rfc9642v5.txt | rfc9642.txt | |||
---|---|---|---|---|
Internet Engineering Task Force (IETF) K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
Request for Comments: 9642 Watsen Networks | Request for Comments: 9642 Watsen Networks | |||
Category: Standards Track September 2024 | Category: Standards Track October 2024 | |||
ISSN: 2070-1721 | ISSN: 2070-1721 | |||
A YANG Data Model for a Keystore | A YANG Data Model for a Keystore | |||
Abstract | Abstract | |||
This document presents a YANG module called "ietf-keystore" that | This document presents a YANG module called "ietf-keystore" that | |||
enables centralized configuration of both symmetric and asymmetric | enables centralized configuration of both symmetric and asymmetric | |||
keys. The secret value for both key types may be encrypted or | keys. The secret value for both key types may be encrypted or | |||
hidden. Asymmetric keys may be associated with certificates. | hidden. Asymmetric keys may be associated with certificates. | |||
skipping to change at line 1769 | skipping to change at line 1769 | |||
crypto officers that does not scale in production environments. | crypto officers that does not scale in production environments. | |||
In order to decouple the crypto officers from the regular | In order to decouple the crypto officers from the regular | |||
administrators, a special KEK, called the "primary key" (PK), may be | administrators, a special KEK, called the "primary key" (PK), may be | |||
used. | used. | |||
A PK is commonly a globally unique built-in (see Section 3) | A PK is commonly a globally unique built-in (see Section 3) | |||
asymmetric key. The private raw key value, due to its long lifetime, | asymmetric key. The private raw key value, due to its long lifetime, | |||
is hidden (i.e., "hidden-private-key"; see Section 2.1.4.5. of | is hidden (i.e., "hidden-private-key"; see Section 2.1.4.5. of | |||
[RFC9640]). The raw public key value is often contained in an | [RFC9640]). The raw public key value is often contained in an | |||
identity certificate (e.g., IDevID). How to configure an PK during | identity certificate (e.g., IDevID). How to configure a PK during | |||
the manufacturing process is outside the scope of this document. | the manufacturing process is outside the scope of this document. | |||
Assuming the server has a PK, the PK can be used to encrypt a "shared | Assuming the server has a PK, the PK can be used to encrypt a "shared | |||
KEK", which is then used to encrypt the keys configured by regular | KEK", which is then used to encrypt the keys configured by regular | |||
administrators. | administrators. | |||
With this extra level of indirection, it is possible for a crypto | With this extra level of indirection, it is possible for a crypto | |||
officer to encrypt the same KEK for a multiplicity of servers offline | officer to encrypt the same KEK for a multiplicity of servers offline | |||
using the public key contained in their identity certificates. The | using the public key contained in their identity certificates. The | |||
crypto officer can then safely hand off the encrypted KEKs to regular | crypto officer can then safely hand off the encrypted KEKs to regular | |||
skipping to change at line 1887 | skipping to change at line 1887 | |||
5.3. Security Considerations for the "ietf-keystore" YANG Module | 5.3. Security Considerations for the "ietf-keystore" YANG Module | |||
This section is modeled after the template defined in Section 3.7.1 | This section is modeled after the template defined in Section 3.7.1 | |||
of [RFC8407]. | of [RFC8407]. | |||
The ietf-keystore YANG module defines a data model that is designed | The ietf-keystore YANG module defines a data model that is designed | |||
to be accessed via YANG-based management protocols, such as NETCONF | to be accessed via YANG-based management protocols, such as NETCONF | |||
[RFC6241] and RESTCONF [RFC8040]. These protocols have mandatory-to- | [RFC6241] and RESTCONF [RFC8040]. These protocols have mandatory-to- | |||
implement secure transport layers (e.g., SSH [RFC4252], TLS | implement secure transport layers (e.g., SSH [RFC4252], TLS | |||
[RFC8446], and QUIC [RFC9000]) and mandatory-to-implement mutal | [RFC8446], and QUIC [RFC9000]) and mandatory-to-implement mutual | |||
authentication. | authentication. | |||
The Network Configuration Access Control Model (NACM) [RFC8341] | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
provides the means to restrict access for particular users to a | provides the means to restrict access for particular users to a | |||
preconfigured subset of all available protocol operations and | preconfigured subset of all available protocol operations and | |||
content. | content. | |||
Please be aware that this YANG module uses groupings from other YANG | Please be aware that this YANG module uses groupings from other YANG | |||
modules that define nodes that may be considered sensitive or | modules that define nodes that may be considered sensitive or | |||
vulnerable in network environments. Please review the Security | vulnerable in network environments. Please review the Security | |||
skipping to change at line 2011 | skipping to change at line 2011 | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
[RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
Multiplexed and Secure Transport", RFC 9000, | Multiplexed and Secure Transport", RFC 9000, | |||
DOI 10.17487/RFC9000, May 2021, | DOI 10.17487/RFC9000, May 2021, | |||
<https://www.rfc-editor.org/info/rfc9000>. | <https://www.rfc-editor.org/info/rfc9000>. | |||
[RFC9640] Watsen, K., "YANG Data Types and Groupings for | [RFC9640] Watsen, K., "YANG Data Types and Groupings for | |||
Cryptography", RFC 9640, DOI 10.17487/RFC9640, August | Cryptography", RFC 9640, DOI 10.17487/RFC9640, October | |||
2024, <https://www.rfc-editor.org/info/rfc9640>. | 2024, <https://www.rfc-editor.org/info/rfc9640>. | |||
7.2. Informative References | 7.2. Informative References | |||
[HTTP-CLIENT-SERVER] | [HTTP-CLIENT-SERVER] | |||
Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
netconf-http-client-server-23, 15 August 2024, | netconf-http-client-server-23, 15 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
http-client-server-23>. | http-client-server-23>. | |||
skipping to change at line 2033 | skipping to change at line 2033 | |||
[NETCONF-CLIENT-SERVER] | [NETCONF-CLIENT-SERVER] | |||
Watsen, K., "NETCONF Client and Server Models", Work in | Watsen, K., "NETCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-netconf- | Progress, Internet-Draft, draft-ietf-netconf-netconf- | |||
client-server-37, 14 August 2024, | client-server-37, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
netconf-client-server-37>. | netconf-client-server-37>. | |||
[NETMOD-SYSTEM-CONFIG] | [NETMOD-SYSTEM-CONFIG] | |||
Ma, Q., Ed., Wu, Q., and C. Feng, "System-defined | Ma, Q., Ed., Wu, Q., and C. Feng, "System-defined | |||
Configuration", Work in Progress, Internet-Draft, draft- | Configuration", Work in Progress, Internet-Draft, draft- | |||
ietf-netmod-system-config-08, 18 June 2024, | ietf-netmod-system-config-09, 29 September 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | <https://datatracker.ietf.org/doc/html/draft-ietf-netmod- | |||
system-config-08>. | system-config-09>. | |||
[RESTCONF-CLIENT-SERVER] | [RESTCONF-CLIENT-SERVER] | |||
Watsen, K., "RESTCONF Client and Server Models", Work in | Watsen, K., "RESTCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | Progress, Internet-Draft, draft-ietf-netconf-restconf- | |||
client-server-38, 14 August 2024, | client-server-38, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
restconf-client-server-38>. | restconf-client-server-38>. | |||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
skipping to change at line 2073 | skipping to change at line 2073 | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
"Handling Long Lines in Content of Internet-Drafts and | "Handling Long Lines in Content of Internet-Drafts and | |||
RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
<https://www.rfc-editor.org/info/rfc8792>. | <https://www.rfc-editor.org/info/rfc8792>. | |||
[RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
RFC 9641, DOI 10.17487/RFC9641, August 2024, | RFC 9641, DOI 10.17487/RFC9641, October 2024, | |||
<https://www.rfc-editor.org/info/rfc9641>. | <https://www.rfc-editor.org/info/rfc9641>. | |||
[RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, August | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, October | |||
2024, <https://www.rfc-editor.org/info/rfc9643>. | 2024, <https://www.rfc-editor.org/info/rfc9643>. | |||
[RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
Servers", RFC 9644, DOI 10.17487/RFC9644, August 2024, | Servers", RFC 9644, DOI 10.17487/RFC9644, October 2024, | |||
<https://www.rfc-editor.org/info/rfc9644>. | <https://www.rfc-editor.org/info/rfc9644>. | |||
[RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
Servers", RFC 9645, DOI 10.17487/RFC9645, August 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, October 2024, | |||
<https://www.rfc-editor.org/info/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
[Std-802.1AR-2018] | [Std-802.1AR-2018] | |||
IEEE, "IEEE Standard for Local and Metropolitan Area | IEEE, "IEEE Standard for Local and Metropolitan Area | |||
Networks - Secure Device Identity", IEEE Std 802.1AR-2018, | Networks - Secure Device Identity", IEEE Std 802.1AR-2018, | |||
DOI 10.1109/IEEESTD.2018.8423794, August 2018, | DOI 10.1109/IEEESTD.2018.8423794, August 2018, | |||
<https://standards.ieee.org/standard/802_1AR-2018.html>. | <https://standards.ieee.org/standard/802_1AR-2018.html>. | |||
[W3C.REC-xml-20081126] | [W3C.REC-xml-20081126] | |||
Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., | Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., | |||
End of changes. 10 change blocks. | ||||
10 lines changed or deleted | 10 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |
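Worked example for the primary key (PK) and shared KEK indirection shown in the change block at line 1769: the crypto officer encrypts one shared KEK, offline, under each server's PK public key; a regular administrator installs the wrapped KEK on the server, which unwraps it with its hidden PK private key; keys configured afterwards are encrypted under the shared KEK and so can be pushed unchanged to every server in the fleet. This is an added illustration, not code from RFC 9642 or from any ietf-keystore implementation. It assumes RSA-OAEP(SHA-256) for wrapping and AES-256-GCM for encrypting configured keys (the excerpt fixes no algorithms), leaves open which party holds the cleartext KEK when a configured key is encrypted, and uses hypothetical names (Server, NewSharedKEK, WrapKEKForServer, InstallEncryptedKEK, EncryptUnderKEK, DecryptConfiguredKey) and a constructed sample key value. Uses only the Go standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Server stands in for one managed device. Its PK is a built-in asymmetric
// key; the private half is "hidden" in the RFC 9640 sense: nothing outside
// the unwrap step reads it. Names and types are illustrative (assumption).
type Server struct {
	Name      string
	pk        *rsa.PrivateKey // hidden-private-key; never exported
	sharedKEK []byte          // set once an administrator installs a PK-wrapped KEK
}

// NewServer mints a fresh PK. On real hardware this happens at manufacturing.
func NewServer(name string) (*Server, error) {
	pk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{Name: name, pk: pk}, nil
}

// PublicPK is the half carried in the identity certificate (e.g., IDevID),
// which is all the crypto officer needs to work offline.
func (s *Server) PublicPK() *rsa.PublicKey { return &s.pk.PublicKey }

// NewSharedKEK: crypto officer step one, a 256-bit KEK common to the fleet.
func NewSharedKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, kek)
	return kek, err
}

// WrapKEKForServer: crypto officer step two, repeated per server. The blob is
// safe to hand to a regular administrator; only that server's PK opens it.
func WrapKEKForServer(kek []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, kek, nil)
}

// InstallEncryptedKEK is the administrator's configuration step. A blob
// wrapped for a different server's PK is rejected and leaves state untouched.
func (s *Server) InstallEncryptedKEK(wrapped []byte) error {
	kek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.pk, wrapped, nil)
	if err != nil {
		return fmt.Errorf("%s: blob was not wrapped for this server's PK: %w", s.Name, err)
	}
	s.sharedKEK = kek
	return nil
}

// EncryptUnderKEK encrypts a configured key value under the shared KEK.
// Output is nonce || ciphertext || tag; the same blob works on every server
// that holds the same KEK.
func EncryptUnderKEK(kek, keyValue []byte) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, keyValue, nil), nil
}

// DecryptConfiguredKey is the server-side use of the hierarchy. The GCM tag
// rejects any tampering with the blob stored in the keystore.
func (s *Server) DecryptConfiguredKey(blob []byte) ([]byte, error) {
	if s.sharedKEK == nil {
		return nil, errors.New(s.Name + ": no shared KEK installed")
	}
	block, err := aes.NewCipher(s.sharedKEK)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	a, _ := NewServer("router-a")
	b, _ := NewServer("router-b")
	kek, _ := NewSharedKEK()
	wa, _ := WrapKEKForServer(kek, a.PublicPK())
	wb, _ := WrapKEKForServer(kek, b.PublicPK())
	_, _ = a.InstallEncryptedKEK(wa), b.InstallEncryptedKEK(wb)
	secret := []byte("constructed sample key value") // constructed input
	blob, _ := EncryptUnderKEK(kek, secret)
	ga, _ := a.DecryptConfiguredKey(blob)
	gb, _ := b.DecryptConfiguredKey(blob)
	fmt.Println("same blob opens on both servers:", bytes.Equal(ga, secret) && bytes.Equal(gb, secret))
	fmt.Println("router-b rejects router-a's wrapped KEK:", b.InstallEncryptedKEK(wa) != nil)
}
```

The two checks at the end are the properties the indirection buys: one encrypted key blob is valid fleet-wide, while a wrapped KEK is bound to the PK it was wrapped for, so a blob leaked in transit is useless to any other device. Note that the PK's own lifetime and rotation remain out of band, as the excerpt says.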