Note that omitting the keystring data node from the operational state in ietf-key-chain is consistent with what the approach in the NETMOD ietf-keystore model.
Thanks, Acee From: Mahesh Jethanandani <[email protected]<mailto:[email protected]>> Date: Wednesday, November 30, 2016 at 9:36 PM To: Acee Lindem <[email protected]<mailto:[email protected]>> Cc: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re: [netmod] Key Strings in ietf-key-chain operational state On Nov 30, 2016, at 2:33 PM, Acee Lindem (acee) <[email protected]<mailto:[email protected]>> wrote: This is something we ran into with ietf-keystore model also. The thoughts are that key strings should never leave the device. If anything most devices have tamper proof capability (FIPS 140-2) to wipe the keys out if tampered with or exported. So exporting the string, encrypted, even with NACM would defy that. So, what we have today would with the key strings omitted from the operational state would be consistent with the direction for the ietf-keystore model. Correct? That is correct. Kent can correct me, but we are still trying to figure how to model it in YANG and in the datastores (<applied> and <operational-state>). How will this be enforced when we have an applied-config datastore? Thanks, Acee On Nov 30, 2016, at 1:37 PM, Acee Lindem (acee) <[email protected]<mailto:[email protected]>> wrote: In the days of MIBs, we used to omit key strings from the data that would be returned. This was ostensibly done for security purposes. We did the same for the operational state returned for keystring in key-chain-entries. I'm now thinking this was a mistake. Rather, it would seem that one could use RFC 6536 rules to accomplish this at a more granular level. Note that the model also support keystring encryption as described in RFC 5649. Thanks, Acee _______________________________________________ netmod mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/netmod Mahesh Jethanandani [email protected]<mailto:[email protected]> Mahesh Jethanandani [email protected]<mailto:[email protected]>
_______________________________________________ rtgwg mailing list [email protected] https://www.ietf.org/mailman/listinfo/rtgwg
