--- 1/draft-ietf-netconf-tls-client-server-15.txt 2019-11-02 14:13:24.919256451 -0700
+++ 2/draft-ietf-netconf-tls-client-server-16.txt 2019-11-02 14:13:25.003258573 -0700
@@ -1,21 +1,21 @@
NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks
Intended status: Standards Track G. Wu
-Expires: April 20, 2020 Cisco Systems
+Expires: May 4, 2020 Cisco Systems
L. Xia
Huawei
- October 18, 2019
+ November 1, 2019
YANG Groupings for TLS Clients and TLS Servers
- draft-ietf-netconf-tls-client-server-15
+ draft-ietf-netconf-tls-client-server-16
Abstract
This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor)
@@ -40,42 +40,42 @@
o "XXXX" --> the assigned RFC value for this draft
o "YYYY" --> the assigned RFC value for I-D.ietf-netconf-trust-
anchors
o "ZZZZ" --> the assigned RFC value for I-D.ietf-netconf-keystore
Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement:
- o "2019-10-18" --> the publication date of this draft
+ o "2019-11-02" --> the publication date of this draft
The following Appendix section is to be removed prior to publication:
o Appendix A. Change Log
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on April 20, 2020.
+ This Internet-Draft will expire on May 4, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
@@ -118,20 +118,21 @@
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 44
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 45
A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 46
A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 46
+ A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 46
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 46
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 46
1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be
@@ -163,23 +164,23 @@
This section provides a tree diagram [RFC8340] for the "ietf-tls-
client" module that does not have groupings expanded.
module: ietf-tls-client
grouping tls-client-grouping
+-- client-identity
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- server-authentication
- | +-- ca-certs! {ts:x509-certificates}?
+ | +-- ca-certs!
| | +---u ts:local-or-truststore-certs-grouping
- | +-- server-certs! {ts:x509-certificates}?
+ | +-- server-certs!
| +---u ts:local-or-truststore-certs-grouping
+-- hello-params {tls-client-hello-params-config}?
| +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-client-keepalives}?
+-- max-wait? uint16
+-- max-attempts? uint8
3.2. Example Usage
This section presents two examples showing the tls-client-grouping
@@ -258,30 +259,30 @@
3
3.3. YANG Module
This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
- file "ietf-tls-client@2019-10-18.yang"
+ file "ietf-tls-client@2019-11-02.yang"
module ietf-tls-client {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc;
import ietf-tls-common {
prefix tlscmn;
- revision-date 2019-10-18; // stable grouping definitions
+ revision-date 2019-11-02; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
import ietf-truststore {
prefix ts;
reference
"RFC YYYY: A YANG Data Model for a Truststore";
}
@@ -325,21 +326,21 @@
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
- revision 2019-10-18 {
+ revision 2019-11-02 {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-client-hello-params-config {
description
@@ -383,43 +384,42 @@
The Transport Layer Security (TLS) Protocol Version 1.2
RFC ZZZZ:
YANG Data Model for a 'Keystore' Mechanism";
uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
} // container client-identity
container server-authentication { // FIXME: what about PSKs?
nacm:default-deny-write;
must 'ca-certs or server-certs';
description
- "Trusted server identities.";
+ "Trusted server identities. Any combination of trusted
+ server identities is additive and unordered.";
container ca-certs {
- if-feature "ts:x509-certificates";
presence
"Indicates that the client can authenticate servers
using the configured trust anchor certificates.";
description
- "A list of certificate authority (CA) certificates used by
- the TLS client to authenticate TLS server certificates.
- A server certificate is authenticated if it has a valid
- chain of trust to a configured CA certificate.";
+ "A set of certificate authority (CA) certificates used by
+ the TLS client to authenticate TLS servers. A server
+ is authenticated if its certificate has a valid chain
+ of trust to a configured CA certificate.";
uses ts:local-or-truststore-certs-grouping;
}
container server-certs {
- if-feature "ts:x509-certificates";
presence
"Indicates that the client can authenticate servers
using the configured server certificates.";
description
- "A list of server certificates used by the TLS client
- to authenticate TLS server certificates. A server
- certificate is authenticated if it is an exact match
- to a configured server certificate.";
+ "A set of end-entity certificates used by the TLS client
+ to authenticate TLS servers. A server is authenticated
+ if its certificate is an exact match to a configured
+ server certificate.";
uses ts:local-or-truststore-certs-grouping;
}
} // container server-authentication
container hello-params {
nacm:default-deny-write;
if-feature "tls-client-hello-params-config";
uses tlscmn:hello-params-grouping;
description
"Configurable parameters for the TLS hello message.";
@@ -474,23 +475,23 @@
+-- server-identity
| +---u ks:local-or-keystore-end-entity-cert-with-key-grouping
+-- client-authentication!
| +-- (required-or-optional)
| | +--:(required)
| | | +-- required? empty
| | +--:(optional)
| | +-- optional? empty
| +-- (local-or-external)
| +--:(local) {local-client-auth-supported}?
- | | +-- ca-certs! {ts:x509-certificates}?
+ | | +-- ca-certs!
| | | +---u ts:local-or-truststore-certs-grouping
- | | +-- client-certs! {ts:x509-certificates}?
+ | | +-- client-certs!
| | +---u ts:local-or-truststore-certs-grouping
| +--:(external) {external-client-auth-supported}?
| +-- client-auth-defined-elsewhere? empty
+-- hello-params {tls-server-hello-params-config}?
| +---u tlscmn:hello-params-grouping
+-- keepalives! {tls-server-keepalives}?
+-- max-wait? uint16
+-- max-attempts? uint8
4.2. Example Usage
@@ -563,30 +564,30 @@
4.3. YANG Module
This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
- file "ietf-tls-server@2019-10-18.yang"
+ file "ietf-tls-server@2019-11-02.yang"
module ietf-tls-server {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss;
import ietf-tls-common {
prefix tlscmn;
- revision-date 2019-10-18; // stable grouping definitions
+ revision-date 2019-11-02; // stable grouping definitions
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
import ietf-truststore {
prefix ts;
reference
"RFC YYYY: A YANG Data Model for a Truststore";
}
@@ -629,21 +630,21 @@
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
- revision 2019-10-18 {
+ revision 2019-11-02 {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-server-hello-params-config {
description
@@ -732,60 +733,56 @@
leaf optional {
type empty;
description
"Indicates that TLS-level client authentication is
optional.";
}
}
choice local-or-external {
mandatory true;
description
- "Indicates if the certificates needed to authenticate the
- client are configured locally or externally.
+ "Indicates if the credentials needed to authenticate the
+ clients are configured locally or externally.
- Configuring certificates externally enables applications
+ Configuring credentials externally enables applications
to place client authentication with client definitions,
- rather then in a data model principally concerned with
- configuring the transport.";
+ rather then in a part of a data model principally
+ concerned with configuring the TLS transport.";
case local {
if-feature "local-client-auth-supported";
- // must 'ca-certs or server-certs'; (case/must, YANG-Next)
description
"The certificates needed to authenticate the clients
- are configured withing the TLS configuration.
+ are configured within this TLS configuration.
How to extract an application-level user name from the
certificate is outside the scope of this data model.";
container ca-certs {
- if-feature "ts:x509-certificates";
presence
"Indicates that the server can authenticate clients
using the configured trust anchor certificates.";
description
- "A list of certificate authority (CA) certificates
- used by the TLS server to authenticate TLS client
- certificates. A client certificate is authenticated
- if it has a valid chain of trust to a configured CA
- certificate.";
+ "A set of certificate authority (CA) certificates used
+ by the TLS server to authenticate TLS clients. A
+ client is authenticated if its certificate has a
+ valid chain of trust to a configured CA certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping;
}
container client-certs {
- if-feature "ts:x509-certificates";
presence
"Indicates that the server can authenticate clients
using the configured client certificates.";
description
- "A list of client certificates used by the TLS server
- to authenticate TLS client certificates. A clients
- certificate is authenticated if it is an exact match
+ "A set of end-entity certificates used by the TLS
+ server to authenticate TLS clients. A client is
+ authenticated if its certificate is an exact match
to a configured client certificate.";
reference
"RFC YYYY: YANG Data Model for Global Trust Anchors";
uses ts:local-or-truststore-certs-grouping;
}
}
case external {
if-feature "external-client-auth-supported";
description
"The certificates needed to authenticate the clients
@@ -1192,21 +1189,21 @@
5.3. YANG Module
This YANG module has a normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446].
- file "ietf-tls-common@2019-10-18.yang"
+ file "ietf-tls-common@2019-11-02.yang"
module ietf-tls-common {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn;
organization
"IETF NETCONF (Network Configuration) Working Group";
contact
@@ -1233,21 +1230,21 @@
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC
itself for full legal notices.;
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all
capitals, as shown here.";
- revision 2019-10-18 {
+ revision 2019-11-02 {
description
"Initial version";
reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers";
}
// Features
feature tls-1_0 {
description
@@ -1320,41 +1317,41 @@
}
// Identities
identity tls-version-base {
description
"Base identity used to identify TLS protocol versions.";
}
identity tls-1.0 {
- base tls-version-base;
if-feature "tls-1_0";
+ base tls-version-base;
description
"TLS Protocol Version 1.0.";
reference
"RFC 2246: The TLS Protocol Version 1.0";
}
identity tls-1.1 {
- base tls-version-base;
if-feature "tls-1_1";
+ base tls-version-base;
description
"TLS Protocol Version 1.1.";
reference
"RFC 4346: The Transport Layer Security (TLS) Protocol
Version 1.1";
}
identity tls-1.2 {
- base tls-version-base;
if-feature "tls-1_2";
+ base tls-version-base;
description
"TLS Protocol Version 1.2.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity cipher-suite-base {
description
@@ -1373,192 +1370,192 @@
identity rsa-with-aes-256-cbc-sha {
base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity rsa-with-aes-128-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity rsa-with-aes-256-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-128-cbc-sha {
- base cipher-suite-base;
if-feature "tls-dhe";
+ base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-256-cbc-sha {
- base cipher-suite-base;
if-feature "tls-dhe";
+ base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-128-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-dhe and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity dhe-rsa-with-aes-256-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-dhe and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA256.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-256-cbc-sha384 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-128-cbc-sha256 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-256-cbc-sha384 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-128-gcm-sha256 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-ecdsa-with-aes-256-gcm-sha384 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-128-gcm-sha256 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity ecdhe-rsa-with-aes-256-gcm-sha384 {
- base cipher-suite-base;
if-feature "tls-ecc and tls-gcm and tls-sha2";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.";
reference
"RFC 5289: TLS Elliptic Curve Cipher Suites with
SHA-256/384 and AES Galois Counter Mode (GCM)";
}
identity rsa-with-3des-ede-cbc-sha {
- base cipher-suite-base;
if-feature "tls-3des";
+ base cipher-suite-base;
description
"Cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
identity ecdhe-rsa-with-3des-ede-cbc-sha {
- base cipher-suite-base;
if-feature "tls-ecc and tls-3des";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
identity ecdhe-rsa-with-aes-128-cbc-sha {
- base cipher-suite-base;
if-feature "tls-ecc";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
identity ecdhe-rsa-with-aes-256-cbc-sha {
- base cipher-suite-base;
if-feature "tls-ecc";
+ base cipher-suite-base;
description
"Cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.";
reference
"RFC 8422: Elliptic Curve Cryptography (ECC) Cipher Suites
for Transport Layer Security (TLS)";
}
// Groupings
grouping hello-params-grouping {
@@ -1718,30 +1715,30 @@
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn
reference: RFC XXXX
8. References
8.1. Normative References
[I-D.ietf-netconf-crypto-types]
Watsen, K. and H. Wang, "Common YANG Data Types for
- Cryptography", draft-ietf-netconf-crypto-types-10 (work in
- progress), July 2019.
+ Cryptography", draft-ietf-netconf-crypto-types-11 (work in
+ progress), October 2019.
[I-D.ietf-netconf-keystore]
Watsen, K., "A YANG Data Model for a Keystore", draft-
- ietf-netconf-keystore-12 (work in progress), July 2019.
+ ietf-netconf-keystore-13 (work in progress), October 2019.
[I-D.ietf-netconf-trust-anchors]
Watsen, K., "A YANG Data Model for a Truststore", draft-
- ietf-netconf-trust-anchors-05 (work in progress), June
+ ietf-netconf-trust-anchors-06 (work in progress), October
2019.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
DOI 10.17487/RFC5288, August 2008,
@@ -1973,20 +1970,31 @@
o Updated examples to reflect ietf-crypto-types change (e.g.,
identities --> enumerations)
A.16. 14 to 15
o Updated "server-authentication" and "client-authentication" nodes
from being a leaf of type "ts:certificates-ref" to a container
that uses "ts:local-or-truststore-certs-grouping".
+A.17. 15 to 16
+
+ o Removed unnecessary if-feature statements in the -client and
+ -server modules.
+
+ o Cleaned up some description statements in the -client and -server
+ modules.
+
+ o Fixed a canonical ordering issue in ietf-tls-common detected by
+ new pyang.
+
Acknowledgements
The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, David
Lamparter, Alan Luchuk, Ladislav Lhotka, Radek Krejci, Tom Petch,
Juergen Schoenwaelder, Phil Shafer, Sean Turner, and Bert Wijnen.
Authors' Addresses