rfc9641v2.txt | rfc9641.txt | |||
---|---|---|---|---|
skipping to change at line 510 ¶ | skipping to change at line 510 ¶ | |||
+-- End entity certs for authenticating a set of remote servers | +-- End entity certs for authenticating a set of remote servers | |||
+-- Trust anchor certs for authenticating a set of remote clients | +-- Trust anchor certs for authenticating a set of remote clients | |||
+-- End entity certs for authenticating a set of remote clients | +-- End entity certs for authenticating a set of remote clients | |||
Public Key Bags | Public Key Bags | |||
+-- SSH keys to authenticate a set of remote SSH servers | +-- SSH keys to authenticate a set of remote SSH servers | |||
+-- SSH keys to authenticate a set of remote SSH clients | +-- SSH keys to authenticate a set of remote SSH clients | |||
+-- Raw public keys to authenticate a set of remote SSH servers | +-- Raw public keys to authenticate a set of remote SSH servers | |||
+-- Raw public keys to authenticate a set of remote SSH clients | +-- Raw public keys to authenticate a set of remote SSH clients | |||
Following is the full example: | The following full example uses the XML [W3C.REC-xml-20081126] | |||
encoding. | ||||
Note that long lines in examples are wrapped as described in | ||||
[RFC8792]. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- A bag of Certificate Bags --> | <!-- A bag of Certificate Bags --> | |||
<certificate-bags> | <certificate-bags> | |||
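Review bot: the two citations introduced in this hunk, [W3C.REC-xml-20081126] and [RFC8792], need matching entries in the references section, and the diff does add both there (the RFC 8792 entry between RFC 8572 and RFC 9642, the W3C entry after RFC 9645), so no citation is left dangling. The sentence "Note that long lines in examples are wrapped as described in [RFC8792]." is also well placed: this is the first example that carries the '\' wrapping banner, and because it says "examples" in the plural it covers the wrapped examples in Sections 2.2.2 and 2.2.3, which do not repeat it.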
skipping to change at line 690 ¶ | skipping to change at line 694 ¶ | |||
</public-key-bag> | </public-key-bag> | |||
</public-key-bags> | </public-key-bags> | |||
</truststore> | </truststore> | |||
2.2.2. A Certificate Expiration Notification | 2.2.2. A Certificate Expiration Notification | |||
The following example illustrates the "certificate-expiration" | The following example illustrates the "certificate-expiration" | |||
notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | |||
configured in the truststore described in Section 2.2.1. | configured in the truststore described in Section 2.2.1. | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<notification | <notification | |||
xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | |||
<eventTime>2018-05-25T00:01:00Z</eventTime> | <eventTime>2018-05-25T00:01:00Z</eventTime> | |||
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | |||
<certificate-bags> | <certificate-bags> | |||
<certificate-bag> | <certificate-bag> | |||
<name>trusted-client-ee-certs</name> | <name>trusted-client-ee-certs</name> | |||
<certificate> | <certificate> | |||
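Review bot: the encoding sentence added to Section 2.2.2 uses the same wording as the one introduced in Section 2.2.1 ("The following example uses the XML [W3C.REC-xml-20081126] encoding."), so the example sections now state their encoding uniformly. Not repeating the RFC 8792 wrapping note here is fine, since the earlier note applies to all examples and the '\' banner still immediately precedes this wrapped example.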
skipping to change at line 711 ¶ | skipping to change at line 717 ¶ | |||
<certificate-expiration> | <certificate-expiration> | |||
<expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | <expiration-date>2024-01-05T14:18:53-05:00</expiration-d\ | |||
ate> | ate> | |||
</certificate-expiration> | </certificate-expiration> | |||
</certificate> | </certificate> | |||
</certificate-bag> | </certificate-bag> | |||
</certificate-bags> | </certificate-bags> | |||
</truststore> | </truststore> | |||
</notification> | </notification> | |||
2.2.3. The "Local or Truststore" Groupings | 2.2.3. The "Inline or Truststore" Groupings | |||
This section illustrates the various "inline-or-truststore" groupings | This section illustrates the various "inline-or-truststore" groupings | |||
defined in the "ietf-truststore" module, specifically the "inline-or- | defined in the "ietf-truststore" module, specifically the "inline-or- | |||
truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | truststore-certs-grouping" (Section 2.1.3.3) and "inline-or- | |||
truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | truststore-public-keys-grouping" (Section 2.1.3.4) groupings. | |||
These examples assume the existence of an example module called "ex- | These examples assume the existence of an example module called "ex- | |||
truststore-usage" that has the namespace "https://example.com/ns/ | truststore-usage" that has the namespace "https://example.com/ns/ | |||
example-truststore-usage". | example-truststore-usage". | |||
skipping to change at line 783 ¶ | skipping to change at line 789 ¶ | |||
ts:central-public-key-bag-ref | ts:central-public-key-bag-ref | |||
The following example provides two equivalent instances of each | The following example provides two equivalent instances of each | |||
grouping, the first being a reference to a truststore and the second | grouping, the first being a reference to a truststore and the second | |||
being defined inline. The instance having a reference to a | being defined inline. The instance having a reference to a | |||
truststore is consistent with the truststore defined in | truststore is consistent with the truststore defined in | |||
Section 2.2.1. The two instances are equivalent, as the inlined | Section 2.2.1. The two instances are equivalent, as the inlined | |||
instance example contains the same values defined by the truststore | instance example contains the same values defined by the truststore | |||
instance referenced by its sibling example. | instance referenced by its sibling example. | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore-usage | <truststore-usage | |||
xmlns="https://example.com/ns/example-truststore-usage" | xmlns="https://example.com/ns/example-truststore-usage" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- The following two equivalent examples illustrate --> | <!-- The following two equivalent examples illustrate --> | |||
<!-- the "inline-or-truststore-certs-grouping" grouping: --> | <!-- the "inline-or-truststore-certs-grouping" grouping: --> | |||
<cert> | <cert> | |||
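Review bot: the added encoding sentence sits directly before the RFC 8792 wrapping banner, matching the placement in the earlier sections; no other line in this hunk changes. One wording nit in the unchanged context just above it: "the inlined instance example contains the same values defined by the truststore instance referenced by its sibling example" is hard to parse, and something like "the inline instance carries the same values as the truststore entry its sibling references" would read more easily.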
skipping to change at line 1321 ¶ | skipping to change at line 1329 ¶ | |||
The primary characteristic of the built-in trust anchors is that they | The primary characteristic of the built-in trust anchors is that they | |||
are provided by the server, as opposed to configuration. As such, | are provided by the server, as opposed to configuration. As such, | |||
they are present in <operational> (Section 5.3 of [RFC8342]) and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
<system> [NETMOD-SYSTEM-CONFIG], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
The example below illustrates what the truststore in <operational> | The example below illustrates what the truststore in <operational> | |||
might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
the built-in trust anchor bags have the "or:origin" annotation value | the built-in trust anchor bags have the "or:origin" annotation value | |||
"or:system". | "or:system". | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
or:origin="or:intended"> | or:origin="or:intended"> | |||
<certificate-bags> | <certificate-bags> | |||
<certificate-bag or:origin="or:system"> | <certificate-bag or:origin="or:system"> | |||
<name>Built-In Manufacturer Trust Anchor Certificates</name> | <name>Built-In Manufacturer Trust Anchor Certificates</name> | |||
<description> | <description> | |||
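Review bot: placing the encoding sentence directly before the <truststore> element is consistent with the earlier examples; this one has no '\' wrapping banner, so the sentence stands alone, which is fine. Separately, the visible context shows the root <truststore> element annotated or:origin="or:intended" while the built-in bag is annotated or:origin="or:system", but the prose above explains only the bag annotation; a half-sentence noting that the container itself is intended configuration while the built-in bags originate from the system would pre-empt the obvious question.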
skipping to change at line 1566 ¶ | skipping to change at line 1576 ¶ | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
<https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
[RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | [RFC8572] Watsen, K., Farrer, I., and M. Abrahamsson, "Secure Zero | |||
Touch Provisioning (SZTP)", RFC 8572, | Touch Provisioning (SZTP)", RFC 8572, | |||
DOI 10.17487/RFC8572, April 2019, | DOI 10.17487/RFC8572, April 2019, | |||
<https://www.rfc-editor.org/info/rfc8572>. | <https://www.rfc-editor.org/info/rfc8572>. | |||
[RFC9642] Watsen, K., "A YANG Data Model for a Keystore and Keystore | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
Operations", RFC 9642, DOI 10.17487/RFC9642, September | "Handling Long Lines in Content of Internet-Drafts and | |||
2024, <https://www.rfc-editor.org/info/rfc9642>. | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
<https://www.rfc-editor.org/info/rfc8792>. | ||||
[RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | ||||
DOI 10.17487/RFC9642, September 2024, | ||||
<https://www.rfc-editor.org/info/rfc9642>. | ||||
[RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | |||
September 2024, <https://www.rfc-editor.org/info/rfc9643>. | September 2024, <https://www.rfc-editor.org/info/rfc9643>. | |||
[RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | |||
<https://www.rfc-editor.org/info/rfc9644>. | <https://www.rfc-editor.org/info/rfc9644>. | |||
[RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | |||
<https://www.rfc-editor.org/info/rfc9645>. | <https://www.rfc-editor.org/info/rfc9645>. | |||
[W3C.REC-xml-20081126] | ||||
Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | ||||
and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
(Fifth Edition)", World Wide Web Consortium | ||||
Recommendation REC-xml-20081126, November 2008, | ||||
<https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
Acknowledgements | Acknowledgements | |||
The authors especially thank Henk Birkholz for contributing YANG to | The authors especially thank Henk Birkholz for contributing YANG to | |||
the "ietf-truststore" module supporting raw public keys and PSKs | the "ietf-truststore" module supporting raw public keys and PSKs | |||
(pre-shared or pairwise-symmetric keys). While these contributions | (pre-shared or pairwise-symmetric keys). While these contributions | |||
were eventually replaced by reusing the existing support for | were eventually replaced by reusing the existing support for | |||
asymmetric and symmetric trust anchors, respectively, it was only | asymmetric and symmetric trust anchors, respectively, it was only | |||
through Henk's initiative that the WG was able to come to that | through Henk's initiative that the WG was able to come to that | |||
result. | result. | |||
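Review bot: the RFC 9642 entry drops "and Keystore Operations" from its title; confirm that the shortened title "A YANG Data Model for a Keystore" matches the title as published, since reference titles are normally copied verbatim. The two new entries are in the right order (RFC 8792 numerically between RFC 8572 and RFC 9642, and the W3C entry after the RFC entries, in the style of the surrounding list) and both correspond to citations added in the earlier hunks, so the reference list and in-text citations remain consistent. The Acknowledgements are unchanged.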
End of changes. 7 change blocks. | ||||
5 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |