rfc9641v4.txt | rfc9641.txt | |||
---|---|---|---|---|
skipping to change at line 174 ¶ | skipping to change at line 174 ¶ | |||
1.3. Adherence to the NMDA | 1.3. Adherence to the NMDA | |||
This document is compliant with the Network Management Datastore | This document is compliant with the Network Management Datastore | |||
Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | Architecture (NMDA) [RFC8342]. For instance, trust anchors installed | |||
during manufacturing (e.g., for trusted, well-known services) are | during manufacturing (e.g., for trusted, well-known services) are | |||
expected to appear in <operational> (see Section 3). | expected to appear in <operational> (see Section 3). | |||
1.4. Conventions | 1.4. Conventions | |||
Various examples in this document use "BASE64VALUE=" as a placeholder | Various examples in this document use "BASE64VALUE=" as a placeholder | |||
value for binary data that has been base64 encoded (see Section 4 of | value for binary data that has been base64 encoded (see Section 9.8 | |||
[RFC4648]). This placeholder value is used because real | of [RFC7950]). This placeholder value is used because real | |||
base64-encoded structures are often many lines long and hence | base64-encoded structures are often many lines long and hence | |||
distracting to the example being presented. | distracting to the example being presented. | |||
Various examples in this document use the XML [W3C.REC-xml-20081126] | ||||
encoding. Other encodings, such as JSON [RFC8259], could | ||||
alternatively be used. | ||||
Various examples in this document contain long lines that may be | ||||
folded, as described in [RFC8792]. | ||||
This document uses the adjective "central" with the word "truststore" | This document uses the adjective "central" with the word "truststore" | |||
to refer to the top-level instance of the "truststore-grouping" | to refer to the top-level instance of the "truststore-grouping" | |||
grouping when the "central-truststore-supported" feature is enabled. | grouping when the "central-truststore-supported" feature is enabled. | |||
Please be aware that consuming YANG modules MAY instantiate the | Please be aware that consuming YANG modules MAY instantiate the | |||
"truststore-grouping" grouping in other locations. All such other | "truststore-grouping" grouping in other locations. All such other | |||
instances are not the "central" instance. | instances are not the "central" instance. | |||
2. The "ietf-truststore" Module | 2. The "ietf-truststore" Module | |||
This section defines a YANG 1.1 [RFC7950] module called "ietf- | This section defines a YANG 1.1 [RFC7950] module called "ietf- | |||
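Review bot: the Section 1.4 change replaces the base64 citation (Section 4 of [RFC4648]) with Section 9.8 of [RFC7950], the YANG "binary" built-in type, and drops the two paragraphs stating that examples use XML and that long lines are folded per [RFC8792]; both statements reappear, per example, in the later hunks, so no convention is lost. One consequence worth confirming is intentional: deleting "Other encodings, such as JSON [RFC8259], could alternatively be used" leaves the document silent on JSON encoding of the truststore data, and the corresponding [RFC8259] reference entry is removed further down.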
skipping to change at line 510 ¶ | skipping to change at line 517 ¶ | |||
+-- End entity certs for authenticating a set of remote servers | +-- End entity certs for authenticating a set of remote servers | |||
+-- Trust anchor certs for authenticating a set of remote clients | +-- Trust anchor certs for authenticating a set of remote clients | |||
+-- End entity certs for authenticating a set of remote clients | +-- End entity certs for authenticating a set of remote clients | |||
Public Key Bags | Public Key Bags | |||
+-- SSH keys to authenticate a set of remote SSH servers | +-- SSH keys to authenticate a set of remote SSH servers | |||
+-- SSH keys to authenticate a set of remote SSH clients | +-- SSH keys to authenticate a set of remote SSH clients | |||
+-- Raw public keys to authenticate a set of remote SSH servers | +-- Raw public keys to authenticate a set of remote SSH servers | |||
+-- Raw public keys to authenticate a set of remote SSH clients | +-- Raw public keys to authenticate a set of remote SSH clients | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
Note that long lines in examples are wrapped as described in | ||||
[RFC8792]. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- A bag of Certificate Bags --> | <!-- A bag of Certificate Bags --> | |||
<certificate-bags> | <certificate-bags> | |||
<!-- Trust Anchor Certs for Authenticating Servers --> | <!-- Trust Anchor Certs for Authenticating Servers --> | |||
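Review bot: minor wording inconsistency across the per-example sentences added in this version. Here the added text says "The following example uses the XML [W3C.REC-xml-20081126] encoding. Note that long lines in examples are wrapped as described in [RFC8792].", while the sentences added before the examples in Sections 2.2.2 and 2.3 carry only the first sentence, even though those examples also start with the "NOTE: '\' line wrapping per RFC 8792" banner. Either drop the second sentence here (the banner already states it) or add it to the other two for symmetry.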
skipping to change at line 693 ¶ | skipping to change at line 695 ¶ | |||
</public-key-bag> | </public-key-bag> | |||
</public-key-bags> | </public-key-bags> | |||
</truststore> | </truststore> | |||
2.2.2. A Certificate Expiration Notification | 2.2.2. A Certificate Expiration Notification | |||
The following example illustrates the "certificate-expiration" | The following example illustrates the "certificate-expiration" | |||
notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | notification (per Section 2.1.4.7 of [RFC9640]) for a certificate | |||
configured in the truststore described in Section 2.2.1. | configured in the truststore described in Section 2.2.1. | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<notification | <notification | |||
xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | xmlns="urn:ietf:params:xml:ns:netconf:notification:1.0"> | |||
<eventTime>2018-05-25T00:01:00Z</eventTime> | <eventTime>2018-05-25T00:01:00Z</eventTime> | |||
<truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | <truststore xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore"> | |||
<certificate-bags> | <certificate-bags> | |||
<certificate-bag> | <certificate-bag> | |||
<name>trusted-client-ee-certs</name> | <name>trusted-client-ee-certs</name> | |||
<certificate> | <certificate> | |||
skipping to change at line 788 ¶ | skipping to change at line 788 ¶ | |||
ts:central-public-key-bag-ref | ts:central-public-key-bag-ref | |||
The following example provides two equivalent instances of each | The following example provides two equivalent instances of each | |||
grouping, the first being a reference to a truststore and the second | grouping, the first being a reference to a truststore and the second | |||
being defined inline. The instance having a reference to a | being defined inline. The instance having a reference to a | |||
truststore is consistent with the truststore defined in | truststore is consistent with the truststore defined in | |||
Section 2.2.1. The two instances are equivalent, as the inlined | Section 2.2.1. The two instances are equivalent, as the inlined | |||
instance example contains the same values defined by the truststore | instance example contains the same values defined by the truststore | |||
instance referenced by its sibling example. | instance referenced by its sibling example. | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
=============== NOTE: '\' line wrapping per RFC 8792 ================ | =============== NOTE: '\' line wrapping per RFC 8792 ================ | |||
<truststore-usage | <truststore-usage | |||
xmlns="https://example.com/ns/example-truststore-usage" | xmlns="https://example.com/ns/example-truststore-usage" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types"> | |||
<!-- The following two equivalent examples illustrate --> | <!-- The following two equivalent examples illustrate --> | |||
<!-- the "inline-or-truststore-certs-grouping" grouping: --> | <!-- the "inline-or-truststore-certs-grouping" grouping: --> | |||
<cert> | <cert> | |||
skipping to change at line 1328 ¶ | skipping to change at line 1326 ¶ | |||
The primary characteristic of the built-in trust anchors is that they | The primary characteristic of the built-in trust anchors is that they | |||
are provided by the server, as opposed to configuration. As such, | are provided by the server, as opposed to configuration. As such, | |||
they are present in <operational> (Section 5.3 of [RFC8342]) and | they are present in <operational> (Section 5.3 of [RFC8342]) and | |||
<system> [NETMOD-SYSTEM-CONFIG], if implemented. | <system> [NETMOD-SYSTEM-CONFIG], if implemented. | |||
The example below illustrates what the truststore in <operational> | The example below illustrates what the truststore in <operational> | |||
might look like for a server in its factory default state. Note that | might look like for a server in its factory default state. Note that | |||
the built-in trust anchor bags have the "or:origin" annotation value | the built-in trust anchor bags have the "or:origin" annotation value | |||
"or:system". | "or:system". | |||
The following example uses the XML [W3C.REC-xml-20081126] encoding. | ||||
<truststore | <truststore | |||
xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | xmlns="urn:ietf:params:xml:ns:yang:ietf-truststore" | |||
xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | xmlns:ct="urn:ietf:params:xml:ns:yang:ietf-crypto-types" | |||
xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | xmlns:or="urn:ietf:params:xml:ns:yang:ietf-origin" | |||
or:origin="or:intended"> | or:origin="or:intended"> | |||
<certificate-bags> | <certificate-bags> | |||
<certificate-bag or:origin="or:system"> | <certificate-bag or:origin="or:system"> | |||
<name>Built-In Manufacturer Trust Anchor Certificates</name> | <name>Built-In Manufacturer Trust Anchor Certificates</name> | |||
<description> | <description> | |||
skipping to change at line 1547 ¶ | skipping to change at line 1543 ¶ | |||
Watsen, K., "RESTCONF Client and Server Models", Work in | Watsen, K., "RESTCONF Client and Server Models", Work in | |||
Progress, Internet-Draft, draft-ietf-netconf-restconf- | Progress, Internet-Draft, draft-ietf-netconf-restconf- | |||
client-server-38, 14 August 2024, | client-server-38, 14 August 2024, | |||
<https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | <https://datatracker.ietf.org/doc/html/draft-ietf-netconf- | |||
restconf-client-server-38>. | restconf-client-server-38>. | |||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
[RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data | ||||
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, | ||||
<https://www.rfc-editor.org/info/rfc4648>. | ||||
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for | |||
the Network Configuration Protocol (NETCONF)", RFC 6020, | the Network Configuration Protocol (NETCONF)", RFC 6020, | |||
DOI 10.17487/RFC6020, October 2010, | DOI 10.17487/RFC6020, October 2010, | |||
<https://www.rfc-editor.org/info/rfc6020>. | <https://www.rfc-editor.org/info/rfc6020>. | |||
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | ||||
Interchange Format", STD 90, RFC 8259, | ||||
DOI 10.17487/RFC8259, December 2017, | ||||
<https://www.rfc-editor.org/info/rfc8259>. | ||||
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | |||
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8340>. | <https://www.rfc-editor.org/info/rfc8340>. | |||
[RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | |||
and R. Wilton, "Network Management Datastore Architecture | and R. Wilton, "Network Management Datastore Architecture | |||
(NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | |||
<https://www.rfc-editor.org/info/rfc8342>. | <https://www.rfc-editor.org/info/rfc8342>. | |||
[RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | [RFC8407] Bierman, A., "Guidelines for Authors and Reviewers of | |||
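Review bot: removing the [RFC4648] and [RFC8259] entries matches the Section 1.4 change, where the base64 sentence now cites [RFC7950] and the JSON sentence was deleted, so the shown text has no dangling citation of either. Since the diff only shows the changed regions, it is worth confirming that no other part of the document (for example a "reference" statement inside the YANG module) still cites [RFC4648] for the base64 lexical form.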
End of changes. 8 change blocks. | ||||
17 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |