rfc9641.original | rfc9641.txt | |||
---|---|---|---|---|
NETCONF Working Group K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
Internet-Draft Watsen Networks | Request for Comments: 9641 Watsen Networks | |||
Intended status: Standards Track 16 March 2024 | Category: Standards Track October 2024 | |||
Expires: 17 September 2024 | ISSN: 2070-1721 | |||
A YANG Data Model for a Truststore | A YANG Data Model for a Truststore | |||
draft-ietf-netconf-trust-anchors-28 | ||||
Abstract | Abstract | |||
This document presents a YANG module for configuring bags of | This document presents a YANG module for configuring bags of | |||
certificates and bags of public keys that can be referenced by other | certificates and bags of public keys that can be referenced by other | |||
data models for trust. Notifications are sent when certificates are | data models for trust. Notifications are sent when certificates are | |||
about to expire. | about to expire. | |||
Editorial Note (To be removed by RFC Editor) | ||||
This draft contains placeholder values that need to be replaced with | ||||
finalized values at the time of publication. This note summarizes | ||||
all of the substitutions that are needed. No other RFC Editor | ||||
instructions are specified elsewhere in this document. | ||||
Artwork in this document contains shorthand references to drafts in | ||||
progress. Please apply the following replacements: | ||||
* AAAA --> the assigned RFC value for draft-ietf-netconf-crypto- | ||||
types | ||||
* BBBB --> the assigned RFC value for this draft | ||||
Artwork in this document contains placeholder values for the date of | ||||
publication of this draft. Please apply the following replacement: | ||||
* 2024-03-16 --> the publication date of this draft | ||||
The "Relation to other RFCs" section Section 1.1 contains the text | ||||
"one or more YANG modules" and, later, "modules". This text is | ||||
sourced from a file in a context where it is unknown how many modules | ||||
a draft defines. The text is not wrong as is, but it may be improved | ||||
by stating more directly how many modules are defined. | ||||
The "Relation to other RFCs" section Section 1.1 contains a self- | ||||
reference to this draft, along with a corresponding reference in the | ||||
Appendix. Please replace the self-reference in this section with | ||||
"This RFC" (or similar) and remove the self-reference in the | ||||
"Normative/Informative References" section, whichever it is in. | ||||
Tree-diagrams in this draft may use the '\' line-folding mode defined | ||||
in RFC 8792. However, nicer-to-the-eye is when the '\\' line-folding | ||||
mode is used. The AD suggested suggested putting a request here for | ||||
the RFC Editor to help convert "ugly" '\' folded examples to use the | ||||
'\\' folding mode. "Help convert" may be interpreted as, identify | ||||
what looks ugly and ask the authors to make the adjustment. | ||||
The following Appendix section is to be removed prior to publication: | ||||
* Appendix A. Change Log | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 17 September 2024. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9641. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction | |||
1.1. Relation to other RFCs . . . . . . . . . . . . . . . . . 4 | 1.1. Relation to Other RFCs | |||
1.2. Specification Language . . . . . . . . . . . . . . . . . 6 | 1.2. Specification Language | |||
1.3. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 6 | 1.3. Adherence to the NMDA | |||
1.4. Conventions . . . . . . . . . . . . . . . . . . . . . . . 6 | 1.4. Conventions | |||
2. The "ietf-truststore" Module . . . . . . . . . . . . . . . . 6 | 2. The "ietf-truststore" Module | |||
2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 6 | 2.1. Data Model Overview | |||
2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 13 | 2.2. Example Usage | |||
2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 | 2.3. YANG Module | |||
3. Support for Built-in Trust Anchors . . . . . . . . . . . . . 30 | 3. Support for Built-In Trust Anchors | |||
4. Security Considerations . . . . . . . . . . . . . . . . . . . 32 | 4. Security Considerations | |||
4.1. Security of Data at Rest . . . . . . . . . . . . . . . . 33 | 4.1. Security of Data at Rest | |||
4.2. Unconstrained Public Key Usage . . . . . . . . . . . . . 33 | 4.2. Unconstrained Public Key Usage | |||
4.3. Considerations for the "ietf-truststore" YANG Module . . 33 | 4.3. Considerations for the "ietf-truststore" YANG Module | |||
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 | 5. IANA Considerations | |||
5.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 34 | 5.1. The IETF XML Registry | |||
5.2. The "YANG Module Names" Registry . . . . . . . . . . . . 34 | 5.2. The YANG Module Names Registry | |||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 | 6. References | |||
6.1. Normative References . . . . . . . . . . . . . . . . . . 34 | 6.1. Normative References | |||
6.2. Informative References . . . . . . . . . . . . . . . . . 35 | 6.2. Informative References | |||
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 37 | Acknowledgements | |||
A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 37 | Author's Address | |||
A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 37 | ||||
A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 38 | ||||
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 39 | ||||
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 39 | ||||
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 39 | ||||
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 39 | ||||
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.14. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.15. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.16. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.17. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.18. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
A.19. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
A.20. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
A.21. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
A.22. 21 to 22 . . . . . . . . . . . . . . . . . . . . . . . . 41 | ||||
A.23. 22 to 23 . . . . . . . . . . . . . . . . . . . . . . . . 42 | ||||
A.24. 23 to 24 . . . . . . . . . . . . . . . . . . . . . . . . 42 | ||||
A.25. 24 to 26 . . . . . . . . . . . . . . . . . . . . . . . . 42 | ||||
A.26. 26 to 28 . . . . . . . . . . . . . . . . . . . . . . . . 42 | ||||
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 43 | ||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 43 | ||||
1. Introduction | 1. Introduction | |||
This document presents a YANG 1.1 [RFC7950] module having the | This document presents a YANG 1.1 [RFC7950] module that has the | |||
following characteristics: | following characteristics: | |||
Provide a central truststore for storing raw public keys and/or | * Provide a central truststore for storing raw public keys and/or | |||
certificates. | certificates. | |||
Provide support for storing named bags of raw public keys and/or | * Provide support for storing named bags of raw public keys and/or | |||
named bags of certificates. | named bags of certificates. | |||
Provide types that can be used to reference raw public keys or | * Provide types that can be used to reference raw public keys or | |||
certificates stored in the central truststore. | certificates stored in the central truststore. | |||
Provide groupings that enable raw public keys and certificates to | * Provide groupings that enable raw public keys and certificates to | |||
be configured inline or as references to truststore instances. | be configured inline or as references to truststore instances. | |||
Enable the truststore to be instantiated in other data models, in | * Enable the truststore to be instantiated in other data models, in | |||
addition to or in lieu of the central truststore instance. | addition to or in lieu of the central truststore instance. | |||
1.1. Relation to other RFCs | 1.1. Relation to Other RFCs | |||
This document presents one or more YANG modules [RFC7950] that are | This document presents a YANG module [RFC7950] that is part of a | |||
part of a collection of RFCs that work together to, ultimately, | collection of RFCs that work together to ultimately support the | |||
support the configuration of both the clients and servers of both the | configuration of both the clients and servers of both the Network | |||
NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. | Configuration Protocol (NETCONF) [RFC6241] and RESTCONF [RFC8040]. | |||
The dependency relationship between the primary YANG groupings | The dependency relationship between the primary YANG groupings | |||
defined in the various RFCs is presented in the below diagram. In | defined in the various RFCs is presented in the below diagram. In | |||
some cases, a draft may define secondary groupings that introduce | some cases, a document may define secondary groupings that introduce | |||
dependencies not illustrated in the diagram. The labels in the | dependencies not illustrated in the diagram. The labels in the | |||
diagram are a shorthand name for the defining RFC. The citation | diagram are shorthand names for the defining RFCs. The citation | |||
reference for shorthand name is provided below the diagram. | references for shorthand names are provided below the diagram. | |||
Please note that the arrows in the diagram point from referencer to | Please note that the arrows in the diagram point from referencer to | |||
referenced. For example, the "crypto-types" RFC does not have any | referenced. For example, the "crypto-types" RFC does not have any | |||
dependencies, whilst the "keystore" RFC depends on the "crypto-types" | dependencies, whilst the "keystore" RFC depends on the "crypto-types" | |||
RFC. | RFC. | |||
crypto-types | crypto-types | |||
^ ^ | ^ ^ | |||
/ \ | / \ | |||
/ \ | / \ | |||
skipping to change at page 5, line 28 ¶ | skipping to change at line 132 ¶ | |||
| | | | | ^ | | | | | | ^ | |||
| | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | |||
| +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | |||
+-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | |||
netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
+======================+===========================================+ | +========================+==========================+ | |||
|Label in Diagram | Originating RFC | | | Label in Diagram | Reference | | |||
+======================+===========================================+ | +========================+==========================+ | |||
|crypto-types | [I-D.ietf-netconf-crypto-types] | | | crypto-types | [RFC9640] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|truststore | [I-D.ietf-netconf-trust-anchors] | | | truststore | RFC 9641 | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|keystore | [I-D.ietf-netconf-keystore] | | | keystore | [RFC9642] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tcp-client-server | [I-D.ietf-netconf-tcp-client-server] | | | tcp-client-server | [RFC9643] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|ssh-client-server | [I-D.ietf-netconf-ssh-client-server] | | | ssh-client-server | [RFC9644] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|tls-client-server | [I-D.ietf-netconf-tls-client-server] | | | tls-client-server | [RFC9645] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|http-client-server | [I-D.ietf-netconf-http-client-server] | | | http-client-server | [HTTP-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|netconf-client-server | [I-D.ietf-netconf-netconf-client-server] | | | netconf-client-server | [NETCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
|restconf-client-server| [I-D.ietf-netconf-restconf-client-server] | | | restconf-client-server | [RESTCONF-CLIENT-SERVER] | | |||
+----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
Table 1: Label in Diagram to RFC Mapping | Table 1: Label in Diagram to RFC Mapping | |||
1.2. Specification Language | 1.2. Specification Language | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
1.3. Adherence to the NMDA | 1.3. Adherence to the NMDA | |||
This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | |||
during manufacturing (e.g., for trusted well-known services), are | during manufacturing (e.g., for trusted, well-known services) are | |||
expected to appear in <operational> (see Section 3). | expected to appear in <operational> (see Section 3). | |||
1.4. Conventions | 1.4. Conventions | |||
Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
value for binary data that has been base64 encoded (see Section 4 in | value for binary data that has been base64 encoded (see Section 9.8 | |||
[RFC4648]). This placeholder value is used because real base64 | of [RFC7950]). This placeholder value is used because real | |||
encoded structures are often many lines long and hence distracting to | base64-encoded structures are often many lines long and hence | |||
the example being presented. | distracting to the example being presented. | |||
This document uses the adjective "central" to the word "truststore" | Various examples in this document use the XML [W3C.REC-xml-20081126] | |||
to refer to the top-level instance of the "truststore-grouping", when | encoding. Other encodings, such as JSON [RFC8259], could | |||
the "central-truststore-supported" feature is enabled. Please be | alternatively be used. | |||
aware that consuming YANG modules MAY instantiate the "truststore- | ||||
grouping" in other locations. All such other instances are not the | Various examples in this document contain long lines that may be | |||
"central" instance. | folded, as described in [RFC8792]. | |||
This document uses the adjective "central" with the word "truststore" | ||||
to refer to the top-level instance of the "truststore-grouping" | ||||
grouping when the "central-truststore-supported" feature is enabled. | ||||
Please be aware that consuming YANG modules MAY instantiate the | ||||
"truststore-grouping" grouping in other locations. All such other | ||||
instances are not the "central" instance. | ||||
2. The "ietf-truststore" Module | 2. The "ietf-truststore" Module | |||
This section defines a YANG 1.1 [RFC7950] module called "ietf- | This section defines a YANG 1.1 [RFC7950] module called "ietf- | |||
truststore". A high-level overview of the module is provided in | truststore". A high-level overview of the module is provided in | |||
Section 2.1. Examples illustrating the module's use are provided in | Section 2.1. Examples illustrating the module's use are provided in | |||
Examples (Section 2.2). The YANG module itself is defined in | Section 2.2 ("Example Usage"). The YANG module itself is defined in | |||
Section 2.3. | Section 2.3. | |||
2.1. Data Model Overview | 2.1. Data Model Overview | |||
This section provides an overview of the "ietf-truststore" module in | This section provides an overview of the "ietf-truststore" module in | |||
terms of its features, typedefs, groupings, and protocol-accessible | terms of its features, typedefs, groupings, and protocol-accessible | |||
nodes. | nodes. | |||
2.1.1. Features | 2.1.1. Features | |||
skipping to change at page 7, line 35 ¶ | skipping to change at line 242 ¶ | |||
The diagram above uses syntax that is similar to but not defined in | The diagram above uses syntax that is similar to but not defined in | |||
[RFC8340]. | [RFC8340]. | |||
Comments: | Comments: | |||
* All the typedefs defined in the "ietf-truststore" module extend | * All the typedefs defined in the "ietf-truststore" module extend | |||
the base "leafref" type defined in [RFC7950]. | the base "leafref" type defined in [RFC7950]. | |||
* The leafrefs refer to certificates, public keys, and bags in the | * The leafrefs refer to certificates, public keys, and bags in the | |||
central truststore, when this module is implemented. | central truststore when this module is implemented. | |||
* These typedefs are provided as an aid to consuming modules that | * These typedefs are provided to aid consuming modules that import | |||
import the "ietf-truststore" module. | the "ietf-truststore" module. | |||
2.1.3. Groupings | 2.1.3. Groupings | |||
The "ietf-truststore" module defines the following "grouping" | The "ietf-truststore" module defines the following "grouping" | |||
statements: | statements: | |||
* central-certificate-ref-grouping | * central-certificate-ref-grouping | |||
* central-public-key-ref-grouping | * central-public-key-ref-grouping | |||
* inline-or-truststore-certs-grouping | * inline-or-truststore-certs-grouping | |||
* inline-or-truststore-public-keys-grouping | * inline-or-truststore-public-keys-grouping | |||
* truststore-grouping | * truststore-grouping | |||
Each of these groupings are presented in the following subsections. | Each of these groupings are presented in the following subsections. | |||
2.1.3.1. The "central-certificate-ref-grouping" Grouping | 2.1.3.1. The "central-certificate-ref-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "central- | The following tree diagram [RFC8340] illustrates the "central- | |||
certificate-ref-grouping" grouping: | certificate-ref-grouping" grouping: | |||
grouping central-certificate-ref-grouping: | grouping central-certificate-ref-grouping: | |||
+-- certificate-bag? ts:central-certificate-bag-ref | +-- certificate-bag? ts:central-certificate-bag-ref | |||
| {central-truststore-supported,certificates}? | | {central-truststore-supported,certificates}? | |||
+-- certificate? ts:central-certificate-ref | +-- certificate? ts:central-certificate-ref | |||
{central-truststore-supported,certificates}? | {central-truststore-supported,certificates}? | |||
Comments: | Comments: | |||
* The "central-certificate-ref-grouping" grouping is provided solely | * The "central-certificate-ref-grouping" grouping is provided solely | |||
as convenience to consuming modules that wish to enable the | as a convenience to consuming modules that wish to enable the | |||
configuration of a reference to a certificate in a certificate-bag | configuration of a reference to a certificate in a certificate-bag | |||
in the truststore. | in the truststore. | |||
* The "certificate-bag" leaf uses the "central-certificate-bag-ref" | * The "certificate-bag" leaf uses the "central-certificate-bag-ref" | |||
typedef defined in Section 2.1.2. | typedef defined in Section 2.1.2. | |||
* The "certificate" leaf uses the "central-certificate-ref" typedef | * The "certificate" leaf uses the "central-certificate-ref" typedef | |||
defined in Section 2.1.2. | defined in Section 2.1.2. | |||
2.1.3.2. The "central-public-key-ref-grouping" Grouping | 2.1.3.2. The "central-public-key-ref-grouping" Grouping | |||
skipping to change at page 8, line 43 ¶ | skipping to change at line 302 ¶ | |||
grouping central-public-key-ref-grouping: | grouping central-public-key-ref-grouping: | |||
+-- public-key-bag? ts:central-public-key-bag-ref | +-- public-key-bag? ts:central-public-key-bag-ref | |||
| {central-truststore-supported,public-keys}? | | {central-truststore-supported,public-keys}? | |||
+-- public-key? ts:central-public-key-ref | +-- public-key? ts:central-public-key-ref | |||
{central-truststore-supported,public-keys}? | {central-truststore-supported,public-keys}? | |||
Comments: | Comments: | |||
* The "central-public-key-ref-grouping" grouping is provided solely | * The "central-public-key-ref-grouping" grouping is provided solely | |||
as convenience to consuming modules that wish to enable the | as a convenience to consuming modules that wish to enable the | |||
configuration of a reference to a public-key in a public-key-bag | configuration of a reference to a public-key in a public-key-bag | |||
in the truststore. | in the truststore. | |||
* The "public-key-bag" leaf uses the "public-key-bag-ref" typedef | * The "public-key-bag" leaf uses the "central-public-key-bag-ref" | |||
defined in Section 2.1.2. | typedef defined in Section 2.1.2. | |||
* The "public-key" leaf uses the "public-key-ref" typedef defined in | * The "public-key" leaf uses the "central-public-key-ref" typedef | |||
Section 2.1.2. | defined in Section 2.1.2. | |||
2.1.3.3. The "inline-or-truststore-certs-grouping" Grouping | 2.1.3.3. The "inline-or-truststore-certs-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "inline-or- | The following tree diagram [RFC8340] illustrates the "inline-or- | |||
truststore-certs-grouping" grouping: | truststore-certs-grouping" grouping: | |||
grouping inline-or-truststore-certs-grouping: | grouping inline-or-truststore-certs-grouping: | |||
+-- (inline-or-truststore) | +-- (inline-or-truststore) | |||
+--:(inline) {inline-definitions-supported}? | +--:(inline) {inline-definitions-supported}? | |||
| +-- inline-definition | | +-- inline-definition | |||
| +-- certificate* [name] | | +-- certificate* [name] | |||
| +-- name? string | | +-- name string | |||
| +---u ct:trust-anchor-cert-grouping | | +---u ct:trust-anchor-cert-grouping | |||
+--:(central-truststore) | +--:(central-truststore) | |||
{central-truststore-supported,certificates}? | {central-truststore-supported,certificates}? | |||
+-- central-truststore-reference? | +-- central-truststore-reference? | |||
ts:central-certificate-bag-ref | ts:central-certificate-bag-ref | |||
Comments: | Comments: | |||
* The "inline-or-truststore-certs-grouping" grouping is provided | * The "inline-or-truststore-certs-grouping" grouping is provided | |||
solely as convenience to consuming modules that wish to offer an | solely as a convenience to consuming modules that wish to offer an | |||
option whether a bag of certificates can be defined inline or as a | option whether a bag of certificates can be defined inline or as a | |||
reference to a bag in the truststore. | reference to a bag in the truststore. | |||
* A "choice" statement is used to expose the various options. Each | * A "choice" statement is used to expose the various options. Each | |||
