| rfc9641v4.txt | rfc9641.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
| Request for Comments: 9641 Watsen Networks | Request for Comments: 9641 Watsen Networks | |||
| Category: Standards Track September 2024 | Category: Standards Track October 2024 | |||
| ISSN: 2070-1721 | ISSN: 2070-1721 | |||
| A YANG Data Model for a Truststore | A YANG Data Model for a Truststore | |||
| Abstract | Abstract | |||
| This document presents a YANG module for configuring bags of | This document presents a YANG module for configuring bags of | |||
| certificates and bags of public keys that can be referenced by other | certificates and bags of public keys that can be referenced by other | |||
| data models for trust. Notifications are sent when certificates are | data models for trust. Notifications are sent when certificates are | |||
| about to expire. | about to expire. | |||
| skipping to change at line 174 ¶ | skipping to change at line 174 ¶ | |||
| 1.3. Adherence to the NMDA | 1.3. Adherence to the NMDA | |||
| This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
| Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | |||
| during manufacturing (e.g., for trusted, well-known services) are | during manufacturing (e.g., for trusted, well-known services) are | |||
| expected to appear in <operational> (see Section 3). | expected to appear in <operational> (see Section 3). | |||
| 1.4. Conventions | 1.4. Conventions | |||
| Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
| value for binary data that has been base64 encoded (see Section 4 of | value for binary data that has been base64 encoded (see Section 9.8 | |||
| [RFC4648]). This placeholder value is used because real | of [RFC7950]). This placeholder value is used because real | |||
| base64-encoded structures are often many lines long and hence | base64-encoded structures are often many lines long and hence | |||
| distracting to the example being presented. | distracting to the example being presented. | |||
| Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
| encoding. Other encodings, such as JSON [RFC8259], could | ||||
| alternatively be used. | ||||
| Various examples in this document contain long lines that may be | ||||
| folded, as described in [RFC8792]. | ||||
| This document uses the adjective "central" with the word "truststore" | This document uses the adjective "central" with the word "truststore" | |||
| to refer to the top-level instance of the "truststore-grouping" | to refer to the top-level instance of the "truststore-grouping" | |||
| grouping when the "central-truststore-supported" feature is enabled. | grouping when the "central-truststore-supported" feature is enabled. | |||
| Please be aware that consuming YANG modules MAY instantiate the | Please be aware that consuming YANG modules MAY instantiate the | |||
| "truststore-grouping" grouping in other locations. All such other | "truststore-grouping" grouping in other locations. All such other | |||
| instances are not the "central" instance. | instances are not the "central" instance. | |||
| 2. The "ietf-truststore" Module | 2. The "ietf-truststore" Module | |||
| This section defines a YANG 1.1 [RFC7950] module called "ietf- | This section defines a YANG 1.1 [RFC7950] module called "ietf- | |||
| skipping to change at line 510 ¶ | skipping to change at line 517 ¶ | |||
| +-- End entity certs for authenticating a set of remote servers | +-- End entity certs for authenticating a set of remote servers | |||
| +-- Trust anchor certs for authenticating a set of remote clients | +-- Trust anchor certs for authenticating a set of remote clients | |||
| +-- End entity certs for authenticating a set of remote clients | +-- End entity certs for authenticating a set of remote clients | |||
| Public Key Bags | Public Key Bags | |||
| +-- SSH keys to authenticate a set of remote SSH servers | +-- SSH keys to authenticate a set of remote SSH servers | |||
| +-- SSH keys to authenticate a set of remote SSH clients | +-- SSH keys to authenticate a set of remote SSH clients | |||
| +-- Raw public keys to authenticate a set of remote SSH servers | +-- Raw public keys to authenticate a set of remote SSH servers | |||
| +-- Raw public keys to authenticate a set of remote SSH clients | +-- Raw public keys to authenticate a set of remote SSH clients | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| Note that long lines in examples are wrapped as described in | ||||
| [RFC8792]. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <truststore | <truststore | |||
| xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <!-- A bag of Certificate Bags --> | <!-- A bag of Certificate Bags --> | |||
| <certificate-bags> | <certificate-bags> | |||
| <!-- Trust Anchor Certs for Authenticating Servers --> | <!-- Trust Anchor Certs for Authenticating Servers --> | |||
| skipping to change at line 693 ¶ | skipping to change at line 695 ¶ | |||
| </public-key-bag> | </public-key-bag> | |||
| </public-key-bags> | </public-key-bags> | |||
| </truststore> | </truststore> | |||
| 2.2.2. A Certificate Expiration Notification | 2.2.2. A Certificate Expiration Notification | |||
| The following example illustrates the "certificate-expiration" | The following example illustrates the "certificate-expiration" | |||
| notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | |||
| configured in the truststore described in Section 2.2.1. | configured in the truststore described in Section 2.2.1. | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <notification | <notification | |||
| xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | |||
| <eventTime>2018-05-25T00:01:00Z</eventTime> | <eventTime>2018-05-25T00:01:00Z</eventTime> | |||
| <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | |||
| <certificate-bags> | <certificate-bags> | |||
| <certificate-bag> | <certificate-bag> | |||
| <name>trusted-client-ee-certs</name> | <name>trusted-client-ee-certs</name> | |||
| <certificate> | <certificate> | |||
| skipping to change at line 788 ¶ | skipping to change at line 788 ¶ | |||
| ts:central-public-key-bag-ref | ts:central-public-key-bag-ref | |||
| The following example provides two equivalent instances of each | The following example provides two equivalent instances of each | |||
| grouping, the first being a reference to a truststore and the second | grouping, the first being a reference to a truststore and the second | |||
| being defined inline. The instance having a reference to a | being defined inline. The instance having a reference to a | |||
| truststore is consistent with the truststore defined in | truststore is consistent with the truststore defined in | |||
| Section 2.2.1. The two instances are equivalent, as the inlined | Section 2.2.1. The two instances are equivalent, as the inlined | |||
| instance example contains the same values defined by the truststore | instance example contains the same values defined by the truststore | |||
| instance referenced by its sibling example. | instance referenced by its sibling example. | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <truststore-usage | <truststore-usage | |||
| xmlns="https://example.com/ns/example-truststore-usage" | xmlns="https://example.com/ns/example-truststore-usage" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <!-- The following two equivalent examples illustrate --> | <!-- The following two equivalent examples illustrate --> | |||
| <!-- the "inline-or-truststore-certs-grouping" grouping: --> | <!-- the "inline-or-truststore-certs-grouping" grouping: --> | |||
| <cert> | <cert> | |||
| skipping to change at line 1328 ¶ | skipping to change at line 1326 ¶ | |||
| The primary characteristic of the built-in trust anchors is that they | The primary characteristic of the built-in trust anchors is that they | |||
| are provided by the server, as opposed to configuration. As such, | are provided by the server, as opposed to configuration. As such, | |||
| they are present in <operational> (Section 5.3 of [RFC8342]) and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
| <system> [NETMOD-SYSTEM-CONFIG], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
| The example below illustrates what the truststore in <operational> | The example below illustrates what the truststore in <operational> | |||
| might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
| the built-in trust anchor bags have the "or:origin" annotation value | the built-in trust anchor bags have the "or:origin" annotation value | |||
| "or:system". | "or:system". | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| <truststore | <truststore | |||
| xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
| xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
| or:origin="or:intended"> | or:origin="or:intended"> | |||
| <certificate-bags> | <certificate-bags> | |||
| <certificate-bag or:origin="or:system"> | <certificate-bag or:origin="or:system"> | |||
| <name>Built-In Manufacturer Trust Anchor Certificates</name> | <name>Built-In Manufacturer Trust Anchor Certificates</name> | |||
| <description> | <description> | |||
| skipping to change at line 1409 ¶ | skipping to change at line 1405 ¶ | |||
| CA or by context in which the truststore is used. Implementations | CA or by context in which the truststore is used. Implementations | |||
| are free to use alternative or auxiliary structures and validation | are free to use alternative or auxiliary structures and validation | |||
| rules to define constraints that limit the applicability of a trust | rules to define constraints that limit the applicability of a trust | |||
| anchor. | anchor. | |||
| 4.3. Considerations for the "ietf-truststore" YANG Module | 4.3. Considerations for the "ietf-truststore" YANG Module | |||
| This section is modeled after the template defined in Section 3.7.1 | This section is modeled after the template defined in Section 3.7.1 | |||
| of [RFC8407]. | of [RFC8407]. | |||
| The “ietf-truststore" YANG module defines "grouping” and “container” | The "ietf-truststore" YANG module defines "grouping" and "container" | |||
| statements that are designed to be accessed via YANG-based management | statements that are designed to be accessed via YANG-based management | |||
| protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These | protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These | |||
| protocols have mandatory-to-implement secure transport layers (e.g., | protocols have mandatory-to-implement secure transport layers (e.g., | |||
| Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | |||
| mandatory-to-implement mutual authentication. | mandatory-to-implement mutual authentication. | |||
| The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
| provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
| preconfigured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
| content. | content. | |||
| skipping to change at line 1510 ¶ | skipping to change at line 1506 ¶ | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Multiplexed and Secure Transport", RFC 9000, | Multiplexed and Secure Transport", RFC 9000, | |||
| DOI 10.17487/RFC9000, May 2021, | DOI 10.17487/RFC9000, May 2021, | |||
| <https://www.rfc-editor.org/info/rfc9000>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
| [RFC9640] Watsen, K., "YANG Data Types and Groupings for | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
| Cryptography", RFC 9640, DOI 10.17487/RFC9640, September | Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | |||
| 2024, <https://www.rfc-editor.org/info/rfc9640>. | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [HTTP-CLIENT-SERVER] | [HTTP-CLIENT-SERVER] | |||
| Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
| Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
| netconf-http-client-server-23, 15 August 2024, | netconf-http-client-server-23, 15 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| http-client-server-23>. | http-client-server-23>. | |||
| skipping to change at line 1532 ¶ | skipping to change at line 1528 ¶ | |||
| [NETCONF-CLIENT-SERVER] | [NETCONF-CLIENT-SERVER] | |||
| Watsen, K., "NETCONF Client and Server Models", Work in | Watsen, K., "NETCONF Client and Server Models", Work in | |||
| Progress, Internet-Draft, draft-ietf-netconf-netconf- | Progress, Internet-Draft, draft-ietf-netconf-netconf- | |||
| client-server-37, 14 August 2024, | client-server-37, 14 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| netconf-client-server-37>. | netconf-client-server-37>. | |||
| [NETMOD-SYSTEM-CONFIG] | [NETMOD-SYSTEM-CONFIG] | |||
| Ma, Q., Wu, Q., and C. Feng, "System-defined | Ma, Q., Wu, Q., and C. Feng, "System-defined | |||
| Configuration", Work in Progress, Internet-Draft, draft- | Configuration", Work in Progress, Internet-Draft, draft- | |||
| ietf-netmod-system-config-08, 18 June 2024, | ietf-netmod-system-config-09, 29 September 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | <https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | |||
| system-config-08>. | system-config-09>. | |||
| [RESTCONF-CLIENT-SERVER] | [RESTCONF-CLIENT-SERVER] | |||
| Watsen, K., "RESTCONF Client and Server Models", Work in | Watsen, K., "RESTCONF Client and Server Models", Work in | |||
| Progress, Internet-Draft, draft-ietf-netconf-restconf- | Progress, Internet-Draft, draft-ietf-netconf-restconf- | |||
| client-server-38, 14 August 2024, | client-server-38, 14 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| restconf-client-server-38>. | restconf-client-server-38>. | |||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | ||||
| Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | ||||
| <https://www.rfc-editor.org/info/rfc4648>. | ||||
| [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
| the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
| <https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
| Interchange Format", STD 90, RFC 8259, | ||||
| DOI 10.17487/RFC8259, December 2017, | ||||
| <https://www.rfc-editor.org/info/rfc8259>. | ||||
| [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
| BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
| [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
| and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
| (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
| [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
| skipping to change at line 1581 ¶ | skipping to change at line 1578 ¶ | |||
| Touch Provisioning (SZTP)", RFC 8572, | Touch Provisioning (SZTP)", RFC 8572, | |||
| DOI 10.17487/RFC8572, April 2019, | DOI 10.17487/RFC8572, April 2019, | |||
| <https://www.rfc-editor.org/info/rfc8572>. | <https://www.rfc-editor.org/info/rfc8572>. | |||
| [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
| "Handling Long Lines in Content of Internet-Drafts and | "Handling Long Lines in Content of Internet-Drafts and | |||
| RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
| <https://www.rfc-editor.org/info/rfc8792>. | <https://www.rfc-editor.org/info/rfc8792>. | |||
| [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | |||
| DOI 10.17487/RFC9642, September 2024, | DOI 10.17487/RFC9642, October 2024, | |||
| <https://www.rfc-editor.org/info/rfc9642>. | <https://www.rfc-editor.org/info/rfc9642>. | |||
| [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
| and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | |||
| September 2024, <https://www.rfc-editor.org/info/rfc9643>. | 2024, <https://www.rfc-editor.org/info/rfc9643>. | |||
| [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
| Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | Servers", RFC 9644, DOI 10.17487/RFC9644, October 2024, | |||
| <https://www.rfc-editor.org/info/rfc9644>. | <https://www.rfc-editor.org/info/rfc9644>. | |||
| [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
| Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | |||
| <https://www.rfc-editor.org/info/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
| [W3C.REC-xml-20081126] | [W3C.REC-xml-20081126] | |||
| Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | |||
| and F. Yergeau, "Extensible Markup Language (XML) 1.0 | and F. Yergeau, "Extensible Markup Language (XML) 1.0 | |||
| (Fifth Edition)", World Wide Web Consortium | (Fifth Edition)", World Wide Web Consortium | |||
| Recommendation REC-xml-20081126, November 2008, | Recommendation REC-xml-20081126, November 2008, | |||
| <https://www.w3.org/TR/2008/REC-xml-20081126/>. | <https://www.w3.org/TR/2008/REC-xml-20081126/>. | |||
| Acknowledgements | Acknowledgements | |||
| End of changes. 17 change blocks. | ||||
| 27 lines changed or deleted | 24 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||