Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02
"t.petch" <ietfc@btconnect.com> Tue, 01 August 2017 10:15 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AAFD129B5E; Tue, 1 Aug 2017 03:15:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.912
X-Spam-Level:
X-Spam-Status: No, score=-2.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RV9Wu9zgG_dw; Tue, 1 Aug 2017 03:15:21 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10099.outbound.protection.outlook.com [40.107.1.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C749313203A; Tue, 1 Aug 2017 03:15:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=nWi8P5+8yr6mZBj1WoOWdURcoV1GBIilTOKcY+TbryU=; b=hkRlInASSpIMsofI8VTWSDvjOLjPLjVXPpz8uiyF+M2TgajZP+9swqLJNtDoQIrfp2zJ5LnRn1xSjZmNDqrJ+y3LbJcic6RgzvVVVc1eqeiMo8nCpDmlqZDSfjyBHp9ucdCt3oJryNk3vlCBL6BRMx9Pqt2LKoKPyf+5kK3VBLo=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
Received: from pc6 (86.171.5.69) by VI1PR0701MB3008.eurprd07.prod.outlook.com (2603:10a6:800:87::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1320.10; Tue, 1 Aug 2017 10:15:17 +0000
Message-ID: <04f301d30aae$7482e900$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kwatsen@juniper.net>
Cc: draft-ietf-netconf-keystore.all@ietf.org, yang-doctors@ietf.org, netconf@ietf.org
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net> <20170728073923.GA28870@elstar.local> <701F31A6-9941-4DE4-AE7E-00E859F103F8@juniper.net> <20170728154008.GA29865@elstar.local> <53886D3E-8A0C-4664-A7BD-1E708A80EE9D@juniper.net> <20170728170930.GA30054@elstar.local>
Date: Tue, 01 Aug 2017 11:09:41 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.171.5.69]
X-ClientProxiedBy: AM5P194CA0007.EURP194.PROD.OUTLOOK.COM (2603:10a6:203:8f::17) To VI1PR0701MB3008.eurprd07.prod.outlook.com (2603:10a6:800:87::22)
X-MS-Office365-Filtering-Correlation-Id: 3c2a36d1-ec44-43cd-fcba-08d4d8c6354f
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:VI1PR0701MB3008;
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB3008; 3:YZyOVEQXkqcZZU9MX4lNUPhku71hdWbIyQKBrYEpJ0YBvSzbprdrOJ51et0NsN3dh/ZG94EqVrKoktEvNQfIESewZs8PsJTlJRkUOycmvYbpP0MjMp2uHdX5QcRUcyaESuheHEIoBxspu5DYpEnZ812j69vfLunzF/xd7V/uReshgQ06TOnnWnu6qeSUnjLxegpG2tfgvUF7DUlicmD/U4e94S8TO0JqZym0zVU13zs8kdIQa8z18GK0fVNsC+TN; 25:BjjAVyLulBeXDWAyP8kijGVMF81XPWUAfgCKOOwdc9EW/8YpJuKu0PJ2F8YZAg0gO6cHHowZJaexEaM77WcFEhicGgfqqx+jR/bw+dzRc9/wTGKob6fqh6N33PEhbpnmpNADDmn+LiN81K3gBPKFa+cW+8shI5VKkdmv/xbXz4X+YaLdhKG/qF6SKqEJjGbm5CouxQqVAWhu1Lq2vI9FSxZSZ1RfwDJgHFTVhfB+P9Mb67X7TTNpJXp8i59rTsT0Dr0XM1KhkEaRb6qNculZX2Zl74A/f9N9jjPlQVZz8K+OhTTmPK+gRrStntfHXVNa6YhY71kZ3g7dX2MbZnddTg==; 31:Ow6LMoF40ZcuOH2XrXIi1z5tJBx4AquGABZSUAg/1UcCiqMt1FLtzJ+7kOGIqDyynFi8M4YHBS95NkYMYxSIPtbT+NW/8PEyHaZbgTwhepdEkbLtt1nklAa7K+PJ80ReQusWo4TouPwreaDbSORBkmJkS9lv2ldRIsCXDvJvP0siF8Ivjm5tau2G67kLWGLIOX1Qk2ITq9bROFU+ViBs4zXB/EOzQ/MLTzwVWEDlIro=
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: VI1PR0701MB3008:
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(166708455590820)(138986009662008);
X-Microsoft-Antispam-PRVS: <VI1PR0701MB3008847664969177209FFEC2A0B30@VI1PR0701MB3008.eurprd07.prod.outlook.com>
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123564025)(20161123555025)(20161123558100)(20161123560025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:VI1PR0701MB3008; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:VI1PR0701MB3008;
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB3008; 4:eugIXJbSKde1al1WqPoi/bu4hggM/qaSu9iPZYUpFVHcXzOy3irFlC6rsNILV7xSn8FwIcNPeJVWj2LdywC48MRAR5/jI6Iuo8T2Xjup9BEwSRjmU6jV9KviC6PWVVDvPnL8M6HNP3Dc43oHcm1lNLjtWdTgYKwgTPZsrACYQ12wGq0Qph3tyNR4Z3KmqbEHn+EW/0HYASGkjsroqX97Rju1IIo22reGszGP/x6oIpHSLZJa17YzBEI0VLrJfQZ6BgVCjpRwzyl28b0OS49nSlXx1EPs4YZc5eZAtu6yA8Y8mWdG9Y9eXJEeAG/g+YBq5eMJVQ1lcMCojoVeEYeoVRh5hyjc/3PCYW8Jn3wPQETFavzQUeDgVPhYFeoMrM/S
X-Forefront-PRVS: 0386B406AA
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(7370300001)(4630300001)(6009001)(39850400002)(39840400002)(39860400002)(39410400002)(39450400003)(39400400002)(174864002)(189002)(24454002)(377454003)(51444003)(199003)(13464003)(52314003)(68736007)(1941001)(5660300001)(229853002)(42186005)(8676002)(66066001)(47776003)(966005)(6666003)(189998001)(23756003)(1556002)(478600001)(25786009)(50466002)(38730400002)(6496005)(8666007)(14496001)(7350300001)(53936002)(6246003)(44736005)(6486002)(93886004)(6306002)(4326008)(54906002)(101416001)(62236002)(44716002)(554214002)(6116002)(3846002)(81166006)(33646002)(106356001)(4720700003)(81156014)(84392002)(86362001)(230783001)(230700001)(9686003)(1456003)(7736002)(76176999)(81686999)(50986999)(105586002)(116806002)(305945005)(2906002)(97736004)(61296003)(50226002)(81816999)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR0701MB3008; H:pc6; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB3008; 23:CM6QAYN/ZlL+ILUKgycNLiwaJ8Ms4Bm0dL9t+q3JLE2EiTKmdmESBMmRNHwnvEjiaSDaBYA6m5DOlWx9hKEQ7b+Wd887aa/nI4j2ImWhaCQ/vgyKDSXbxx4FucRh7V8w5/8VXRpcAeC9zki400Re+Z1t8nAr2KtTtaVCUinT1el44OY4SrUTsOaSDmSTU+MfN2YgkAbGrJa47pZGmQp7qIqITQKlrStqAa/zn6gEkx0P6uWH8SviUVgWyOyBJpX9M+n3BxxUIZ+kfVz4LOoFmVwnAgCw/Ye8KkYWu1uYTOpHFfwEK8j/ydmWqRCumw5y3fu3n7RMdFMcJZBySAOlV0oQUsmsVmVCJtzScm8eW06hDS6vKIjBqTXvOyUXCAioYDeTZXaCI+6BNbKpHyXWpYzNUGfRRzmxYyOM6q1dtif5RAPRR4SPL2f/yGVabrYh+ulTwdNZASHZEHIFl4YvNTJGpTOb2xk47qlZjwHGJlfyj3O7HNyvCwYJxZlx/+iHhZ2Ox4/TYh/FYrY12xK685DIIVg39EHV2Xus9qIzzHShB++5SGTKsp4D4ZqHNe5GC3N1gY5u5vifgk9lUdU70n8q/+v7HycCltIFvG8IBDoHljmRx9eH97wgVJ7ybqu9wf238ZVZYqExA+rlACv7x14tmhuEoquGyn2kFCcnEMDMC+uLPzIRIqzZRkNmrv/AJDhIIxQ+qnUluRuZ20e+/KLsSiK0+ofECeq48szJn45EetyiiUI5FQqMnGrJqq7QJV5lZ34IKE0/Lweo15+rRT5+k0K7KQWF8WEYkFt2eYb3sCtfGtel3kSRvJfqSUu1ZF5AVGg15MZCAK4UWpeliKs1kfqUjvyXEK+7XCZq/VZkizwXnsDkfdRlIQoDLsaepNEsi0xQTf6/pHlVThqaDMHwxzrGcTbG9ec29TR8F7Q8RAfgSKU047ZuI1zfwoOP6rIyFPXHc6D6wk4XKCMPzDNclqLn8fjiXgQG59hHJ0/zbpoEX4hw5+kUXyolnVX+T/by5t0aTvSwu24xB3VIG87/IUrcBJg/lSqrXkwtnoCkQdAXdZmC84zoeSHEoEhbAHjqWEFsIr/90wKWtUhAo7NZhhT8jcrZhbT53k7pBXbrzIZMzl/Pgys3mhDPMNBRnHalBgwQmO4olAQRGoT38i/5pB+IC6Ctjj6sCn8nzX7qR0Zp2Hg/0l3oAcL5DJ9/c+hIJJMoweitZcyJMWB8gAKTR29JkzHrCd+AMX2fKyovLG4KY50MLmBZmfQT2x7n5LH3aokzMGUpY6D5LoEINND9F8/g3+Dsg9qS2FoxSORwU7bHMoUw0Su9CunqdlPH6xG5pm19ADLYyjg8/FAdpAgjBhodyyVguylZEOUVNe2TPI8W5j+DYJai5HpAqu7WwPmyJ26oEHf/dMQUv1JtoevzAbTxuWc/2U9gUIir7MIq3nAGDV5OZDALlhwragZnta24rICL7zrVGRxrB5iuuk+briL0SsNSVB1xapjwOIOnlOldk28SwgKLMvzaY8Yb0tj6HZd2s4/IA3wJ4a4bCvd8MFUZDmccGV2MgI0uqWPagK/lDaLst18JMgXgOpbUcvzs34gnNyGNDVe83xLPnmllNxXGobvfrdTKuuhH1TYE8YLYsJxBUktcx7Tv4jGrkHx4XTcaBqyF6jYDN05yUU/nq6kpRRkFcijxu5XGGrmsirUqOBV0JZU6M2Xqo45N5E0ZQLAgWTkL6tcAE0MIgHQqTfXRawfjq5ciHZxYvUcTQn+GZPMxA/cwZgE3TL6RXPbWnYzgbFj0+ZrDQQbWQA==
X-Microsoft-Exchange-Diagnostics: 1; VI1PR0701MB3008; 6:5VlZxhpzOcyhlo08KExBry44f0r/6fTpY1HFqvsXOoRrbnAb9KYQFNblOVXfMOSDVEwtTde3DG5TTm1upz2dO8K1HeaDTGthB7UMw/9ex7m7s6PqU3doqHxmx9OfGPPp9JRvG7A29oqRXNY28RVXaMzNKenPs11sOh52PtvTJXzo86Gj0k+BOywySblXrcqFApk8em9MEyUSB48fQ7yy9HaAUHpd4o2GWfemYvGJgUiHDZBBwGYDdLO1CndJpiHh6oF+2M6SD0k78VbowJjvWvMG+5faPNh1BiebZfL0QxqeVYE9YhVAxhI76jQun4gP6k2MLm+xZrZyp+TILeINGQ==; 5:svHLWe0Zv4VXan5/irG0dwflJ3JXi2P3KAzX2eqJzKVjV+U7H5KYN0BI4gAlMFJvsN0pqzWxGspl6IRKbaeHF+nXzysv3hiKC/1KFOekzsjoboNl+tubT6itKU4MMVy4wCWjZm+2ajZzKoMqgk8vFQ==; 24:2IJcSEwi7yIrIemkSh/vRsmdamaJ3M9eb3tdRV3oR19/n0pjJFs+vqKJsM4Tj/sxBi4Mo/PLFplUU2mUzjwgvh6iJbvezJnxwMVpX55Wp2E=; 7:dmC7k2DZ8eNWRB4WuHj9Ciy7dkW07y9BQ3xPP1QixeHvrbZhb9opr4tgytwodhulpMOGbWWlzLcT7K4bwt9sQLz0fLfZboIjGU1gvvzQaDTySeaNhIHC9CPNtbEYPcuuQdNwKhRmnmvPgeFc2Jwz/Z3nO6OGuguZOs1KJ/jxqi7xFxdu1BJS59Zm+7+zUCQcUpIlGQZ2QuM1hm/mvU5P3GHCBpOwW1UPFAcbUmTJNM0=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 01 Aug 2017 10:15:17.0485 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB3008
