| rfc9641v2.txt | rfc9641.txt | |||
|---|---|---|---|---|
| skipping to change at line 510 ¶ | skipping to change at line 510 ¶ | |||
| +-- End entity certs for authenticating a set of remote servers | +-- End entity certs for authenticating a set of remote servers | |||
| +-- Trust anchor certs for authenticating a set of remote clients | +-- Trust anchor certs for authenticating a set of remote clients | |||
| +-- End entity certs for authenticating a set of remote clients | +-- End entity certs for authenticating a set of remote clients | |||
| Public Key Bags | Public Key Bags | |||
| +-- SSH keys to authenticate a set of remote SSH servers | +-- SSH keys to authenticate a set of remote SSH servers | |||
| +-- SSH keys to authenticate a set of remote SSH clients | +-- SSH keys to authenticate a set of remote SSH clients | |||
| +-- Raw public keys to authenticate a set of remote SSH servers | +-- Raw public keys to authenticate a set of remote SSH servers | |||
| +-- Raw public keys to authenticate a set of remote SSH clients | +-- Raw public keys to authenticate a set of remote SSH clients | |||
| Following is the full example: | The following full example uses the XML [W3C.REC-xml-20081126] | |||
| encoding. | ||||
| Note that long lines in examples are wrapped as described in | ||||
| [RFC8792]. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <truststore | <truststore | |||
| xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <!-- A bag of Certificate Bags --> | <!-- A bag of Certificate Bags --> | |||
| <certificate-bags> | <certificate-bags> | |||
| skipping to change at line 690 ¶ | skipping to change at line 694 ¶ | |||
| </public-key-bag> | </public-key-bag> | |||
| </public-key-bags> | </public-key-bags> | |||
| </truststore> | </truststore> | |||
| 2.2.2. A Certificate Expiration Notification | 2.2.2. A Certificate Expiration Notification | |||
| The following example illustrates the "certificate-expiration" | The following example illustrates the "certificate-expiration" | |||
| notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | |||
| configured in the truststore described in Section 2.2.1. | configured in the truststore described in Section 2.2.1. | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <notification | <notification | |||
| xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | |||
| <eventTime>2018-05-25T00:01:00Z</eventTime> | <eventTime>2018-05-25T00:01:00Z</eventTime> | |||
| <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | |||
| <certificate-bags> | <certificate-bags> | |||
| <certificate-bag> | <certificate-bag> | |||
| <name>trusted-client-ee-certs</name> | <name>trusted-client-ee-certs</name> | |||
| <certificate> | <certificate> | |||
| skipping to change at line 711 ¶ | skipping to change at line 717 ¶ | |||
| <certificate-expiration> | <certificate-expiration> | |||
| <expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | <expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | |||
| ate> | ate> | |||
| </certificate-expiration> | </certificate-expiration> | |||
| </certificate> | </certificate> | |||
| </certificate-bag> | </certificate-bag> | |||
| </certificate-bags> | </certificate-bags> | |||
| </truststore> | </truststore> | |||
| </notification> | </notification> | |||
| 2.2.3. The "Local or Truststore" Groupings | 2.2.3. The "Inline or Truststore" Groupings | |||
| This section illustrates the various "inline-or-truststore" groupings | This section illustrates the various "inline-or-truststore" groupings | |||
| defined in the "ietf-truststore" module, specifically the "inline-or- | defined in the "ietf-truststore" module, specifically the "inline-or- | |||
| truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | |||
| truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | |||
| These examples assume the existence of an example module called "ex- | These examples assume the existence of an example module called "ex- | |||
| truststore-usage" that has the namespace "https://example.com/ns/ | truststore-usage" that has the namespace "https://example.com/ns/ | |||
| example-truststore-usage". | example-truststore-usage". | |||
| skipping to change at line 783 ¶ | skipping to change at line 789 ¶ | |||
| ts:central-public-key-bag-ref | ts:central-public-key-bag-ref | |||
| The following example provides two equivalent instances of each | The following example provides two equivalent instances of each | |||
| grouping, the first being a reference to a truststore and the second | grouping, the first being a reference to a truststore and the second | |||
| being defined inline. The instance having a reference to a | being defined inline. The instance having a reference to a | |||
| truststore is consistent with the truststore defined in | truststore is consistent with the truststore defined in | |||
| Section 2.2.1. The two instances are equivalent, as the inlined | Section 2.2.1. The two instances are equivalent, as the inlined | |||
| instance example contains the same values defined by the truststore | instance example contains the same values defined by the truststore | |||
| instance referenced by its sibling example. | instance referenced by its sibling example. | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <truststore-usage | <truststore-usage | |||
| xmlns="https://example.com/ns/example-truststore-usage" | xmlns="https://example.com/ns/example-truststore-usage" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <!-- The following two equivalent examples illustrate --> | <!-- The following two equivalent examples illustrate --> | |||
| <!-- the "inline-or-truststore-certs-grouping" grouping: --> | <!-- the "inline-or-truststore-certs-grouping" grouping: --> | |||
| <cert> | <cert> | |||
| skipping to change at line 1321 ¶ | skipping to change at line 1329 ¶ | |||
| The primary characteristic of the built-in trust anchors is that they | The primary characteristic of the built-in trust anchors is that they | |||
| are provided by the server, as opposed to configuration. As such, | are provided by the server, as opposed to configuration. As such, | |||
| they are present in <operational> (Section 5.3 of [RFC8342]) and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
| <system> [NETMOD-SYSTEM-CONFIG], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
| The example below illustrates what the truststore in <operational> | The example below illustrates what the truststore in <operational> | |||
| might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
| the built-in trust anchor bags have the "or:origin" annotation value | the built-in trust anchor bags have the "or:origin" annotation value | |||
| "or:system". | "or:system". | |||
| The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
| <truststore | <truststore | |||
| xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
| xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
| or:origin="or:intended"> | or:origin="or:intended"> | |||
| <certificate-bags> | <certificate-bags> | |||
| <certificate-bag or:origin="or:system"> | <certificate-bag or:origin="or:system"> | |||
| <name>Built-In Manufacturer Trust Anchor Certificates</name> | <name>Built-In Manufacturer Trust Anchor Certificates</name> | |||
| <description> | <description> | |||
| skipping to change at line 1566 ¶ | skipping to change at line 1576 ¶ | |||
| [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
| Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
| DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
| <https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
| [RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | [RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | |||
| Touch Provisioning (SZTP)", RFC 8572, | Touch Provisioning (SZTP)", RFC 8572, | |||
| DOI 10.17487/RFC8572, April 2019, | DOI 10.17487/RFC8572, April 2019, | |||
| <https://www.rfc-editor.org/info/rfc8572>. | <https://www.rfc-editor.org/info/rfc8572>. | |||
| [RFC9642] Watsen, K., "A YANG Data Model for a Keystore and Keystore | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
| Operations", RFC 9642, DOI 10.17487/RFC9642, September | "Handling Long Lines in Content of Internet-Drafts and | |||
| 2024, <https://www.rfc-editor.org/info/rfc9642>. | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
| <https://www.rfc-editor.org/info/rfc8792>. | ||||
| [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | ||||
| DOI 10.17487/RFC9642, September 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9642>. | ||||
| [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
| and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | |||
| September 2024, <https://www.rfc-editor.org/info/rfc9643>. | September 2024, <https://www.rfc-editor.org/info/rfc9643>. | |||
| [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
| Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | |||
| <https://www.rfc-editor.org/info/rfc9644>. | <https://www.rfc-editor.org/info/rfc9644>. | |||
| [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
| Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | |||
| <https://www.rfc-editor.org/info/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
| [W3C.REC-xml-20081126] | ||||
| Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | ||||
| and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
| (Fifth Edition)", World Wide Web Consortium | ||||
| Recommendation REC-xml-20081126, November 2008, | ||||
| <https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
| Acknowledgements | Acknowledgements | |||
| The authors especially thank Henk Birkholz for contributing YANG to | The authors especially thank Henk Birkholz for contributing YANG to | |||
| the "ietf-truststore" module supporting raw public keys and PSKs | the "ietf-truststore" module supporting raw public keys and PSKs | |||
| (pre-shared or pairwise-symmetric keys). While these contributions | (pre-shared or pairwise-symmetric keys). While these contributions | |||
| were eventually replaced by reusing the existing support for | were eventually replaced by reusing the existing support for | |||
| asymmetric and symmetric trust anchors, respectively, it was only | asymmetric and symmetric trust anchors, respectively, it was only | |||
| through Henk's initiative that the WG was able to come to that | through Henk's initiative that the WG was able to come to that | |||
| result. | result. | |||
| End of changes. 7 change blocks. | ||||
| 5 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||