On Mon, May 22, 2017 at 2:56 PM, Juergen Schoenwaelder < j.schoenwael...@jacobs-university.de> wrote:
> RFC 7952 says: > > 4. Annotations sent by a server should not break clients that don't > support them. > > If the client is expected to understand which hash function has been > used to generate a hash value, then I think the hash function should > be communicated as proper YANG data and not as metadata. > > Agreed. Also, the annotation extension cannot constrain the usage of the XML attribute. It is supposed to apply to any data node (clearly hash-function does not apply to every data node.) Since it is data-node specific, it is not metadata; just more data. > /js > Andy > > On Mon, May 22, 2017 at 05:16:36PM +0000, Sterne, Jason (Nokia - > CA/Ottawa) wrote: > > Hi all, > > > > Does anyone see any reasons why RFC7952 annotations couldn't/shouldn't > be used to identify the encryption/hashing format of an encrypted/hashed > leaf ? > > > > There are a number of approaches out there for encrypted/hashed leafs > (e.g. RFC7317 crypt-hash which encodes the hash function by prepending $x$ > to the password, using multiple leafs for the value/algorithm, etc). > > > > These are leafs that can be typically written in cleartext or > encrypted/hashed format, but return only an encrypted/hashed format when > retrieved from a device. > > > > I think RFC7952 annotation could also be used as an approach to this > problem. > > > > Annotation definition: > > > > md:annotation hash-format { > > type enumeration { > > enum md5l > > enum sha-256 > > ... > > } > > } > > > > An 'auth-key' leaf that is hashed: > > > > <auth-key hash-format="sha-256"> > > QsdsEWfjKAowjjhQHHslJSHHll > > </auth-key> > > > > > > Regards, > > Jason > > > > Note - I don't believe this statement in section 9 would point anyone > away from using annotations for encryption/hashing information (since the > encrypted leafs are data nodes): "It is RECOMMENDED that > security-sensitive or privacy-sensitive data be modeled as regular YANG > data nodes rather than annotations." > > > > > > > > > _______________________________________________ > > netmod mailing list > > netmod@ietf.org > > https://www.ietf.org/mailman/listinfo/netmod > > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/> > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod >
_______________________________________________ netmod mailing list netmod@ietf.org https://www.ietf.org/mailman/listinfo/netmod