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/Q4RdwTAhIWfE0jMGpycD7pgBCV4>
Subject: Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 10:15:25 -0000
Kent Changing the subject because my tack is slightly different. I cannot reconcile this I-D with my (mis?)understanding of cryptography. Stepping back, I see two types of keys, symmetric where one key is used for encryption and decryption, and asymmetric, where there are two keys, public and private, mathematically related but impossible to derive one from the other, one used to encrypt, the other to decrypt. I see this I-D as solely concerned with asymmetric keys. Public and private key pairs must be generated together, after which the private key must stay secret else you have no security. Public keys by contrast are public for all to know. The challenge is authenticating that the public key really is the public key of who you think it is. Most public keys arrive by certificates which then allow you to follow a chain thereof to a hopefully trustworthy trust anchor. SSH, and some other protocols, are different in distributing naked public keys and relying on some other means of authenticating them (e.g. Trust on First Use). So when you say "AFAICT, the system should be able to generate its host-key from the private-key itself. " that is at odds with my understanding and would lead to an absence of security. When the I-D says, "that might be used to hold onto private keys and certificates " I struggle to see the point. Indeed, the module contains public keys as well as "leaf public-key { config false; mandatory true;" so you are really storing public/private key pairs (which may be generated on the box). The I-D also says "Certificates associated with this private key." which defeats me. A certificate or chain thereof gives me a public key, never a private one, and the means to authenticate the public key. A public key may or may not have a certificate or chain thereof. A TLS client would likely have both but will rarely have a private key. A server of any protocol (except SSH and such like) will have a public/private key pair and a certificate (and likely a chain thereof) to send to any enquiring client along with the public key. An SSH server would have a public/private key pair but likely no certificates. So, I cannot reconcile my understanding with the I-D. Tom Petch ----- Original Message ----- From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de> To: "Kent Watsen" <kwatsen@juniper.net> Cc: <draft-ietf-netconf-keystore.all@ietf.org>; <yang-doctors@ietf.org>; <netconf@ietf.org> Sent: Friday, July 28, 2017 6:09 PM > On Fri, Jul 28, 2017 at 05:00:06PM +0000, Kent Watsen wrote: > > > > > > >> >> >> - I am not sure I understand trusted-host-keys. On systems that have > > >> >> >> multiple user accounts, you usually have a per account list of > > >> >> >> trusted host keys in addition to a global system wide list. Perhaps > > >> >> >> make it clear that this models the global known hosts list only? > > >> >> >> > > >> >> >> <KENT> it's a list of lists, so there can be many different > > >> >> >> sets a host-keys defined, with each application/use pointing > > >> >> >> to its own entry. The ietf-ssh-client module's grouping has > > >> >> >> a leafref to a specific entry. FWIW, this grouping is > > >> >> >> used by ietf-netconf-client module. At the moment, there > > >> >> >> no other uses of this grouping. I think that you may be > > >> >> >> getting confused between the key the server presents (the > > >> >> >> host-key) versus the key user presents. > > >> >> >> . > > >> >> > > > >> >> > I though these are the authorized host keys? Yes, I am confused. If > > >> >> > these are user public keys, they should not be called host keys. But > > >> >> > yes, I am confused (but I started to read the other documents). > > >> >> > > >> >> This leaf encodes an SSH public key (RFC4253, 6.6), same as used in > > >> >> /ietf-system/system/user/authorized-key/key-data (and I have changed > > >> >> this leaf's type to match it in my local copy already), but the uses > > >> >> are different. In ietf-system, the authorized-key is configured on > > >> >> a server in order to authenticate subsequent SSH-client connections. > > >> >> Here, we're taking about the key that that SSH-server presents to > > >> >> the client. These are the host keys that OpenSSL often puts into the > > >> >> ~/.ssh/known-hosts file. > > >> > > > >> > I understand what you are modeling is /etc/ssh/ssh_host_rsa_key.pub > > >> > and friends. Make sure it is described clearly. Or do you actually > > >> > mean the clients cache of authenticated keys that goes into an > > >> > account's known-hosts file? In this case, the keystore may be the > > >> > wrong place. > > >> > > >> /keystore/trusted-host-keys/trusted-host-key is in fact like the > > >> known-hosts file. That is, these are the host-keys that a client has > > >> "pinned" or "trusted". The ietf-ssh-client has a leafref to one of > > >> these entries. We could rename "trusted-host-key[s]" to > > >> "pinned-host-key[s]" if that helps. Ditto for trusted-certificate[s]) > > >> > > >> By contrast, /keystore/keys/key/name is referenced by ietf-ssh-server > > >> to identify the host-key(s) the SSH server presents to SSH clients. > > >> This is analogous to /etc/ssh/ssh_host_rsa_key.pub and friends. This > > >> node isn't called e.g. /keystore/keys/key/ssh-host-key because, AFAICT, > > >> the system should be able to generate its host-key from the private-key > > >> itself. Thus, referencing the name is equivalent. If there were a > > >> /keystore/keys/key/ssh-host-key node, it would be a gratuitous config > > >> false value that somehow encoded the host-key in a more SSH friendly > > >> format. But, it may have a subtler value in that, I think that your > > >> confusion may be because it was NOT there and so, in its absence, > > >> you may have thought that the "trusted-host-keys" must serve that > > >> function. Thoughts? > > >> > > >> BTW, "host key" has a specific meaning, defined in RFC4251#4.1, not to > > >> be confused with authorized keys. > > > > > > I do not really follow you. I think I do understand what a host key > > > (pair) is and that it is different from a users key (pair). > > > > Fine, but this is SSH architecture thing, not something specific to > > the draft - right? > > ??? > > > > Yes, I did > > > not understand from reading the ID that the private SSH host key is to > > > be found in /keystore/keys/key/name (likely because of all the > > > certificate stuff around it that I have never seen used with SSH host > > > keys). > > > > Okay, then do you like having a /keystore/keys/key/ssh-host-key node? > > I guess what I am looking for is a more radical split between X.509 > stuff and SSH key stuff, the most radical split would be a module for > X.509 keys and certs and another module for SSH host keys. Or > alternatively, if there is really a strong reason to have all these > different keys in one list, then define the list such that > augmentations add X.509 stuff and SSH key stuff. I am not a fan of > lists where the usage of leafs for different purposes is not clear. > > > > I guess I am not a big fan of