option is enabled by a "feature" statement. Additional "case" | option is enabled by a "feature" statement. Additional "case" | |||
statements MAY be augmented in if, e.g., there is a need to | statements MAY be augmented in if, e.g., there is a need to | |||
reference a bag in an alternate location. | reference a bag in an alternate location. | |||
* For the "inline-definition" option, the "certificate" node uses | * For the "inline-definition" option, the "certificate" node uses | |||
the "trust-anchor-cert-grouping" grouping discussed in | the "trust-anchor-cert-grouping" grouping discussed in | |||
Section 2.1.4.7 of [I-D.ietf-netconf-crypto-types]. | Section 2.1.4.8 of [RFC9640]. | |||
* For the "central-truststore" option, the "central-truststore- | * For the "central-truststore" option, the "central-truststore- | |||
reference" is an instance of the "certificate-bag-ref" discussed | reference" node is an instance of the "central-certificate-bag- | |||
in Section 2.1.2. | ref" discussed in Section 2.1.2. | |||
2.1.3.4. The "inline-or-truststore-public-keys-grouping" Grouping | 2.1.3.4. The "inline-or-truststore-public-keys-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "inline-or- | The following tree diagram [RFC8340] illustrates the "inline-or- | |||
truststore-public-keys-grouping" grouping: | truststore-public-keys-grouping" grouping: | |||
grouping inline-or-truststore-public-keys-grouping: | grouping inline-or-truststore-public-keys-grouping: | |||
+-- (inline-or-truststore) | +-- (inline-or-truststore) | |||
+--:(inline) {inline-definitions-supported}? | +--:(inline) {inline-definitions-supported}? | |||
| +-- inline-definition | | +-- inline-definition | |||
| +-- public-key* [name] | | +-- public-key* [name] | |||
| +-- name? string | | +-- name string | |||
| +---u ct:public-key-grouping | | +---u ct:public-key-grouping | |||
+--:(central-truststore) | +--:(central-truststore) | |||
{central-truststore-supported,public-keys}? | {central-truststore-supported,public-keys}? | |||
+-- central-truststore-reference? | +-- central-truststore-reference? | |||
ts:central-public-key-bag-ref | ts:central-public-key-bag-ref | |||
Comments: | Comments: | |||
* The "inline-or-truststore-public-keys-grouping" grouping is | * The "inline-or-truststore-public-keys-grouping" grouping is | |||
provided solely as convenience to consuming modules that wish to | provided solely as a convenience to consuming modules that wish to | |||
offer an option whether a bag of public keys can be defined inline | offer an option whether a bag of public keys can be defined inline | |||
or as a reference to a bag in the truststore. | or as a reference to a bag in the truststore. | |||
* A "choice" statement is used to expose the various options. Each | * A "choice" statement is used to expose the various options. Each | |||
option is enabled by a "feature" statement. Additional "case" | option is enabled by a "feature" statement. Additional "case" | |||
statements MAY be augmented in if, e.g., there is a need to | statements MAY be augmented in if, e.g., there is a need to | |||
reference a bag in an alternate location. | reference a bag in an alternate location. | |||
* For the "inline-definition" option, the "public-key" node uses the | * For the "inline-definition" option, the "public-key" node uses the | |||
"public-key-grouping" grouping discussed in Section 2.1.4.4 of | "public-key-grouping" grouping discussed in Section 2.1.4.4 of | |||
[I-D.ietf-netconf-crypto-types]. | [RFC9640]. | |||
* For the "central-truststore" option, the "central-truststore- | * For the "central-truststore" option, the "central-truststore- | |||
reference" is an instance of the "certificate-bag-ref" discussed | reference" is an instance of the "certificate-bag-ref" discussed | |||
in Section 2.1.2. | in Section 2.1.2. | |||
2.1.3.5. The "truststore-grouping" Grouping | 2.1.3.5. The "truststore-grouping" Grouping | |||
The following tree diagram [RFC8340] illustrates the "truststore- | The following tree diagram [RFC8340] illustrates the "truststore- | |||
grouping" grouping: | grouping" grouping: | |||
grouping truststore-grouping: | grouping truststore-grouping: | |||
+-- certificate-bags {certificates}? | +-- certificate-bags {certificates}? | |||
| +-- certificate-bag* [name] | | +-- certificate-bag* [name] | |||
| +-- name? string | | +-- name string | |||
| +-- description? string | | +-- description? string | |||
| +-- certificate* [name] | | +-- certificate* [name] | |||
| +-- name? string | | +-- name string | |||
| +---u ct:trust-anchor-cert-grouping | | +---u ct:trust-anchor-cert-grouping | |||
+-- public-key-bags {public-keys}? | +-- public-key-bags {public-keys}? | |||
+-- public-key-bag* [name] | +-- public-key-bag* [name] | |||
+-- name? string | +-- name string | |||
+-- description? string | +-- description? string | |||
+-- public-key* [name] | +-- public-key* [name] | |||
+-- name? string | +-- name string | |||
+---u ct:public-key-grouping | +---u ct:public-key-grouping | |||
Comments: | Comments: | |||
* The "truststore-grouping" grouping defines a truststore instance | * The "truststore-grouping" grouping defines a truststore instance | |||
as being composed of certificates and/or public keys, both of | as being composed of certificates and/or public keys, both of | |||
which are enabled by "feature" statements. The structure | which are enabled by "feature" statements. The structures | |||
supporting certificates and public keys is essentially the same, | supporting certificates and public keys are essentially the same, | |||
having an outer list of "bags" containing an inner list of objects | having an outer list of "bags" containing an inner list of objects | |||
(certificates or public keys). The bags enable trust anchors | (i.e., certificates or public keys). The bags enable trust | |||
serving a common purpose to be grouped and referenced together. | anchors serving a common purpose to be grouped and referenced | |||
together. | ||||
* For certificates, each certificate is defined by the "trust- | * For certificates, each certificate is defined by the "trust- | |||
anchor-cert-grouping" grouping Section 2.1.4.7 of | anchor-cert-grouping" grouping (Section 2.1.4.8 of [RFC9640]). | |||
[I-D.ietf-netconf-crypto-types]. The "cert-data" node is a CMS | The "cert-data" node is a Cryptographic Message Syntax (CMS) | |||
structure that can be composed of a chain of one or more | structure that can be composed of a chain of one or more | |||
certificates. Additionally, the "certificate-expiration" | certificates. Additionally, the "certificate-expiration" | |||
notification enables the server to alert clients when certificates | notification enables the server to alert clients when certificates | |||
are nearing or have already expired. | are nearing expiration or have already expired. | |||
* For public keys, each public key is defined by the "public-key- | * For public keys, each public key is defined by the "public-key- | |||
grouping" grouping Section 2.1.4.4 of | grouping" grouping (Section 2.1.4.4 of [RFC9640]). The "public- | |||
[I-D.ietf-netconf-crypto-types]. The "public-key" node can be one | key" node can be one of any number of structures specified by the | |||
of any number of structures specified by the "public-key-format" | "public-key-format" identity node. | |||
identity node. | ||||
2.1.4. Protocol-accessible Nodes | 2.1.4. Protocol-Accessible Nodes | |||
The following tree diagram [RFC8340] lists all the protocol- | The following tree diagram [RFC8340] lists all the protocol- | |||
accessible nodes defined in the "ietf-truststore" module, without | accessible nodes defined in the "ietf-truststore" module without | |||
expanding the "grouping" statements: | expanding the "grouping" statements: | |||
module: ietf-truststore | module: ietf-truststore | |||
+--rw truststore {central-truststore-supported}? | +--rw truststore {central-truststore-supported}? | |||
+---u truststore-grouping | +---u truststore-grouping | |||
The following tree diagram [RFC8340] lists all the protocol- | The following tree diagram [RFC8340] lists all the protocol- | |||
accessible nodes defined in the "ietf-truststore" module, with all | accessible nodes defined in the "ietf-truststore" module with all | |||
"grouping" statements expanded, enabling the truststore's full | "grouping" statements expanded, enabling the truststore's full | |||
structure to be seen: | structure to be seen: | |||
module: ietf-truststore | module: ietf-truststore | |||
+--rw truststore {central-truststore-supported}? | +--rw truststore {central-truststore-supported}? | |||
+--rw certificate-bags {certificates}? | +--rw certificate-bags {certificates}? | |||
| +--rw certificate-bag* [name] | | +--rw certificate-bag* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw description? string | | +--rw description? string | |||
| +--rw certificate* [name] | | +--rw certificate* [name] | |||
skipping to change at page 12, line 42 ¶ | skipping to change at line 474 ¶ | |||
+--rw public-key-format identityref | +--rw public-key-format identityref | |||
+--rw public-key binary | +--rw public-key binary | |||
Comments: | Comments: | |||
* Protocol-accessible nodes are those nodes that are accessible when | * Protocol-accessible nodes are those nodes that are accessible when | |||
the module is "implemented", as described in Section 5.6.5 of | the module is "implemented", as described in Section 5.6.5 of | |||
[RFC7950]. | [RFC7950]. | |||
* The protocol-accessible nodes for the "ietf-truststore" module are | * The protocol-accessible nodes for the "ietf-truststore" module are | |||
an instance of the "truststore-grouping" grouping discussed in | instances of the "truststore-grouping" grouping discussed in | |||
Section 2.1.3.5. | Section 2.1.3.5. | |||
* The top-level node "truststore" is additionally constrained by the | * The top-level "truststore" node is additionally constrained by the | |||
feature "central-truststore-supported". | "central-truststore-supported" feature. | |||
* The "truststore-grouping" grouping is discussed in | * The "truststore-grouping" grouping is discussed in | |||
Section 2.1.3.5. | Section 2.1.3.5. | |||
* The reason for why the "truststore-grouping" exists separate from | * The reason for why the "truststore-grouping" grouping exists | |||
the protocol-accessible nodes definition is to enable instances of | separate from the protocol-accessible nodes definition is to | |||
the truststore to be instantiated in other locations, as may be | enable instances of the truststore to be instantiated in other | |||
needed or desired by some modules. | locations, as may be needed or desired by some modules. | |||
2.2. Example Usage | 2.2. Example Usage | |||
The examples in this section are encoded using XML, such as might be | The examples in this section are encoded using XML, such as might be | |||
