Hi all,
Does anyone see any reasons why RFC7952 annotations couldn't/shouldn't be used
to identify the encryption/hashing format of an encrypted/hashed leaf?
There are a number of approaches out there for encrypted/hashed leaves (e.g.
RFC7317 crypt-hash, which encodes the hash function by prepending $x$ to the
password, using multiple leaves for the value/algorithm, etc.).
These are leaves that can typically be written in cleartext or encrypted/hashed
format, but return only an encrypted/hashed format when retrieved from a device.
I think an RFC7952 annotation could also be used as an approach to this problem.
Annotation definition:
    module example-hash-annotations {
      yang-version 1.1;
      namespace "urn:example:hash-annotations";  // placeholder namespace
      prefix exh;
      import ietf-yang-metadata { prefix md; }    // RFC 7952

      md:annotation hash-format {
        type enumeration {
          enum md5;
          enum sha-256;
          // ...
        }
      }
    }
An 'auth-key' leaf that is hashed:
    <!-- the attribute is qualified by the (placeholder) namespace of the module defining the annotation -->
    <auth-key xmlns:exh="urn:example:hash-annotations" exh:hash-format="sha-256">
      QsdsEWfjKAowjjhQHHslJSHHll
    </auth-key>
Regards,
Jason
Note - I don't believe this statement in section 9 would point anyone away from
using annotations for encryption/hashing information (since the encrypted leaves
are data nodes): "It is RECOMMENDED that security-sensitive or
privacy-sensitive data be modeled as regular YANG data nodes rather than
annotations."
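As an added illustration of the write-cleartext/read-hashed behaviour described above (not code from this thread or from any RFC), the sketch below carries the hash-format annotation as a namespace-qualified XML attribute per RFC 7952. The module namespace urn:example:hash-annotations, the prefix exh, the enum set and the hex-digest encoding are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Placeholder namespace for the hypothetical YANG module that defines the
# 'hash-format' annotation. RFC 7952 encodes an annotation in XML as an
# attribute qualified by the namespace of the module that defines it.
ANNOT_NS = "urn:example:hash-annotations"
HASH_FORMAT_ATTR = "{%s}hash-format" % ANNOT_NS
ET.register_namespace("exh", ANNOT_NS)

# Assumed enum values of the annotation, mapped to the hash constructor used
# when a cleartext value is written (values are stored as hex digests here).
HASH_FORMATS = {"md5": hashlib.md5, "sha-256": hashlib.sha256}
DEFAULT_FORMAT = "sha-256"


def is_valid_digest(fmt: str, value: str) -> bool:
    """Check that 'value' is a plausible hex digest for the annotated format."""
    if fmt not in HASH_FORMATS:
        return False
    expected_len = HASH_FORMATS[fmt]().digest_size * 2
    return len(value) == expected_len and all(c in "0123456789abcdef" for c in value)


def store_auth_key(xml_text: str) -> tuple:
    """Write side: accept cleartext (no annotation) or an already hashed value."""
    elem = ET.fromstring(xml_text)
    value = (elem.text or "").strip()
    fmt = elem.get(HASH_FORMAT_ATTR)
    if fmt is None:
        # Cleartext written by the client: hash it before it is stored.
        return DEFAULT_FORMAT, HASH_FORMATS[DEFAULT_FORMAT](value.encode()).hexdigest()
    # Pre-hashed value: the annotation says which format it claims to be in.
    if not is_valid_digest(fmt, value):
        raise ValueError("value does not match annotated hash-format %r" % fmt)
    return fmt, value


def render_auth_key(fmt: str, digest: str) -> str:
    """Read side: return only the hashed value, tagged with its format."""
    elem = ET.Element("auth-key", {HASH_FORMAT_ATTR: fmt})
    elem.text = digest
    return ET.tostring(elem, encoding="unicode")


if __name__ == "__main__":
    # Constructed input: a client writes the key in cleartext.
    fmt, digest = store_auth_key("<auth-key>example-secret</auth-key>")
    print(render_auth_key(fmt, digest))
```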
_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod