Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02

Kent Watsen <kwatsen@juniper.net> Mon, 31 July 2017 20:18 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, "Gary Wu (garywu)" <garywu@cisco.com>
Thread-Topic: Yangdoctors last call review of draft-ietf-netconf-keystore-02
Date: Mon, 31 Jul 2017 20:18:46 +0000
Message-ID: <D0B0F292-8138-4856-AD72-AA5871505DC5@juniper.net>
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <20170720171829.GA21659@elstar.local> <7F1757E2-F21A-44A4-B6F4-57F69CE44642@juniper.net> <20170728052127.GA28770@elstar.local>
In-Reply-To: <20170728052127.GA28770@elstar.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/V9v0vfNSyyltNRp7bPHI9wzcyMA>

Removing ietf@ietf.org from CC.

Following up on this, I just realized that the SSH and TLS client-server drafts are also defining a number of algorithm identities, and these are more like the ones found in ietf-key-chain.  Now it seems that factoring these identities to another module is more prudent than ever.

Filed https://github.com/netconf-wg/keystore/issues/8 to track this item.

K.



On Thu, Jul 27, 2017 at 10:37:50PM +0000, Kent Watsen wrote:
> Hi Juergen,
> 
> > I looked a bit more and you define
> >
> >  identity key-algorithm {
> >    description
> >      "Base identity from which all key-algorithms are derived.";
> >  }
> >
> > plus a bunch of concrete algorithms. draft-ietf-rtgwg-yang-key-chain-24
> > defines
> >
> >    identity crypto-algorithm {
> >       description
> >         "Base identity of cryptographic algorithm options.";
> >     }
> >
> > and then a bunch of concrete algorithms (hashes and symmetric ones).
> > They also do not expect IANA to maintain things. I would love if
> > security area people would help us with getting this right, well
> > perhaps they jump in during secdir review.
> 
> 
> FWIW, the two sets of algorithm identities are disjoint.  The ones in
> the keystore draft are all public-key algorithms.  As for the key-chain
> draft, all but one of the identities are hmac algorithms, with the last
> one being for a key derivation function.
> 
> It would be best to address this in the WG, for visibility.  I think
> that it's possible to request an early secdir review, or maybe we can 
> ask about just this concern.  This is a chair-action. 
>

I am all for secdir review for this document. That said, perhaps it is OK
to have the identities as they are and to define a proper IANA
registry later. The price might be that some identities are defined
twice, but that would likely not be a significant implementation cost.
It's a trade-off between (i) moving fast and maybe having to adapt
later or (ii) trying to work everything out while doing the first
version and hence being slow.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
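The thread turns on how YANG identities behave when each draft defines its own base identity versus factoring them into one shared module. The following is an added example, not code from the thread or from any of the drafts: a small model of YANG identity derivation and identityref validation (RFC 7950, sections 7.18 and 9.10). It shows why identities defined separately in two modules are disjoint even when they share a local name (the "defined twice" cost Juergen mentions), and how a single factored module lets keystore, key-chain and an SSH module agree on one identity. All module prefixes, identity names and the specific algorithms (rsa2048, hmac-sha-256, the SSH module name) are illustrative assumptions, not copied from the drafts.

```python
"""
Model of how YANG identityref typing resolves identities (RFC 7950, sections
7.18 and 9.10): an identity is namespaced by the module that defines it and
may be derived from one or more base identities; an identityref leaf with
'base X' accepts only identities transitively derived from X.

Module and identity names below are illustrative, not taken from the drafts.
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple

Identity = Tuple[str, str]  # (module name, identity name)


class IdentityTable:
    """Registry of identities and their 'base' statements across modules."""

    def __init__(self) -> None:
        self._bases: Dict[Identity, FrozenSet[Identity]] = {}

    def define(self, module: str, name: str, *bases: Identity) -> Identity:
        ident = (module, name)
        if ident in self._bases:
            raise ValueError(f"{module}:{name} already defined")
        for base in bases:
            if base not in self._bases:
                raise ValueError(f"{module}:{name}: unknown base {base[0]}:{base[1]}")
        self._bases[ident] = frozenset(bases)
        return ident

    def derived_from(self, ident: Identity, base: Identity) -> bool:
        """RFC 7950 derived-from(): ident is transitively derived from base."""
        seen: Set[Identity] = set()
        stack = list(self._bases.get(ident, ()))
        while stack:
            cur = stack.pop()
            if cur == base:
                return True
            if cur not in seen:
                seen.add(cur)
                stack.extend(self._bases.get(cur, ()))
        return False

    def valid_identityref(self, value: Identity, bases: Iterable[Identity]) -> bool:
        """An identityref with one or more 'base' statements accepts a value
        only if it is derived from every listed base (RFC 7950, 9.10.2)."""
        return value in self._bases and all(self.derived_from(value, b) for b in bases)


def separate_modules() -> Dict[str, bool]:
    """Each draft keeps its own base identity (the layout discussed above)."""
    t = IdentityTable()
    ks_base = t.define("ietf-keystore", "key-algorithm")
    ks_rsa = t.define("ietf-keystore", "rsa2048", ks_base)           # illustrative
    kc_base = t.define("ietf-key-chain", "crypto-algorithm")
    kc_hmac = t.define("ietf-key-chain", "hmac-sha-256", kc_base)    # illustrative
    # A third module (hypothetical SSH common module) defining the same
    # algorithm again yields a distinct identity that a keystore leaf
    # typed 'base ks:key-algorithm' cannot hold.
    ssh_base = t.define("example-ssh-common", "public-key-algorithm")
    ssh_rsa = t.define("example-ssh-common", "rsa2048", ssh_base)
    return {
        "keystore_leaf_accepts_own_rsa": t.valid_identityref(ks_rsa, [ks_base]),
        "keystore_leaf_accepts_keychain_hmac": t.valid_identityref(kc_hmac, [ks_base]),
        "keystore_leaf_accepts_ssh_rsa": t.valid_identityref(ssh_rsa, [ks_base]),
        "same_local_name_is_same_identity": ks_rsa == ssh_rsa,
    }


def factored_module() -> Dict[str, bool]:
    """Algorithm identities factored into one shared module the others import."""
    t = IdentityTable()
    asym = t.define("example-crypto-algs", "asymmetric-key-algorithm")
    mac = t.define("example-crypto-algs", "mac-algorithm")
    rsa = t.define("example-crypto-algs", "rsa2048", asym)
    hmac = t.define("example-crypto-algs", "hmac-sha-256", mac)
    # keystore and SSH leaves both type their algorithm as
    # 'identityref { base ca:asymmetric-key-algorithm; }' and so agree;
    # a MAC identity is still rejected where a public-key algorithm is expected.
    return {
        "keystore_leaf_accepts_rsa": t.valid_identityref(rsa, [asym]),
        "ssh_leaf_accepts_rsa": t.valid_identityref(rsa, [asym]),
        "asym_leaf_rejects_hmac": not t.valid_identityref(hmac, [asym]),
        "keychain_leaf_accepts_hmac": t.valid_identityref(hmac, [mac]),
    }


if __name__ == "__main__":
    print(separate_modules())
    print(factored_module())
```

The point the model makes concrete: a YANG identity is a qualified name, so `ietf-keystore:rsa2048` and a second `rsa2048` defined under a different base in another module are unrelated values, and an implementation that receives one where the other is expected has to carry a mapping table. Factoring the base identities into one imported module removes that mapping, and the `derived_from` check is exactly what a server applies when validating an identityref leaf.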