the case when using the NETCONF protocol. Other encodings MAY be | the case when using the NETCONF protocol. Other encodings MAY be | |||
used, such as JSON when using the RESTCONF protocol. | used, such as JSON when using the RESTCONF protocol. | |||
2.2.1. A Truststore Instance | 2.2.1. A Truststore Instance | |||
This section presents an example illustrating trust anchors in | This section presents an example illustrating trust anchors in | |||
<intended>, as per Section 2.1.4. Please see Section 3 for an | <intended>, as per Section 2.1.4. Please see Section 3 for an | |||
example illustrating built-in values in <operational>. | example illustrating built-in values in <operational>. | |||
The example contained in this section defines eight bags of trust | The example contained in this section defines eight bags of trust | |||
anchors. There are four certificate-based bags and four public key | anchors. There are four certificate-based bags and four public-key- | |||
based bags. The following diagram provides an overview of the | based bags. The following diagram provides an overview of the | |||
contents in the example: | contents in the example: | |||
Certificate Bags | Certificate Bags | |||
+-- Trust anchor certs for authenticating a set of remote servers | +-- Trust anchor certs for authenticating a set of remote servers | |||
+-- End entity certs for authenticating a set of remote servers | +-- End entity certs for authenticating a set of remote servers | |||
+-- Trust anchor certs for authenticating a set of remote clients | +-- Trust anchor certs for authenticating a set of remote clients | |||
+-- End entity certs for authenticating a set of remote clients | +-- End entity certs for authenticating a set of remote clients | |||
Public Key Bags | Public Key Bags | |||
+-- SSH keys to authenticate a set of remote SSH server | +-- SSH keys to authenticate a set of remote SSH servers | |||
+-- SSH keys to authenticate a set of remote SSH clients | +-- SSH keys to authenticate a set of remote SSH clients | |||
+-- Raw public keys to authenticate a set of remote SSH server | +-- Raw public keys to authenticate a set of remote SSH servers | |||
+-- Raw public keys to authenticate a set of remote SSH clients | +-- Raw public keys to authenticate a set of remote SSH clients | |||
Following is the full example: | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- A bag of Certificate Bags --> | <!-- A bag of Certificate Bags --> | |||
<certificate-bags> | <certificate-bags> | |||
<!-- Trust Anchor Certs for Authenticating Servers --> | <!-- Trust Anchor Certs for Authenticating Servers --> | |||
<certificate-bag> | <certificate-bag> | |||
<name>trusted-server-ca-certs</name> | <name>trusted-server-ca-certs</name> | |||
<description> | <description> | |||
Trust anchors (i.e. CA certs) used to authenticate server | Trust anchors (i.e., CA certs) used to authenticate server | |||
certificates. A server certificate is authenticated if its | certificates. A server certificate is authenticated if its | |||
end-entity certificate has a chain of trust to one of these | end-entity certificate has a chain of trust to one of these | |||
certificates. | certificates. | |||
</description> | </description> | |||
<certificate> | <certificate> | |||
<name>Server Cert Issuer #1</name> | <name>Server Cert Issuer #1</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
<certificate> | <certificate> | |||
<name>Server Cert Issuer #2</name> | <name>Server Cert Issuer #2</name> | |||
skipping to change at page 14, line 43 ¶ | skipping to change at line 568 ¶ | |||
<certificate> | <certificate> | |||
<name>My Application #2</name> | <name>My Application #2</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
</certificate-bag> | </certificate-bag> | |||
<!-- Trust Anchor Certs for Authenticating Clients --> | <!-- Trust Anchor Certs for Authenticating Clients --> | |||
<certificate-bag> | <certificate-bag> | |||
<name>trusted-client-ca-certs</name> | <name>trusted-client-ca-certs</name> | |||
<description> | <description> | |||
Trust anchors (i.e. CA certs) used to authenticate client | Trust anchors (i.e., CA certs) used to authenticate client | |||
certificates. A client certificate is authenticated if its | certificates. A client certificate is authenticated if its | |||
end-entity certificate has a chain of trust to one of these | end-entity certificate has a chain of trust to one of these | |||
certificates. | certificates. | |||
</description> | </description> | |||
<certificate> | <certificate> | |||
<name>Client Identity Issuer #1</name> | <name>Client Identity Issuer #1</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
<certificate> | <certificate> | |||
<name>Client Identity Issuer #2</name> | <name>Client Identity Issuer #2</name> | |||
skipping to change at page 17, line 23 ¶ | skipping to change at line 692 ¶ | |||
-key-format> | -key-format> | |||
<public-key>BASE64VALUE=</public-key> | <public-key>BASE64VALUE=</public-key> | |||
</public-key> | </public-key> | |||
</public-key-bag> | </public-key-bag> | |||
</public-key-bags> | </public-key-bags> | |||
</truststore> | </truststore> | |||
2.2.2. A Certificate Expiration Notification | 2.2.2. A Certificate Expiration Notification | |||
The following example illustrates the "certificate-expiration" | The following example illustrates the "certificate-expiration" | |||
notification (per Section 2.1.4.6 of [I-D.ietf-netconf-crypto-types]) | notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | |||
for a certificate configured in the truststore in Section 2.2.1. | configured in the truststore described in Section 2.2.1. | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<notification | <notification | |||
xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | |||
<eventTime>2018-05-25T00:01:00Z</eventTime> | <eventTime>2018-05-25T00:01:00Z</eventTime> | |||
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | |||
<certificate-bags> | <certificate-bags> | |||
<certificate-bag> | <certificate-bag> | |||
<name>trusted-client-ee-certs</name> | <name>trusted-client-ee-certs</name> | |||
skipping to change at page 18, line 5 ¶ | skipping to change at line 716 ¶ | |||
<certificate-expiration> | <certificate-expiration> | |||
<expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | <expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | |||
ate> | ate> | |||
</certificate-expiration> | </certificate-expiration> | |||
</certificate> | </certificate> | |||
</certificate-bag> | </certificate-bag> | |||
</certificate-bags> | </certificate-bags> | |||
</truststore> | </truststore> | |||
</notification> | </notification> | |||
2.2.3. The "Local or Truststore" Groupings | 2.2.3. The "Inline or Truststore" Groupings | |||
This section illustrates the various "inline-or-truststore" groupings | This section illustrates the various "inline-or-truststore" groupings | |||
defined in the "ietf-truststore" module, specifically the "inline-or- | defined in the "ietf-truststore" module, specifically the "inline-or- | |||
truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | |||
truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | |||
These examples assume the existence of an example module called "ex- | These examples assume the existence of an example module called "ex- | |||
truststore-usage" having the namespace "https://example.com/ns/ | truststore-usage" that has the namespace "https://example.com/ns/ | |||
example-truststore-usage". | example-truststore-usage". | |||
The ex-truststore-usage module is first presented using tree diagrams | The "ex-truststore-usage" module is first presented using tree | |||
[RFC8340], followed by an instance example illustrating all the | diagrams [RFC8340], followed by an instance example illustrating all | |||
"inline-or-truststore" groupings in use, followed by the YANG module | the "inline-or-truststore" groupings in use, followed by the YANG | |||
itself. | module itself. | |||
The following tree diagram illustrates "ex-truststore-usage" without | The following tree diagram illustrates the "ex-truststore-usage" | |||
expanding the "grouping" statements: | module without expanding the "grouping" statements: | |||
module: ex-truststore-usage | module: ex-truststore-usage | |||
+--rw truststore-usage | +--rw truststore-usage | |||
+--rw cert* [name] | +--rw cert* [name] | |||
| +--rw name string | | +--rw name string | |||
| +---u ts:inline-or-truststore-certs-grouping | | +---u ts:inline-or-truststore-certs-grouping | |||
+--rw public-key* [name] | +--rw public-key* [name] | |||
+--rw name string | +--rw name string | |||
+---u ts:inline-or-truststore-public-keys-grouping | +---u ts:inline-or-truststore-public-keys-grouping | |||
The following tree diagram illustrates the "ex-truststore-usage" | The following tree diagram illustrates the "ex-truststore-usage" | |||
module, with all "grouping" statements expanded, enabling the | module with all "grouping" statements expanded, enabling the | |||
truststore's full structure to be seen: | truststore's full structure to be seen: | |||
module: ex-truststore-usage | module: ex-truststore-usage | |||
+--rw truststore-usage | +--rw truststore-usage | |||
+--rw cert* [name] | +--rw cert* [name] | |||
| +--rw name string | | +--rw name string | |||
| +--rw (inline-or-truststore) | | +--rw (inline-or-truststore) | |||
| +--:(inline) {inline-definitions-supported}? | | +--:(inline) {inline-definitions-supported}? | |||
| | +--rw inline-definition | | | +--rw inline-definition | |||
| | +--rw certificate* [name] | | | +--rw certificate* [name] | |||
skipping to change at page 20, line 4 ¶ | skipping to change at line 796 ¶ | |||
instance referenced by its sibling example. | instance referenced by its sibling example. | |||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore-usage | <truststore-usage | |||
xmlns="https://example.com/ns/example-truststore-usage" | xmlns="https://example.com/ns/example-truststore-usage" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- The following two equivalent examples illustrate --> | <!-- The following two equivalent examples illustrate --> | |||
<!-- the "inline-or-truststore-certs-grouping" grouping: --> | <!-- the "inline-or-truststore-certs-grouping" grouping: --> | |||
<cert> | <cert> | |||
<name>example 1a</name> | <name>example 1a</name> | |||
<central-truststore-reference>trusted-client-ca-certs</central-t\ | <central-truststore-reference>trusted-client-ca-certs</central-t\ | |||
ruststore-reference> | ruststore-reference> | |||
</cert> | </cert> | |||
<cert> | <cert> | |||
<name>example 1b</name> | <name>example 1b</name> | |||
<inline-definition> | <inline-definition> | |||
<name>my-trusted-client-ca-certs</name> | ||||
<certificate> | <certificate> | |||
<name>Client Identity Issuer #1</name> | <name>Client Identity Issuer #1</name> | |||
<cert>BASE64VALUE=</cert> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
<certificate> | <certificate> | |||
<name>Client Identity Issuer #2</name> | <name>Client Identity Issuer #2</name> | |||
<cert>BASE64VALUE=</cert> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
</inline-definition> | </inline-definition> | |||
</cert> | </cert> | |||
<!-- The following two equivalent examples illustrate the --> | <!-- The following two equivalent examples illustrate the --> | |||
<!-- "inline-or-truststore-public-keys-grouping" grouping: --> | <!-- "inline-or-truststore-public-keys-grouping" grouping: --> | |||
<public-key> | <public-key> | |||
<name>example 2a</name> | <name>example 2a</name> | |||
<central-truststore-reference>trusted-ssh-public-keys</central-t\ | <central-truststore-reference>trusted-ssh-public-keys</central-t\ | |||
ruststore-reference> | ruststore-reference> | |||
</public-key> | </public-key> | |||
<public-key> | <public-key> | |||
<name>example 2b</name> | <name>example 2b</name> | |||
<inline-definition> | <inline-definition> | |||
<name>trusted-ssh-public-keys</name> | ||||
<public-key> | <public-key> | |||
<name>corp-fw1</name> | <name>corp-fw1</name> | |||
<public-key-format> | <public-key-format>ct:ssh-public-key-format</public-key-form\ | |||
ct:ssh-public-key-format | at> | |||
</public-key-format> | ||||
<public-key>BASE64VALUE=</public-key> | <public-key>BASE64VALUE=</public-key> | |||
</public-key> | </public-key> | |||
<public-key> | <public-key> | |||
<name>corp-fw2</name> | <name>corp-fw2</name> | |||
<public-key-format> | <public-key-format>ct:ssh-public-key-format</public-key-form\ | |||
ct:ssh-public-key-format | at> | |||
</public-key-format> | ||||
<public-key>BASE64VALUE=</public-key> | <public-key>BASE64VALUE=</public-key> | |||
</public-key> | </public-key> | |||
</inline-definition> | </inline-definition> | |||
</public-key> | </public-key> | |||
</truststore-usage> | </truststore-usage> | |||
Following is the "ex-truststore-usage" module's YANG definition: | Following is the "ex-truststore-usage" module's YANG definition: | |||
module ex-truststore-usage { | module ex-truststore-usage { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "https://example.com/ns/example-truststore-usage"; | namespace "https://example.com/ns/example-truststore-usage"; | |||
prefix etu; | prefix etu; | |||
import ietf-truststore { | import ietf-truststore { | |||
prefix ts; | prefix ts; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
organization | organization | |||
"Example Corporation"; | "Example Corporation"; | |||
contact | contact | |||
"Author: YANG Designer <mailto:yang.designer@example.com>"; | "Author: YANG Designer <mailto:yang.designer@example.com>"; | |||
description | description | |||
"This example module illustrates notable groupings defined | "This example module illustrates notable groupings defined | |||
in the 'ietf-truststore' module."; | in the 'ietf-truststore' module."; | |||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
container truststore-usage { | container truststore-usage { | |||
description | description | |||
"An illustration of the various truststore groupings."; | "An illustration of the various truststore groupings."; | |||
list cert { | list cert { | |||
key "name"; | key "name"; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
skipping to change at page 22, line 24 ¶ | skipping to change at line 908 ¶ | |||
uses ts:inline-or-truststore-public-keys-grouping; | uses ts:inline-or-truststore-public-keys-grouping; | |||
description | description | |||
"A public key that may be configured locally or be | "A public key that may be configured locally or be | |||
a reference to a public key in the truststore."; | a reference to a public key in the truststore."; | |||
} | } | |||
} | } | |||
} | } | |||
2.3. YANG Module | 2.3. YANG Module | |||
This YANG module imports modules from [RFC8341] and | This YANG module imports modules from [RFC8341] and [RFC9640]. | |||
[I-D.ietf-netconf-crypto-types]. | ||||
<CODE BEGINS> file "ietf-truststore@2024-03-16.yang" | <CODE BEGINS> file "ietf-truststore@2024-03-16.yang" | |||
module ietf-truststore { | module ietf-truststore { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; | namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; | |||
prefix ts; | prefix ts; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
skipping to change at page 22, line 39 ¶ | skipping to change at line 921 ¶ | |||
module ietf-truststore { | module ietf-truststore { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; | namespace "urn:ietf:params:xml:ns:yang:ietf-truststore"; | |||
prefix ts; | prefix ts; | |||
import ietf-netconf-acm { | import ietf-netconf-acm { | |||
prefix nacm; | prefix nacm; | |||
reference | reference | |||
"RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
} | } | |||
import ietf-crypto-types { | import ietf-crypto-types { | |||
prefix ct; | prefix ct; | |||
reference | reference | |||
"RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
} | } | |||
organization | organization | |||
"IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
contact | contact | |||
"WG Web : https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
WG List : NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
Author : Kent Watsen <kent+ietf@watsen.net>"; | Author: Kent Watsen <kent+ietf@watsen.net>"; | |||
description | description | |||
"This module defines a 'truststore' to centralize management | "This module defines a 'truststore' to centralize management | |||
of trust anchors including certificates and public keys. | of trust anchors, including certificates and public keys. | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here. | ||||
Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
This version of this YANG module is part of RFC BBBB | This version of this YANG module is part of RFC 9641 | |||
(https://www.rfc-editor.org/info/rfcBBBB); see the RFC | (https://www.rfc-editor.org/info/rfc9641); see the RFC | |||
itself for full legal notices. | itself for full legal notices."; | |||
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
are to be interpreted as described in BCP 14 (RFC 2119) | ||||
(RFC 8174) when, and only when, they appear in all | ||||
capitals, as shown here."; | ||||
revision 2024-03-16 { | revision 2024-03-16 { | |||
description | description | |||
"Initial version"; | "Initial version."; | |||
reference | reference | |||
"RFC BBBB: A YANG Data Model for a Truststore"; | "RFC 9641: A YANG Data Model for a Truststore"; | |||
} | } | |||
/****************/ | /****************/ | |||
/* Features */ | /* Features */ | |||
/****************/ | /****************/ | |||
feature central-truststore-supported { | feature central-truststore-supported { | |||
description | description | |||
"The 'central-truststore-supported' feature indicates that | "The 'central-truststore-supported' feature indicates that | |||
the server supports the truststore (i.e., implements the | the server supports the truststore (i.e., implements the | |||
'ietf-truststore' module)."; | 'ietf-truststore' module)."; | |||
} | } | |||
feature inline-definitions-supported { | feature inline-definitions-supported { | |||
description | description | |||
"The 'inline-definitions-supported' feature indicates that | "The 'inline-definitions-supported' feature indicates that | |||
the server supports locally-defined trust anchors."; | the server supports locally defined trust anchors."; | |||
} | } | |||
feature certificates { | feature certificates { | |||
description | description | |||
"The 'certificates' feature indicates that the server | "The 'certificates' feature indicates that the server | |||
implements the /truststore/certificate-bags subtree."; | implements the /truststore/certificate-bags subtree."; | |||
} | } | |||
feature public-keys { | feature public-keys { | |||
description | description | |||
skipping to change at page 24, line 41 ¶ | skipping to change at line 1016 ¶ | |||
} | } | |||
typedef central-certificate-ref { | typedef central-certificate-ref { | |||
type leafref { | type leafref { | |||
path "/ts:truststore/ts:certificate-bags/ts:certificate-bag" | path "/ts:truststore/ts:certificate-bags/ts:certificate-bag" | |||
+ "[ts:name = current()/../certificate-bag]/" | + "[ts:name = current()/../certificate-bag]/" | |||
+ "ts:certificate/ts:name"; | + "ts:certificate/ts:name"; | |||
} | } | |||
description | description | |||
"This typedef defines a reference to a specific certificate | "This typedef defines a reference to a specific certificate | |||
in a certificate bag in the central truststore. This typedef | in a certificate bag in the central truststore. This typedef | |||
requires that there exist a sibling 'leaf' node called | requires that there exist a sibling 'leaf' node called | |||
'certificate-bag' that SHOULD have the typedef | 'certificate-bag' that SHOULD have the | |||
'central-certificate-bag-ref'."; | 'central-certificate-bag-ref' typedef."; | |||
} | } | |||
typedef central-public-key-bag-ref { | typedef central-public-key-bag-ref { | |||
type leafref { | type leafref { | |||
path "/ts:truststore/ts:public-key-bags/" | path "/ts:truststore/ts:public-key-bags/" | |||
+ "ts:public-key-bag/ts:name"; | + "ts:public-key-bag/ts:name"; | |||
} | } | |||
description | description | |||
"This typedef defines a reference to a public key bag | "This typedef defines a reference to a public key bag | |||
in the central truststore."; | in the central truststore."; | |||
skipping to change at page 25, line 19 ¶ | skipping to change at line 1042 ¶ | |||
typedef central-public-key-ref { | typedef central-public-key-ref { | |||
type leafref { | type leafref { | |||
path "/ts:truststore/ts:public-key-bags/ts:public-key-bag" | path "/ts:truststore/ts:public-key-bags/ts:public-key-bag" | |||
+ "[ts:name = current()/../public-key-bag]/" | + "[ts:name = current()/../public-key-bag]/" | |||
+ "ts:public-key/ts:name"; | + "ts:public-key/ts:name"; | |||
} | } | |||
description | description | |||
"This typedef defines a reference to a specific public key | "This typedef defines a reference to a specific public key | |||
in a public key bag in the truststore. This typedef | in a public key bag in the truststore. This typedef | |||
requires that there exist a sibling 'leaf' node called | requires that there exist a sibling 'leaf' node called | |||
'public-key-bag' that SHOULD have the typedef | 'public-key-bag' SHOULD have the | |||
'central-public-key-bag-ref'."; | 'central-public-key-bag-ref' typedef."; | |||
} | } | |||
/*****************/ | /*****************/ | |||
/* Groupings */ | /* Groupings */ | |||
/*****************/ | /*****************/ | |||
// *-ref groupings | // *-ref groupings | |||
grouping central-certificate-ref-grouping { | grouping central-certificate-ref-grouping { | |||
description | description | |||
"Grouping for the reference to a certificate in a | "Grouping for the reference to a certificate in a | |||
certificate-bag in the central truststore."; | certificate-bag in the central truststore."; | |||
leaf certificate-bag { | leaf certificate-bag { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "central-truststore-supported"; | if-feature "central-truststore-supported"; | |||
if-feature "certificates"; | if-feature "certificates"; | |||
type ts:central-certificate-bag-ref; | type ts:central-certificate-bag-ref; | |||
must "../certificate"; | must '../certificate'; | |||
description | description | |||
"Reference to a certificate-bag in the truststore."; | "Reference to a certificate-bag in the truststore."; | |||
} | } | |||
leaf certificate { | leaf certificate { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "central-truststore-supported"; | if-feature "central-truststore-supported"; | |||
if-feature "certificates"; | if-feature "certificates"; | |||
type ts:central-certificate-ref; | type ts:central-certificate-ref; | |||
must "../certificate-bag"; | must '../certificate-bag'; | |||
description | description | |||
"Reference to a specific certificate in the | "Reference to a specific certificate in the | |||
referenced certificate-bag."; | referenced certificate-bag."; | |||
} | } | |||
} | } | |||
grouping central-public-key-ref-grouping { | grouping central-public-key-ref-grouping { | |||
description | description | |||
"Grouping for the reference to a public key in a | "Grouping for the reference to a public key in a | |||
public-key-bag in the central truststore."; | public-key-bag in the central truststore."; | |||
leaf public-key-bag { | leaf public-key-bag { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "central-truststore-supported"; | if-feature "central-truststore-supported"; | |||
if-feature "public-keys"; | if-feature "public-keys"; | |||
type ts:central-public-key-bag-ref; | type ts:central-public-key-bag-ref; | |||
description | description | |||
"Reference of a public key bag in the truststore including | "Reference of a public key bag in the truststore, including | |||
the certificate to authenticate the TLS client."; | the certificate to authenticate the TLS client."; | |||
} | } | |||
leaf public-key { | leaf public-key { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "central-truststore-supported"; | if-feature "central-truststore-supported"; | |||
if-feature "public-keys"; | if-feature "public-keys"; | |||
type ts:central-public-key-ref; | type ts:central-public-key-ref; | |||
description | description | |||
"Reference to a specific public key in the | "Reference to a specific public key in the | |||
referenced public-key-bag."; | referenced public-key-bag."; | |||
} | } | |||
} | } | |||
// inline-or-truststore-* groupings | // inline-or-truststore-* groupings | |||
grouping inline-or-truststore-certs-grouping { | grouping inline-or-truststore-certs-grouping { | |||
description | description | |||
"A grouping for the configuration of a list of certificates. | "A grouping for the configuration of a list of certificates. | |||
The list of certificate may be defined inline or as a | The list of certificates may be defined inline or as a | |||
reference to a certificate bag in the central truststore. | reference to a certificate bag in the central truststore. | |||
Servers that wish to define alternate truststore locations | Servers that wish to define alternate truststore locations | |||
MUST augment in custom 'case' statements enabling | MUST augment in custom 'case' statements, enabling | |||
references to those alternate truststore locations."; | references to those alternate truststore locations."; | |||
choice inline-or-truststore { | choice inline-or-truststore { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice between an inlined definition and a definition | "A choice between an inlined definition and a definition | |||
that exists in the truststore."; | that exists in the truststore."; | |||
case inline { | case inline { | |||
if-feature "inline-definitions-supported"; | if-feature "inline-definitions-supported"; | |||
container inline-definition { | container inline-definition { | |||
skipping to change at page 27, line 38 ¶ | skipping to change at line 1156 ¶ | |||
description | description | |||
"A reference to a certificate bag that exists in the | "A reference to a certificate bag that exists in the | |||
central truststore."; | central truststore."; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
grouping inline-or-truststore-public-keys-grouping { | grouping inline-or-truststore-public-keys-grouping { | |||
description | description | |||
"A grouping that allows the public keys to be either | "A grouping that allows the public keys to either be | |||
configured locally, within the using data model, or be a | configured locally, within the data model being used, or be a | |||
reference to a public key bag stored in the truststore. | reference to a public key bag stored in the truststore. | |||
Servers that wish to define alternate truststore locations | Servers that wish to define alternate truststore locations | |||
SHOULD augment in custom 'case' statements enabling | SHOULD augment in custom 'case' statement, enabling | |||
references to those alternate truststore locations."; | references to those alternate truststore locations."; | |||
choice inline-or-truststore { | choice inline-or-truststore { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
mandatory true; | mandatory true; | |||
description | description | |||
"A choice between an inlined definition and a definition | "A choice between an inlined definition and a definition | |||
that exists in the truststore."; | that exists in the truststore."; | |||
case inline { | case inline { | |||
if-feature "inline-definitions-supported"; | if-feature "inline-definitions-supported"; | |||
container inline-definition { | container inline-definition { | |||
skipping to change at page 29, line 47 ¶ | skipping to change at line 1260 ¶ | |||
container public-key-bags { | container public-key-bags { | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
if-feature "public-keys"; | if-feature "public-keys"; | |||
description | description | |||
"A collection of public key bags."; | "A collection of public key bags."; | |||
list public-key-bag { | list public-key-bag { | |||
key "name"; | key "name"; | |||
description | description | |||
"A bag of public keys. Each bag of keys SHOULD be for | "A bag of public keys. Each bag of keys SHOULD be for | |||
a specific purpose. For instance, one bag could be used | a specific purpose. For instance, one bag could be used | |||
authenticate a specific set of servers, while another | to authenticate a specific set of servers, while another | |||
could be used to authenticate a specific set of clients."; | could be used to authenticate a specific set of clients."; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"An arbitrary name for this bag of public keys."; | "An arbitrary name for this bag of public keys."; | |||
} | } | |||
leaf description { | leaf description { | |||
type string; | type string; | |||
description | description | |||
"A description for this bag public keys. The | "A description for this bag of public keys. The | |||
intended purpose for the bag MUST be described."; | intended purpose for the bag MUST be described."; | |||
} | } | |||
list public-key { | list public-key { | |||
key "name"; | key "name"; | |||
description | description | |||
"A public key."; | "A public key."; | |||
leaf name { | leaf name { | |||
type string; | type string; | |||
description | description | |||
"An arbitrary name for this public key."; | "An arbitrary name for this public key."; | |||
} | } | |||
uses ct:public-key-grouping; | uses ct:public-key-grouping; | |||
} | } | |||
} | } | |||
} | } | |||
} | } | |||
/*********************************/ | /*********************************/ | |||
/* Protocol accessible nodes */ | /* Protocol-accessible nodes */ | |||
/*********************************/ | /*********************************/ | |||
container truststore { | container truststore { | |||
if-feature central-truststore-supported; | if-feature "central-truststore-supported"; | |||
nacm:default-deny-write; | nacm:default-deny-write; | |||
description | description | |||
"The truststore contains bags of certificates and | "The truststore contains bags of certificates and | |||
public keys."; | public keys."; | |||
uses truststore-grouping; | uses truststore-grouping; | |||
} | } | |||
} | } | |||
<CODE ENDS> | <CODE ENDS> | |||
3. Support for Built-in Trust Anchors | 3. Support for Built-In Trust Anchors | |||
In some implementations, a server may define some built-in trust | In some implementations, a server may define some built-in trust | |||
anchors. For instance, there may be built-in trust anchors enabling | anchors. For instance, there may be built-in trust anchors enabling | |||
the server to securely connect to well-known services (e.g., an SZTP | the server to securely connect to well-known services (e.g., a Secure | |||
[RFC8572] bootstrap server) or public CA certificates to connect to | Zero-Touch Provisioning (SZTP) [RFC8572] bootstrap server) or public | |||
arbitrary Web services using public PKI. | Certification Authority (CA) certificates to connect to arbitrary web | |||
services using PKI. | ||||
Built-in trust anchors are expected to be set by a vendor-specific | Built-in trust anchors are expected to be set by a vendor-specific | |||
process. Any ability for operators to set and/or modify built-in | process. Any ability for operators to set and/or modify built-in | |||
trust anchors is outside the scope of this document. | trust anchors is outside the scope of this document. | |||
The primary characteristic of the built-in trust anchors is that they | The primary characteristic of the built-in trust anchors is that they | |||
are provided by the server, as opposed to configuration. As such, | are provided by the server, as opposed to configuration. As such, | |||
they are present in <operational> (Section 5.3 of [RFC8342]), and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
<system> [I-D.ietf-netmod-system-config], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
The example below illustrates what the truststore in <operational> | The example below illustrates what the truststore in <operational> | |||
might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
the built-in trust anchor bags have the "or:origin" annotation value | the built-in trust anchor bags have the "or:origin" annotation value | |||
"or:system". | "or:system". | |||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
skipping to change at page 33, line 4 ¶ | skipping to change at line 1371 ¶ | |||
<certificate> | <certificate> | |||
<name>Public Root CA Cert 3</name> | <name>Public Root CA Cert 3</name> | |||
<cert-data>BASE64VALUE=</cert-data> | <cert-data>BASE64VALUE=</cert-data> | |||
</certificate> | </certificate> | |||
</certificate-bag> | </certificate-bag> | |||
</certificate-bags> | </certificate-bags> | |||
</truststore> | </truststore> | |||
4. Security Considerations | 4. Security Considerations | |||
4.1. Security of Data at Rest | 4.1. Security of Data at Rest | |||
The YANG module defined in this document defines a mechanism called a | The YANG module specified in this document defines a mechanism called | |||
"truststore" that, by its name, suggests that its contents are | a "truststore" that, by its name, suggests that its contents are | |||
protected from unauthorized modification. | protected from unauthorized modification. | |||
Security controls for the API (i.e., data in motion) are discussed in | Security controls for the API (i.e., data in motion) are discussed in | |||
Section 4.3, but controls for the data at rest (e.g., on disk) cannot | Section 4.3, but controls for the data at rest (e.g., on disk) cannot | |||
be specified by the YANG module. | be specified by the YANG module. | |||
In order to satisfy the expectations of a "truststore", server | In order to satisfy the expectations of a "truststore", server | |||
implementations MUST ensure that the truststore contents are | implementations MUST ensure that the truststore contents are | |||
protected from unauthorized modifications when at rest. | protected from unauthorized modifications when at rest. | |||
4.2. Unconstrained Public Key Usage | 4.2. Unconstrained Public Key Usage | |||
This module enables the configuration of public keys without | This module enables the configuration of public keys without | |||
constraints on their usage, e.g., what operations the key is allowed | constraints on their usage, e.g., what operations the key is allowed | |||
to be used for (encryption, verification, both). | to be used for (encryption, verification, or both). | |||
Trust anchors configured via this module are implicitly trusted to | Trust anchors configured via this module are implicitly trusted to | |||
validate certification paths that may include any name, be used for | validate certification paths that may include any name, be used for | |||
any purpose, subject to constraints imposed by an intermediate CA or | any purpose, or be subject to constraints imposed by an intermediate | |||
by context in which the truststore is used. Implementations are free | CA or by context in which the truststore is used. Implementations | |||
to use alternative or auxiliary structures and validation rules to | are free to use alternative or auxiliary structures and validation | |||
define constraints that limit the applicability of a trust anchor. | rules to define constraints that limit the applicability of a trust | |||
anchor. | ||||
4.3. Considerations for the "ietf-truststore" YANG Module | 4.3. Considerations for the "ietf-truststore" YANG Module | |||
This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
[RFC8407]. | of [RFC8407]. | |||
The YANG module defined in this document is designed to be accessed | The "ietf-truststore" YANG module defines "grouping" and "container" | |||
via YANG based management protocols, such as NETCONF [RFC6241] and | statements that are designed to be accessed via YANG-based management | |||
RESTCONF [RFC8040]. Both of these protocols have mandatory-to- | protocols, such as NETCONF [RFC6241] and RESTCONF [RFC8040]. These | |||
implement secure transport layers (e.g., SSH, TLS) with mutual | protocols have mandatory-to-implement secure transport layers (e.g., | |||
authentication. | Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | |||
mandatory-to-implement mutual authentication. | ||||
The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
content. | ||||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the security | |||
Considerations for dependent YANG modules for information as to which | considerations for dependent YANG modules for information as to which | |||
nodes may be considered sensitive or vulnerable in network | nodes may be considered sensitive or vulnerable in network | |||
environments. | environments. | |||
Most of the readable data nodes defined in this YANG module are not | Most of the readable data nodes defined in this YANG module are not | |||
considered sensitive or vulnerable in network environments. However, | considered sensitive or vulnerable in network environments. However, | |||
the "cert-data" node uses the NACM "default-deny-all" extension, for | the "cert-data" node uses the NACM "default-deny-all" extension for | |||
reasons described in Section 3.9 of [I-D.ietf-netconf-crypto-types]. | reasons described in Section 3.8 of [RFC9640]. | |||
All the writable data nodes defined by this module, both in the | All the writable data nodes defined by this module, both in the | |||
"grouping" statements as well as the protocol-accessible "truststore" | "grouping" statements as well as the protocol-accessible "truststore" | |||
instance, may be considered sensitive or vulnerable in some network | instance, may be considered sensitive or vulnerable in some network | |||
environments. For instance, any modification to a trust anchor or | environments. For instance, any modification to a trust anchor or | |||
reference to a trust anchor may dramatically alter the implemented | reference to a trust anchor may dramatically alter the implemented | |||
security policy. For this reason, the NACM extension "default-deny- | security policy. For this reason, the NACM "default-deny-write" | |||
write" has been set for all data nodes defined in this module. | extension has been set for all data nodes defined in this module. | |||
This module does not define any "rpc" or "action" statements, and | This module does not define any "rpc" or "action" statements, and | |||
thus the security considerations for such is not provided here. | thus, the security considerations for such are not provided here. | |||
5. IANA Considerations | 5. IANA Considerations | |||
5.1. The "IETF XML" Registry | 5.1. The IETF XML Registry | |||
This document registers one URI in the "ns" subregistry of the IETF | IANA has registered the following URI in the "ns" registry defined of | |||
XML Registry [RFC3688]. Following the format in [RFC3688], the | the "IETF XML Registry" [RFC3688]. | |||
following registration is requested: | ||||
URI: urn:ietf:params:xml:ns:yang:ietf-truststore | URI: urn:ietf:params:xml:ns:yang:ietf-truststore | |||
Registrant Contact: The IESG | Registrant Contact: The IESG | |||
XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
5.2. The "YANG Module Names" Registry | 5.2. The YANG Module Names Registry | |||
This document registers one YANG module in the YANG Module Names | IANA has registered the following YANG module in the "YANG Module | |||
registry [RFC6020]. Following the format in [RFC6020], the following | Names" registry defined in [RFC6020]. | |||
registration is requested: | ||||
name: ietf-truststore | Name: ietf-truststore | |||
namespace: urn:ietf:params:xml:ns:yang:ietf-truststore | Namespace: urn:ietf:params:xml:ns:yang:ietf-truststore | |||
prefix: ts | Prefix: ts | |||
reference: RFC BBBB | Reference: RFC 9641 | |||
6. References | 6. References | |||
6.1. Normative References | 6.1. Normative References | |||
[I-D.ietf-netconf-crypto-types] | ||||
Watsen, K., "YANG Data Types and Groupings for | ||||
Cryptography", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-crypto-types-33, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
crypto-types-33>. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | ||||
Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | ||||
January 2006, <https://www.rfc-editor.org/info/rfc4252>. | ||||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | ||||
and A. Bierman, Ed., "Network Configuration Protocol | ||||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | ||||
<https://www.rfc-editor.org/info/rfc6241>. | ||||
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
<https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
[RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | ||||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | ||||
<https://www.rfc-editor.org/info/rfc8446>. | ||||
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | ||||
Multiplexed and Secure Transport", RFC 9000, | ||||
DOI 10.17487/RFC9000, May 2021, | ||||
<https://www.rfc-editor.org/info/rfc9000>. | ||||
[RFC9640] Watsen, K., "YANG Data Types and Groupings for | ||||
Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | ||||
2024, <https://www.rfc-editor.org/info/rfc9640>. | ||||
6.2. Informative References | 6.2. Informative References | |||
[I-D.ietf-netconf-http-client-server] | [HTTP-CLIENT-SERVER] | |||
Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
netconf-http-client-server-19, 1 March 2024, | netconf-http-client-server-23, 15 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
http-client-server-19>. | ||||
[I-D.ietf-netconf-keystore] | ||||
Watsen, K., "A YANG Data Model for a Keystore and Keystore | ||||
Operations", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-keystore-34, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
keystore-34>. | http-client-server-23>. | |||
[I-D.ietf-netconf-netconf-client-server] | [NETCONF-CLIENT-SERVER] | |||
Watsen, K., "NETCONF Client and Server Models", Work in | Watsen, K., "NETCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-netconf- | Progress, Internet-Draft, draft-ietf-netconf-netconf- | |||
client-server-35, 1 March 2024, | client-server-37, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
netconf-client-server-35>. | ||||
[I-D.ietf-netconf-restconf-client-server] | ||||
Watsen, K., "RESTCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | ||||
client-server-35, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
restconf-client-server-35>. | ||||
[I-D.ietf-netconf-ssh-client-server] | ||||
Watsen, K., "YANG Groupings for SSH Clients and SSH | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-ssh-client-server-39, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
ssh-client-server-39>. | ||||
[I-D.ietf-netconf-tcp-client-server] | ||||
Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
and TCP Servers", Work in Progress, Internet-Draft, draft- | ||||
ietf-netconf-tcp-client-server-23, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
tcp-client-server-23>. | ||||
[I-D.ietf-netconf-tls-client-server] | ||||
Watsen, K., "YANG Groupings for TLS Clients and TLS | ||||
Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
netconf-tls-client-server-40, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
tls-client-server-40>. | ||||
[I-D.ietf-netconf-trust-anchors] | ||||
Watsen, K., "A YANG Data Model for a Truststore", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-trust- | ||||
anchors-27, 1 March 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
trust-anchors-27>. | netconf-client-server-37>. | |||
[I-D.ietf-netmod-system-config] | [NETMOD-SYSTEM-CONFIG] | |||
Ma, Q., Wu, Q., and C. Feng, "System-defined | Ma, Q., Wu, Q., and C. Feng, "System-defined | |||
Configuration", Work in Progress, Internet-Draft, draft- | Configuration", Work in Progress, Internet-Draft, draft- | |||
ietf-netmod-system-config-05, 21 February 2024, | ietf-netmod-system-config-09, 29 September 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | <https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | |||
system-config-05>. | system-config-09>. | |||
[RESTCONF-CLIENT-SERVER] | ||||
Watsen, K., "RESTCONF Client and Server Models", Work in | ||||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | ||||
client-server-38, 14 August 2024, | ||||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
restconf-client-server-38>. | ||||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | ||||
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | ||||
<https://www.rfc-editor.org/info/rfc4648>. | ||||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
and A. Bierman, Ed., "Network Configuration Protocol | Interchange Format", STD 90, RFC 8259, | |||
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | DOI 10.17487/RFC8259, December 2017, | |||
<https://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
<https://www.rfc-editor.org/info/rfc8040>. | ||||
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | [RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | |||
Touch Provisioning (SZTP)", RFC 8572, | Touch Provisioning (SZTP)", RFC 8572, | |||
DOI 10.17487/RFC8572, April 2019, | DOI 10.17487/RFC8572, April 2019, | |||
<https://www.rfc-editor.org/info/rfc8572>. | <https://www.rfc-editor.org/info/rfc8572>. | |||
Appendix A. Change Log | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
"Handling Long Lines in Content of Internet-Drafts and | ||||
A.1. 00 to 01 | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
<https://www.rfc-editor.org/info/rfc8792>. | ||||
* Added features "x509-certificates" and "ssh-host-keys". | ||||
* Added nacm:default-deny-write to "trust-anchors" container. | ||||
A.2. 01 to 02 | ||||
* Switched "list pinned-certificate" to use the "trust-anchor-cert- | ||||
grouping" from crypto-types. Effectively the same definition as | ||||
before. | ||||
A.3. 02 to 03 | ||||
* Updated copyright date, boilerplate template, affiliation, folding | ||||
algorithm, and reformatted the YANG module. | ||||
A.4. 03 to 04 | ||||
* Added groupings 'inline-or-truststore-certs-grouping' and 'inline- | ||||
or-truststore-host-keys-grouping', matching similar definitions in | ||||
the keystore draft. Note new (and incomplete) "truststore" usage! | ||||
* Related to above, also added features 'truststore-supported' and | ||||
'local-trust-anchors-supported'. | ||||
A.5. 04 to 05 | ||||
* Renamed "trust-anchors" to "truststore" | ||||
* Removed "pinned." prefix everywhere, to match truststore rename | ||||
* Moved everything under a top-level 'grouping' to enable use in | ||||
other contexts. | ||||
* Renamed feature from 'local-trust-anchors-supported' to 'inline- | ||||
definitions-supported' (same name used in keystore) | ||||
* Removed the "require-instance false" statement from the "*-ref" | ||||
typedefs. | ||||
* Added missing "ssh-host-keys" and "x509-certificates" if-feature | ||||
statements | ||||
A.6. 05 to 06 | ||||
* Editorial changes only. | ||||
A.7. 06 to 07 | ||||
* Added Henk Birkholz as a co-author (thanks Henk!) | ||||
* Added PSKs and raw public keys to truststore. | ||||
A.8. 07 to 08 | ||||
* Added new "Support for Built-in Trust Anchors" section. | ||||
* Removed spurious "uses ct:trust-anchor-certs-grouping" line. | ||||
* Removed PSK from model. | ||||
A.9. 08 to 09 | ||||
* Removed remaining PSK references from text. | ||||
* Wrapped each top-level list with a container. | ||||
* Introduced "bag" term. | ||||
* Merged "SSH Public Keys" and "Raw Public Keys" in a single "Public | ||||
Keys" bag. Consuming downstream modules (i.e., "ietf-[ssh/tls]- | ||||
[client/server]) refine the "public-key-format" to be either SSH | ||||
or TLS specific as needed. | ||||
A.10. 09 to 10 | ||||
* Removed "algorithm" node from examples. | ||||
* Removed the no longer used statements supporting the old "ssh- | ||||
public-key" and "raw-public-key" nodes. | ||||
* Added a "Note to Reviewers" note to first page. | ||||
A.11. 10 to 11 | ||||
* Corrected module prefix registered in the IANA Considerations | ||||
section. | ||||
* Modified 'inline-or-truststore-certs-grouping' to use a list (not | ||||
a leaf-list). | ||||
* Added new example section "The Local or Truststore Groupings". | ||||
* Clarified expected behavior for "built-in" certificates in | ||||
<operational> | ||||
* Expanded "Data Model Overview section(s) [remove "wall" of tree | ||||
diagrams]. | ||||
* Updated the Security Considerations section. | ||||
A.12. 11 to 12 | ||||
* Fixed a copy/paste issue in the "Data at Rest" Security | ||||
Considerations section. | ||||
A.13. 12 to 13 | ||||
* Fixed issues found by the SecDir review of the "keystore" draft. | ||||
A.14. 13 to 14 | ||||
* Added an "Unconstrained Public Key Usage" Security Consideration | ||||
to address concern raised by SecDir. | ||||
* Addressed comments raised by YANG Doctor. | ||||
A.15. 14 to 15 | ||||
* Added prefixes to 'path' statements per trust-anchors/issues/1 | ||||
* Renamed feature "truststore-supported" to "central-truststore- | ||||
supported". | ||||
* Associated with above, generally moved text to refer to a | ||||
"central" truststore. | ||||
* Removed two unecessary/unwanted "min-elements 1" and associated | ||||
"presence" statements. | ||||
* Aligned modules with `pyang -f` formatting. | ||||
* Fixed nits found by YANG Doctor reviews. | ||||
A.16. 15 to 16 | ||||
* Replaced "base64encodedvalue==" with "BASE64VALUE=" in examples. | ||||
* Minor editorial nits | ||||
A.17. 16 to 17 | ||||
* fixup the 'WG Web' and 'WG List' lines in YANG module(s) | ||||
* fixup copyright (i.e., s/Simplified/Revised/) in YANG module(s) | ||||
* Added Informative reference to ma-netmod-with-system | ||||
A.18. 17 to 18 | ||||
* Updated Security Considerations section to address comment | ||||
received from Carl Wallace. | ||||
* Fixed examples to not have line-returns around "identity" | ||||
encodings. | ||||
* Fixed a couple tree diagrams to not create diagrams for | ||||
"groupings" too. | ||||
* Added "if-feature central-truststore-supported" to top-level | ||||
"trustore" container. | ||||
A.19. 18 to 19 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
A.20. 19 to 20 | ||||
* Updated per Shepherd reviews impacting the suite of drafts. | ||||
A.21. 20 to 21 | ||||
* Updated (implicitly) per Tom Petch review. | ||||
* Updated per AD's review. | ||||
* s/local/inline/ in feature names, grouping names, and node names. | ||||
* Updated ref from 'ma-netmod-with-system' to 'ietf-netmod-system- | ||||
config'. | ||||
* Removed special handling text for built-in certs | ||||
* Updated section on built-in trust anchors to read almost the same | ||||
as the section in the keystore draft. | ||||
A.22. 21 to 22 | ||||
* Mostly addresses AD review comments. | ||||
* Also added typedefs and groupings similar to those created by Alto | ||||
WG. | ||||
* Added note to Editor to fix line foldings. | ||||
* Renamed "truststore" to "central truststore" throughout. | ||||
* Removed "built-in" section text that overlaps with the "system- | ||||
config" draft. | ||||
* Added "certificate-ref-grouping" and "public-key-ref-grouping" | ||||
* Modified typedef certificate-ref's leafref path to NOT prefix | ||||
"certificate-bag". | ||||
* Modified typedef public-key-ref's leafref path to NOT prefix | ||||
"public-key-bag". | ||||
* Added groupings "certificate-ref-grouping" and "public-key-ref- | ||||
grouping". | ||||
A.23. 22 to 23 | ||||
* Addresses Gen-ART review by Dale Worley. | ||||
* Addresses review by Tom Petch. | ||||
A.24. 23 to 24 | ||||
* Addresses 1st-round of IESG reviews. | ||||
A.25. 24 to 26 | ||||
* Addresses issues found in OpsDir review of the ssh-client-server | ||||
draft. | ||||
* Renamed Security Considerations section s/Template for/ | ||||
Considerations for/ | ||||
* s/defines/presents/ in a few places. | ||||
* Add refs to where the 'operational' and 'system' datastores are | [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | |||
defined. | DOI 10.17487/RFC9642, October 2024, | |||
<https://www.rfc-editor.org/info/rfc9642>. | ||||
* Improved Security Consideration for 'cert-data' node. | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | ||||
2024, <https://www.rfc-editor.org/info/rfc9643>. | ||||
* s/should/SHOULD/ is one place | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
Servers", RFC 9644, DOI 10.17487/RFC9644, October 2024, | ||||
<https://www.rfc-editor.org/info/rfc9644>. | ||||
A.26. 26 to 28 | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | ||||
<https://www.rfc-editor.org/info/rfc9645>. | ||||
* Nothing changed. Only bumped for automation... | [W3C.REC-xml-20081126] | |||
Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | ||||
and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)", World Wide Web Consortium | ||||
Recommendation REC-xml-20081126, November 2008, | ||||
<https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
Acknowledgements | Acknowledgements | |||
The authors especially thank Henk Birkholz for contributing YANG to | The authors especially thank Henk Birkholz for contributing YANG to | |||
the ietf-truststore module supporting raw public keys and PSKs (pre- | the "ietf-truststore" module supporting raw public keys and PSKs | |||
shared or pairwise-symmetric keys). While these contributions were | (pre-shared or pairwise-symmetric keys). While these contributions | |||
eventually replaced by reusing the existing support for asymmetric | were eventually replaced by reusing the existing support for | |||
and symmetric trust anchors, respectively, it was only through Henk's | asymmetric and symmetric trust anchors, respectively, it was only | |||
initiative that the WG was able to come to that result. | through Henk's initiative that the WG was able to come to that | |||
result. | ||||
The authors additionally thank the following for helping give shape | The authors additionally thank the following for helping give shape | |||
to this work (ordered by first name): Balázs Kovács, Carl Wallace, | to this work (ordered by first name): Balázs Kovács, Carl Wallace, | |||
Eric Voit, Éric Vyncke, Francesca Palombini, Jensen Zhang, Jürgen | Eric Voit, Éric Vyncke, Francesca Palombini, Jensen Zhang, Jürgen | |||
Schönwälder, Lars Eggert, Liang Xia, Martin Björklund, Murray | Schönwälder, Lars Eggert, Liang Xia, Martin Björklund, Murray | |||
Kucherawy, Nick Hancock, Qin Wu, Rob Wilton, Robert Varga, Roman | Kucherawy, Nick Hancock, Paul Kyzivat, Qin Wu, Rob Wilton, Robert | |||
Danyliw, Paul Kyzivat, and Yoav Nir. | Varga, Roman Danyliw, and Yoav Nir. | |||
Author's Address | Author's Address | |||
Kent Watsen | Kent Watsen | |||
Watsen Networks | Watsen Networks | |||
Email: kent+ietf@watsen.net | Email: kent+ietf@watsen.net | |||
End of changes. 152 change blocks. | ||||
642 lines changed or deleted | 333 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |