| rfc9640.original | rfc9640.txt | |||
|---|---|---|---|---|
| NETCONF Working Group K. Watsen | Internet Engineering Task Force (IETF) K. Watsen | |||
| Internet-Draft Watsen Networks | Request for Comments: 9640 Watsen Networks | |||
| Intended status: Standards Track 16 March 2024 | Category: Standards Track September 2024 | |||
| Expires: 17 September 2024 | ISSN: 2070-1721 | |||
| YANG Data Types and Groupings for Cryptography | YANG Data Types and Groupings for Cryptography | |||
| draft-ietf-netconf-crypto-types-34 | ||||
| Abstract | Abstract | |||
| This document presents a YANG 1.1 (RFC 7950) module defining | This document presents a YANG 1.1 (RFC 7950) module defining | |||
| identities, typedefs, and groupings useful to cryptographic | identities, typedefs, and groupings useful to cryptographic | |||
| applications. | applications. | |||
| Editorial Note (To be removed by RFC Editor) | ||||
| This draft contains placeholder values that need to be replaced with | ||||
| finalized values at the time of publication. This note summarizes | ||||
| all of the substitutions that are needed. No other RFC Editor | ||||
| instructions are specified elsewhere in this document. | ||||
| Artwork in this document contains shorthand references to drafts in | ||||
| progress. Please apply the following replacements: | ||||
| * AAAA --> the assigned RFC value for this draft | ||||
| Artwork in this document contains placeholder values for the date of | ||||
| publication of this draft. Please apply the following replacement: | ||||
| * 2024-03-16 --> the publication date of this draft | ||||
| The "Relation to other RFCs" section Section 1.1 contains the text | ||||
| "one or more YANG modules" and, later, "modules". This text is | ||||
| sourced from a file in a context where it is unknown how many modules | ||||
| a draft defines. The text is not wrong as is, but it may be improved | ||||
| by stating more directly how many modules are defined. | ||||
| The "Relation to other RFCs" section Section 1.1 contains a self- | ||||
| reference to this draft, along with a corresponding reference in the | ||||
| Appendix. Please replace the self-reference in this section with | ||||
| "This RFC" (or similar) and remove the self-reference in the | ||||
| "Normative/Informative References" section, whichever it is in. | ||||
| Tree-diagrams in this draft may use the '\' line-folding mode defined | ||||
| in RFC 8792. However, nicer-to-the-eye is when the '\\' line-folding | ||||
| mode is used. The AD suggested suggested putting a request here for | ||||
| the RFC Editor to help convert "ugly" '\' folded examples to use the | ||||
| '\\' folding mode. "Help convert" may be interpreted as, identify | ||||
| what looks ugly and ask the authors to make the adjustment. | ||||
| The following Appendix section is to be removed prior to publication: | ||||
| * Appendix A. Change Log | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
| provisions of BCP 78 and BCP 79. | ||||
| Internet-Drafts are working documents of the Internet Engineering | ||||
| Task Force (IETF). Note that other groups may also distribute | ||||
| working documents as Internet-Drafts. The list of current Internet- | ||||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
| Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
| and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
| time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
| material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
| Internet Standards is available in Section 2 of RFC 7841. | ||||
| This Internet-Draft will expire on 17 September 2024. | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | ||||
| https://www.rfc-editor.org/info/rfc9640. | ||||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
| license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
| and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
| extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
| described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
| provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
| in the Revised BSD License. | ||||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction | |||
| 1.1. Relation to other RFCs . . . . . . . . . . . . . . . . . 4 | 1.1. Relation to Other RFCs | |||
| 1.2. Specification Language . . . . . . . . . . . . . . . . . 6 | 1.2. Specification Language | |||
| 1.3. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 6 | 1.3. Adherence to the NMDA | |||
| 1.4. Conventions . . . . . . . . . . . . . . . . . . . . . . . 6 | 1.4. Conventions | |||
| 2. The "ietf-crypto-types" Module . . . . . . . . . . . . . . . 6 | 2. The "ietf-crypto-types" Module | |||
| 2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 6 | 2.1. Data Model Overview | |||
| 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 17 | 2.2. Example Usage | |||
| 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 26 | 2.3. YANG Module | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 49 | 3. Security Considerations | |||
| 3.1. No Support for CRMF . . . . . . . . . . . . . . . . . . . 49 | 3.1. No Support for CRMF | |||
| 3.2. No Support for Key Generation . . . . . . . . . . . . . . 50 | 3.2. No Support for Key Generation | |||
| 3.3. Unconstrained Public Key Usage . . . . . . . . . . . . . 50 | 3.3. Unconstrained Public Key Usage | |||
| 3.4. Unconstrained Private Key Usage . . . . . . . . . . . . . 50 | 3.4. Unconstrained Private Key Usage | |||
| 3.5. Cleartext Passwords and Keys . . . . . . . . . . . . . . 50 | 3.5. Cleartext Passwords and Keys | |||
| 3.6. Encrypting Passwords and Keys . . . . . . . . . . . . . . 51 | 3.6. Encrypting Passwords and Keys | |||
| 3.7. Deletion of Cleartext Key Values . . . . . . . . . . . . 51 | 3.7. Deletion of Cleartext Key Values | |||
| 3.8. Considerations for the "ietf-crypto-types" YANG Module . 51 | 3.8. Considerations for the "ietf-crypto-types" YANG Module | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 53 | 4. IANA Considerations | |||
| 4.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 53 | 4.1. The IETF XML Registry | |||
| 4.2. The "YANG Module Names" Registry . . . . . . . . . . . . 53 | 4.2. The YANG Module Names Registry | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 53 | 5. References | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . 53 | 5.1. Normative References | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . 55 | 5.2. Informative References | |||
| Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 58 | Acknowledgements | |||
| A.1. I-D to 00 . . . . . . . . . . . . . . . . . . . . . . . . 58 | Author's Address | |||
| A.2. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
| A.3. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
| A.4. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 58 | ||||
| A.5. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 59 | ||||
| A.6. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 59 | ||||
| A.7. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 59 | ||||
| A.8. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
| A.9. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
| A.10. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
| A.11. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 60 | ||||
| A.12. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||
| A.13. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||
| A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 61 | ||||
| A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 62 | ||||
| A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 62 | ||||
| A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 62 | ||||
| A.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 63 | ||||
| A.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 63 | ||||
| A.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 63 | ||||
| A.21. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.22. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.23. 21 to 22 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.24. 22 to 23 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.25. 23 to 24 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.26. 24 to 25 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.27. 25 to 26 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.28. 26 to 27 . . . . . . . . . . . . . . . . . . . . . . . . 64 | ||||
| A.29. 27 to 28 . . . . . . . . . . . . . . . . . . . . . . . . 65 | ||||
| A.30. 28 to 29 . . . . . . . . . . . . . . . . . . . . . . . . 65 | ||||
| A.31. 29 to 30 . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| A.32. 30 to 32 . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| A.33. 32 to 34 . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 66 | ||||
| 1. Introduction | 1. Introduction | |||
| This document presents a YANG 1.1 [RFC7950] module defining | This document presents a YANG 1.1 [RFC7950] module defining | |||
| identities, typedefs, and groupings useful to cryptographic | identities, typedefs, and groupings useful to cryptographic | |||
| applications. | applications. | |||
| 1.1. Relation to other RFCs | 1.1. Relation to Other RFCs | |||
| This document presents one or more YANG modules [RFC7950] that are | This document presents a YANG module [RFC7950] that is part of a | |||
| part of a collection of RFCs that work together to, ultimately, | collection of RFCs that work together to, ultimately, support the | |||
| support the configuration of both the clients and servers of both the | configuration of both the clients and servers of both the Network | |||
| NETCONF [RFC6241] and RESTCONF [RFC8040] protocols. | Configuration Protocol (NETCONF) [RFC6241] and RESTCONF [RFC8040]. | |||
| The dependency relationship between the primary YANG groupings | The dependency relationship between the primary YANG groupings | |||
| defined in the various RFCs is presented in the below diagram. In | defined in the various RFCs is presented in the below diagram. In | |||
| some cases, a draft may define secondary groupings that introduce | some cases, a document may define secondary groupings that introduce | |||
| dependencies not illustrated in the diagram. The labels in the | dependencies not illustrated in the diagram. The labels in the | |||
| diagram are a shorthand name for the defining RFC. The citation | diagram are shorthand names for the defining RFCs. The citation | |||
| reference for shorthand name is provided below the diagram. | references for the shorthand names are provided below the diagram. | |||
| Please note that the arrows in the diagram point from referencer to | Please note that the arrows in the diagram point from referencer to | |||
| referenced. For example, the "crypto-types" RFC does not have any | referenced. For example, the "crypto-types" RFC does not have any | |||
| dependencies, whilst the "keystore" RFC depends on the "crypto-types" | dependencies, whilst the "keystore" RFC depends on the "crypto-types" | |||
| RFC. | RFC. | |||
| crypto-types | crypto-types | |||
| ^ ^ | ^ ^ | |||
| / \ | / \ | |||
| / \ | / \ | |||
| skipping to change at page 5, line 28 ¶ | skipping to change at line 121 ¶ | |||
| | | | | | ^ | | | | | | ^ | |||
| | | | +-----+ +---------+ | | | | | +-----+ +---------+ | | |||
| | | | | | | | | | | | | | | |||
| | +-----------|--------|--------------+ | | | | +-----------|--------|--------------+ | | | |||
| | | | | | | | | | | | | | | |||
| +-----------+ | | | | | | +-----------+ | | | | | | |||
| | | | | | | | | | | | | | | |||
| | | | | | | | | | | | | | | |||
| netconf-client-server restconf-client-server | netconf-client-server restconf-client-server | |||
| +======================+===========================================+ | +========================+==========================+ | |||
| |Label in Diagram | Originating RFC | | | Label in Diagram | Reference | | |||
| +======================+===========================================+ | +========================+==========================+ | |||
| |crypto-types | [I-D.ietf-netconf-crypto-types] | | | crypto-types | RFC 9640 | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |truststore | [I-D.ietf-netconf-trust-anchors] | | | truststore | [RFC9641] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |keystore | [I-D.ietf-netconf-keystore] | | | keystore | [RFC9642] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |tcp-client-server | [I-D.ietf-netconf-tcp-client-server] | | | tcp-client-server | [RFC9643] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |ssh-client-server | [I-D.ietf-netconf-ssh-client-server] | | | ssh-client-server | [RFC9644] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |tls-client-server | [I-D.ietf-netconf-tls-client-server] | | | tls-client-server | [RFC9645] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |http-client-server | [I-D.ietf-netconf-http-client-server] | | | http-client-server | [HTTP-CLIENT-SERVER] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |netconf-client-server | [I-D.ietf-netconf-netconf-client-server] | | | netconf-client-server | [NETCONF-CLIENT-SERVER] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| |restconf-client-server| [I-D.ietf-netconf-restconf-client-server] | | | restconf-client-server | [RESTCONF-CLIENT-SERVER] | | |||
| +----------------------+-------------------------------------------+ | +------------------------+--------------------------+ | |||
| Table 1: Label in Diagram to RFC Mapping | Table 1: Labels in Diagram to RFC Mapping | |||
| 1.2. Specification Language | 1.2. Specification Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.3. Adherence to the NMDA | 1.3. Adherence to the NMDA | |||
| This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
| Architecture (NMDA) [RFC8342]. It does not define any protocol | Architecture (NMDA) [RFC8342]. It does not define any protocol- | |||
| accessible nodes that are "config false". | accessible nodes that are "config false". | |||
| 1.4. Conventions | 1.4. Conventions | |||
| Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
| value for binary data that has been base64 encoded (per Section 9.8 | value for binary data that has been base64 encoded (per Section 9.8 | |||
| of [RFC7950]). This placeholder value is used because real base64 | of [RFC7950]). This placeholder value is used because real | |||
| encoded structures are often many lines long and hence distracting to | base64-encoded structures are often many lines long and hence | |||
| the example being presented. | distracting to the example being presented. | |||
| Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
| encoding. Other encodings, such as JSON [RFC8259], could | ||||
| alternatively be used. | ||||
| Various examples in this document contain long lines that may be | ||||
| folded, as described in [RFC8792]. | ||||
| 2. The "ietf-crypto-types" Module | 2. The "ietf-crypto-types" Module | |||
| This section defines a YANG 1.1 [RFC7950] module called "ietf-crypto- | This section defines a YANG 1.1 [RFC7950] module called "ietf-crypto- | |||
| types". A high-level overview of the module is provided in | types". A high-level overview of the module is provided in | |||
| Section 2.1. Examples illustrating the module's use are provided in | Section 2.1. Examples illustrating the module's use are provided in | |||
| Examples (Section 2.2). The YANG module itself is defined in | Section 2.2. The YANG module itself is defined in Section 2.3. | |||
| Section 2.3. | ||||
| 2.1. Data Model Overview | 2.1. Data Model Overview | |||
| This section provides an overview of the "ietf-crypto-types" module | This section provides an overview of the "ietf-crypto-types" module | |||
| in terms of its features, identities, typedefs, and groupings. | in terms of its features, identities, typedefs, and groupings. | |||
| 2.1.1. Features | 2.1.1. Features | |||
| The following diagram lists all the "feature" statements defined in | The following diagram lists all the "feature" statements defined in | |||
| the "ietf-crypto-types" module: | the "ietf-crypto-types" module: | |||
| skipping to change at page 8, line 39 ¶ | skipping to change at line 253 ¶ | |||
| The diagram above uses syntax that is similar to but not the same as | The diagram above uses syntax that is similar to but not the same as | |||
| that in [RFC8340]. | that in [RFC8340]. | |||
| Comments: | Comments: | |||
| * The diagram shows that there are five base identities. The first | * The diagram shows that there are five base identities. The first | |||
| three identities are used to indicate the format for the key data, | three identities are used to indicate the format for the key data, | |||
| while the fourth identity is used to indicate the format for | while the fourth identity is used to indicate the format for | |||
| encrypted values. The fifth identity is used to indicate the | encrypted values. The fifth identity is used to indicate the | |||
| format for a certificate signing request. The base identities are | format for a certificate signing request (CSR). The base | |||
| "abstract", in the object oriented programming sense, in that they | identities are "abstract", in the object oriented programming | |||
| only define a "class" of formats, rather than a specific format. | sense, in that they only define a "class" of formats, rather than | |||
| a specific format. | ||||
| * The various terminal identities define specific encoding formats. | * The various terminal identities define specific encoding formats. | |||
| The derived identities defined in this document are sufficient for | The derived identities defined in this document are sufficient for | |||
| the effort described in Section 1.1 but, by nature of them being | the effort described in Section 1.1, but by nature of them being | |||
| identities, additional derived identities MAY be defined by future | identities, additional derived identities MAY be defined by future | |||
| efforts. | efforts. | |||
| * Identities used to specify uncommon formats are enabled by | * Identities used to specify uncommon formats are enabled by | |||
| "feature" statements, allowing applications to support them when | "feature" statements, allowing applications to support them when | |||
| needed. | needed. | |||
| 2.1.3. Typedefs | 2.1.3. Typedefs | |||
| The following diagram illustrates the relationship amongst the | The following diagram illustrates the relationship amongst the | |||
| skipping to change at page 10, line 36 ¶ | skipping to change at line 348 ¶ | |||
| Comments: | Comments: | |||
| * The "encrypted-by" node is an empty container (difficult to see in | * The "encrypted-by" node is an empty container (difficult to see in | |||