bundling the way X.509 keys and certs > > > work together with how SSH keys work (because I am not used to this > > > and the systems I tend to use do not do this either). Anyway, if this > > > is the direction to go, I think this needs explanatory text somewhere. > > > > So then perhaps factoring out the x.509 and ssh stuff out into augmenting > > modules? > > I am not sure how much is left, other than a list with a key name leaf > and whether it is worth to have this common structure (and whether any > uniqueness constraints resulting from that are a benefit or not). > > > > > >> >> >> - Should the document title be aligned with other YANG module > > >> >> >> definitions, so it is easier to spot it? > > >> >> >> > > >> >> >> <KENT> I don't understand, what do you mean? > > >> >> > > > >> >> > We often use "[A] YANG Data Model for ....". > > >> >> > > > >> >> > https://en.wikipedia.org/wiki/YANG#Usage_in_Standards > > >> >> > > > >> >> > The current name does not say YANG (sometimes I search for YANG > > >> >> > in the RFC index) and Keystore is also pretty broad given the > > >> >> > related work we have. > > >> >> > > >> >> Gotcha, how about "YANG Data Model for Keystores"? > > >> > > > >> > Yes, except that 'keystores' leaves readers unclear about the scope. I > > >> > commented several times that the names of this module and the other > > >> > module for symmetric keys are unfortunate. Concerning the SSH keys, I > > >> > am still concerned that we would be better off to have a separate SSH > > >> > module that takes care about managing an SSH server's host keys and > > >> > then this module would be X509 certificate specific, i.e., a 'YANG > > >> > Data Model for Managing X.509 Keys and Certificates' would be a clear > > >> > and well defined scope. > > >> > > >> From a refactoring perspective, we could have a base module and then > > >> two augmenting modules, one for SSH and the other for X.509. I would > > >> think to define all three modules in the same draft, but that wouldn't > > >> help your draft-name issue. We could put each module into own draft > > >> (e.g. +2 drafts), but is it worth it for renaming sake? Maybe an even > > >> longer title? "YANG Data Model for Managing Asymmetric Private Keys, > > >> X.509 Certificates, and SSH Host Keys'? Naming aside, what do you > > >> think about the module-factoring idea? > > > > > > Perhaps it is simpler to have one data model to manage X.509 keys and > > > certs and another data model to manage SSH keys. I do not know how > > > much commonality there is. At the end, I also do not mind if > > > everything is lumped together as long as it is clear how to implement > > > things and key formats etc match with what implementations typically > > > do. > > > > Two modules, something like ietf-ssh-keystore and ietf-x509-keystore? > > Of course, there would overlap between them (e.g., both modules would > > have the /keys/key hierarchy, the ietf-ssh-client/server modules might > > need to import both keystores, since SSH can use X.509 certs too (per > > RFC6187). I don't know, this doesn't seem right. For instance, what > > is a server to do if it generates a private key that has not yet been > > associated with an X.509 cert or SSH host key, is the private key to > > appear in both keystores? > > Is this how systems work? My command line tools either create X.509 > keys or SSH keys. > > > >> >> >> - Since the certs of a key do not contain a signature, where are signed > > >> >> >> certificates stored or are they outside the scope of the model? > > >> >> >> > > >> >> >> <KENT> I'm confused, certificates are signed structures already... > > >> >> > > > >> >> > Well, the description of certificates/certificate/value says: > > >> >> > > > >> >> > An unsigned PKCS #7 SignedData structure, as specified > > >> >> > by Section 9.1 in RFC 2315, containing just certificates > > >> >> > (no content, signatures, or CRLs), encoded using ASN.1 > > >> >> > distinguished encoding rules (DER), as specified in > > >> >> > ITU-T X.690. > > >> >> > > > >> >> > Yes, I am confused how this works. > > >> >> > > >> >> Okay, now I understand your confusion. I believe the text is > > >> >> accurate. Think of the PKCS#7 structure being a little like a > > >> >> TAR file that contains a directory structure like this: > > >> >> > > >> >> pkcs7: > > >> >> /signed-info > > >> >> /signature - this sig is only over 'signed-info' ... > > >> >> /extra-certificates > > >> >> /extra-revocation-objects > > >> >> > > >> >> So, in this case, we're using a degenerate form of the pkcs7 > > >> >> structure that has no content (signed-info), signature, or CRLs > > >> >> (revocation-objects), it only contains the certificates. Perhaps > > >> >> my use of the word "unsigned" isn't clear enough? > > >> > > > >> > So why pkcs7, is this what implementations use? The certificates > > >> > > >> Why pkcs7 is because each certificate may have an associated chain > > >> of certificates leading to a trust-anchor CA certificate. For instance, > > >> a vendor might have a CA called "foo-root" that signs an intermediate > > >> CA called "foo-intermediate" that signs the "foo-entity" certificates. > > >> So, a given foo-entity certificate (a single X.509 structure) is > > >> commonly presented along with its chain of CA certs (more X.509 > > >> structures), in this case, the "foo-intermediate" and "foo-root" CA > > >> certs. The pkcs7 structure is commonly used for this purpose in the > > >> PKI world. Yes, it could be just a TAR file having a flat list of > > >> certs, but then we'd have to define that structure, whereas its > > >> already defined in pkcs7. > > >> > > >> > I find in /etc/ssl/certs on my Debian system seem to be in PEM format. > > >> > > >> PEM and DER are interchangeable formats. PEM is essentially the base64 > > >> encoding of the DER surrounded by the "===== BEGIN/END CERTIFICATE > > >> =====" header/footer. > > >> > > > > > > DER encoded certificate or pkcs7? I thought PEM is just a base64 > > > encoded version of the DER encoded certificate, no pkcs7 involved. > > > > Both PKCS7 and X.509 or ASN.1-encoded structures, and all ASN.1 structures > > can be encoded using PEM, DER, or even BER. Your debian system's "certs" > > directory undoubtedly only contains root certs, hence there is no cert-chain > > to staple to them, and hence a single X.509 structure (either PEM or a DER) > > is perfect. As soon as you step into needing more than one cert, then > > either PKCS7 or PKCS12 (both of which could be PEM or DER encoded), or a > > very special multi-part PEM (one that contains more than one of the "=====" > > BEGIN/END blocks) could be used. BTW, all this was discussed a while back > > related to https://github.com/netconf-wg/keystore/issues/1. What's written > > in the GitHub issue tracker should be ignored, search instead the list-archive > > on issue #1... > > > > What matters is that the I-D is clear and captures the important > reasons etc. You can't expect implementors to read github issues > or mailing list archives. Sorry for my ignorance. > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> > > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf
- [yang-doctors] Yangdoctors last call review of dr… Jürgen Schönwälder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Mehmet Ersue
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Kent Watsen
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen