Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02

Kent Watsen <kwatsen@juniper.net> Wed, 02 August 2017 21:37 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] last call review of draft-ietf-netconf-keystore-02
Date: Wed, 02 Aug 2017 21:37:14 +0000
Message-ID: <FE5D497F-2B78-4CFE-8517-6924C04FAD12@juniper.net>
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net> <20170728073923.GA28870@elstar.local> <701F31A6-9941-4DE4-AE7E-00E859F103F8@juniper.net> <20170728154008.GA29865@elstar.local> <53886D3E-8A0C-4664-A7BD-1E708A80EE9D@juniper.net> <20170728170930.GA30054@elstar.local> <04f301d30aae$7482e900$4001a8c0@gateway.2wire.net> <7C4C9B41-7343-4FCD-AB0F-0131F64B45BF@juniper.net> <07d301d30b78$50b9a0c0$4001a8c0@gateway.2wire.net>
In-Reply-To: <07d301d30b78$50b9a0c0$4001a8c0@gateway.2wire.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/JCIcc3cdYiTb6-VexSDZEF3IZAY>
Subject: Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02

Hi Tom,


> Mostly yes.
>
> I think the one further change that I would like is to move away from
>   o  An unordered list of pinned SSH host key sets...
>
> I think that the scope should be a public key, not limited to SSH and
> not restricted to what is referred to as  a host key.  Typically this
> would be in a client enabling it to trust a server to establish a secure
> channel which may then be used for further authentication.  I see this
> as far more common than SSH.

Agreed.

> And since the scope is asymmetric cryptography, I would state the
> obvious in the Abstract
>
> This document defines a YANG module for a system-level mechanism,
> called a "keystore", containing security-sensitive data including
> private keys, pinned certificates, and public keys, such as pinned SSH
> host-keys, for use in asymmetric cryptography.

You're touching a point similar to one that Juergen raised.  I think
the solution here is to refactor the ietf-keystore module into a base
module, which doesn't mention anything protocol-specific, and augmenting
modules that are protocol-specific.  If this were done, then the
abstract might read:

   This document defines a YANG module for a system-level mechanism,
   called a "keystore", containing security-sensitive data, such as
   asymmetric private keys.  This document defines additional modules
   that augment the base keystore module adding support for X.509
   and SSH.

What do you think?

Kent
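To make the refactoring discussed above concrete, here is an added sketch of the base-plus-augment layout in YANG 1.1. It is not text from draft-ietf-netconf-keystore or any of its revisions: the module names (example-keystore-base, example-keystore-ssh), namespaces, prefixes and node names are all hypothetical placeholders chosen for illustration. The only real imported module is ietf-netconf-acm (NACM), whose default-deny-all extension is used to mark private-key material as unreadable by default.

```yang
// Added illustration, not the draft's module text. In practice each
// module statement below lives in its own .yang file.

// Base module: protocol-neutral. It knows about asymmetric key pairs
// and pinned public keys, but says nothing about SSH or X.509.
module example-keystore-base {           // hypothetical name
  yang-version 1.1;
  namespace "urn:example:keystore-base"; // hypothetical namespace
  prefix ksb;

  import ietf-netconf-acm { prefix nacm; }  // real module (NACM)

  container keystore {
    description
      "Security-sensitive data used for asymmetric cryptography,
       independent of any particular protocol.";

    list asymmetric-key {
      key "name";
      description "A locally held key pair.";
      leaf name        { type string; }
      leaf algorithm   { type string; }   // e.g. identifier of the key algorithm
      leaf public-key  { type binary; }
      leaf private-key {
        // Private keys must never be readable by a client that merely
        // has read access to the rest of the keystore.
        nacm:default-deny-all;
        type binary;
      }
    }

    list pinned-public-key {
      key "name";
      description
        "A raw public key this system trusts, typically on a client so
         it can authenticate a server when establishing a secure
         channel. Not tied to SSH or to the notion of a host key.";
      leaf name       { type string; }
      leaf algorithm  { type string; }
      leaf public-key { type binary; }
    }
  }
}

// Augmenting module: everything SSH-specific is added here, so the
// base module stays free of protocol vocabulary.
module example-keystore-ssh {            // hypothetical name
  yang-version 1.1;
  namespace "urn:example:keystore-ssh";  // hypothetical namespace
  prefix kss;

  import example-keystore-base { prefix ksb; }

  augment "/ksb:keystore" {
    list pinned-ssh-host-key {
      key "name";
      description
        "An SSH host public key this system trusts. Lives in the SSH
         module rather than the base so that the base abstract and
         model need not mention SSH at all.";
      leaf name     { type string; }
      leaf host-key { type binary; }  // host public key blob
    }
  }
}
```

The split shown here matches the proposed abstract: the base module carries only generic material (asymmetric private keys and raw pinned public keys), while SSH (and, by the same pattern, X.509) arrives through an augment. A protocol module can be added or removed without touching the base, and NACM's default-deny-all on the private-key leaf stays in force for every augmenting module because the access rule is attached to the node itself.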