| the diagram) that a consuming module MUST augment key references | the diagram) that a consuming module MUST augment key references | |||
| into. The "ietf-crypto-types" module is unable to populate this | into. The "ietf-crypto-types" module is unable to populate this | |||
| container as the module only defines groupings. Section 2.2.1 | container as the module only defines groupings. Section 2.2.1 | |||
| presents an example illustrating a consuming module populating the | presents an example illustrating a consuming module populating the | |||
| "encrypted-by" container. | "encrypted-by" container. | |||
| * The "encrypted-value" node is the value, encrypted by the key | * The "encrypted-value" node is the value encrypted by the key | |||
| referenced by the "encrypted-by" node, and encoded in the format | referenced by the "encrypted-by" node and encoded in the format | |||
| appropriate for the kind of key it was encrypted by. | appropriate for the kind of key it was encrypted by. | |||
| - If the value is encrypted by a symmetric key, then the | - If the value is encrypted by a symmetric key, then the | |||
| encrypted value is encoded using the format associated with the | encrypted value is encoded using the format associated with the | |||
| "symmetrically-encrypted-value-format" identity. | "symmetrically-encrypted-value-format" identity. | |||
| - If the value is encrypted by an asymmetric key, then the | - If the value is encrypted by an asymmetric key, then the | |||
| encrypted value is encoded using the format associated with the | encrypted value is encoded using the format associated with the | |||
| "asymmetrically-encrypted-value-format" identity. | "asymmetrically-encrypted-value-format" identity. | |||
| See Section 2.1.2 for information about the "format" identities. | See Section 2.1.2 for information about the "format" identities. | |||
| 2.1.4.2. The "password-grouping" Grouping | 2.1.4.2. The "password-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "password-grouping" grouping. This tree diagram does not expand the | "password-grouping" grouping. This tree diagram does not expand the | |||
| internally used grouping statement(s): | internally used "grouping" statement(s): | |||
| grouping password-grouping: | grouping password-grouping: | |||
| +-- (password-type) | +-- (password-type) | |||
| +--:(cleartext-password) {cleartext-passwords}? | +--:(cleartext-password) {cleartext-passwords}? | |||
| | +-- cleartext-password? string | | +-- cleartext-password? string | |||
| +--:(encrypted-password) {encrypted-passwords}? | +--:(encrypted-password) {encrypted-passwords}? | |||
| +-- encrypted-password | +-- encrypted-password | |||
| +---u encrypted-value-grouping | +---u encrypted-value-grouping | |||
| Comments: | Comments: | |||
| * The "password-grouping" enables configuration of credentials | * The "password-grouping" enables the configuration of credentials | |||
| needed to authenticate to a remote system. The 'ianach:crypt- | needed to authenticate to a remote system. The "ianach:crypt- | |||
| hash' typedef from [RFC7317] should be used instead when needing | hash" typedef from [RFC7317] should be used instead when needing | |||
| to configure a password to authencate a local account. | to configure a password to authenticate a local account. | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "encrypted-value-grouping" grouping is discussed in | - The "encrypted-value-grouping" grouping is discussed in | |||
| Section 2.1.4.1. | Section 2.1.4.1. | |||
| * The "choice" statement enables the password data to be cleartext | * The "choice" statement enables the password data to be cleartext | |||
| or encrypted, as follows: | or encrypted, as follows: | |||
| - The "cleartext-password" node can encode any cleartext value. | - The "cleartext-password" node can encode any cleartext value. | |||
| - The "encrypted-password" node's structure is discussed in | ||||
| Section 2.1.4.1. | - The "encrypted-password" node is an instance of the "encrypted- | |||
| value-grouping" discussed in Section 2.1.4.1. | ||||
| 2.1.4.3. The "symmetric-key-grouping" Grouping | 2.1.4.3. The "symmetric-key-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "symmetric-key-grouping" grouping. This tree diagram does not expand | "symmetric-key-grouping" grouping. This tree diagram does not expand | |||
| the internally used grouping statement(s): | the internally used "grouping" statement(s): | |||
| grouping symmetric-key-grouping: | grouping symmetric-key-grouping: | |||
| +-- key-format? identityref | +-- key-format? identityref | |||
| +-- (key-type) | +-- (key-type) | |||
| +--:(cleartext-symmetric-key) | +--:(cleartext-symmetric-key) | |||
| | +-- cleartext-symmetric-key? binary | | +-- cleartext-symmetric-key? binary | |||
| | {cleartext-symmetric-keys}? | | {cleartext-symmetric-keys}? | |||
| +--:(hidden-symmetric-key) {hidden-symmetric-keys}? | +--:(hidden-symmetric-key) {hidden-symmetric-keys}? | |||
| | +-- hidden-symmetric-key? empty | | +-- hidden-symmetric-key? empty | |||
| +--:(encrypted-symmetric-key) {encrypted-symmetric-keys}? | +--:(encrypted-symmetric-key) {encrypted-symmetric-keys}? | |||
| +-- encrypted-symmetric-key | +-- encrypted-symmetric-key | |||
| +---u encrypted-value-grouping | +---u encrypted-value-grouping | |||
| Comments: | Comments: | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "encrypted-value-grouping" grouping is discussed in | - The "encrypted-value-grouping" grouping is discussed in | |||
| Section 2.1.4.1. | Section 2.1.4.1. | |||
| * The "key-format" node is an identity-reference to the "symmetric- | * The "key-format" node is an identity-reference to the "symmetric- | |||
| key-format" abstract base identity discussed in Section 2.1.2, | key-format" abstract base identity discussed in Section 2.1.2, | |||
| enabling the symmetric key to be encoded using any of the formats | enabling the symmetric key to be encoded using any of the formats | |||
| defined by the derived identities. | defined by the derived identities. | |||
| * The "choice" statement enables the private key data to be | * The "choice" statement enables the private key data to be | |||
| skipping to change at page 12, line 34 ¶ | skipping to change at line 431 ¶ | |||
| * The "key-format" node is an identity-reference to the "symmetric- | * The "key-format" node is an identity-reference to the "symmetric- | |||
| key-format" abstract base identity discussed in Section 2.1.2, | key-format" abstract base identity discussed in Section 2.1.2, | |||
| enabling the symmetric key to be encoded using any of the formats | enabling the symmetric key to be encoded using any of the formats | |||
| defined by the derived identities. | defined by the derived identities. | |||
| * The "choice" statement enables the private key data to be | * The "choice" statement enables the private key data to be | |||
| cleartext, encrypted, or hidden, as follows: | cleartext, encrypted, or hidden, as follows: | |||
| - The "cleartext-symmetric-key" node can encode any cleartext key | - The "cleartext-symmetric-key" node can encode any cleartext key | |||
| value. | value. | |||
| - The "hidden-symmetric-key" node is of type "empty" as the real | - The "hidden-symmetric-key" node is of type "empty" as the real | |||
| value cannot be presented via the management interface. | value cannot be presented via the management interface. | |||
| - The "encrypted-symmetric-key" node's structure is discussed in | - The "encrypted-symmetric-key" node's structure is discussed in | |||
| Section 2.1.4.1. | Section 2.1.4.1. | |||
| 2.1.4.4. The "public-key-grouping" Grouping | 2.1.4.4. The "public-key-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "public-key-grouping" grouping. This tree diagram does not expand | "public-key-grouping" grouping. This tree diagram does not expand | |||
| any internally used grouping statement(s): | any internally used "grouping" statement(s): | |||
| grouping public-key-grouping: | grouping public-key-grouping: | |||
| +-- public-key-format identityref | +-- public-key-format identityref | |||
| +-- public-key binary | +-- public-key binary | |||
| Comments: | Comments: | |||
| * The "public-key-format" node is an identity-reference to the | * The "public-key-format" node is an identity-reference to the | |||
| "public-key-format" abstract base identity discussed in | "public-key-format" abstract base identity discussed in | |||
| Section 2.1.2, enabling the public key to be encoded using any of | Section 2.1.2, enabling the public key to be encoded using any of | |||
| skipping to change at page 13, line 19 ¶ | skipping to change at line 464 ¶ | |||
| * The "public-key" node is the public key data in the selected | * The "public-key" node is the public key data in the selected | |||
| format. No "choice" statement is used to hide or encrypt the | format. No "choice" statement is used to hide or encrypt the | |||
| public key data because it is unnecessary to do so for public | public key data because it is unnecessary to do so for public | |||
| keys. | keys. | |||
| 2.1.4.5. The "private-key-grouping" Grouping | 2.1.4.5. The "private-key-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "private-key-grouping" grouping. This tree diagram does not expand | "private-key-grouping" grouping. This tree diagram does not expand | |||
| the internally used grouping statement(s): | the internally used "grouping" statement(s): | |||
| grouping private-key-grouping: | grouping private-key-grouping: | |||
| +-- private-key-format? identityref | +-- private-key-format? identityref | |||
| +-- (private-key-type) | +-- (private-key-type) | |||
| +--:(cleartext-private-key) {cleartext-private-keys}? | +--:(cleartext-private-key) {cleartext-private-keys}? | |||
| | +-- cleartext-private-key? binary | | +-- cleartext-private-key? binary | |||
| +--:(hidden-private-key) {hidden-private-keys}? | +--:(hidden-private-key) {hidden-private-keys}? | |||
| | +-- hidden-private-key? empty | | +-- hidden-private-key? empty | |||
| +--:(encrypted-private-key) {encrypted-private-keys}? | +--:(encrypted-private-key) {encrypted-private-keys}? | |||
| +-- encrypted-private-key | +-- encrypted-private-key | |||
| +---u encrypted-value-grouping | +---u encrypted-value-grouping | |||
| Comments: | Comments: | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "encrypted-value-grouping" grouping is discussed in | - The "encrypted-value-grouping" grouping is discussed in | |||
| Section 2.1.4.1. | Section 2.1.4.1. | |||
| * The "private-key-format" node is an identity-reference to the | * The "private-key-format" node is an identity-reference to the | |||
| "private-key-format" abstract base identity discussed in | "private-key-format" abstract base identity discussed in | |||
| Section 2.1.2, enabling the private key to be encoded using any of | Section 2.1.2, enabling the private key to be encoded using any of | |||
| the formats defined by the derived identities. | the formats defined by the derived identities. | |||
| * The "choice" statement enables the private key data to be | * The "choice" statement enables the private key data to be | |||
| skipping to change at page 13, line 49 ¶ | skipping to change at line 494 ¶ | |||
| * The "private-key-format" node is an identity-reference to the | * The "private-key-format" node is an identity-reference to the | |||
| "private-key-format" abstract base identity discussed in | "private-key-format" abstract base identity discussed in | |||
| Section 2.1.2, enabling the private key to be encoded using any of | Section 2.1.2, enabling the private key to be encoded using any of | |||
| the formats defined by the derived identities. | the formats defined by the derived identities. | |||
| * The "choice" statement enables the private key data to be | * The "choice" statement enables the private key data to be | |||
| cleartext, encrypted, or hidden, as follows: | cleartext, encrypted, or hidden, as follows: | |||
| - The "cleartext-private-key" node can encode any cleartext key | - The "cleartext-private-key" node can encode any cleartext key | |||
| value. | value. | |||
| - The "hidden-private-key" node is of type "empty" as the real | - The "hidden-private-key" node is of type "empty" as the real | |||
| value cannot be presented via the management interface. | value cannot be presented via the management interface. | |||
| - The "encrypted-private-key" node's structure is discussed in | - The "encrypted-private-key" node's structure is discussed in | |||
| Section 2.1.4.1. | Section 2.1.4.1. | |||
| 2.1.4.6. The "asymmetric-key-pair-grouping" Grouping | 2.1.4.6. The "asymmetric-key-pair-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "asymmetric-key-pair-grouping" grouping. This tree diagram does not | "asymmetric-key-pair-grouping" grouping. This tree diagram does not | |||
| expand the internally used grouping statement(s): | expand the internally used "grouping" statement(s): | |||
| grouping asymmetric-key-pair-grouping: | grouping asymmetric-key-pair-grouping: | |||
| +---u public-key-grouping | +---u public-key-grouping | |||
| +---u private-key-grouping | +---u private-key-grouping | |||
| Comments: | Comments: | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "public-key-grouping" grouping is discussed in | - The "public-key-grouping" grouping is discussed in | |||
| Section 2.1.4.4. | Section 2.1.4.4. | |||
| - The "private-key-grouping" grouping is discussed in | - The "private-key-grouping" grouping is discussed in | |||
| Section 2.1.4.5. | Section 2.1.4.5. | |||
| 2.1.4.7. The "certificate-expiration-grouping" Grouping | 2.1.4.7. The "certificate-expiration-grouping" Grouping | |||
| The following tree diagram [RFC8340] illustrates the "certificate- | This section presents a tree diagram [RFC8340] illustrating the | |||
| expiration-grouping" grouping: | "certificate-expiration-grouping" grouping: | |||
| grouping certificate-expiration-grouping: | grouping certificate-expiration-grouping: | |||
| +---n certificate-expiration | +---n certificate-expiration | |||
| {certificate-expiration-notification}? | {certificate-expiration-notification}? | |||
| +-- expiration-date yang:date-and-time | +-- expiration-date yang:date-and-time | |||
| Comments: | Comments: | |||
| * This grouping's only purpose is to define the "certificate- | * This grouping's only purpose is to define the "certificate- | |||
| expiration" notification statement, used by the groupings defined | expiration" notification statement, used by the groupings defined | |||
| in Section 2.1.4.8 and Section 2.1.4.9. | in Sections 2.1.4.8 and 2.1.4.9. | |||
| * The "certificate-expiration" notification enables servers to | * The "certificate-expiration" notification enables servers to | |||
| notify clients when certificates are nearing expiration. | notify clients when certificates are nearing expiration. | |||
| * The "expiration-date" node indicates when the designated | * The "expiration-date" node indicates when the designated | |||
| certificate will (or did) expire. | certificate will (or did) expire. | |||
| * Identification of the certificate that is expiring is built into | * Identification of the certificate that is expiring is built into | |||
| the notification itself. For an example, please see | the notification itself. For an example, please see | |||
| Section 2.2.3. | Section 2.2.3. | |||
| 2.1.4.8. The "trust-anchor-cert-grouping" Grouping | 2.1.4.8. The "trust-anchor-cert-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "trust-anchor-cert-grouping" grouping. This tree diagram does not | "trust-anchor-cert-grouping" grouping. This tree diagram does not | |||
| expand the internally used grouping statement(s): | expand the internally used "grouping" statement(s): | |||
| grouping trust-anchor-cert-grouping: | grouping trust-anchor-cert-grouping: | |||
| +-- cert-data? trust-anchor-cert-cms | +-- cert-data? trust-anchor-cert-cms | |||
| +---u certificate-expiration-grouping | +---u certificate-expiration-grouping | |||
| Comments: | Comments: | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "certificate-expiration-grouping" grouping is discussed in | - The "certificate-expiration-grouping" grouping is discussed in | |||
| Section 2.1.4.7. | Section 2.1.4.7. | |||
| * The "cert-data" node contains a chain of one or more certificates | * The "cert-data" node contains a chain of one or more certificates | |||
| containing at most one self-signed certificates (the "root" | containing at most one self-signed certificate (the "root" | |||
| certificate), encoded using a "signed-data-cms" typedef discussed | certificate), encoded using a "signed-data-cms" typedef discussed | |||
| in Section 2.1.3. | in Section 2.1.3. | |||
| 2.1.4.9. The "end-entity-cert-grouping" Grouping | 2.1.4.9. The "end-entity-cert-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the "end- | This section presents a tree diagram [RFC8340] illustrating the "end- | |||
| entity-cert-grouping" grouping. This tree diagram does not expand | entity-cert-grouping" grouping. This tree diagram does not expand | |||
| the internally used grouping statement(s): | the internally used "grouping" statement(s): | |||
| grouping end-entity-cert-grouping: | grouping end-entity-cert-grouping: | |||
| +-- cert-data? end-entity-cert-cms | +-- cert-data? end-entity-cert-cms | |||
| +---u certificate-expiration-grouping | +---u certificate-expiration-grouping | |||
| Comments: | Comments: | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "certificate-expiration-grouping" grouping is discussed in | - The "certificate-expiration-grouping" grouping is discussed in | |||
| Section 2.1.4.7. | Section 2.1.4.7. | |||
| * The "cert-data" node contains a chain of one or more certificates | * The "cert-data" node contains a chain of one or more certificates | |||
| containing at most one certificate that is neither self-signed nor | containing at most one certificate that is not self-signed and | |||
| having Basic constraint "CA true", encoded using a "signed-data- | does not have Basic constraint "CA true" (where "CA" means | |||
| cms" typedef discussed in Section 2.1.3. | Certification Authority), encoded using a "signed-data-cms" | |||
| typedef discussed in Section 2.1.3. | ||||
| 2.1.4.10. The "generate-csr-grouping" Grouping | 2.1.4.10. The "generate-csr-grouping" Grouping | |||
| The following tree diagram [RFC8340] illustrates the "generate-csr- | This section presents a tree diagram [RFC8340] illustrating the | |||
| grouping" grouping: | "generate-csr-grouping" grouping: | |||
| grouping generate-csr-grouping: | grouping generate-csr-grouping: | |||
| +---x generate-csr {csr-generation}? | +---x generate-csr {csr-generation}? | |||
| +---w input | +---w input | |||
| | +---w csr-format identityref | | +---w csr-format identityref | |||
| | +---w csr-info csr-info | | +---w csr-info csr-info | |||
| +--ro output | +--ro output | |||
| +--ro (csr-type) | +--ro (csr-type) | |||
| +--:(p10-csr) | +--:(p10-csr) | |||
| +--ro p10-csr? p10-csr | +--ro p10-csr? p10-csr | |||
| Comments: | Comments: | |||
| * This grouping's only purpose is to define the "generate- | * This grouping's only purpose is to define the "generate-csr" | |||
| certificate-signing-request" action statement, used by the | action statement, used by the groupings defined in Sections | |||
| groupings defined in Section 2.1.4.11 and Section 2.1.4.12. | 2.1.4.11 and 2.1.4.12. | |||
| * This action takes as input a "csr-info" type and returns a "csr" | * This action takes two input parameters: a "csr-info” parameter, | |||
| type, both of which are discussed in Section 2.1.3. | for what content should be in the certificate, and a “csr-format” | |||
| parameter, for what CSR format to return. The action returns the | ||||
| CSR in the specified format. Both the “csr-info” and “csr” types | ||||
| are discussed in Section 2.1.3. | ||||
| * For an example, please see Section 2.2.2. | * For an example, please see Section 2.2.2. | |||
| 2.1.4.11. The "asymmetric-key-pair-with-cert-grouping" Grouping | 2.1.4.11. The "asymmetric-key-pair-with-cert-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "asymmetric-key-pair-with-cert-grouping" grouping. This tree diagram | "asymmetric-key-pair-with-cert-grouping" grouping. This tree diagram | |||
| does not expand the internally used grouping statement(s): | does not expand the internally used "grouping" statement(s): | |||
| grouping asymmetric-key-pair-with-cert-grouping: | grouping asymmetric-key-pair-with-cert-grouping: | |||
| +---u asymmetric-key-pair-grouping | +---u asymmetric-key-pair-grouping | |||
| +---u end-entity-cert-grouping | +---u end-entity-cert-grouping | |||
| +---u generate-csr-grouping | +---u generate-csr-grouping | |||
| Comments: | Comments: | |||
| * This grouping defines an asymmetric key with at most one | * This grouping defines an asymmetric key with at most one | |||
| associated certificate, a commonly needed combination in protocol | associated certificate, a commonly needed combination in protocol | |||
| models. | models. | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "asymmetric-key-pair-grouping" grouping is discussed in | - The "asymmetric-key-pair-grouping" grouping is discussed in | |||
| Section 2.1.4.6. | Section 2.1.4.6. | |||
| - The "end-entity-cert-grouping" grouping is discussed in | - The "end-entity-cert-grouping" grouping is discussed in | |||
| Section 2.1.4.9. | Section 2.1.4.9. | |||
| - The "generate-csr-grouping" grouping is discussed in | - The "generate-csr-grouping" grouping is discussed in | |||
| Section 2.1.4.10. | Section 2.1.4.10. | |||
| 2.1.4.12. The "asymmetric-key-pair-with-certs-grouping" Grouping | 2.1.4.12. The "asymmetric-key-pair-with-certs-grouping" Grouping | |||
| This section presents a tree diagram [RFC8340] illustrating the | This section presents a tree diagram [RFC8340] illustrating the | |||
| "asymmetric-key-pair-with-certs-grouping" grouping. This tree | "asymmetric-key-pair-with-certs-grouping" grouping. This tree | |||
| diagram does not expand the internally used grouping statement(s): | diagram does not expand the internally used "grouping" statement(s): | |||
| grouping asymmetric-key-pair-with-certs-grouping: | grouping asymmetric-key-pair-with-certs-grouping: | |||
| +---u asymmetric-key-pair-grouping | +---u asymmetric-key-pair-grouping | |||
| +-- certificates | +-- certificates | |||
| | +-- certificate* [name] | | +-- certificate* [name] | |||
| | +-- name? string | | +-- name string | |||
| | +---u end-entity-cert-grouping | | +---u end-entity-cert-grouping | |||
| +---u generate-csr-grouping | +---u generate-csr-grouping | |||
| Comments: | Comments: | |||
| * This grouping defines an asymmetric key with one or more | * This grouping defines an asymmetric key with one or more | |||
| associated certificates, a commonly needed combination in | associated certificates, a commonly needed combination in | |||
| configuration models. | configuration models. | |||
| * For the referenced grouping statement(s): | * For the referenced "grouping" statement(s): | |||
| - The "asymmetric-key-pair-grouping" grouping is discussed in | - The "asymmetric-key-pair-grouping" grouping is discussed in | |||
| Section 2.1.4.6. | Section 2.1.4.6. | |||
| - The "end-entity-cert-grouping" grouping is discussed in | - The "end-entity-cert-grouping" grouping is discussed in | |||
| Section 2.1.4.9. | Section 2.1.4.9. | |||
| - The "generate-csr-grouping" grouping is discussed in | - The "generate-csr-grouping" grouping is discussed in | |||
| Section 2.1.4.10. | Section 2.1.4.10. | |||
| 2.1.5. Protocol-accessible Nodes | 2.1.5. Protocol-Accessible Nodes | |||
| The "ietf-crypto-types" module does not contain any protocol- | The "ietf-crypto-types" module does not contain any protocol- | |||
| accessible nodes, but the module needs to be "implemented", as | accessible nodes, but the module needs to be "implemented", as | |||
| described in Section 5.6.5 of [RFC7950], in order for the identities | described in Section 5.6.5 of [RFC7950], in order for the identities | |||
| in Section 2.1.2 to be defined. | in Section 2.1.2 to be defined. | |||
| 2.2. Example Usage | 2.2. Example Usage | |||
| 2.2.1. The "symmetric-key-grouping", "asymmetric-key-pair-with-certs- | 2.2.1. The "symmetric-key-grouping", "asymmetric-key-pair-with-certs- | |||
| grouping", and "password-grouping" Groupings | grouping", and "password-grouping" Groupings | |||
| The following non-normative module is constructed in order to | The following non-normative module is constructed in order to | |||
| illustrate the use of the "symmetric-key-grouping" (Section 2.1.4.3), | illustrate the use of the "symmetric-key-grouping" (Section 2.1.4.3), | |||
| the "asymmetric-key-pair-with-certs-grouping" (Section 2.1.4.12), and | the "asymmetric-key-pair-with-certs-grouping" (Section 2.1.4.12), and | |||
| the "password-grouping" (Section 2.1.4.2) grouping statements. | the "password-grouping" (Section 2.1.4.2) "grouping" statements. | |||
| Notably, this example module and associated configuration data | Notably, this example module and associated configuration data | |||
| illustrates that a hidden private key (ex-hidden-asymmetric-key) has | illustrates that a hidden private key (ex-hidden-asymmetric-key) has | |||
| been used to encrypt a symmetric key (ex-encrypted-one-symmetric- | been used to encrypt a symmetric key (ex-encrypted-one-symmetric- | |||
| based-symmetric-key) that has been used to encrypt another private | based-symmetric-key) that has been used to encrypt another private | |||
| key (ex-encrypted-rsa-based-asymmetric-key). Additionally, the | key (ex-encrypted-rsa-based-asymmetric-key). Additionally, the | |||
| symmetric key is also used to encrypt a password (ex-encrypted- | symmetric key is also used to encrypt a password (ex-encrypted- | |||
| password). | password). | |||
| 2.2.1.1. Example Module | 2.2.1.1. Example Module | |||
| module ex-crypto-types-usage { | module ex-crypto-types-usage { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "https://example.com/ns/example-crypto-types-usage"; | namespace "https://example.com/ns/example-crypto-types-usage"; | |||
| prefix ectu; | prefix ectu; | |||
| import ietf-crypto-types { | import ietf-crypto-types { | |||
| prefix ct; | prefix ct; | |||
| reference | reference | |||
| "RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
| } | } | |||
| organization | organization | |||
| "Example Corporation"; | "Example Corporation"; | |||
| contact | contact | |||
| "YANG Designer <mailto:yang.designer@example.com>"; | "YANG Designer <mailto:yang.designer@example.com>"; | |||
| description | description | |||
| "This example module illustrates the 'symmetric-key-grouping' | "This example module illustrates the 'symmetric-key-grouping' | |||
| and 'asymmetric-key-grouping' groupings defined in the | and 'asymmetric-key-grouping' groupings defined in the | |||
| 'ietf-crypto-types' module defined in RFC AAAA."; | 'ietf-crypto-types' module defined in RFC 9640."; | |||
| revision 2024-03-16 { | revision 2024-03-16 { | |||
| description | description | |||
| "Initial version"; | "Initial version."; | |||
| reference | reference | |||
| "RFC AAAA: Common YANG Data Types for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
| } | } | |||
| container symmetric-keys { | container symmetric-keys { | |||
| description | description | |||
| "A container of symmetric keys."; | "A container of symmetric keys."; | |||
| list symmetric-key { | list symmetric-key { | |||
| key "name"; | key "name"; | |||
| description | description | |||
| "A symmetric key"; | "A symmetric key."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for this key."; | "An arbitrary name for this key."; | |||
| } | } | |||
| uses ct:symmetric-key-grouping { | uses ct:symmetric-key-grouping { | |||
| augment "key-type/encrypted-symmetric-key/" | augment "key-type/encrypted-symmetric-key/" | |||
| + "encrypted-symmetric-key/encrypted-by" { | + "encrypted-symmetric-key/encrypted-by" { | |||
| description | description | |||
| "Augments in a choice statement enabling the | "Augments in a 'choice' statement enabling the | |||
| encrypting key to be any other symmetric or | encrypting key to be any other symmetric or | |||
| asymmetric key."; | asymmetric key."; | |||
| uses encrypted-by-grouping; | uses encrypted-by-grouping; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| container asymmetric-keys { | container asymmetric-keys { | |||
| description | description | |||
| "A container of asymmetric keys."; | "A container of asymmetric keys."; | |||
| skipping to change at page 19, line 32 ¶ | skipping to change at line 773 ¶ | |||
| key "name"; | key "name"; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for this key."; | "An arbitrary name for this key."; | |||
| } | } | |||
| uses ct:asymmetric-key-pair-with-certs-grouping { | uses ct:asymmetric-key-pair-with-certs-grouping { | |||
| augment "private-key-type/encrypted-private-key/" | augment "private-key-type/encrypted-private-key/" | |||
| + "encrypted-private-key/encrypted-by" { | + "encrypted-private-key/encrypted-by" { | |||
| description | description | |||
| "Augments in a choice statement enabling the | "Augments in a 'choice' statement enabling the | |||
| encrypting key to be any other symmetric or | encrypting key to be any other symmetric or | |||
| asymmetric key."; | asymmetric key."; | |||
| uses encrypted-by-grouping; | uses encrypted-by-grouping; | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "An asymmetric key pair with associated certificates."; | "An asymmetric key pair with associated certificates."; | |||
| } | } | |||
| } | } | |||
| container passwords { | container passwords { | |||
| skipping to change at page 20, line 8 ¶ | skipping to change at line 797 ¶ | |||
| key "name"; | key "name"; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "An arbitrary name for this password."; | "An arbitrary name for this password."; | |||
| } | } | |||
| uses ct:password-grouping { | uses ct:password-grouping { | |||
| augment "password-type/encrypted-password/" | augment "password-type/encrypted-password/" | |||
| + "encrypted-password/encrypted-by" { | + "encrypted-password/encrypted-by" { | |||
| description | description | |||
| "Augments in a choice statement enabling the | "Augments in a 'choice' statement enabling the | |||
| encrypting key to be any symmetric or | encrypting key to be any symmetric or | |||
| asymmetric key."; | asymmetric key."; | |||
| uses encrypted-by-grouping; | uses encrypted-by-grouping; | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "A password."; | "A password."; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 21, line 7 ¶ | skipping to change at line 842 ¶ | |||
| description | description | |||
| "Identifies the asymmetric key that encrypts this key."; | "Identifies the asymmetric key that encrypts this key."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| 2.2.1.2. Tree Diagram for the Example Module | 2.2.1.2. Tree Diagram for the Example Module | |||
| The tree diagram [RFC8340] for this example module follows: | The tree diagram [RFC8340] for this example module is as follows: | |||
| module: ex-crypto-types-usage | module: ex-crypto-types-usage | |||
| +--rw symmetric-keys | +--rw symmetric-keys | |||
| | +--rw symmetric-key* [name] | | +--rw symmetric-key* [name] | |||
| | +--rw name string | | +--rw name string | |||
| | +--rw key-format? identityref | | +--rw key-format? identityref | |||
| | +--rw (key-type) | | +--rw (key-type) | |||
| | +--:(cleartext-symmetric-key) | | +--:(cleartext-symmetric-key) | |||
| | | +--rw cleartext-symmetric-key? binary | | | +--rw cleartext-symmetric-key? binary | |||
| | | {cleartext-symmetric-keys}? | | | {cleartext-symmetric-keys}? | |||
| skipping to change at page 22, line 37 ¶ | skipping to change at line 921 ¶ | |||
| | +--:(symmetric-key-ref) | | +--:(symmetric-key-ref) | |||
| | | +--rw symmetric-key-ref? leafref | | | +--rw symmetric-key-ref? leafref | |||
| | +--:(asymmetric-key-ref) | | +--:(asymmetric-key-ref) | |||
| | +--rw asymmetric-key-ref? leafref | | +--rw asymmetric-key-ref? leafref | |||
| +--rw encrypted-value-format identityref | +--rw encrypted-value-format identityref | |||
| +--rw encrypted-value binary | +--rw encrypted-value binary | |||
| 2.2.1.3. Usage Example for the Example Module | 2.2.1.3. Usage Example for the Example Module | |||
| Finally, the following example illustrates various symmetric and | Finally, the following example illustrates various symmetric and | |||
| asymmetric keys as they might appear in configuration: | asymmetric keys as they might appear in configuration. | |||
| =============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
| <symmetric-keys | <symmetric-keys | |||
| xmlns="https://example.com/ns/example-crypto-types-usage" | xmlns="https://example.com/ns/example-crypto-types-usage" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <symmetric-key> | <symmetric-key> | |||
| <name>ex-hidden-symmetric-key</name> | <name>ex-hidden-symmetric-key</name> | |||
| <hidden-symmetric-key/> | <hidden-symmetric-key/> | |||
| </symmetric-key> | </symmetric-key> | |||
| skipping to change at page 25, line 9 ¶ | skipping to change at line 1037 ¶ | |||
| <symmetric-key-ref>ex-encrypted-one-symmetric-based-symmetri\ | <symmetric-key-ref>ex-encrypted-one-symmetric-based-symmetri\ | |||
| c-key</symmetric-key-ref> | c-key</symmetric-key-ref> | |||
| </encrypted-by> | </encrypted-by> | |||
| <encrypted-value-format>ct:cms-encrypted-data-format</encrypte\ | <encrypted-value-format>ct:cms-encrypted-data-format</encrypte\ | |||
| d-value-format> | d-value-format> | |||
| <encrypted-value>BASE64VALUE=</encrypted-value> | <encrypted-value>BASE64VALUE=</encrypted-value> | |||
| </encrypted-password> | </encrypted-password> | |||
| </password> | </password> | |||
| </passwords> | </passwords> | |||
| 2.2.2. The "generate-certificate-signing-request" Action | 2.2.2. The "generate-csr" Action | |||
| The following example illustrates the "generate-certificate-signing- | The following example illustrates the "generate-csr" action, | |||
| request" action, discussed in Section 2.1.4.10, with the NETCONF | discussed in Section 2.1.4.10, with the NETCONF protocol. | |||
| protocol. | ||||
| REQUEST | REQUEST | |||
| <rpc message-id="101" | <rpc message-id="101" | |||
| xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" | |||
| xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
| <action xmlns="urn:ietf:params:xml:ns:yang:1"> | <action xmlns="urn:ietf:params:xml:ns:yang:1"> | |||
| <asymmetric-keys | <asymmetric-keys | |||
| xmlns="https://example.com/ns/example-crypto-types-usage"> | xmlns="https://example.com/ns/example-crypto-types-usage"> | |||
| <asymmetric-key> | <asymmetric-key> | |||
| skipping to change at page 27, line 4 ¶ | skipping to change at line 1123 ¶ | |||
| prefix yang; | prefix yang; | |||
| reference | reference | |||
| "RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
| } | } | |||
| import ietf-netconf-acm { | import ietf-netconf-acm { | |||
| prefix nacm; | prefix nacm; | |||
| reference | reference | |||
| "RFC 8341: Network Configuration Access Control Model"; | "RFC 8341: Network Configuration Access Control Model"; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETCONF (Network Configuration) Working Group"; | "IETF NETCONF (Network Configuration) Working Group"; | |||
| contact | contact | |||
| "WG Web: https://datatracker.ietf.org/wg/netconf | "WG Web: https://datatracker.ietf.org/wg/netconf | |||
| WG List: NETCONF WG list <mailto:netconf@ietf.org> | WG List: NETCONF WG list <mailto:netconf@ietf.org> | |||
| Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | Author: Kent Watsen <mailto:kent+ietf@watsen.net>"; | |||
| description | description | |||
| "This module defines common YANG types for cryptographic | "This module defines common YANG types for cryptographic | |||
| applications. | applications. | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
| 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
| 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
| are to be interpreted as described in BCP 14 (RFC 2119) | ||||
| (RFC 8174) when, and only when, they appear in all | ||||
| capitals, as shown here. | ||||
| Copyright (c) 2024 IETF Trust and the persons identified | Copyright (c) 2024 IETF Trust and the persons identified | |||
| as authors of the code. All rights reserved. | as authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with | Redistribution and use in source and binary forms, with | |||
| or without modification, is permitted pursuant to, and | or without modification, is permitted pursuant to, and | |||
| subject to the license terms contained in, the Revised | subject to the license terms contained in, the Revised | |||
| BSD License set forth in Section 4.c of the IETF Trust's | BSD License set forth in Section 4.c of the IETF Trust's | |||
| Legal Provisions Relating to IETF Documents | Legal Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| This version of this YANG module is part of RFC AAAA | This version of this YANG module is part of RFC 9640 | |||
| (https://www.rfc-editor.org/info/rfcAAAA); see the RFC | (https://www.rfc-editor.org/info/rfc9640); see the RFC | |||
| itself for full legal notices. | itself for full legal notices."; | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', | ||||
| 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', | ||||
| 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document | ||||
| are to be interpreted as described in BCP 14 (RFC 2119) | ||||
| (RFC 8174) when, and only when, they appear in all | ||||
| capitals, as shown here."; | ||||
| revision 2024-03-16 { | revision 2024-03-16 { | |||
| description | description | |||
| "Initial version"; | "Initial version."; | |||
| reference | reference | |||
| "RFC AAAA: YANG Data Types and Groupings for Cryptography"; | "RFC 9640: YANG Data Types and Groupings for Cryptography"; | |||
| } | } | |||
| /****************/ | /****************/ | |||
| /* Features */ | /* Features */ | |||
| /****************/ | /****************/ | |||
| feature one-symmetric-key-format { | feature one-symmetric-key-format { | |||
| description | description | |||
| "Indicates that the server supports the | "Indicates that the server supports the | |||
| 'one-symmetric-key-format' identity."; | 'one-symmetric-key-format' identity."; | |||
| skipping to change at page 30, line 45 ¶ | skipping to change at line 1309 ¶ | |||
| an RSAPrivateKey (from RFC 8017), encoded using ASN.1 | an RSAPrivateKey (from RFC 8017), encoded using ASN.1 | |||
| distinguished encoding rules (DER), as specified in | distinguished encoding rules (DER), as specified in | |||
| ITU-T X.690."; | ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 8017: | "RFC 8017: | |||
| PKCS #1: RSA Cryptography Specifications Version 2.2 | PKCS #1: RSA Cryptography Specifications Version 2.2 | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| identity ec-private-key-format { | identity ec-private-key-format { | |||
| base private-key-format; | base private-key-format; | |||
| description | description | |||
| "Indicates that the private key value is encoded as | "Indicates that the private key value is encoded as | |||
| an ECPrivateKey (from RFC 5915), encoded using ASN.1 | an ECPrivateKey (from RFC 5915), encoded using ASN.1 | |||
| distinguished encoding rules (DER), as specified in | distinguished encoding rules (DER), as specified in | |||
| ITU-T X.690."; | ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 5915: | "RFC 5915: | |||
| Elliptic Curve Private Key Structure | Elliptic Curve Private Key Structure | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| identity one-asymmetric-key-format { | identity one-asymmetric-key-format { | |||
| if-feature "one-asymmetric-key-format"; | if-feature "one-asymmetric-key-format"; | |||
| base private-key-format; | base private-key-format; | |||
| description | description | |||
| "Indicates that the private key value is a CMS | "Indicates that the private key value is a | |||
| OneAsymmetricKey structure, as defined in RFC 5958, | Cryptographic Message Syntax (CMS) OneAsymmetricKey | |||
| encoded using ASN.1 distinguished encoding rules | structure, as defined in RFC 5958, encoded using | |||
| (DER), as specified in ITU-T X.690."; | ASN.1 distinguished encoding rules (DER), as | |||
| specified in ITU-T X.690."; | ||||
| reference | reference | |||
| "RFC 5958: Asymmetric Key Packages | "RFC 5958: | |||
| Asymmetric Key Packages | ||||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /***************************************************/ | /***************************************************/ | |||
| /* Identities for Public Key Format Structures */ | /* Identities for Public Key Format Structures */ | |||
| /***************************************************/ | /***************************************************/ | |||
| identity ssh-public-key-format { | identity ssh-public-key-format { | |||
| base public-key-format; | base public-key-format; | |||
| description | description | |||
| "Indicates that the public key value is an SSH public key, | "Indicates that the public key value is a Secure Shell (SSH) | |||
| as specified by RFC 4253, Section 6.6, i.e.: | public key, as specified in RFC 4253, Section 6.6, i.e.: | |||
| string certificate or public key format | string certificate or public key format | |||
| identifier | identifier | |||
| byte[n] key/certificate data."; | byte[n] key/certificate data."; | |||
| reference | reference | |||
| "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | "RFC 4253: The Secure Shell (SSH) Transport Layer Protocol"; | |||
| } | } | |||
| identity subject-public-key-info-format { | identity subject-public-key-info-format { | |||
| base public-key-format; | base public-key-format; | |||
| description | description | |||
| "Indicates that the public key value is a SubjectPublicKeyInfo | "Indicates that the public key value is a SubjectPublicKeyInfo | |||
| structure, as described in RFC 5280 encoded using ASN.1 | structure, as described in RFC 5280, encoded using ASN.1 | |||
| distinguished encoding rules (DER), as specified in | distinguished encoding rules (DER), as specified in | |||
| ITU-T X.690."; | ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 5280: | "RFC 5280: | |||
| Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile | and Certificate Revocation List (CRL) Profile | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /******************************************************/ | /******************************************************/ | |||
| /* Identities for Symmetric Key Format Structures */ | /* Identities for Symmetric Key Format Structures */ | |||
| /******************************************************/ | /******************************************************/ | |||
| identity octet-string-key-format { | identity octet-string-key-format { | |||
| base symmetric-key-format; | base symmetric-key-format; | |||
| description | description | |||
| "Indicates that the key is encoded as a raw octet string. | "Indicates that the key is encoded as a raw octet string. | |||
| The length of the octet string MUST be appropriate for | The length of the octet string MUST be appropriate for | |||
| the associated algorithm's block size. | the associated algorithm's block size. | |||
| The identity of the associated algorithm is outside the | The identity of the associated algorithm is outside the | |||
| scope of this specification. This is also true when | scope of this specification. This is also true when | |||
| the octet string has been encrypted."; | the octet string has been encrypted."; | |||
| } | } | |||
| identity one-symmetric-key-format { | identity one-symmetric-key-format { | |||
| if-feature "one-symmetric-key-format"; | if-feature "one-symmetric-key-format"; | |||
| base symmetric-key-format; | base symmetric-key-format; | |||
| description | description | |||
| "Indicates that the private key value is a CMS | "Indicates that the private key value is a CMS | |||
| OneSymmetricKey structure, as defined in RFC 6031, | OneSymmetricKey structure, as defined in RFC 6031, | |||
| encoded using ASN.1 distinguished encoding rules | encoded using ASN.1 distinguished encoding rules | |||
| (DER), as specified in ITU-T X.690."; | (DER), as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 6031: Cryptographic Message Syntax (CMS) | "RFC 6031: | |||
| Symmetric Key Package Content Type | Cryptographic Message Syntax (CMS) | |||
| Symmetric Key Package Content Type | ||||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /*************************************************/ | /*************************************************/ | |||
| /* Identities for Encrypted Value Structures */ | /* Identities for Encrypted Value Structures */ | |||
| /*************************************************/ | /*************************************************/ | |||
| identity encrypted-value-format { | identity encrypted-value-format { | |||
| description | description | |||
| "Base format identity for encrypted values."; | "Base format identity for encrypted values."; | |||
| } | } | |||
| skipping to change at page 33, line 40 ¶ | skipping to change at line 1451 ¶ | |||
| } | } | |||
| identity cms-encrypted-data-format { | identity cms-encrypted-data-format { | |||
| if-feature "cms-encrypted-data-format"; | if-feature "cms-encrypted-data-format"; | |||
| base symmetrically-encrypted-value-format; | base symmetrically-encrypted-value-format; | |||
| description | description | |||
| "Indicates that the encrypted value conforms to | "Indicates that the encrypted value conforms to | |||
| the 'encrypted-data-cms' type with the constraint | the 'encrypted-data-cms' type with the constraint | |||
| that the 'unprotectedAttrs' value is not set."; | that the 'unprotectedAttrs' value is not set."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS) | "RFC 5652: | |||
| Cryptographic Message Syntax (CMS) | ||||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| identity cms-enveloped-data-format { | identity cms-enveloped-data-format { | |||
| if-feature "cms-enveloped-data-format"; | if-feature "cms-enveloped-data-format"; | |||
| base asymmetrically-encrypted-value-format; | base asymmetrically-encrypted-value-format; | |||
| description | description | |||
| "Indicates that the encrypted value conforms to the | "Indicates that the encrypted value conforms to the | |||
| 'enveloped-data-cms' type with the following constraints: | 'enveloped-data-cms' type with the following constraints: | |||
| The EnvelopedData structure MUST have exactly one | The EnvelopedData structure MUST have exactly one | |||
| 'RecipientInfo'. | 'RecipientInfo'. | |||
| If the asymmetric key supports public key cryptography | If the asymmetric key supports public key cryptography | |||
| (e.g., RSA), then the 'RecipientInfo' must be a | (e.g., RSA), then the 'RecipientInfo' must be a | |||
| 'KeyTransRecipientInfo' with the 'RecipientIdentifier' | 'KeyTransRecipientInfo' with the 'RecipientIdentifier' | |||
| using a 'subjectKeyIdentifier' with the value set using | using a 'subjectKeyIdentifier' with the value set using | |||
| 'method 1' in RFC 7093 over the recipient's public key. | 'method 1' in RFC 7093 over the recipient's public key. | |||
| Otherwise, if the asymmetric key supports key agreement | Otherwise, if the asymmetric key supports key agreement | |||
| (e.g., ECC), then the 'RecipientInfo' must be a | (e.g., Elliptic Curve Cryptography (ECC)), then the | |||
| 'KeyAgreeRecipientInfo'. The 'OriginatorIdentifierOrKey' | 'RecipientInfo' must be a 'KeyAgreeRecipientInfo'. The | |||
| value must use the 'OriginatorPublicKey' alternative. | 'OriginatorIdentifierOrKey' value must use the | |||
| The 'UserKeyingMaterial' value must not be present. | 'OriginatorPublicKey' alternative. The | |||
| There must be exactly one 'RecipientEncryptedKeys' value | 'UserKeyingMaterial' value must not be present. There | |||
| must be exactly one 'RecipientEncryptedKeys' value | ||||
| having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId' | having the 'KeyAgreeRecipientIdentifier' set to 'rKeyId' | |||
| with the value set using 'method 1' in RFC 7093 over the | with the value set using 'method 1' in RFC 7093 over the | |||
| recipient's public key."; | recipient's public key."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS) | "RFC 5652: | |||
| Cryptographic Message Syntax (CMS) | ||||
| RFC 7093: | RFC 7093: | |||
| Additional Methods for Generating Key | Additional Methods for Generating Key | |||
| Identifiers Values | Identifiers Values | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /*********************************************************/ | /*********************************************************/ | |||
| /* Identities for Certificate Signing Request Formats */ | /* Identities for Certificate Signing Request Formats */ | |||
| /*********************************************************/ | /*********************************************************/ | |||
| identity csr-format { | identity csr-format { | |||
| description | description | |||
| "A base identity for the certificate signing request | "A base identity for the certificate signing request | |||
| formats. Additional derived identities MAY be defined | formats. Additional derived identities MAY be defined | |||
| by future efforts."; | by future efforts."; | |||
| } | } | |||
| identity p10-csr-format { | identity p10-csr-format { | |||
| if-feature "p10-csr-format"; | if-feature "p10-csr-format"; | |||
| base csr-format; | base csr-format; | |||
| description | description | |||
| "Indicates the 'CertificationRequest' structure | "Indicates the CertificationRequest structure | |||
| defined in RFC 2986."; | defined in RFC 2986."; | |||
| reference | reference | |||
| "RFC 2986: PKCS #10: Certification Request Syntax | "RFC 2986: PKCS #10: Certification Request Syntax | |||
| Specification Version 1.7"; | Specification Version 1.7"; | |||
| } | } | |||
| /***************************************************/ | /***************************************************/ | |||
| /* Typedefs for ASN.1 structures from RFC 2986 */ | /* Typedefs for ASN.1 structures from RFC 2986 */ | |||
| /***************************************************/ | /***************************************************/ | |||
| typedef csr-info { | typedef csr-info { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A CertificationRequestInfo structure, as defined in | "A CertificationRequestInfo structure, as defined in | |||
| RFC 2986, encoded using ASN.1 distinguished encoding | RFC 2986, encoded using ASN.1 distinguished encoding | |||
| rules (DER), as specified in ITU-T X.690."; | rules (DER), as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 2986: PKCS #10: Certification Request Syntax | "RFC 2986: | |||
| Specification Version 1.7 | PKCS #10: Certification Request Syntax | |||
| Specification Version 1.7 | ||||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| typedef p10-csr { | typedef p10-csr { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A CertificationRequest structure, as specified in | "A CertificationRequest structure, as specified in | |||
| RFC 2986, encoded using ASN.1 distinguished encoding | RFC 2986, encoded using ASN.1 distinguished encoding | |||
| rules (DER), as specified in ITU-T X.690."; | rules (DER), as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 2986: | "RFC 2986: | |||
| PKCS #10: Certification Request Syntax Specification | PKCS #10: Certification Request Syntax Specification | |||
| Version 1.7 | Version 1.7 | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /***************************************************/ | /***************************************************/ | |||
| /* Typedefs for ASN.1 structures from RFC 5280 */ | /* Typedefs for ASN.1 structures from RFC 5280 */ | |||
| /***************************************************/ | /***************************************************/ | |||
| typedef x509 { | typedef x509 { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A Certificate structure, as specified in RFC 5280, | "A Certificate structure, as specified in RFC 5280, | |||
| encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||
| as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 5280: | "RFC 5280: | |||
| Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile | and Certificate Revocation List (CRL) Profile | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| typedef crl { | typedef crl { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A CertificateList structure, as specified in RFC 5280, | "A CertificateList structure, as specified in RFC 5280, | |||
| encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||
| as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 5280: | "RFC 5280: | |||
| Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile | and Certificate Revocation List (CRL) Profile | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /***************************************************/ | /***************************************************/ | |||
| /* Typedefs for ASN.1 structures from RFC 6960 */ | /* Typedefs for ASN.1 structures from RFC 6960 */ | |||
| /***************************************************/ | /***************************************************/ | |||
| typedef oscp-request { | typedef oscp-request { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A OCSPRequest structure, as specified in RFC 6960, | "A OCSPRequest structure, as specified in RFC 6960, | |||
| skipping to change at page 37, line 4 ¶ | skipping to change at line 1611 ¶ | |||
| typedef oscp-request { | typedef oscp-request { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A OCSPRequest structure, as specified in RFC 6960, | "A OCSPRequest structure, as specified in RFC 6960, | |||
| encoded using ASN.1 distinguished encoding rules | encoded using ASN.1 distinguished encoding rules | |||
| (DER), as specified in ITU-T X.690."; | (DER), as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 6960: | "RFC 6960: | |||
| X.509 Internet Public Key Infrastructure Online | X.509 Internet Public Key Infrastructure Online | |||
| Certificate Status Protocol - OCSP | Certificate Status Protocol - OCSP | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| typedef oscp-response { | typedef oscp-response { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A OCSPResponse structure, as specified in RFC 6960, | "A OCSPResponse structure, as specified in RFC 6960, | |||
| encoded using ASN.1 distinguished encoding rules | encoded using ASN.1 distinguished encoding rules | |||
| (DER), as specified in ITU-T X.690."; | (DER), as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 6960: | "RFC 6960: | |||
| X.509 Internet Public Key Infrastructure Online | X.509 Internet Public Key Infrastructure Online | |||
| Certificate Status Protocol - OCSP | Certificate Status Protocol - OCSP | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| /***********************************************/ | /***********************************************/ | |||
| /* Typedefs for ASN.1 structures from 5652 */ | /* Typedefs for ASN.1 structures from 5652 */ | |||
| /***********************************************/ | /***********************************************/ | |||
| typedef cms { | typedef cms { | |||
| type binary; | type binary; | |||
| description | description | |||
| "A ContentInfo structure, as specified in RFC 5652, | "A ContentInfo structure, as specified in RFC 5652, | |||
| encoded using ASN.1 distinguished encoding rules (DER), | encoded using ASN.1 distinguished encoding rules (DER), | |||
| as specified in ITU-T X.690."; | as specified in ITU-T X.690."; | |||
| reference | reference | |||
| "RFC 5652: | "RFC 5652: | |||
| Cryptographic Message Syntax (CMS) | Cryptographic Message Syntax (CMS) | |||
| ITU-T X.690: | ITU-T X.690: | |||
| Information technology - ASN.1 encoding rules: | Information technology - ASN.1 encoding rules: | |||
| Specification of Basic Encoding Rules (BER), | Specification of Basic Encoding Rules (BER), | |||
| Canonical Encoding Rules (CER) and Distinguished | Canonical Encoding Rules (CER) and Distinguished | |||
| Encoding Rules (DER) 02/2021."; | Encoding Rules (DER) 02/2021"; | |||
| } | } | |||
| typedef data-content-cms { | typedef data-content-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| data content type, as described by Section 4 in RFC 5652."; | data content type, as described in Section 4 of RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef signed-data-cms { | typedef signed-data-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| signed-data content type, as described by Section 5 in | signed-data content type, as described in Section 5 of | |||
| RFC 5652."; | RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef enveloped-data-cms { | typedef enveloped-data-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| enveloped-data content type, as described by Section 6 | enveloped-data content type, as described in Section 6 | |||
| in RFC 5652."; | of RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef digested-data-cms { | typedef digested-data-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| digested-data content type, as described by Section 7 | digested-data content type, as described in Section 7 | |||
| in RFC 5652."; | of RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef encrypted-data-cms { | typedef encrypted-data-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| encrypted-data content type, as described by Section 8 | encrypted-data content type, as described in Section 8 | |||
| in RFC 5652."; | of RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef authenticated-data-cms { | typedef authenticated-data-cms { | |||
| type cms; | type cms; | |||
| description | description | |||
| "A CMS structure whose top-most content type MUST be the | "A CMS structure whose top-most content type MUST be the | |||
| authenticated-data content type, as described by Section 9 | authenticated-data content type, as described in Section 9 | |||
| in RFC 5652."; | of RFC 5652."; | |||
| reference | reference | |||
| "RFC 5652: Cryptographic Message Syntax (CMS)"; | "RFC 5652: Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| /*********************************************************/ | /*********************************************************/ | |||
| /* Typedefs for ASN.1 structures related to RFC 5280 */ | /* Typedefs for ASN.1 structures related to RFC 5280 */ | |||
| /*********************************************************/ | /*********************************************************/ | |||
| typedef trust-anchor-cert-x509 { | typedef trust-anchor-cert-x509 { | |||
| type x509; | type x509; | |||
| description | description | |||
| "A Certificate structure that MUST encode a self-signed | "A Certificate structure that MUST encode a self-signed | |||
| root certificate."; | root certificate."; | |||
| } | } | |||
| typedef end-entity-cert-x509 { | typedef end-entity-cert-x509 { | |||
| type x509; | type x509; | |||
| description | description | |||
| "A Certificate structure that MUST encode a certificate | "A Certificate structure that MUST encode a certificate | |||
| that is neither self-signed nor having Basic constraint | that is neither self-signed nor has Basic constraint | |||
| CA true."; | CA true."; | |||
| } | } | |||
| /*********************************************************/ | /*********************************************************/ | |||
| /* Typedefs for ASN.1 structures related to RFC 5652 */ | /* Typedefs for ASN.1 structures related to RFC 5652 */ | |||
| /*********************************************************/ | /*********************************************************/ | |||
| typedef trust-anchor-cert-cms { | typedef trust-anchor-cert-cms { | |||
| type signed-data-cms; | type signed-data-cms; | |||
| description | description | |||
| "A CMS SignedData structure that MUST contain the chain of | "A CMS SignedData structure that MUST contain the chain of | |||
| X.509 certificates needed to authenticate the certificate | X.509 certificates needed to authenticate the certificate | |||
| presented by a client or end-entity. | presented by a client or end entity. | |||
| The CMS MUST contain only a single chain of certificates. | The CMS MUST contain only a single chain of certificates. | |||
| The client or end-entity certificate MUST only authenticate | The client or end-entity certificate MUST only authenticate | |||
| to the last intermediate CA certificate listed in the chain. | to the last intermediate CA certificate listed in the chain. | |||
| In all cases, the chain MUST include a self-signed root | In all cases, the chain MUST include a self-signed root | |||
| certificate. In the case where the root certificate is | certificate. In the case where the root certificate is | |||
| itself the issuer of the client or end-entity certificate, | itself the issuer of the client or end-entity certificate, | |||
| only one certificate is present. | only one certificate is present. | |||
| skipping to change at page 40, line 14 ¶ | skipping to change at line 1765 ¶ | |||
| policy) revocation objects with which the device can | policy) revocation objects with which the device can | |||
| verify the revocation status of the certificates. | verify the revocation status of the certificates. | |||
| This CMS encodes the degenerate form of the SignedData | This CMS encodes the degenerate form of the SignedData | |||
| structure (RFC 5652, Section 5.2) that is commonly used | structure (RFC 5652, Section 5.2) that is commonly used | |||
| to disseminate X.509 certificates and revocation objects | to disseminate X.509 certificates and revocation objects | |||
| (RFC 5280)."; | (RFC 5280)."; | |||
| reference | reference | |||
| "RFC 5280: | "RFC 5280: | |||
| Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile. | and Certificate Revocation List (CRL) Profile | |||
| RFC 5652: | RFC 5652: | |||
| Cryptographic Message Syntax (CMS)"; | Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| typedef end-entity-cert-cms { | typedef end-entity-cert-cms { | |||
| type signed-data-cms; | type signed-data-cms; | |||
| description | description | |||
| "A CMS SignedData structure that MUST contain the end | "A CMS SignedData structure that MUST contain the end-entity | |||
| entity certificate itself, and MAY contain any number | certificate itself and MAY contain any number | |||
| of intermediate certificates leading up to a trust | of intermediate certificates leading up to a trust | |||
| anchor certificate. The trust anchor certificate | anchor certificate. The trust anchor certificate | |||
| MAY be included as well. | MAY be included as well. | |||
| The CMS MUST contain a single end entity certificate. | The CMS MUST contain a single end-entity certificate. | |||
| The CMS MUST NOT contain any spurious certificates. | The CMS MUST NOT contain any spurious certificates. | |||
| This CMS structure MAY (as applicable where this type is | This CMS structure MAY (as applicable where this type is | |||
| used) also contain suitably fresh (as defined by local | used) also contain suitably fresh (as defined by local | |||
| policy) revocation objects with which the device can | policy) revocation objects with which the device can | |||
| verify the revocation status of the certificates. | verify the revocation status of the certificates. | |||
| This CMS encodes the degenerate form of the SignedData | This CMS encodes the degenerate form of the SignedData | |||
| structure (RFC 5652, Section 5.2) that is commonly | structure (RFC 5652, Section 5.2) that is commonly | |||
| used to disseminate X.509 certificates and revocation | used to disseminate X.509 certificates and revocation | |||
| objects (RFC 5280)."; | objects (RFC 5280)."; | |||
| reference | reference | |||
| "RFC 5280: | "RFC 5280: | |||
| Internet X.509 Public Key Infrastructure Certificate | Internet X.509 Public Key Infrastructure Certificate | |||
| and Certificate Revocation List (CRL) Profile. | and Certificate Revocation List (CRL) Profile | |||
| RFC 5652: | RFC 5652: | |||
| Cryptographic Message Syntax (CMS)"; | Cryptographic Message Syntax (CMS)"; | |||
| } | } | |||
| /*****************/ | /*****************/ | |||
| /* Groupings */ | /* Groupings */ | |||
| /*****************/ | /*****************/ | |||
| grouping encrypted-value-grouping { | grouping encrypted-value-grouping { | |||
| description | description | |||
| "A reusable grouping for a value that has been encrypted by | "A reusable grouping for a value that has been encrypted by | |||
| a referenced symmetric or asymmetric key."; | a referenced symmetric or asymmetric key."; | |||
| container encrypted-by { | container encrypted-by { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| description | description | |||
| "An empty container enabling a reference to the key that | "An empty container enabling a reference to the key that | |||
| encrypted the value to be augmented in. The referenced | encrypted the value to be augmented in. The referenced | |||
| key MUST be a symmetric key or an asymmetric key. | key MUST be a symmetric key or an asymmetric key. | |||
| A symmetric key MUST be referenced via a leaf node called | A symmetric key MUST be referenced via a leaf node called | |||
| 'symmetric-key-ref'. An asymmetric key MUST be referenced | 'symmetric-key-ref'. An asymmetric key MUST be referenced | |||
| via a leaf node called 'asymmetric-key-ref'. | via a leaf node called 'asymmetric-key-ref'. | |||
| The leaf nodes MUST be direct descendants in the data tree, | The leaf nodes MUST be direct descendants in the data tree | |||
| and MAY be direct descendants in the schema tree (e.g., | and MAY be direct descendants in the schema tree (e.g., | |||
| choice/case statements are allowed, but not a container)."; | 'choice'/'case' statements are allowed but not a | |||
| container)."; | ||||
| } | } | |||
| leaf encrypted-value-format { | leaf encrypted-value-format { | |||
| type identityref { | type identityref { | |||
| base encrypted-value-format; | base encrypted-value-format; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Identifies the format of the 'encrypted-value' leaf. | "Identifies the format of the 'encrypted-value' leaf. | |||
| If 'encrypted-by' points to a symmetric key, then a | If 'encrypted-by' points to a symmetric key, then an | |||
| 'symmetrically-encrypted-value-format' based identity | identity based on 'symmetrically-encrypted-value-format' | |||
| MUST be set (e.g., cms-encrypted-data-format). | MUST be set (e.g., 'cms-encrypted-data-format'). | |||
| If 'encrypted-by' points to an asymmetric key, then an | If 'encrypted-by' points to an asymmetric key, then an | |||
| 'asymmetrically-encrypted-value-format' based identity | identity based on 'asymmetrically-encrypted-value-format' | |||
| MUST be set (e.g., cms-enveloped-data-format)."; | MUST be set (e.g., 'cms-enveloped-data-format')."; | |||
| } | } | |||
| leaf encrypted-value { | leaf encrypted-value { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| type binary; | type binary; | |||
| must '../encrypted-by'; | must '../encrypted-by'; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The value, encrypted using the referenced symmetric | "The value, encrypted using the referenced symmetric | |||
| or asymmetric key. The value MUST be encoded using | or asymmetric key. The value MUST be encoded using | |||
| the format associated with the 'encrypted-value-format' | the format associated with the 'encrypted-value-format' | |||
| skipping to change at page 42, line 4 ¶ | skipping to change at line 1852 ¶ | |||
| type binary; | type binary; | |||
| must '../encrypted-by'; | must '../encrypted-by'; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The value, encrypted using the referenced symmetric | "The value, encrypted using the referenced symmetric | |||
| or asymmetric key. The value MUST be encoded using | or asymmetric key. The value MUST be encoded using | |||
| the format associated with the 'encrypted-value-format' | the format associated with the 'encrypted-value-format' | |||
| leaf."; | leaf."; | |||
| } | } | |||
| } | } | |||
| grouping password-grouping { | grouping password-grouping { | |||
| description | description | |||
| "A password used for authenticating to a remote system. | "A password used for authenticating to a remote system. | |||
| The 'ianach:crypt-hash' typedef from RFC 7317 should be | The 'ianach:crypt-hash' typedef from RFC 7317 should be | |||
| used instead when needing a password to authencate a | used instead when needing a password to authenticate a | |||
| local account."; | local account."; | |||
| choice password-type { | choice password-type { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Choice between password types."; | "Choice between password types."; | |||
| case cleartext-password { | case cleartext-password { | |||
| if-feature "cleartext-passwords"; | if-feature "cleartext-passwords"; | |||
| leaf cleartext-password { | leaf cleartext-password { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| skipping to change at page 42, line 51 ¶ | skipping to change at line 1900 ¶ | |||
| type identityref { | type identityref { | |||
| base symmetric-key-format; | base symmetric-key-format; | |||
| } | } | |||
| description | description | |||
| "Identifies the symmetric key's format. Implementations | "Identifies the symmetric key's format. Implementations | |||
| SHOULD ensure that the incoming symmetric key value is | SHOULD ensure that the incoming symmetric key value is | |||
| encoded in the specified format. | encoded in the specified format. | |||
| For encrypted keys, the value is the decrypted key's | For encrypted keys, the value is the decrypted key's | |||
| format (i.e., the 'encrypted-value-format' conveys the | format (i.e., the 'encrypted-value-format' conveys the | |||
| encrypted key's format."; | encrypted key's format)."; | |||
| } | } | |||
| choice key-type { | choice key-type { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Choice between key types."; | "Choice between key types."; | |||
| case cleartext-symmetric-key { | case cleartext-symmetric-key { | |||
| leaf cleartext-symmetric-key { | leaf cleartext-symmetric-key { | |||
| if-feature "cleartext-symmetric-keys"; | if-feature "cleartext-symmetric-keys"; | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| skipping to change at page 43, line 28 ¶ | skipping to change at line 1924 ¶ | |||
| "The binary value of the key. The interpretation of | "The binary value of the key. The interpretation of | |||
| the value is defined by the 'key-format' field."; | the value is defined by the 'key-format' field."; | |||
| } | } | |||
| } | } | |||
| case hidden-symmetric-key { | case hidden-symmetric-key { | |||
| if-feature "hidden-symmetric-keys"; | if-feature "hidden-symmetric-keys"; | |||
| leaf hidden-symmetric-key { | leaf hidden-symmetric-key { | |||
| type empty; | type empty; | |||
| must 'not(../key-format)'; | must 'not(../key-format)'; | |||
| description | description | |||
| "A hidden key is not exportable, and not extractable, | "A hidden key is not exportable and not extractable; | |||
| and therefore, it is of type 'empty' as its value is | therefore, it is of type 'empty' as its value is | |||
| inaccessible via management interfaces. Though hidden | inaccessible via management interfaces. Though hidden | |||
| to users, such keys are not hidden to the server and | to users, such keys are not hidden to the server and | |||
| may be referenced by configuration to indicate which | may be referenced by configuration to indicate which | |||
| key a server should use for a cryptographic operation. | key a server should use for a cryptographic operation. | |||
| How such keys are created is outside the scope of this | How such keys are created is outside the scope of this | |||
| module."; | module."; | |||
| } | } | |||
| } | } | |||
| case encrypted-symmetric-key { | case encrypted-symmetric-key { | |||
| if-feature "encrypted-symmetric-keys"; | if-feature "encrypted-symmetric-keys"; | |||
| container encrypted-symmetric-key { | container encrypted-symmetric-key { | |||
| skipping to change at page 44, line 13 ¶ | skipping to change at line 1958 ¶ | |||
| grouping public-key-grouping { | grouping public-key-grouping { | |||
| description | description | |||
| "A public key."; | "A public key."; | |||
| leaf public-key-format { | leaf public-key-format { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| type identityref { | type identityref { | |||
| base public-key-format; | base public-key-format; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Identifies the public key's format. Implementations SHOULD | "Identifies the public key's format. Implementations SHOULD | |||
| ensure that the incoming public key value is encoded in the | ensure that the incoming public key value is encoded in the | |||
| specified format."; | specified format."; | |||
| } | } | |||
| leaf public-key { | leaf public-key { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| type binary; | type binary; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "The binary value of the public key. The interpretation | "The binary value of the public key. The interpretation | |||
| of the value is defined by 'public-key-format' field."; | of the value is defined by the 'public-key-format' field."; | |||
| } | } | |||
| } | } | |||
| grouping private-key-grouping { | grouping private-key-grouping { | |||
| description | description | |||
| "A private key."; | "A private key."; | |||
| leaf private-key-format { | leaf private-key-format { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| type identityref { | type identityref { | |||
| base private-key-format; | base private-key-format; | |||
| } | } | |||
| description | description | |||
| "Identifies the private key's format. Implementations SHOULD | "Identifies the private key's format. Implementations SHOULD | |||
| ensure that the incoming private key value is encoded in the | ensure that the incoming private key value is encoded in the | |||
| specified format. | specified format. | |||
| For encrypted keys, the value is the decrypted key's | For encrypted keys, the value is the decrypted key's | |||
| format (i.e., the 'encrypted-value-format' conveys the | format (i.e., the 'encrypted-value-format' conveys the | |||
| encrypted key's format."; | encrypted key's format)."; | |||
| } | } | |||
| choice private-key-type { | choice private-key-type { | |||
| nacm:default-deny-write; | nacm:default-deny-write; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Choice between key types."; | "Choice between key types."; | |||
| case cleartext-private-key { | case cleartext-private-key { | |||
| if-feature "cleartext-private-keys"; | if-feature "cleartext-private-keys"; | |||
| leaf cleartext-private-key { | leaf cleartext-private-key { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| type binary; | type binary; | |||
| must '../private-key-format'; | must '../private-key-format'; | |||
| description | description | |||
| "The value of the binary key The key's value is | "The value of the binary key. The key's value is | |||
| interpreted by the 'private-key-format' field."; | interpreted by the 'private-key-format' field."; | |||
| } | } | |||
| } | } | |||
| case hidden-private-key { | case hidden-private-key { | |||
| if-feature "hidden-private-keys"; | if-feature "hidden-private-keys"; | |||
| leaf hidden-private-key { | leaf hidden-private-key { | |||
| type empty; | type empty; | |||
| must 'not(../private-key-format)'; | must 'not(../private-key-format)'; | |||
| description | description | |||
| "A hidden key. It is of type 'empty' as its value is | "A hidden key. It is of type 'empty' as its value is | |||
| inaccessible via management interfaces. Though hidden | inaccessible via management interfaces. Though hidden | |||
| to users, such keys are not hidden to the server and | to users, such keys are not hidden to the server and | |||
| and may be referenced by configuration to indicate which | may be referenced by configuration to indicate which | |||
| key a server should use for a cryptographic operation. | key a server should use for a cryptographic operation. | |||
| How such keys are created is outside the scope of this | How such keys are created is outside the scope of this | |||
| module."; | module."; | |||
| } | } | |||
| } | } | |||
| case encrypted-private-key { | case encrypted-private-key { | |||
| if-feature "encrypted-private-keys"; | if-feature "encrypted-private-keys"; | |||
| container encrypted-private-key { | container encrypted-private-key { | |||
| must '../private-key-format'; | must '../private-key-format'; | |||
| description | description | |||
| skipping to change at page 45, line 47 ¶ | skipping to change at line 2040 ¶ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping asymmetric-key-pair-grouping { | grouping asymmetric-key-pair-grouping { | |||
| description | description | |||
| "A private key and, optionally, its associated public key. | "A private key and, optionally, its associated public key. | |||
| Implementations MUST ensure that the two keys, when both | Implementations MUST ensure that the two keys, when both | |||
| are specified, are a matching pair."; | are specified, are a matching pair."; | |||
| uses public-key-grouping { | uses public-key-grouping { | |||
| refine public-key-format { | refine "public-key-format" { | |||
| mandatory false; | mandatory false; | |||
| } | } | |||
| refine public-key { | refine "public-key" { | |||
| mandatory false; | mandatory false; | |||
| } | } | |||
| } | } | |||
| uses private-key-grouping; | uses private-key-grouping; | |||
| } | } | |||
| grouping certificate-expiration-grouping { | grouping certificate-expiration-grouping { | |||
| description | description | |||
| "A notification for when a certificate is about to, or | "A notification for when a certificate is about to expire or | |||
| already has, expired."; | has already expired."; | |||
| notification certificate-expiration { | notification certificate-expiration { | |||
| if-feature "certificate-expiration-notification"; | if-feature "certificate-expiration-notification"; | |||
| description | description | |||
| "A notification indicating that the configured certificate | "A notification indicating that the configured certificate | |||
| is either about to expire or has already expired. When to | is either about to expire or has already expired. When to | |||
| send notifications is an implementation specific decision, | send notifications is an implementation-specific decision, | |||
| but it is RECOMMENDED that a notification be sent once a | but it is RECOMMENDED that a notification be sent once a | |||
| month for 3 months, then once a week for four weeks, and | month for 3 months, then once a week for four weeks, and | |||
| then once a day thereafter until the issue is resolved. | then once a day thereafter until the issue is resolved. | |||
| If the certificate's Issuer maintains a Certificate | If the certificate's issuer maintains a Certificate | |||
| Revocation List (CRL), the expiration notification MAY | Revocation List (CRL), the expiration notification MAY | |||
| be sent if the CRL is about to expire."; | be sent if the CRL is about to expire."; | |||
| leaf expiration-date { | leaf expiration-date { | |||
| type yang:date-and-time; | type yang:date-and-time; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Identifies the expiration date on the certificate."; | "Identifies the expiration date on the certificate."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| grouping trust-anchor-cert-grouping { | grouping trust-anchor-cert-grouping { | |||
| description | description | |||
| "A trust anchor certificate, and a notification for when | "A trust anchor certificate and a notification for when | |||
| it is about to (or already has) expire."; | it is about to expire or has already expired."; | |||
| leaf cert-data { | leaf cert-data { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| type trust-anchor-cert-cms; | type trust-anchor-cert-cms; | |||
| description | description | |||
| "The binary certificate data for this certificate."; | "The binary certificate data for this certificate."; | |||
| } | } | |||
| uses certificate-expiration-grouping; | uses certificate-expiration-grouping; | |||
| } | } | |||
| grouping end-entity-cert-grouping { | grouping end-entity-cert-grouping { | |||
| description | description | |||
| "An end entity certificate, and a notification for when | "An end-entity certificate and a notification for when | |||
| it is about to (or already has) expire. Implementations | it is about to expire or has already expired. Implementations | |||
| SHOULD assert that, where used, the end entity certificate | SHOULD assert that, where used, the end-entity certificate | |||
| contains the expected public key."; | contains the expected public key."; | |||
| leaf cert-data { | leaf cert-data { | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| type end-entity-cert-cms; | type end-entity-cert-cms; | |||
| description | description | |||
| "The binary certificate data for this certificate."; | "The binary certificate data for this certificate."; | |||
| } | } | |||
| uses certificate-expiration-grouping; | uses certificate-expiration-grouping; | |||
| } | } | |||
| skipping to change at page 47, line 26 ¶ | skipping to change at line 2115 ¶ | |||
| description | description | |||
| "Defines the 'generate-csr' action."; | "Defines the 'generate-csr' action."; | |||
| action generate-csr { | action generate-csr { | |||
| if-feature "csr-generation"; | if-feature "csr-generation"; | |||
| nacm:default-deny-all; | nacm:default-deny-all; | |||
| description | description | |||
| "Generates a certificate signing request structure for | "Generates a certificate signing request structure for | |||
| the associated asymmetric key using the passed subject | the associated asymmetric key using the passed subject | |||
| and attribute values. | and attribute values. | |||
| This action statement is only available when the | This 'action' statement is only available when the | |||
| associated 'public-key-format' node's value is | associated 'public-key-format' node's value is | |||
| 'subject-public-key-info-format'."; | 'subject-public-key-info-format'."; | |||
| input { | input { | |||
| leaf csr-format { | leaf csr-format { | |||
| type identityref { | type identityref { | |||
| base csr-format; | base csr-format; | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "Specifies the format for the returned certificate."; | "Specifies the format for the returned certificate."; | |||
| } | } | |||
| leaf csr-info { | leaf csr-info { | |||
| type csr-info; | type csr-info; | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "A CertificationRequestInfo structure, as defined in | "A CertificationRequestInfo structure, as defined in | |||
| RFC 2986. | RFC 2986. | |||
| Enables the client to provide a fully-populated | Enables the client to provide a fully populated | |||
| CertificationRequestInfo structure that the server | CertificationRequestInfo structure that the server | |||
| only needs to sign in order to generate the complete | only needs to sign in order to generate the complete | |||
| 'CertificationRequest' structure to return in the | CertificationRequest structure to return in the | |||
| 'output'. | 'output'. | |||
| The 'AlgorithmIdentifier' field contained inside | The 'AlgorithmIdentifier' field contained inside | |||
| the 'SubjectPublicKeyInfo' field MUST be one known | the 'SubjectPublicKeyInfo' field MUST be one known | |||
| to be supported by the device."; | to be supported by the device."; | |||
| reference | reference | |||
| "RFC 2986: | "RFC 2986: | |||
| PKCS #10: Certification Request Syntax Specification | PKCS #10: Certification Request Syntax Specification | |||
| RFC AAAA: | RFC 9640: | |||
| YANG Data Types and Groupings for Cryptography"; | YANG Data Types and Groupings for Cryptography"; | |||
| } | } | |||
| } | } | |||
| output { | output { | |||
| choice csr-type { | choice csr-type { | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "A choice amongst certificate signing request formats. | "A choice amongst certificate signing request formats. | |||
| Additional formats MAY be augmented into this 'choice' | Additional formats MAY be augmented into this 'choice' | |||
| statement by future efforts."; | statement by future efforts."; | |||
| skipping to change at page 48, line 33 ¶ | skipping to change at line 2168 ¶ | |||
| leaf p10-csr { | leaf p10-csr { | |||
| type p10-csr; | type p10-csr; | |||
| description | description | |||
| "A CertificationRequest, as defined in RFC 2986."; | "A CertificationRequest, as defined in RFC 2986."; | |||
| } | } | |||
| description | description | |||
| "A CertificationRequest, as defined in RFC 2986."; | "A CertificationRequest, as defined in RFC 2986."; | |||
| reference | reference | |||
| "RFC 2986: | "RFC 2986: | |||
| PKCS #10: Certification Request Syntax Specification | PKCS #10: Certification Request Syntax Specification | |||
| RFC AAAA: | RFC 9640: | |||
| YANG Data Types and Groupings for Cryptography"; | YANG Data Types and Groupings for Cryptography"; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } // generate-csr-grouping | } // generate-csr-grouping | |||
| grouping asymmetric-key-pair-with-cert-grouping { | grouping asymmetric-key-pair-with-cert-grouping { | |||
| description | description | |||
| "A private/public key pair and an associated certificate. | "A private/public key pair and an associated certificate. | |||
| skipping to change at page 49, line 32 ¶ | skipping to change at line 2216 ¶ | |||
| refine "cert-data" { | refine "cert-data" { | |||
| mandatory true; | mandatory true; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| uses generate-csr-grouping; | uses generate-csr-grouping; | |||
| } // asymmetric-key-pair-with-certs-grouping | } // asymmetric-key-pair-with-certs-grouping | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| 3. Security Considerations | 3. Security Considerations | |||
| 3.1. No Support for CRMF | 3.1. No Support for CRMF | |||
| This document uses PKCS #10 [RFC2986] for the "generate-certificate- | This document uses PKCS #10 [RFC2986] for the "generate-csr" action. | |||
| signing-request" action. The use of Certificate Request Message | The use of Certificate Request Message Format (CRMF) [RFC4211] was | |||
| Format (CRMF) [RFC4211] was considered, but it was unclear if there | considered, but it was unclear if there was market demand for it. If | |||
| was market demand for it. If it is desired to support CRMF in the | it is desired to support CRMF in the future, a backwards compatible | |||
| future, a backwards compatible solution can be defined at that time. | solution can be defined at that time. | |||
| 3.2. No Support for Key Generation | 3.2. No Support for Key Generation | |||
| Early revisions of this document included "rpc" statements for | Early revisions of this document included "rpc" statements for | |||
| generating symmetric and asymmetric keys. These statements were | generating symmetric and asymmetric keys. These statements were | |||
| removed due to an inability to obtain consensus for how to | removed due to an inability to obtain consensus for how to | |||
| generically identify the key-algorithm to use. Hence, the solution | generically identify the key algorithm to use. Hence, the solution | |||
| presented in this document only supports keys to be configured via an | presented in this document only supports keys to be configured via an | |||
| external client. | external client. | |||
| Separate protocol-specific modules can present protocol-specific key- | Separate protocol-specific modules can present protocol-specific key- | |||
| generating RPCs (e.g., the "generate-public-key" RPC in | generating RPCs (e.g., the "generate-asymmetric-key-pair" RPC in | |||
| [I-D.ietf-netconf-ssh-client-server] and | [RFC9644] and [RFC9645]). | |||
| [I-D.ietf-netconf-tls-client-server]). | ||||
| 3.3. Unconstrained Public Key Usage | 3.3. Unconstrained Public Key Usage | |||
| This module defines the "public-key-grouping" grouping, which enables | This module defines the "public-key-grouping" grouping, which enables | |||
| the configuration of public keys without constraints on their usage, | the configuration of public keys without constraints on their usage, | |||
| e.g., what operations the key is allowed to be used for (encryption, | e.g., what operations the key is allowed to be used for (e.g., | |||
| verification, both). | encryption, verification, or both). | |||
| The "asymmetric-key-pair-grouping" grouping uses the aforementioned | The "asymmetric-key-pair-grouping" grouping uses the aforementioned | |||
| "public-key-grouping" grouping, and carries the same traits. | "public-key-grouping" grouping and carries the same traits. | |||
| The "asymmetric-key-pair-with-cert-grouping" grouping uses the | The "asymmetric-key-pair-with-cert-grouping" grouping uses the | |||
| aforementioned "asymmetric-key-pair-grouping" grouping, whereby | aforementioned "asymmetric-key-pair-grouping" grouping, whereby | |||
| associated certificates MUST constrain the usage of the public key | associated certificates MUST constrain the usage of the public key | |||
| according to local policy. | according to local policy. | |||
| 3.4. Unconstrained Private Key Usage | 3.4. Unconstrained Private Key Usage | |||
| This module defines the "asymmetric-key-pair-grouping" grouping, | This module defines the "asymmetric-key-pair-grouping" grouping, | |||
| which enables the configuration of private keys without constraints | which enables the configuration of private keys without constraints | |||
| on their usage, e.g., what operations the key is allowed to be used | on their usage, e.g., what operations the key is allowed to be used | |||
| for (e.g., signature, decryption, both). | for (e.g., signature, decryption, or both). | |||
| The "asymmetric-key-pair-with-cert-grouping" uses the aforementioned | The "asymmetric-key-pair-with-cert-grouping" grouping uses the | |||
| "asymmetric-key-pair-grouping" grouping, whereby configured | aforementioned "asymmetric-key-pair-grouping" grouping, whereby | |||
| certificates (e.g., identity certificates) may constrain the use of | configured certificates (e.g., identity certificates) may constrain | |||
| the public key according to local policy. | the use of the public key according to local policy. | |||
| 3.5. Cleartext Passwords and Keys | 3.5. Cleartext Passwords and Keys | |||
| The module contained within this document enables, only when specific | The module contained within this document enables, only when specific | |||
| "feature" statements are enabled, for the cleartext value of | "feature" statements are enabled, for the cleartext value of | |||
| passwords and keys to be stored in the configuration database. | passwords and keys to be stored in the configuration database. | |||
| Storing cleartext values for passwords and keys is NOT RECOMMENDED. | Storing cleartext values for passwords and keys is NOT RECOMMENDED. | |||
| 3.6. Encrypting Passwords and Keys | 3.6. Encrypting Passwords and Keys | |||
| The module contained within this document enables cleartext passwords | The module contained within this document enables cleartext passwords | |||
| and keys to be encrypted via another key, either symmetric or | and keys to be encrypted via another key, either symmetric or | |||
| asymmetric. Both formats use a CMS structure (EncryptedData and | asymmetric. Both formats use a CMS structure (EncryptedData and | |||
| EnvelopedData respectively), which allows any encryption algorithm to | EnvelopedData, respectively), which allows any encryption algorithm | |||
| be used. | to be used. | |||
| To securely encrypt a password or key with a symmetric key, a proper | To securely encrypt a password or key with a symmetric key, a proper | |||
| block cipher mode such as an AEAD or CBC MUST be used. This ensures | block cipher mode, such as an Authenticated Encryption with | |||
| that a random IV is part of the input, which guarantees that the | Associated Data (AEAD) or Cipher Block Chaining (CBC), MUST be used. | |||
| output for encrypting the same password or key still produces a | This ensures that a random Initialization Vector (IV) is part of the | |||
| different unpredictable ciphertext. This avoids leaking that some | input, which guarantees that the output for encrypting the same | |||
| encrypted keys or passwords are the same and makes it much harder to | password or key still produces a different unpredictable ciphertext. | |||
| pre-generate rainbow tables to brute force attack weak passwords. | This avoids leaking that some encrypted keys or passwords are the | |||
| The ECB block cipher mode MUST NOT be used. | same and makes it much harder to pre-generate rainbow tables to | |||
