key.pub and friends. Make sure it is described clearly. Or do you actually mean the clients cache of authenticated keys that goes into an account's known-hosts file? In this case, the keystore may be the wrong place. > >> - Should the document title be aligned with other YANG module > >> definitions, so it is easier to spot it? > >> > >> <KENT> I don't understand, what do you mean? > > > > We often use "[A] YANG Data Model for ....". > > > > https://en.wikipedia.org/wiki/YANG#Usage_in_Standards > > > > The current name does not say YANG (sometimes I search for YANG > > in the RFC index) and Keystore is also pretty broad given the > > related work we have. > > Gotcha, how about "YANG Data Model for Keystores"? Yes, except that 'keystores' leaves readers unclear about the scope. I commented several times that the names of this module and the other module for symmetric keys are unfortunate. Concerning the SSH keys, I am still concerned that we would be better off to have a separate SSH module that takes care about managing an SSH server's host keys and then this module would be X509 certificate specific, i.e., a 'YANG Data Model for Managing X.509 Keys and Certificates' would be a clear and well defined scope. > >> - Since crypto algorithms come and go, is it reasonable to have the > >> identities defined in a rather static RFC? Would an IANA maintained > >> identity module perhaps make more sense? > >> > >> <KENT> Unsure, but I wouldn't suspect needing to make that > >> kind of update for a long time. If we were to define a > >> module for algorithm identities, it might lead to us wanting > >> to define every algorithm (not just public-key algs), which > >> could take some time... > > > > I think an IANA maintained registry can be as incomplete or complete > > as the I-D. I understand that the mechanics of working out the proper > > registry can be painful (there likely are already N registries) but > > clearly crypto algorithm identities must be easily extensible. > > In another thread, we concluded that we might want to ask SecDir. Or just acknowledge that in the longer term an IANA solution may be needed but we do this later. > >> - Since the certs of a key do not contain a signature, where are signed > >> certificates stored or are they outside the scope of the model? > >> > >> <KENT> I'm confused, certificates are signed structures already... > > > > Well, the description of certificates/certificate/value says: > > > > An unsigned PKCS #7 SignedData structure, as specified > > by Section 9.1 in RFC 2315, containing just certificates > > (no content, signatures, or CRLs), encoded using ASN.1 > > distinguished encoding rules (DER), as specified in > > ITU-T X.690. > > > > Yes, I am confused how this works. > > Okay, now I understand your confusion. I believe the text is > accurate. Think of the PKCS#7 structure being a little like a > TAR file that contains a directory structure like this: > > pkcs7: > /signed-info > /signature - this sig is only over 'signed-info' ... > /extra-certificates > /extra-revocation-objects > > So, in this case, we're using a degenerate form of the pkcs7 > structure that has no content (signed-info), signature, or CRLs > (revocation-objects), it only contains the certificates. Perhaps > my use of the word "unsigned" isn't clear enough? So why pkcs7, is this what implementations use? The certificates I find in /etc/ssl/certs on my Debian system seem to be in PEM format. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [yang-doctors] Yangdoctors last call review of dr… Jürgen Schönwälder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Mehmet Ersue
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Kent Watsen
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen