Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 03 August 2017 06:38 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: yang-doctors@ietfa.amsl.com
Delivered-To: yang-doctors@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0ABB132294; Wed, 2 Aug 2017 23:38:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iz5IqnfYvV_m; Wed, 2 Aug 2017 23:38:02 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0710A132297; Wed, 2 Aug 2017 23:38:02 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id D3618375; Thu, 3 Aug 2017 08:38:00 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id jGt2kgtbcBfY; Thu, 3 Aug 2017 08:37:58 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Thu, 3 Aug 2017 08:38:00 +0200 (CEST)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id AEA0C200BC; Thu, 3 Aug 2017 08:38:00 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id B0TnYDIqIaIe; Thu, 3 Aug 2017 08:37:59 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id D82E1200BA; Thu, 3 Aug 2017 08:37:59 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id C214D40079FA; Thu, 3 Aug 2017 08:37:59 +0200 (CEST)
Date: Thu, 03 Aug 2017 08:37:59 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20170803063759.GC35265@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kwatsen@juniper.net>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
References: <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net> <20170728073923.GA28870@elstar.local> <701F31A6-9941-4DE4-AE7E-00E859F103F8@juniper.net> <20170728154008.GA29865@elstar.local> <53886D3E-8A0C-4664-A7BD-1E708A80EE9D@juniper.net> <20170728170930.GA30054@elstar.local> <7079A8FA-A8C6-4677-9DBA-2A00637AD023@juniper.net> <20170731190640.GC32546@elstar.local> <DEE37B41-0EB4-43E3-8C48-34057BEB4AF6@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <DEE37B41-0EB4-43E3-8C48-34057BEB4AF6@juniper.net>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/SdwCIQpNDqVw8BrEBFVJk2WTj4Q>
Subject: Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02
X-BeenThere: yang-doctors@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email list of the yang-doctors directorate <yang-doctors.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/yang-doctors/>
List-Post: <mailto:yang-doctors@ietf.org>
List-Help: <mailto:yang-doctors-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/yang-doctors>, <mailto:yang-doctors-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Aug 2017 06:38:05 -0000
On Wed, Aug 02, 2017 at 11:47:42PM +0000, Kent Watsen wrote: > > Hi Juergen, > > > <snip/> > > Yes, the host-key resides on the server, the public part of the host > > key may be stored on a client in a known-hosts file so that client can > > check whether it talks to the right server. So far so good. > > > > It seems /keystore/trusted-host-keys/trusted-host-key represents > > /etc/ssh/ssh_known_hosts (i.e. a _global_ known hosts list) and there > > is no way to learn the public known host key from a server via the > > YANG module. Can I request creation of a hew host key? There is > > generate-private-key but that seems to be more tied to X.509 stuff. > > The 'generate-private-key' action is no way meant to be just for X.509 > stuff. But I acknowledge that there might be a semantic-gap here. > For instance, if one wants to ask an SSH server to generate a new > host-key, one expects an API called something like 'generate-host-key' > (inside an SSH namespace, or as an action to the server instance), > rather than first generating the 'key' and then separately saying that > it's the host-key. I think that this could be caulked up to saying > that there is a base API layer and then, separately, higher level > layers that use it, but it's worth the discussion if it makes sense > at all... Sound complex and unclear to me. > > Note that this does not model ~/.ssh/known-hosts since the list is not > > on a per user account base. It would actually be the equivalence of a > > global /etc/ssh/ssh_known_hosts file. > > Not exactly. As it is undetermined who, or which models, point to the > keystore host-key lists. In some data models, it might be global and, > in others, user specific. OK, but very different from how implementations work (they tend to store account specific known host keys in account specific places). > >> <snip/> > >> No, your system most likely does not use a keystore mechanism. For > >> instance, OpenSSL's `ssh-keygen` utility just writes to a local file. > >> We're doing something a little different here, which is a cause for > >> careful review (thanks again). Taking a step back, one of the drivers > >> for this keystore mechanism is to centralize the /trusted-host-keys > >> and /trusted-certificates, as these lists are referenced from many > >> locations. Less important to centralize are the private keys, as > >> the keys (always?) have a single use. The only reason for centralizing > >> the private keys is to give keys created via the generate-private-key > >> action a place to be listed before they are used for some purpose... > > > > The question is whether there is value to centralize beyond the > > differnet key systems. Is there really added value to try to treat SSH > > keys and X.509 in the same list infrastructure or are they at the end > > just different things? What about other keys, i.e., for signing DNS > > zones or RPKI keys? Is it useful to try to put all of these keys that > > serve different purposes into a common structure? The open source > > people maintaining software packages seem to keep things separate. Is > > Junos having such a centralized asymmetric keystore? How about IOS XR? > > Others? If not, why would a standard do this? > > JUNOS is not having a centralized keystore. I can't speak for IOS or > others, but I guess not. This model is suggesting a *conceptual* > keystore. As the keystore draft says: > > It is not required that a system has an operating system level > keystore utility to implement this module. > > But to your higher-lever question, is there value to treating such > various keys similarly, all I can say is that all such private keys > should be protected and, as such, the nacm:default-deny-all property > given here is apropos. > It is easy to specify nacm:default-deny-all on multiple branches. I am concerned about trying to create a unified asymmetric keystore that nobody really has experience with and that maintenance of it may become a real problem given that this would involve collaboration and coordination between multiple WGs in the IETF (ideally this work should be done by security WGs). /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [yang-doctors] Yangdoctors last call review of dr… Jürgen Schönwälder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Mehmet Ersue
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Kent Watsen
- Re: [yang-doctors] [Netconf] Yangdoctors last cal… Per Hedeland
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Kent Watsen
- Re: [yang-doctors] Yangdoctors last call review o… Juergen Schoenwaelder
- Re: [yang-doctors] [Netconf] last call review of … t.petch
- Re: [yang-doctors] [Netconf] last call review of … Kent Watsen