Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02

Kent Watsen <kwatsen@juniper.net> Fri, 11 August 2017 23:19 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] last call review of draft-ietf-netconf-keystore-02
Thread-Index: AQHTCq8XkNqYUxlm6UGsbvnPncWRP6JvjmEAgAFOJnyAAHoOgIACygFtgAt3loA=
Date: Fri, 11 Aug 2017 23:19:38 +0000
Message-ID: <285887CC-3466-4FE9-BCC2-27EA13647C44@juniper.net>
References: <150028100874.32703.14161403810529927281@ietfa.amsl.com> <B1AC6895-5681-48F8-B7E7-418118120B4E@juniper.net> <20170720165942.GB21506@elstar.local> <F5E9973C-FCCD-4A96-B0D3-8C735CE911D3@juniper.net> <20170728073923.GA28870@elstar.local> <701F31A6-9941-4DE4-AE7E-00E859F103F8@juniper.net> <20170728154008.GA29865@elstar.local> <53886D3E-8A0C-4664-A7BD-1E708A80EE9D@juniper.net> <20170728170930.GA30054@elstar.local> <04f301d30aae$7482e900$4001a8c0@gateway.2wire.net> <7C4C9B41-7343-4FCD-AB0F-0131F64B45BF@juniper.net> <07d301d30b78$50b9a0c0$4001a8c0@gateway.2wire.net> <FE5D497F-2B78-4CFE-8517-6924C04FAD12@juniper.net> <042d01d30d1a$56e2eee0$4001a8c0@gateway.2wire.net>
In-Reply-To: <042d01d30d1a$56e2eee0$4001a8c0@gateway.2wire.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/XwBMNjFF8BoCvYIzk4zNn2VRcK4>
Subject: Re: [yang-doctors] [Netconf] last call review of draft-ietf-netconf-keystore-02

Hi Tom,


> My model is that there are different ways of arriving at a public key but that
> once you have, then the cryptography is the same, with a choice of
> algorithms.

A good first-approximation :)


> If you are an SSH client, then likely you have a stash of public host
> keys associated with one or more SSH servers, and, apart from
> algorithms, no more.
>
>
> If you are a TLS client, then likely you are using X.509 and will have a
> pre-configured trust anchor, in the shape of a public key or a
> certificate (which may or may not be root).

The clients also need their own private keys (which may be a password for
SSH) and associated public-key/certificate.


> If you are an SSH server, then likely you will have a stash of
> private/public key pairs, perhaps with constraints on their usage, and
> the ability to generate further private/public key pairs.
>
> If you are a TLS server, then you will have one or more X.509
> certificates with your public keys, a chain of X.509 certificates back
> to an anchor that the client will trust, the corresponding private keys
> and perhaps the ability to generate an X.509 certificate with a
> public/private key pair; this may or may not chain back to a trusted
> root.

The servers also need information for how to authenticate the clients
(hashed password, pinned public-key or cert, pinned trust-anchor, etc.)
and how to map them to application-level usernames (e.g., via cert-maps).


> There are other TLS options but I think that their usage is limited, but
> in the context of network management, one or more could be significant
> although I don't have a specific example in mind (I like PAKE but do
> not see it in use).
>
> So the only part in common is what you do once you have the public key,
> which is not much.

I'm unsure what change you're looking for with this comment.


Thanks,
Kent
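The server-side client-authentication data that Kent lists above (a hashed password, a pinned public key or certificate, and a cert-map that turns an authenticated certificate into an application-level username), sketched as an added Python example. This is not code from the draft or from either participant: the `ClientAuthStore` class, its method names, and the key and certificate byte strings are constructed here for illustration, with SHA-256 fingerprints standing in for whatever identifier a real keystore would pin.

```python
"""Server-side client-authentication store (added example, not from the draft).

Three kinds of client-authentication data are modelled, matching the thread:
  - hashed password     -> verified with salted PBKDF2 and a constant-time compare
  - pinned public key   -> SSH-style: fingerprint of the client's key maps to a user
  - cert-map            -> TLS-style: fingerprint of the client's cert maps to a user
All key and certificate bytes below are constructed stand-ins, not real material.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 200_000
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as wrong passwords

# Constructed stand-ins for a raw SSH public-key blob and a DER-encoded certificate.
CLIENT_KEY_BLOB = b"ssh-ed25519 CONSTRUCTED-EXAMPLE-KEY-BLOB-NOT-A-REAL-KEY"
CLIENT_CERT_DER = b"CONSTRUCTED-DER-BYTES-STANDING-IN-FOR-A-CLIENT-CERT"


def fingerprint(blob: bytes) -> str:
    """Hex SHA-256 fingerprint of a raw public-key or certificate blob."""
    return hashlib.sha256(blob).hexdigest()


@dataclass
class ClientAuthStore:
    # username -> (salt, pbkdf2 digest): the hashed-password option
    passwords: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    # key fingerprint -> username: the pinned public-key option
    pinned_keys: Dict[str, str] = field(default_factory=dict)
    # cert fingerprint -> username: the cert-map option
    cert_map: Dict[str, str] = field(default_factory=dict)

    # --- hashed passwords -------------------------------------------------
    def add_password(self, user: str, password: str) -> None:
        """Store only a salted PBKDF2 digest, never the password itself."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.passwords[user] = (salt, digest)

    def check_password(self, user: str, password: str) -> bool:
        """Verify a password; unknown users still pay the hashing cost."""
        entry = self.passwords.get(user)
        if entry is None:
            hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ROUNDS)
            return False
        salt, expected = entry
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, expected)

    # --- pinned public keys (SSH-style) ------------------------------------
    def pin_public_key(self, user: str, key_blob: bytes) -> None:
        """Pin a client's public key by fingerprint and bind it to a username."""
        self.pinned_keys[fingerprint(key_blob)] = user

    def user_for_public_key(self, key_blob: bytes) -> Optional[str]:
        """Return the bound username if this exact key is pinned, else None."""
        return self.pinned_keys.get(fingerprint(key_blob))

    # --- cert-map (TLS-style) ---------------------------------------------
    def map_certificate(self, user: str, cert_der: bytes) -> None:
        """Cert-map entry: an already-authenticated cert maps to a username."""
        self.cert_map[fingerprint(cert_der)] = user

    def user_for_certificate(self, cert_der: bytes) -> Optional[str]:
        """Look up the application-level username for a presented certificate."""
        return self.cert_map.get(fingerprint(cert_der))


def demo() -> Dict[str, object]:
    """Populate a store with the constructed data and exercise each option."""
    store = ClientAuthStore()
    store.add_password("alice", "correct horse battery staple")
    store.pin_public_key("bob", CLIENT_KEY_BLOB)
    store.map_certificate("carol", CLIENT_CERT_DER)
    return {
        "alice_ok": store.check_password("alice", "correct horse battery staple"),
        "alice_bad": store.check_password("alice", "wrong"),
        "unknown_user": store.check_password("mallory", "anything"),
        "bob_key": store.user_for_public_key(CLIENT_KEY_BLOB),
        "unpinned_key": store.user_for_public_key(b"some other key blob"),
        "carol_cert": store.user_for_certificate(CLIENT_CERT_DER),
        "unmapped_cert": store.user_for_certificate(b"some other cert"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the cert-map lookup assumes the certificate has already been validated against the server's pinned trust anchor; the map only answers "which username does this authenticated identity get", which is the separation the thread draws between authenticating a client and naming it.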