draft-ietf-netconf-tls-client-server-20.txt   draft-ietf-netconf-tls-client-server-21.txt 
NETCONF Working Group K. Watsen NETCONF Working Group K. Watsen
Internet-Draft Watsen Networks Internet-Draft Watsen Networks
Intended status: Standards Track G. Wu Intended status: Standards Track G. Wu
Expires: 9 January 2021 Cisco Systems Expires: 11 January 2021 Cisco Systems
8 July 2020 10 July 2020
YANG Groupings for TLS Clients and TLS Servers YANG Groupings for TLS Clients and TLS Servers
draft-ietf-netconf-tls-client-server-20 draft-ietf-netconf-tls-client-server-21
Abstract Abstract
This document defines three YANG modules: the first defines groupings This document defines three YANG modules: the first defines groupings
for a generic TLS client, the second defines groupings for a generic for a generic TLS client, the second defines groupings for a generic
TLS server, and the third defines common identities and groupings TLS server, and the third defines common identities and groupings
used by both the client and the server. It is intended that these used by both the client and the server. It is intended that these
groupings will be used by applications using the TLS protocol. groupings will be used by applications using the TLS protocol.
Editorial Note (To be removed by RFC Editor) Editorial Note (To be removed by RFC Editor)
skipping to change at page 1, line 46 skipping to change at page 1, line 46
* "CCCC" --> the assigned RFC value for draft-ietf-netconf-keystore * "CCCC" --> the assigned RFC value for draft-ietf-netconf-keystore
* "DDDD" --> the assigned RFC value for draft-ietf-netconf-tcp- * "DDDD" --> the assigned RFC value for draft-ietf-netconf-tcp-
client-server client-server
* "FFFF" --> the assigned RFC value for this draft * "FFFF" --> the assigned RFC value for this draft
Artwork in this document contains placeholder values for the date of Artwork in this document contains placeholder values for the date of
publication of this draft. Please apply the following replacement: publication of this draft. Please apply the following replacement:
* "2020-07-08" --> the publication date of this draft * "2020-07-10" --> the publication date of this draft
The following Appendix section is to be removed prior to publication: The following Appendix section is to be removed prior to publication:
* Appendix A. Change Log * Appendix A. Change Log
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 9 January 2021. This Internet-Draft will expire on 11 January 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Relation to other RFCs . . . . . . . . . . . . . . . . . 4 1.1. Relation to other RFCs . . . . . . . . . . . . . . . . . 4
1.2. Specification Language . . . . . . . . . . . . . . . . . 6 1.2. Specification Language . . . . . . . . . . . . . . . . . 6
1.3. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 6 1.3. Adherence to the NMDA . . . . . . . . . . . . . . . . . . 6
2. The "ietf-tls-common" Module . . . . . . . . . . . . . . . . 6 2. The "ietf-tls-common" Module . . . . . . . . . . . . . . . . 6
2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 7 2.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 7
2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 9 2.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 9
2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 10 2.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 10
3. The "ietf-tls-client" Module . . . . . . . . . . . . . . . . 19 3. The "ietf-tls-client" Module . . . . . . . . . . . . . . . . 19
3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 19 3.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 19
3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 21 3.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 21
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 24 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 24
4. The "ietf-tls-server" Module . . . . . . . . . . . . . . . . 32 4. The "ietf-tls-server" Module . . . . . . . . . . . . . . . . 32
4.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 32 4.1. Data Model Overview . . . . . . . . . . . . . . . . . . . 32
4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 34 4.2. Example Usage . . . . . . . . . . . . . . . . . . . . . . 35
4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 38 4.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 39
5. Security Considerations . . . . . . . . . . . . . . . . . . . 45 5. Security Considerations . . . . . . . . . . . . . . . . . . . 46
5.1. The "ietf-tls-common" YANG Module . . . . . . . . . . . . 45 5.1. The "ietf-tls-common" YANG Module . . . . . . . . . . . . 46
5.2. The "ietf-tls-client" YANG Module . . . . . . . . . . . . 46 5.2. The "ietf-tls-client" YANG Module . . . . . . . . . . . . 47
5.3. The "ietf-tls-server" YANG Module . . . . . . . . . . . . 47 5.3. The "ietf-tls-server" YANG Module . . . . . . . . . . . . 48
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 48 6.1. The "IETF XML" Registry . . . . . . . . . . . . . . . . . 49
6.2. The YANG Module Names Registry . . . . . . . . . . . . . 48 6.2. The "YANG Module Names" Registry . . . . . . . . . . . . 49
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 48 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 49
7.1. Normative References . . . . . . . . . . . . . . . . . . 48 7.1. Normative References . . . . . . . . . . . . . . . . . . 49
7.2. Informative References . . . . . . . . . . . . . . . . . 50 7.2. Informative References . . . . . . . . . . . . . . . . . 51
Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 52 Appendix A. Change Log . . . . . . . . . . . . . . . . . . . . . 53
A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 52 A.1. 00 to 01 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 52 A.2. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 52 A.3. 02 to 03 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 52 A.4. 03 to 04 . . . . . . . . . . . . . . . . . . . . . . . . 53
A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 53 A.5. 04 to 05 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 53 A.6. 05 to 06 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 53 A.7. 06 to 07 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 53 A.8. 07 to 08 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 53 A.9. 08 to 09 . . . . . . . . . . . . . . . . . . . . . . . . 54
A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.10. 09 to 10 . . . . . . . . . . . . . . . . . . . . . . . . 55
A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.11. 10 to 11 . . . . . . . . . . . . . . . . . . . . . . . . 55
A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.12. 11 to 12 . . . . . . . . . . . . . . . . . . . . . . . . 55
A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 54 A.13. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 55
A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.14. 12 to 13 . . . . . . . . . . . . . . . . . . . . . . . . 56
A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.15. 13 to 14 . . . . . . . . . . . . . . . . . . . . . . . . 56
A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.16. 14 to 15 . . . . . . . . . . . . . . . . . . . . . . . . 56
A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.17. 15 to 16 . . . . . . . . . . . . . . . . . . . . . . . . 56
A.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 55 A.18. 16 to 17 . . . . . . . . . . . . . . . . . . . . . . . . 56
A.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 56 A.19. 17 to 18 . . . . . . . . . . . . . . . . . . . . . . . . 57
A.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 56 A.20. 18 to 19 . . . . . . . . . . . . . . . . . . . . . . . . 57
A.21. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 56 A.21. 19 to 20 . . . . . . . . . . . . . . . . . . . . . . . . 57
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 57 A.22. 20 to 21 . . . . . . . . . . . . . . . . . . . . . . . . 58
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 57 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 58
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 58
1. Introduction 1. Introduction
This document defines three YANG 1.1 [RFC7950] modules: the first This document defines three YANG 1.1 [RFC7950] modules: the first
defines a grouping for a generic TLS client, the second defines a defines a grouping for a generic TLS client, the second defines a
grouping for a generic TLS server, and the third defines identities grouping for a generic TLS server, and the third defines identities
and groupings common to both the client and the server (TLS is and groupings common to both the client and the server (TLS is
defined in [RFC5246]). It is intended that these groupings will be defined in [RFC5246]). It is intended that these groupings will be
used by applications using the TLS protocol. For instance, these used by applications using the TLS protocol. For instance, these
groupings could be used to help define the data model for an HTTPS groupings could be used to help define the data model for an HTTPS
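Review bot: the Table of Contents in both columns lists A.13 and A.14 with the same title "12 to 13", immediately followed by A.15 "13 to 14"; with A.22 "20 to 21" now added there are 22 change-log entries for 21 revision steps, so one of the two "12 to 13" headings is mislabeled or duplicated and should be corrected before the next revision.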
skipping to change at page 10, line 27 skipping to change at page 10, line 27
</hello-params> </hello-params>
2.3. YANG Module 2.3. YANG Module
This YANG module has a normative references to [RFC4346], [RFC5246], This YANG module has a normative references to [RFC4346], [RFC5246],
[RFC5288], [RFC5289], and [RFC8422]. [RFC5288], [RFC5289], and [RFC8422].
This YANG module has a informative references to [RFC2246], This YANG module has a informative references to [RFC2246],
[RFC4346], [RFC5246], and [RFC8446]. [RFC4346], [RFC5246], and [RFC8446].
<CODE BEGINS> file "ietf-tls-common@2020-07-08.yang" <CODE BEGINS> file "ietf-tls-common@2020-07-10.yang"
module ietf-tls-common { module ietf-tls-common {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-common";
prefix tlscmn; prefix tlscmn;
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
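Review bot: the two reference sentences above the module were not touched in -21 and still read "has a normative references to" and "has a informative references to" (article/number agreement), and [RFC4346] and [RFC5246] appear in both the normative and the informative list; each RFC should be classified once, so drop the two from whichever list does not reflect how the module actually cites them.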
skipping to change at page 11, line 8 skipping to change at page 11, line 8
Copyright (c) 2020 IETF Trust and the persons identified Copyright (c) 2020 IETF Trust and the persons identified
as authors of the code. All rights reserved. as authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with Redistribution and use in source and binary forms, with
or without modification, is permitted pursuant to, and or without modification, is permitted pursuant to, and
subject to the license terms contained in, the Simplified subject to the license terms contained in, the Simplified
BSD License set forth in Section 4.c of the IETF Trust's BSD License set forth in Section 4.c of the IETF Trust's
Legal Provisions Relating to IETF Documents Legal Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC FFFF
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2020-07-08 { revision 2020-07-10 {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-1_0 { feature tls-1_0 {
description description
"TLS Protocol Version 1.0 is supported."; "TLS Protocol Version 1.0 is supported.";
reference reference
"RFC 2246: The TLS Protocol Version 1.0"; "RFC 2246: The TLS Protocol Version 1.0";
} }
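Review bot: feature tls-1_0 carries only the description "TLS Protocol Version 1.0 is supported." with a reference to RFC 2246 and no guidance on its status; since TLS 1.0 and 1.1 have since been deprecated (RFC 8996), the description would benefit from a sentence steering implementers away from enabling the feature by default, in the same way the cipher-suite description points readers to Section 5 for valid combinations.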
skipping to change at page 18, line 37 skipping to change at page 18, line 37
"Parameters regarding cipher suites."; "Parameters regarding cipher suites.";
leaf-list cipher-suite { leaf-list cipher-suite {
type identityref { type identityref {
base cipher-suite-base; base cipher-suite-base;
} }
ordered-by user; ordered-by user;
description description
"Acceptable cipher suites in order of descending "Acceptable cipher suites in order of descending
preference. The configured host key algorithms should preference. The configured host key algorithms should
be compatible with the algorithm used by the configured be compatible with the algorithm used by the configured
private key. Please see Section 5 of RFC XXXX for private key. Please see Section 5 of RFC FFFF for
valid combinations. valid combinations.
If this leaf-list is not configured (has zero elements) If this leaf-list is not configured (has zero elements)
the acceptable cipher suites are implementation- the acceptable cipher suites are implementation-
defined."; defined.";
reference reference
"RFC XXXX: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
3. The "ietf-tls-client" Module 3. The "ietf-tls-client" Module
3.1. Data Model Overview 3.1. Data Model Overview
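Review bot: the cipher-suite description in the hunk above says "The configured host key algorithms should be compatible with the algorithm used by the configured private key", which is SSH wording carried over into a TLS module; the sentence should speak of the configured cipher suites being compatible with the configured private key's algorithm. The same description notes that an empty leaf-list yields implementation-defined acceptable suites; it would help operators to state plainly that a predictable policy requires configuring the list explicitly, since the implementation default is not constrained by the module.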
skipping to change at page 22, line 10 skipping to change at page 22, line 10
<!-- how this client will authenticate itself to the server --> <!-- how this client will authenticate itself to the server -->
<client-identity> <client-identity>
<certificate> <certificate>
<local-definition> <local-definition>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <cleartext-private-key>base64encodedvalue==</cleartext-priva\
te-key>
<cert-data>base64encodedvalue==</cert-data> <cert-data>base64encodedvalue==</cert-data>
</local-definition> </local-definition>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME <!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key> <raw-private-key>
<local-definition> <local-definition>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <cleartext-private-key>base64encodedvalue==</cleartext-priva\
te-key>
</local-definition> </local-definition>
</raw-private-key> </raw-private-key>
<psk> <psk>
<local-definition> <local-definition>
<key-format>ct:octet-string-key-format</key-format> <key-format>ct:octet-string-key-format</key-format>
<key>base64encodedvalue==</key> <cleartext-key>base64encodedvalue==</cleartext-key>
</local-definition> </local-definition>
</psk> </psk>
--> -->
</client-identity> </client-identity>
<!-- which certificates will this client trust --> <!-- which certificates will this client trust -->
<server-authentication> <server-authentication>
<ca-certs> <ca-certs>
<local-definition> <local-definition>
<certificate> <certificate>
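Review bot: the -21 rename to cleartext-private-key and cleartext-key is applied consistently in the live <certificate> block and in the commented-out <raw-private-key> and <psk> blocks, but the only statement that client-identity admits a single mechanism is the XML comment "TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME"; a sentence in the prose introducing the example, saying that exactly one of certificate, raw-private-key or psk may be configured, would make the constraint explicit and would also make clear that the "cleartext-" names signal unencrypted key material held in configuration.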
skipping to change at page 24, line 50 skipping to change at page 25, line 5
</test-peer-aliveness> </test-peer-aliveness>
</keepalives> </keepalives>
</tls-client> </tls-client>
3.3. YANG Module 3.3. YANG Module
This YANG module has normative references to This YANG module has normative references to
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-client@2020-07-08.yang" <CODE BEGINS> file "ietf-tls-client@2020-07-10.yang"
module ietf-tls-client { module ietf-tls-client {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-client";
prefix tlsc; prefix tlsc;
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
} }
skipping to change at page 25, line 35 skipping to change at page 25, line 38
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC CCCC: A YANG Data Model for a Keystore"; "RFC CCCC: A YANG Data Model for a Keystore";
} }
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2020-07-08; // stable grouping definitions revision-date 2020-07-10; // stable grouping definitions
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
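Review bot: the import of ietf-tls-common pins "revision-date 2020-07-10" with the comment "stable grouping definitions", which means every republication of the common module requires editing both importing modules in lockstep; -21 did bump all three consistently (the common module's revision, this import, and the matching import in ietf-tls-server all read 2020-07-10), but a short note in the module description saying the three revision dates are intended to move together would save future editors a mismatch.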
skipping to change at page 26, line 26 skipping to change at page 26, line 28
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2020-07-08 { revision 2020-07-10 {
description description
"Initial version"; "Initial version";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-client-hello-params-config { feature tls-client-hello-params-config {
description description
skipping to change at page 35, line 23 skipping to change at page 35, line 33
<!-- how this server will authenticate itself to the client --> <!-- how this server will authenticate itself to the client -->
<server-identity> <server-identity>
<certificate> <certificate>
<local-definition> <local-definition>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <cleartext-private-key>base64encodedvalue==</cleartext-priva\
te-key>
<cert-data>base64encodedvalue==</cert-data> <cert-data>base64encodedvalue==</cert-data>
</local-definition> </local-definition>
</certificate> </certificate>
<!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME <!-- TESTED, BUT COMMENTED OUT DUE TO ONLY ONE ALLOWED AT A TIME
<raw-private-key> <raw-private-key>
<local-definition> <local-definition>
<public-key-format>ct:subject-public-key-info-format</public\ <public-key-format>ct:subject-public-key-info-format</public\
-key-format> -key-format>
<public-key>base64encodedvalue==</public-key> <public-key>base64encodedvalue==</public-key>
<private-key-format>ct:rsa-private-key-format</private-key-f\ <private-key-format>ct:rsa-private-key-format</private-key-f\
ormat> ormat>
<private-key>base64encodedvalue==</private-key> <cleartext-private-key>base64encodedvalue==</cleartext-priva\
te-key>
</local-definition> </local-definition>
</raw-private-key> </raw-private-key>
<psk> <psk>
<local-definition> <local-definition>
<key-format>ct:octet-string-key-format</key-format> <key-format>ct:octet-string-key-format</key-format>
<key>base64encodedvalue==</key> <cleartext-key>base64encodedvalue==</cleartext-key>
</local-definition> </local-definition>
</psk> </psk>
--> -->
</server-identity> </server-identity>
<!-- which certificates will this server trust --> <!-- which certificates will this server trust -->
<client-authentication> <client-authentication>
<ca-certs> <ca-certs>
<local-definition> <local-definition>
<certificate> <certificate>
skipping to change at page 38, line 10 skipping to change at page 39, line 10
<peer-allowed-to-send/> <peer-allowed-to-send/>
</keepalives> </keepalives>
</tls-server> </tls-server>
4.3. YANG Module 4.3. YANG Module
This YANG module has a normative references to [RFC5246], This YANG module has a normative references to [RFC5246],
[I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore]. [I-D.ietf-netconf-trust-anchors] and [I-D.ietf-netconf-keystore].
<CODE BEGINS> file "ietf-tls-server@2020-07-08.yang" <CODE BEGINS> file "ietf-tls-server@2020-07-10.yang"
module ietf-tls-server { module ietf-tls-server {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server"; namespace "urn:ietf:params:xml:ns:yang:ietf-tls-server";
prefix tlss; prefix tlss;
import ietf-netconf-acm { import ietf-netconf-acm {
prefix nacm; prefix nacm;
reference reference
"RFC 8341: Network Configuration Access Control Model"; "RFC 8341: Network Configuration Access Control Model";
skipping to change at page 38, line 43 skipping to change at page 39, line 43
} }
import ietf-keystore { import ietf-keystore {
prefix ks; prefix ks;
reference reference
"RFC CCCC: A YANG Data Model for a Keystore"; "RFC CCCC: A YANG Data Model for a Keystore";
} }
import ietf-tls-common { import ietf-tls-common {
prefix tlscmn; prefix tlscmn;
revision-date 2020-07-08; // stable grouping definitions revision-date 2020-07-10; // stable grouping definitions
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
organization organization
"IETF NETCONF (Network Configuration) Working Group"; "IETF NETCONF (Network Configuration) Working Group";
contact contact
"WG Web: <http://datatracker.ietf.org/wg/netconf/> "WG Web: <http://datatracker.ietf.org/wg/netconf/>
WG List: <mailto:netconf@ietf.org> WG List: <mailto:netconf@ietf.org>
skipping to change at page 39, line 33 skipping to change at page 40, line 33
(https://www.rfc-editor.org/info/rfcFFFF); see the RFC (https://www.rfc-editor.org/info/rfcFFFF); see the RFC
itself for full legal notices. itself for full legal notices.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL',
'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED',
'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document
are to be interpreted as described in BCP 14 (RFC 2119) are to be interpreted as described in BCP 14 (RFC 2119)
(RFC 8174) when, and only when, they appear in all (RFC 8174) when, and only when, they appear in all
capitals, as shown here."; capitals, as shown here.";
revision 2020-07-08 { revision 2020-07-10 {
description description
"Initial version"; "Initial version";
reference reference
"RFC FFFF: YANG Groupings for TLS Clients and TLS Servers"; "RFC FFFF: YANG Groupings for TLS Clients and TLS Servers";
} }
// Features // Features
feature tls-server-hello-params-config { feature tls-server-hello-params-config {
description description
skipping to change at page 48, line 7 skipping to change at page 49, line 7
instance, any modification to a key or reference to a key may instance, any modification to a key or reference to a key may
dramatically alter the implemented security policy. For this reason, dramatically alter the implemented security policy. For this reason,
the NACM extension "default-deny-write" has been set for all data the NACM extension "default-deny-write" has been set for all data
nodes defined in this module. nodes defined in this module.
This module does not define any RPCs, actions, or notifications, and This module does not define any RPCs, actions, or notifications, and
thus the security consideration for such is not provided here. thus the security consideration for such is not provided here.
6. IANA Considerations 6. IANA Considerations
6.1. The IETF XML Registry 6.1. The "IETF XML" Registry
This document registers three URIs in the "ns" subregistry of the This document registers three URIs in the "ns" subregistry of the
IETF XML Registry [RFC3688]. Following the format in [RFC3688], the IETF XML Registry [RFC3688]. Following the format in [RFC3688], the
following registrations are requested: following registrations are requested:
URI: urn:ietf:params:xml:ns:yang:ietf-tls-common URI: urn:ietf:params:xml:ns:yang:ietf-tls-common
Registrant Contact: The NETCONF WG of the IETF. Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-tls-client URI: urn:ietf:params:xml:ns:yang:ietf-tls-client
Registrant Contact: The NETCONF WG of the IETF. Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-tls-server URI: urn:ietf:params:xml:ns:yang:ietf-tls-server
Registrant Contact: The NETCONF WG of the IETF. Registrant Contact: The NETCONF WG of the IETF.
XML: N/A, the requested URI is an XML namespace. XML: N/A, the requested URI is an XML namespace.
6.2. The YANG Module Names Registry 6.2. The "YANG Module Names" Registry
This document registers three YANG modules in the YANG Module Names This document registers three YANG modules in the YANG Module Names
registry [RFC6020]. Following the format in [RFC6020], the following registry [RFC6020]. Following the format in [RFC6020], the following
registrations are requested: registrations are requested:
name: ietf-tls-common name: ietf-tls-common
namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common namespace: urn:ietf:params:xml:ns:yang:ietf-tls-common
prefix: tlscmn prefix: tlscmn
reference: RFC FFFF reference: RFC FFFF
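Review bot: the Security Considerations text above justifies "default-deny-write" on all data nodes by the risk that modifying a key or key reference alters the security policy, but says nothing about read access, even though the -21 examples now carry nodes explicitly named cleartext-private-key and cleartext-key; the section should either state why reads of those nodes are acceptable under the default NACM rules or call for read protection of them as well.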
skipping to change at page 57, line 19 skipping to change at page 58, line 19
statement to its ancestor. statement to its ancestor.
* Expanded "Data Model Overview section(s) [remove "wall" of tree * Expanded "Data Model Overview section(s) [remove "wall" of tree
diagrams]. diagrams].
* Moved the "ietf-ssh-common" module section to proceed the other * Moved the "ietf-ssh-common" module section to proceed the other
two module sections. two module sections.
* Updated the Security Considerations section. * Updated the Security Considerations section.
A.22. 20 to 21
* Updated examples to reflect new "cleartext-" prefix in the crypto-
types draft.
Acknowledgements Acknowledgements
The authors would like to thank for following for lively discussions The authors would like to thank for following for lively discussions
on list and in the halls (ordered by last name): Andy Bierman, Martin on list and in the halls (ordered by last name): Andy Bierman, Martin
Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, Radek Krejci, Bjorklund, Benoit Claise, Mehmet Ersue, Balazs Kovacs, Radek Krejci,
David Lamparter, Ladislav Lhotka, Alan Luchuk, Tom Petch, Juergen David Lamparter, Ladislav Lhotka, Alan Luchuk, Tom Petch, Juergen
Schoenwaelder, Phil Shafer, Sean Turner, Michal Vasko, Bert Wijnen, Schoenwaelder, Phil Shafer, Sean Turner, Michal Vasko, Bert Wijnen,
and Liang Xia. and Liang Xia.
Authors' Addresses Authors' Addresses
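Review bot: the change-log entry "Moved the "ietf-ssh-common" module section to proceed the other two module sections" names the SSH companion draft's module inside this TLS draft and should read "ietf-tls-common", and "proceed" should be "precede"; the opening sentence of the Acknowledgements, "would like to thank for following", is missing "the" before "following". None of these were touched in -21.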
 End of changes. 27 change blocks. 
63 lines changed or deleted 74 lines changed or added