| brute-force attack weak passwords. The Electronic Codebook (ECB) | ||||
| block cipher mode MUST NOT be used. | ||||
| 3.7. Deletion of Cleartext Key Values | 3.7. Deletion of Cleartext Key Values | |||
| This module defines storage for cleartext key values that SHOULD be | This module defines storage for cleartext key values that SHOULD be | |||
| zeroized when deleted, so as to prevent the remnants of their | zeroized when deleted so as to prevent the remnants of their | |||
| persisted storage locations from being analyzed in any meaningful | persisted storage locations from being analyzed in any meaningful | |||
| way. | way. | |||
| The cleartext key values are the "cleartext-symmetric-key" node | The cleartext key values are the "cleartext-symmetric-key" node | |||
| defined in the "symmetric-key-grouping" grouping (Section 2.1.4.3) | defined in the "symmetric-key-grouping" grouping (Section 2.1.4.3) | |||
| and the "cleartext-private-key" node defined in the "asymmetric-key- | and the "cleartext-private-key" node defined in the "asymmetric-key- | |||
| pair-grouping" grouping ("Section 2.1.4.6). | pair-grouping" grouping (Section 2.1.4.6). | |||
| 3.8. Considerations for the "ietf-crypto-types" YANG Module | 3.8. Considerations for the "ietf-crypto-types" YANG Module | |||
| This section follows the template defined in Section 3.7.1 of | This section is modeled after the template defined in Section 3.7.1 | |||
| [RFC8407]. | of [RFC8407]. | |||
| The YANG module in this document defines "grouping" statements that | The "ietf-crypto-types" YANG module defines "grouping" statements | |||
| are designed to be accessed via YANG based management protocols, such | that are designed to be accessed via YANG-based management protocols, | |||
| as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these protocols | such as NETCONF [RFC6241] and RESTCONF [RFC8040]. Both of these | |||
| have mandatory-to-implement secure transport layers (e.g., SSH, TLS) | protocols have mandatory-to-implement secure transport layers (e.g., | |||
| with mutual authentication. | Secure Shell (SSH) [RFC4252], TLS [RFC8446], and QUIC [RFC9000]) and | |||
| mandatory-to-implement mutual authentication. | ||||
| The Network Access Control Model (NACM) [RFC8341] provides the means | The Network Configuration Access Control Model (NACM) [RFC8341] | |||
| to restrict access for particular users to a pre-configured subset of | provides the means to restrict access for particular users to a | |||
| all available protocol operations and content. | preconfigured subset of all available protocol operations and | |||
| content. | ||||
| Since the module in this document only defines groupings, these | Since the module in this document only defines groupings, these | |||
| considerations are primarily for the designers of other modules that | considerations are primarily for the designers of other modules that | |||
| use these groupings. | use these groupings. | |||
| Some of the readable data nodes defined in this YANG module may be | Some of the readable data nodes defined in this YANG module may be | |||
| considered sensitive or vulnerable in some network environments. It | considered sensitive or vulnerable in some network environments. It | |||
| is thus important to control read access (e.g., via get, get-config, | is thus important to control read access (e.g., via get, get-config, | |||
| or notification) to these data nodes. The following subtrees and | or notification) to these data nodes. The following subtrees and | |||
| data nodes have particular sensitivity/vulnerability: | data nodes have particular sensitivity/vulnerability: | |||
| skipping to change at page 52, line 33 ¶ | skipping to change at line 2355 ¶ | |||
| operations such that, in normal use cases, it should never be | operations such that, in normal use cases, it should never be | |||
| returned to a client. For this reason, the NACM extension | returned to a client. For this reason, the NACM extension | |||
| "default-deny-all" has been applied to it. | "default-deny-all" has been applied to it. | |||
| * The "cleartext-private-key" node: | * The "cleartext-private-key" node: | |||
| The "cleartext-private-key" node defined in the "asymmetric- | The "cleartext-private-key" node defined in the "asymmetric- | |||
| key-pair-grouping" grouping is additionally sensitive to read | key-pair-grouping" grouping is additionally sensitive to read | |||
| operations such that, in normal use cases, it should never be | operations such that, in normal use cases, it should never be | |||
| returned to a client. For this reason, the NACM extension | returned to a client. For this reason, the NACM extension | |||
| "default-deny-all" has been applied. | "default-deny-all" has been applied to it. | |||
| * The "cert-data" node: | * The "cert-data" node: | |||
| The "cert-data" node, defined in both the "trust-anchor-cert- | The "cert-data" node defined in both the "trust-anchor-cert- | |||
| grouping" and "end-entity-cert-grouping" groupings, is | grouping" and "end-entity-cert-grouping" groupings is | |||
| additionally sensitive to read operations, as certificates may | additionally sensitive to read operations, as certificates may | |||
| provide insight into which other resources/applications/servers | provide insight into which other resources/applications/servers | |||
| this particular server communicates with, as well as | this particular server communicates with, as well as | |||
| potentially divulge personally identifying information (e.g., | potentially divulge personally identifying information (e.g., | |||
| end-entity certificates). For this reason, the NACM extension | end-entity certificates). For this reason, the NACM extension | |||
| "default-deny-all" has been applied. | "default-deny-all" has been applied to it. | |||
| All the writable data nodes defined by all the groupings defined in | All the writable data nodes defined by all the groupings defined in | |||
| this module may be considered sensitive or vulnerable in some network | this module may be considered sensitive or vulnerable in some network | |||
| environments. For instance, even the modification of a public key or | environments. For instance, even the modification of a public key or | |||
| a certificate can dramatically alter the implemented security policy. | a certificate can dramatically alter the implemented security policy. | |||
| For this reason, the NACM extension "default-deny-write" has been | For this reason, the NACM extension "default-deny-write" has been | |||
| applied to all the data nodes defined in the module. | applied to all the data nodes defined in the module. | |||
| Some of the operations in this YANG module may be considered | Some of the operations in this YANG module may be considered | |||
| sensitive or vulnerable in some network environments. It is thus | sensitive or vulnerable in some network environments. It is thus | |||
| important to control access to these operations. These are the | important to control access to these operations. These are the | |||
| operations and their sensitivity/vulnerability: | operations and their sensitivity/vulnerability: | |||
| * generate-certificate-signing-request: | * generate-csr: | |||
| This "action" statement SHOULD only be executed by authorized | This "action" statement SHOULD only be executed by authorized | |||
| users. For this reason, the NACM extension "default-deny-all" | users. For this reason, the NACM extension "default-deny-all" | |||
| has been applied. Note that NACM uses "default-deny-all" to | has been applied. Note that NACM uses "default-deny-all" to | |||
| protect "RPC" and "action" statements; it does not define, | protect "rpc" and "action" statements; it does not define, | |||
| e.g., an extension called "default-deny-execute". | e.g., an extension called "default-deny-execute". | |||
| For this action, it is RECOMMENDED that implementations assert | For this action, it is RECOMMENDED that implementations assert | |||
| channel binding [RFC5056], so as to ensure that the application | channel binding [RFC5056] so as to ensure that the application | |||
| layer that sent the request is the same as the device | layer that sent the request is the same as the device | |||
| authenticated when the secure transport layer was established. | authenticated when the secure transport layer was established. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| 4.1. The "IETF XML" Registry | 4.1. The IETF XML Registry | |||
| This document registers one URI in the "ns" subregistry of the "IETF | IANA has registered the following URI in the "ns" registry of the | |||
| XML" registry [RFC3688]. Following the format in [RFC3688], the | "IETF XML Registry" [RFC3688]. | |||
| following registration is requested: | ||||
| URI: urn:ietf:params:xml:ns:yang:ietf-crypto-types | URI: urn:ietf:params:xml:ns:yang:ietf-crypto-types | |||
| Registrant Contact: The IESG | Registrant Contact: The IESG | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A; the requested URI is an XML namespace. | |||
| 4.2. The "YANG Module Names" Registry | 4.2. The YANG Module Names Registry | |||
| This document registers one YANG module in the "YANG Module Names" | IANA has registered the following YANG module in the "YANG Module | |||
| registry [RFC6020]. Following the format in [RFC6020], the following | Names" registry [RFC6020]. | |||
| registration is requested: | ||||
| name: ietf-crypto-types | Name: ietf-crypto-types | |||
| namespace: urn:ietf:params:xml:ns:yang:ietf-crypto-types | Namespace: urn:ietf:params:xml:ns:yang:ietf-crypto-types | |||
| prefix: ct | Prefix: ct | |||
| reference: RFC AAAA | Reference: RFC 9640 | |||
| 5. References | 5. References | |||
| 5.1. Normative References | 5.1. Normative References | |||
| [ITU.X680.2021] | [ITU.X680.2021] | |||
| International Telecommunication Union, "Information | ITU-T, "Information technology - Abstract Syntax Notation | |||
| technology - Abstract Syntax Notation One (ASN.1): | One (ASN.1): Specification of basic notation", ITU-T | |||
| Recommendation X.680, ISO/IEC 8824-1:2021, February 2021, | ||||
| Specification of basic notation", ITU-T Recommendation | ||||
| X.680, ISO/IEC 8824-1:2021, February 2021, | ||||
| <https://www.itu.int/rec/T-REC-X.680-202102-I>. | <https://www.itu.int/rec/T-REC-X.680-202102-I>. | |||
| [ITU.X690.2021] | [ITU.X690.2021] | |||
| International Telecommunication Union, "Information | ITU-T, "Information Technology - ASN.1 encoding rules: | |||
| Technology - ASN.1 encoding rules: Specification of Basic | Specification of Basic Encoding Rules (BER), Canonical | |||
| Encoding Rules (BER), Canonical Encoding Rules (CER) and | Encoding Rules (CER) and Distinguished Encoding Rules | |||
| Distinguished Encoding Rules (DER)", ITU-T Recommendation | (DER)", ITU-T Recommendation X.690, ISO/IEC 8825-1:2021, | |||
| X.690, ISO/IEC 8825-1:2021, February 2021, | February 2021, | |||
| <https://www.itu.int/rec/T-REC-X.690-202102-I>. | <https://www.itu.int/rec/T-REC-X.690-202102-I>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | ||||
| Request Syntax Specification Version 1.7", RFC 2986, | ||||
| DOI 10.17487/RFC2986, November 2000, | ||||
| <https://www.rfc-editor.org/info/rfc2986>. | ||||
| [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | ||||
| Authentication Protocol", RFC 4252, DOI 10.17487/RFC4252, | ||||
| January 2006, <https://www.rfc-editor.org/info/rfc4252>. | ||||
| [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) | |||
| Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | Transport Layer Protocol", RFC 4253, DOI 10.17487/RFC4253, | |||
| January 2006, <https://www.rfc-editor.org/info/rfc4253>. | January 2006, <https://www.rfc-editor.org/info/rfc4253>. | |||
| [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., | |||
| Housley, R., and W. Polk, "Internet X.509 Public Key | Housley, R., and W. Polk, "Internet X.509 Public Key | |||
| Infrastructure Certificate and Certificate Revocation List | Infrastructure Certificate and Certificate Revocation List | |||
| (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, | |||
| <https://www.rfc-editor.org/info/rfc5280>. | <https://www.rfc-editor.org/info/rfc5280>. | |||
| [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, | |||
| RFC 5652, DOI 10.17487/RFC5652, September 2009, | RFC 5652, DOI 10.17487/RFC5652, September 2009, | |||
| <https://www.rfc-editor.org/info/rfc5652>. | <https://www.rfc-editor.org/info/rfc5652>. | |||
| [RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key | ||||
| Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, | ||||
| <https://www.rfc-editor.org/info/rfc5915>. | ||||
| [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, | [RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, | |||
| DOI 10.17487/RFC5958, August 2010, | DOI 10.17487/RFC5958, August 2010, | |||
| <https://www.rfc-editor.org/info/rfc5958>. | <https://www.rfc-editor.org/info/rfc5958>. | |||
| [RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax | [RFC6031] Turner, S. and R. Housley, "Cryptographic Message Syntax | |||
| (CMS) Symmetric Key Package Content Type", RFC 6031, | (CMS) Symmetric Key Package Content Type", RFC 6031, | |||
| DOI 10.17487/RFC6031, December 2010, | DOI 10.17487/RFC6031, December 2010, | |||
| <https://www.rfc-editor.org/info/rfc6031>. | <https://www.rfc-editor.org/info/rfc6031>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | ||||
| and A. Bierman, Ed., "Network Configuration Protocol | ||||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6241>. | ||||
| [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., | [RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A., | |||
| Galperin, S., and C. Adams, "X.509 Internet Public Key | Galperin, S., and C. Adams, "X.509 Internet Public Key | |||
| Infrastructure Online Certificate Status Protocol - OCSP", | Infrastructure Online Certificate Status Protocol - OCSP", | |||
| RFC 6960, DOI 10.17487/RFC6960, June 2013, | RFC 6960, DOI 10.17487/RFC6960, June 2013, | |||
| <https://www.rfc-editor.org/info/rfc6960>. | <https://www.rfc-editor.org/info/rfc6960>. | |||
| [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||
| RFC 6991, DOI 10.17487/RFC6991, July 2013, | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||
| <https://www.rfc-editor.org/info/rfc6991>. | <https://www.rfc-editor.org/info/rfc6991>. | |||
| skipping to change at page 55, line 23 ¶ | skipping to change at line 2502 ¶ | |||
| [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
| RFC 7950, DOI 10.17487/RFC7950, August 2016, | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
| <https://www.rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
| [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | [RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch, | |||
| "PKCS #1: RSA Cryptography Specifications Version 2.2", | "PKCS #1: RSA Cryptography Specifications Version 2.2", | |||
| RFC 8017, DOI 10.17487/RFC8017, November 2016, | RFC 8017, DOI 10.17487/RFC8017, November 2016, | |||
| <https://www.rfc-editor.org/info/rfc8017>. | <https://www.rfc-editor.org/info/rfc8017>. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | ||||
| Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | ||||
| <https://www.rfc-editor.org/info/rfc8040>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC8341] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Access Control Model", STD 91, RFC 8341, | Access Control Model", STD 91, RFC 8341, | |||
| DOI 10.17487/RFC8341, March 2018, | DOI 10.17487/RFC8341, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8341>. | <https://www.rfc-editor.org/info/rfc8341>. | |||
| 5.2. Informative References | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8446>. | ||||
| [I-D.ietf-netconf-crypto-types] | [RFC9000] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based | |||
| Watsen, K., "YANG Data Types and Groupings for | Multiplexed and Secure Transport", RFC 9000, | |||
| Cryptography", Work in Progress, Internet-Draft, draft- | DOI 10.17487/RFC9000, May 2021, | |||
| ietf-netconf-crypto-types-33, 1 March 2024, | <https://www.rfc-editor.org/info/rfc9000>. | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| crypto-types-33>. | ||||
| [I-D.ietf-netconf-http-client-server] | 5.2. Informative References | |||
| [HTTP-CLIENT-SERVER] | ||||
| Watsen, K., "YANG Groupings for HTTP Clients and HTTP | Watsen, K., "YANG Groupings for HTTP Clients and HTTP | |||
| Servers", Work in Progress, Internet-Draft, draft-ietf- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
| netconf-http-client-server-19, 1 March 2024, | netconf-http-client-server-23, 15 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| http-client-server-19>. | ||||
| [I-D.ietf-netconf-keystore] | ||||
| Watsen, K., "A YANG Data Model for a Keystore and Keystore | ||||
| Operations", Work in Progress, Internet-Draft, draft-ietf- | ||||
| netconf-keystore-34, 1 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| keystore-34>. | http-client-server-23>. | |||
| [I-D.ietf-netconf-netconf-client-server] | [NETCONF-CLIENT-SERVER] | |||
| Watsen, K., "NETCONF Client and Server Models", Work in | Watsen, K., "NETCONF Client and Server Models", Work in | |||
| Progress, Internet-Draft, draft-ietf-netconf-netconf- | Progress, Internet-Draft, draft-ietf-netconf-netconf- | |||
| client-server-35, 1 March 2024, | client-server-37, 14 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| netconf-client-server-35>. | netconf-client-server-37>. | |||
| [I-D.ietf-netconf-restconf-client-server] | [RESTCONF-CLIENT-SERVER] | |||
| Watsen, K., "RESTCONF Client and Server Models", Work in | Watsen, K., "RESTCONF Client and Server Models", Work in | |||
| Progress, Internet-Draft, draft-ietf-netconf-restconf- | Progress, Internet-Draft, draft-ietf-netconf-restconf- | |||
| client-server-35, 1 March 2024, | client-server-38, 14 August 2024, | |||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| restconf-client-server-35>. | ||||
| [I-D.ietf-netconf-ssh-client-server] | ||||
| Watsen, K., "YANG Groupings for SSH Clients and SSH | ||||
| Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
| netconf-ssh-client-server-39, 1 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| ssh-client-server-39>. | ||||
| [I-D.ietf-netconf-tcp-client-server] | ||||
| Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | ||||
| and TCP Servers", Work in Progress, Internet-Draft, draft- | ||||
| ietf-netconf-tcp-client-server-23, 1 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| tcp-client-server-23>. | ||||
| [I-D.ietf-netconf-tls-client-server] | ||||
| Watsen, K., "YANG Groupings for TLS Clients and TLS | ||||
| Servers", Work in Progress, Internet-Draft, draft-ietf- | ||||
| netconf-tls-client-server-40, 1 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | ||||
| tls-client-server-40>. | ||||
| [I-D.ietf-netconf-trust-anchors] | ||||
| Watsen, K., "A YANG Data Model for a Truststore", Work in | ||||
| Progress, Internet-Draft, draft-ietf-netconf-trust- | ||||
| anchors-27, 1 March 2024, | ||||
| <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
| trust-anchors-27>. | restconf-client-server-38>. | |||
| [RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification | ||||
| Request Syntax Specification Version 1.7", RFC 2986, | ||||
| DOI 10.17487/RFC2986, November 2000, | ||||
| <https://www.rfc-editor.org/info/rfc2986>. | ||||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
| <https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | [RFC4211] Schaad, J., "Internet X.509 Public Key Infrastructure | |||
| Certificate Request Message Format (CRMF)", RFC 4211, | Certificate Request Message Format (CRMF)", RFC 4211, | |||
| DOI 10.17487/RFC4211, September 2005, | DOI 10.17487/RFC4211, September 2005, | |||
| <https://www.rfc-editor.org/info/rfc4211>. | <https://www.rfc-editor.org/info/rfc4211>. | |||
| [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | |||
| <https://www.rfc-editor.org/info/rfc5056>. | <https://www.rfc-editor.org/info/rfc5056>. | |||
| [RFC5915] Turner, S. and D. Brown, "Elliptic Curve Private Key | ||||
| Structure", RFC 5915, DOI 10.17487/RFC5915, June 2010, | ||||
| <https://www.rfc-editor.org/info/rfc5915>. | ||||
| [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
| the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
| <https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | ||||
| and A. Bierman, Ed., "Network Configuration Protocol | ||||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6241>. | ||||
| [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | [RFC7317] Bierman, A. and M. Bjorklund, "A YANG Data Model for | |||
| System Management", RFC 7317, DOI 10.17487/RFC7317, August | System Management", RFC 7317, DOI 10.17487/RFC7317, August | |||
| 2014, <https://www.rfc-editor.org/info/rfc7317>. | 2014, <https://www.rfc-editor.org/info/rfc7317>. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | Interchange Format", STD 90, RFC 8259, | |||
| <https://www.rfc-editor.org/info/rfc8040>. | DOI 10.17487/RFC8259, December 2017, | |||
| <https://www.rfc-editor.org/info/rfc8259>. | ||||
| [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
| BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
| [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
| and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
| (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
| <https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
| [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
| Documents Containing YANG Data Models", BCP 216, RFC 8407, | Documents Containing YANG Data Models", BCP 216, RFC 8407, | |||
| DOI 10.17487/RFC8407, October 2018, | DOI 10.17487/RFC8407, October 2018, | |||
| <https://www.rfc-editor.org/info/rfc8407>. | <https://www.rfc-editor.org/info/rfc8407>. | |||
| Appendix A. Change Log | [RFC8792] Watsen, K., Auerswald, E., Farrel, A., and Q. Wu, | |||
| "Handling Long Lines in Content of Internet-Drafts and | ||||
| A.1. I-D to 00 | RFCs", RFC 8792, DOI 10.17487/RFC8792, June 2020, | |||
| <https://www.rfc-editor.org/info/rfc8792>. | ||||
| * Removed groupings and notifications. | ||||
| * Added typedefs for identityrefs. | ||||
| * Added typedefs for other RFC 5280 structures. | ||||
| * Added typedefs for other RFC 5652 structures. | ||||
| * Added convenience typedefs for RFC 4253, RFC 5280, and RFC 5652. | ||||
| A.2. 00 to 01 | ||||
| * Moved groupings from the draft-ietf-netconf-keystore here. | ||||
| A.3. 01 to 02 | ||||
| * Removed unwanted "mandatory" and "must" statements. | ||||
| * Added many new crypto algorithms (thanks Haiguang!) | ||||
| * Clarified in asymmetric-key-pair-with-certs-grouping, in | ||||
| certificates/certificate/name/description, that if the name MUST | ||||
| NOT match the name of a certificate that exists independently in | ||||
| <operational>, enabling certs installed by the manufacturer (e.g., | ||||
| an IDevID). | ||||
| A.4. 02 to 03 | ||||
| * renamed base identity 'asymmetric-key-encryption-algorithm' to | ||||
| 'asymmetric-key-algorithm'. | ||||
| * added new 'asymmetric-key-algorithm' identities for secp192r1, | ||||
| secp224r1, secp256r1, secp384r1, and secp521r1. | ||||
| * removed 'mac-algorithm' identities for mac-aes-128-ccm, mac-aes- | ||||
| 192-ccm, mac-aes-256-ccm, mac-aes-128-gcm, mac-aes-192-gcm, mac- | ||||
| aes-256-gcm, and mac-chacha20-poly1305. | ||||
| * for all -cbc and -ctr identities, renamed base identity | ||||
| 'symmetric-key-encryption-algorithm' to 'encryption-algorithm'. | ||||
| * for all -ccm and -gcm identities, renamed base identity | ||||
| 'symmetric-key-encryption-algorithm' to 'encryption-and-mac- | ||||
| algorithm' and renamed the identity to remove the "enc-" prefix. | ||||
| * for all the 'signature-algorithm' based identities, renamed from | ||||
| 'rsa-*' to 'rsassa-*'. | ||||
| * removed all of the "x509v3-" prefixed 'signature-algorithm' based | ||||
| identities. | ||||
| * added 'key-exchange-algorithm' based identities for 'rsaes-oaep' | ||||
| and 'rsaes-pkcs1-v1_5'. | ||||
| * renamed typedef 'symmetric-key-encryption-algorithm-ref' to | ||||
| 'symmetric-key-algorithm-ref'. | ||||
| * renamed typedef 'asymmetric-key-encryption-algorithm-ref' to | ||||
| 'asymmetric-key-algorithm-ref'. | ||||
| * added typedef 'encryption-and-mac-algorithm-ref'. | ||||
| * Updated copyright date, boilerplate template, affiliation, and | ||||
| folding algorithm. | ||||
| A.5. 03 to 04 | ||||
| * ran YANG module through formatter. | ||||
| A.6. 04 to 05 | ||||
| * fixed broken symlink causing reformatted YANG module to not show. | ||||
| A.7. 05 to 06 | ||||
| * Added NACM annotations. | ||||
| * Updated Security Considerations section. | ||||
| * Added 'asymmetric-key-pair-with-cert-grouping' grouping. | ||||
| * Removed text from 'permanently-hidden' enum regarding such keys | ||||
| not being backed up or restored. | ||||
| * Updated the boilerplate text in module-level "description" | ||||
| statement to match copyeditor convention. | ||||
| * Added an explanation to the 'public-key-grouping' and 'asymmetric- | ||||
| key-pair-grouping' statements as for why the nodes are not | ||||
| mandatory (e.g., because they may exist only in <operational>. | ||||
| * Added 'must' expressions to the 'public-key-grouping' and | ||||
| 'asymmetric-key-pair-grouping' statements ensuring sibling nodes | ||||
| are either all exist or do not all exist. | ||||
| * Added an explanation to the 'permanently-hidden' that the value | ||||
| cannot be configured directly by clients and servers MUST fail any | ||||
| attempt to do so. | ||||
| * Added 'trust-anchor-certs-grouping' and 'end-entity-certs- | ||||
| grouping' (the plural form of existing groupings). | ||||
| * Now states that keys created in <operational> by the *-hidden-key | ||||
| actions are bound to the lifetime of the parent 'config true' | ||||
| node, and that subsequent invocations of either action results in | ||||
| a failure. | ||||
| A.8. 06 to 07 | ||||
| * Added clarifications that implementations SHOULD assert that | ||||
| configured certificates contain the matching public key. | ||||
| * Replaced the 'generate-hidden-key' and 'install-hidden-key' | ||||
| actions with special 'crypt-hash' -like input/output values. | ||||
| A.9. 07 to 08 | ||||
| * Removed the 'generate-key and 'hidden-key' features. | ||||
| * Added grouping symmetric-key-grouping | ||||
| * Modified 'asymmetric-key-pair-grouping' to have a 'choice' | ||||
| statement for the keystone module to augment into, as well as | ||||
| replacing the 'union' with leafs (having different NACM settings. | ||||
| A.10. 08 to 09 | ||||
| * Converting algorithm from identities to enumerations. | ||||
| A.11. 09 to 10 | ||||
| * All the below changes are to the algorithm enumerations defined in | ||||
| ietf-crypto-types. | ||||
| * Add in support for key exchange over x.25519 and x.448 based on | ||||
| RFC 8418. | ||||
| * Add in SHAKE-128, SHAKE-224, SHAKE-256, SHAKE-384 and SHAKE 512 | ||||
| * Revise/add in enum of signature algorithm for x25519 and x448 | ||||
| * Add in des3-cbc-sha1 for IPSec | ||||
| * Add in sha1-des3-kd for IPSec | ||||
| * Add in definit for rc4-hmac and rc4-hmac-exp. These two | ||||
| algorithms have been deprecated in RFC 8429. But some existing | ||||
| draft in i2nsf may still want to use them. | ||||
| * Add x25519 and x448 curve for asymmetric algorithms | ||||
| * Add signature algorithms ed25519, ed25519-cts, ed25519ph | ||||
| * add signature algorithms ed448, ed448ph | ||||
| * Add in rsa-sha2-256 and rsa-sha2-512 for SSH protocols (rfc8332) | ||||
| A.12. 10 to 11 | ||||
| * Added a "key-format" identity. | ||||
| * Added symmetric keys to the example in Section 2.2. | ||||
| A.13. 11 to 12 | ||||
| * Removed all non-essential (to NC/RC) algorithm types. | ||||
| * Moved remaining algorithm types each into its own module. | ||||
| * Added a 'config false' "algorithms-supported" list to each of the | ||||
| algorithm-type modules. | ||||
| A.14. 12 to 13 | ||||
| * Added the four features: "[encrypted-]one-[a]symmetric-key- | ||||
| format", each protecting a 'key-format' identity of the same name. | ||||
| * Added 'must' expressions asserting that the 'key-format' leaf | ||||
| exists whenever a non-hidden key is specified. | ||||
| * Improved the 'description' statements and added 'reference' | ||||
| statements for the 'key-format' identities. | ||||
| * Added a questionable forward reference to "encrypted-*" leafs in a | ||||
| couple 'when' expressions. | ||||
| * Did NOT move "config false" alg-supported lists to SSH/TLS drafts. | ||||
| A.15. 13 to 14 | ||||
| * Resolved the "FIXME: forward ref" issue by modulating 'must', | ||||
| 'when', and 'mandatory' expressions. | ||||
| * Moved the 'generatesymmetric-key' and 'generate-asymmetric-key' | ||||
| actions from ietf-keystore to ietf-crypto-types, now as RPCs. | ||||
| * Cleaned up various description statements and removed lingering | ||||
| FIXMEs. | ||||
| * Converted the "iana-<alg-type>-algs" YANG modules to IANA | ||||
| registries with instructions for how to generate modules from the | ||||
| registries, whenever they may be updated. | ||||
| A.16. 14 to 15 | ||||
| * Removed the IANA-maintained registries for symmetric, asymmetric, | ||||
| and hash algorithms. | ||||
| * Removed the "generate-symmetric-key" and "generate-asymmetric-key" | ||||
| RPCs. | ||||
| * Removed the "algorithm" node in the various symmetric and | ||||
| asymmetric key groupings. | ||||
| * Added 'typedef csr' and 'feature certificate-signing-request- | ||||
| generation'. | ||||
| * Refined a usage of "end-entity-cert-grouping" to make the "cert" | ||||
| node mandatory true. | ||||
| * Added a "Note to Reviewers" note to first page. | ||||
| A.17. 15 to 16 | ||||
| * Updated draft title (refer to "Groupings" too). | ||||
| * Removed 'end-entity-certs-grouping' as it wasn't being used | ||||
| anywhere. | ||||
| * Removed 'trust-anchor-certs-grouping' as it was no longer being | ||||
| used after modifying 'inline-or-truststore-certs-grouping' to use | ||||
| lists (not leaf-lists). | ||||
| * Renamed "cert" to "cert-data" in trust-anchor-cert-grouping. | ||||
| * Added "csr-info" typedef, to complement the existing "csr" | ||||
| typedef. | ||||
| * Added "ocsp-request" and "ocsp-response" typedefs, to complement | ||||
| the existing "crl" typedef. | ||||
| * Added "encrypted" cases to both symmetric-key-grouping and | ||||
| asymmetric-key-pair-grouping (Moved from Keystore draft). | ||||
| * Expanded "Data Model Overview section(s) [remove "wall" of tree | ||||
| diagrams]. | ||||
| * Updated the Security Considerations section. | ||||
| A.18. 16 to 17 | ||||
| * [Re]-added a "Strength of Keys Configured" Security Consideration | ||||
| * Prefixed "cleartext-" in the "key" and "private-key" node names. | ||||
| A.19. 17 to 18 | ||||
| * Fixed issues found by the SecDir review of the "keystore" draft. | ||||
| * Added "password-grouping", discussed during the IETF 108 session. | ||||
| A.20. 18 to 19 | ||||
| * Added a "Unconstrained Public Key Usage" Security Consideration to | ||||
| address concern raised by SecDir of the 'truststore' draft. | ||||
| * Added a "Unconstrained Private Key Usage" Security Consideration | ||||
| to address concern raised by SecDir of the 'truststore' draft. | ||||
| * Changed the encryption strategy, after conferring with Russ | ||||
| Housley. | ||||
| * Added a "password-grouping" example to the "crypto-types-usage" | ||||
| example. | ||||
| * Added an "Encrypting Passwords" section to Security Consideration. | ||||
| * Addressed other comments raised by YANG Doctor. | ||||
| A.21. 19 to 20 | ||||
| * Nits found via YANG Doctors reviews. | ||||
| * Aligned modules with `pyang -f` formatting. | ||||
| A.22. 20 to 21 | ||||
| * Replaced "base64encodedvalue==" with "BASE64VALUE=". | ||||
| * Accommodated SecDir review by Valery Smyslov. | ||||
| A.23. 21 to 22 | ||||
| * fixup the 'WG Web' and 'WG List' lines in YANG module(s) | ||||
| * fixup copyright (i.e., s/Simplified/Revised/) in YANG module(s) | ||||
| * added 'hidden-keys' feature. | ||||
| A.24. 22 to 23 | ||||
| * Fixed an example to reference correct key. | ||||
| * Fixed an example to not have line-returns around the encoding for | ||||
| a binary value. | ||||
| A.25. 23 to 24 | ||||
| * Added mandatory leaf "csr-format" to action "generate-csr". | ||||
| * s/certificate-signing-request/csr/g in the YANG module. | ||||
| A.26. 24 to 25 | ||||
| * Updated per Shepherd reviews impacting the suite of drafts. | ||||
| A.27. 25 to 26 | ||||
| * Updated per Shepherd reviews impacting the suite of drafts. | ||||
| A.28. 26 to 27 | ||||
| * Updated per Tom Petch and AD reviews. | ||||
| * Renamed numerous "feature" statements and some "grouping" | ||||
| statements (in YANG) | ||||
| * Added "csr-format" and "p10-csr-format" identities to doc (they | ||||
| were already in YANG) | ||||
| * Clarified that the 'rsa-private-key-format' and 'ec-private-key- | ||||
| format' formats must be encoded using DER | ||||
| * Added 'if-feature cleartext-passwords' statement to 'case | ||||
| cleartext-password' in grouping 'password-grouping'. | ||||
| * Added 'if-feature cleartext-keys' statement to 'case cleartext- | ||||
| key' in grouping 'symmetric-key-grouping'. | ||||
| * Added 'if-feature cleartext-cleartext-private-keys' statement to | ||||
| 'case cleartext-private-key' in grouping 'asymmetric-key- | ||||
| grouping'. | ||||
| * Updated Section titles. | ||||
| * Clarified Security Considerations about the "generate-public-key" | ||||
| RPCs. | ||||
| A.29. 27 to 28 | ||||
| * Mostly addresses AD review comments. | ||||
| * Also addresses on-list comment regarding public-keys being | ||||
| "mandatory true." | ||||
| * Added note to Editor to fix line foldings. | ||||
| * Factored 'private-key-grouping' from 'asymmetric-key-pair- | ||||
| grouping'. | ||||
| * Made public-key in 'asymmetric-key-pair-grouping' be "mandatory | ||||
| false". | ||||
| * Renamed 'encrypted-by-choice-grouping' to 'encrypted-by-grouping'. | ||||
| A.30. 28 to 29 | ||||
| * Addresses Gen-ART review by Dale Worley. | ||||
| * Addresses review by Tom Petch. | ||||
| A.31. 29 to 30 | ||||
| * Addresses 1st-round of IESG reviews. | ||||
| A.32. 30 to 32 | ||||
| * Addresses issues found in OpsDir of the ssh-client-server draft. | [RFC9641] Watsen, K., "A YANG Data Model for a Truststore", | |||
| RFC 9641, DOI 10.17487/RFC9641, September 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9641>. | ||||
| * Removed "Strength of Keys Conveyed" section. | [RFC9642] Watsen, K., "A YANG Data Model for a Keystore", RFC 9642, | |||
| DOI 10.17487/RFC9642, September 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9642>. | ||||
| * Renamed Security Considerations section s/Template for/ | [RFC9643] Watsen, K. and M. Scharf, "YANG Groupings for TCP Clients | |||
| Considerations for/ | and TCP Servers", RFC 9643, DOI 10.17487/RFC9643, | |||
| September 2024, <https://www.rfc-editor.org/info/rfc9643>. | ||||
| * Improved Security Consideration for 'cert-data' node. | [RFC9644] Watsen, K., "YANG Groupings for SSH Clients and SSH | |||
| Servers", RFC 9644, DOI 10.17487/RFC9644, September 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9644>. | ||||
| A.33. 32 to 34 | [RFC9645] Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
| Servers", RFC 9645, DOI 10.17487/RFC9645, September 2024, | ||||
| <https://www.rfc-editor.org/info/rfc9645>. | ||||
| * Nothing changed. Only bumped for automation... | [W3C.REC-xml-20081126] | |||
| Bray, T., Paoli, J., Sperberg-McQueen, C.M., Maler, E., | ||||
| and F. Yergeau, "Extensible Markup Language (XML) 1.0 | ||||
| (Fifth Edition)", World Wide Web Consortium | ||||
| Recommendation REC-xml-20081126, November 2008, | ||||
| <https://www.w3.org/TR/2008/REC-xml-20081126/>. | ||||
| Acknowledgements | Acknowledgements | |||
| The authors would like to thank the following for lively discussions | The authors would like to thank the following for lively discussions | |||
| on list and in the halls (ordered by first name): Balázs Kovács, | on list and in the halls (ordered by first name): Balázs Kovács, | |||
| Carsten Bormann, Dale Worley, Eric Voit, Éric Vyncke, Francesca | Carsten Bormann, Dale Worley, Eric Voit, Éric Vyncke, Francesca | |||
| Palombini, Jürgen Schönwälder, Lars Eggert, Liang Xia, Martin | Palombini, Jürgen Schönwälder, Lars Eggert, Liang Xia, Mahesh | |||
| Björklund, Mahesh Jethanandani, Murray Kucherawy, Nick Hancock, Orie | Jethanandani, Martin Björklund, Murray Kucherawy, Nick Hancock, Orie | |||
| Steele, Paul Wouters, Rich Salz, Rifaat Shekh-Yusef, Rob Wilton, | Steele, Paul Wouters, Rich Salz, Rifaat Shekh-Yusef, Rob Wilton, | |||
| Roman Danyliw, Russ Housley, Sandra Murphy, Tom Petch, Valery | Roman Danyliw, Russ Housley, Sandra Murphy, Tom Petch, Valery | |||
| Smyslov, Wang Haiguang, Warren Kumari, and Zaheduzzaman Sarker. | Smyslov, Wang Haiguang, Warren Kumari, and Zaheduzzaman Sarker. | |||
| Author's Address | Author's Address | |||
| Kent Watsen | Kent Watsen | |||
| Watsen Networks | Watsen Networks | |||
| Email: kent+ietf@watsen.net | Email: kent+ietf@watsen.net | |||
| End of changes. 198 change blocks. | ||||
| 853 lines changed or deleted | 417 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. | ||||