RFC 7952 says:

   4.  Annotations sent by a server should not break clients that don't
       support them.

If the client is expected to understand which hash function has been
used to generate a hash value, then I think the hash function should
be communicated as proper YANG data and not as metadata.

/js

On Mon, May 22, 2017 at 05:16:36PM +0000, Sterne, Jason (Nokia - CA/Ottawa) 
wrote:
> Hi all,
> 
> Does anyone see any reasons why RFC7952 annotations couldn't/shouldn't be 
> used to identify the encryption/hashing format of an encrypted/hashed leaf?
> 
> There are a number of approaches out there for encrypted/hashed leafs (e.g. 
> RFC7317 crypt-hash which encodes the hash function by prepending $x$ to the 
> password, using multiple leafs for the value/algorithm, etc).
> 
> These are leafs that can be typically written in cleartext or 
> encrypted/hashed format, but return only an encrypted/hashed format when 
> retrieved from a device.
> 
> I think RFC7952 annotation could also be used as an approach to this problem.
> 
> Annotation definition:
> 
>      md:annotation hash-format {
>        type enumeration {
>          enum md5;
>          enum sha-256;
>          ...
>        }
>      }
> 
> An 'auth-key' leaf that is hashed:
> 
>     <auth-key hash-format="sha-256">
>       QsdsEWfjKAowjjhQHHslJSHHll
>     </auth-key>
> 
> 
> Regards,
> Jason
> 
> Note - I don't believe this statement in section 9 would point anyone away 
> from using annotations for encryption/hashing information (since the 
> encrypted leafs are data nodes):  "It is RECOMMENDED that security-sensitive 
> or privacy-sensitive data be modeled as regular YANG data nodes rather than 
> annotations."


-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
netmod mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/netmod
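The point at issue in this exchange, as an added illustration that is not part of either message: RFC 7952 requires clients that do not support annotations to ignore them, so a hash function carried only as metadata is silently lost by such a client, whereas the same information modelled as a regular data node (or embedded in the value itself, as RFC 7317's crypt-hash does with its `$x$` prefix) survives. The module name `example-hash`, the JSON documents and the hash value are constructed for this example; the `@`-prefixed member is the RFC 7952 JSON encoding of leaf metadata.

```python
import json
import re

# Constructed: an 'auth-key' leaf with the hash algorithm carried as an
# RFC 7952 annotation. In JSON encoding, metadata for a leaf lives in a
# sibling member named "@<leaf-name>". Module name and value are invented.
JSON_WITH_ANNOTATION = """
{
  "example-hash:auth-key": "QsdsEWfjKAowjjhQHHslJSHHll",
  "@example-hash:auth-key": {"example-hash:hash-format": "sha-256"}
}
"""

# Constructed: the same information modelled as regular YANG data nodes
# (a container with a 'hash-format' leaf beside the 'value' leaf).
JSON_AS_DATA_NODES = """
{
  "example-hash:auth-key": {
    "hash-format": "sha-256",
    "value": "QsdsEWfjKAowjjhQHHslJSHHll"
  }
}
"""

LEAF = "example-hash:auth-key"


def annotations_of(obj, member):
    """Return the RFC 7952 metadata object attached to `member`, or {}."""
    return obj.get("@" + member, {})


def parse_unaware(doc):
    """Model an RFC 7952-unaware client: it reads data members and, as the
    RFC requires, ignores '@'-prefixed members instead of failing on them."""
    obj = json.loads(doc)
    return {k: v for k, v in obj.items() if not k.startswith("@")}


def hash_format_annotation_aware(doc, member=LEAF):
    """Client that understands annotations: reads the algorithm from metadata."""
    obj = json.loads(doc)
    return annotations_of(obj, member).get("example-hash:hash-format")


def hash_format_unaware(doc, member=LEAF):
    """Client that ignores annotations: the algorithm is recoverable only if it
    was modelled as a data node; otherwise the client cannot tell which hash
    produced the value and returns None."""
    leaf = parse_unaware(doc).get(member)
    if isinstance(leaf, dict):
        return leaf.get("hash-format")
    return None


# RFC 7317 crypt-hash: the algorithm is self-describing inside the value,
# so any client that can read the leaf can also identify the hash.
CRYPT_HASH_IDS = {"0": "cleartext", "1": "md5", "5": "sha-256", "6": "sha-512"}
CRYPT_HASH_RE = re.compile(r"^\$(?P<id>[0-9])\$(?P<rest>.*)$")


def crypt_hash_algorithm(value):
    """Return the algorithm named by a crypt-hash value's '$x$' prefix,
    or None if the value is not in crypt-hash form."""
    m = CRYPT_HASH_RE.match(value)
    if not m:
        return None
    return CRYPT_HASH_IDS.get(m.group("id"))


if __name__ == "__main__":
    print("aware, annotation:  ", hash_format_annotation_aware(JSON_WITH_ANNOTATION))
    print("unaware, annotation:", hash_format_unaware(JSON_WITH_ANNOTATION))
    print("unaware, data node: ", hash_format_unaware(JSON_AS_DATA_NODES))
    print("crypt-hash prefix:  ", crypt_hash_algorithm("$5$saltsalt$hashhash"))
```

The unaware client returns None for the annotated document but "sha-256" for the data-node document, which is the interoperability gap Juergen's reply describes: if the hash function is something every client must know to interpret the leaf, it belongs in the data tree, not in metadata that conforming clients are allowed to drop.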
