< draft-ietf-netconf-sztp-csr-06.txt		draft-ietf-netconf-sztp-csr-07.txt >
	skipping to change at page 1, line 13 ¶		skipping to change at page 1, line 13 ¶
	NETCONF Working Group K. Watsen		NETCONF Working Group K. Watsen
	Internet-Draft Watsen Networks		Internet-Draft Watsen Networks
	Updates: 8572 (if approved) R. Housley		Updates: 8572 (if approved) R. Housley
	Intended status: Standards Track Vigil Security, LLC		Intended status: Standards Track Vigil Security, LLC
	Expires: 16 February 2022 S. Turner		Expires: 16 February 2022 S. Turner
	sn3rd		sn3rd
	15 August 2021		15 August 2021
	Conveying a Certificate Signing Request (CSR) in a Secure Zero Touch		Conveying a Certificate Signing Request (CSR) in a Secure Zero Touch
	Provisioning (SZTP) Bootstrapping Request		Provisioning (SZTP) Bootstrapping Request
	draft-ietf-netconf-sztp-csr-06		draft-ietf-netconf-sztp-csr-07
	Abstract		Abstract
	This draft extends the "get-bootstrapping-data" RPC defined in RFC		This draft extends the "get-bootstrapping-data" RPC defined in RFC
	8572 to include an optional certificate signing request (CSR),		8572 to include an optional certificate signing request (CSR),
	enabling a bootstrapping device to additionally obtain an identity		enabling a bootstrapping device to additionally obtain an identity
	certificate (e.g., an LDevID, from IEEE 802.1AR) as part of the		certificate (e.g., an LDevID, from IEEE 802.1AR) as part of the
	"onboarding information" response provided in the RPC-reply.		"onboarding information" response provided in the RPC-reply.
	Editorial Note (To be removed by RFC Editor)		Editorial Note (To be removed by RFC Editor)
	skipping to change at page 5, line 38 ¶		skipping to change at page 5, line 38 ¶
	+--:(cmp-csr)		+--:(cmp-csr)
	+---w cmp-csr? binary		+---w cmp-csr? binary
	structure: csr-request		structure: csr-request
	+--ro key-generation!		+--ro key-generation!
	| +--ro selected-algorithm		| +--ro selected-algorithm
	| +--ro algorithm-identifier binary		| +--ro algorithm-identifier binary
	+--ro csr-generation		+--ro csr-generation
	| +--ro selected-format		| +--ro selected-format
	| +--ro format-identifier identityref		| +--ro format-identifier identityref
	+--ro csr-parameters? ietf-crypto-types:csr-info		+--ro cert-req-info? ietf-crypto-types:csr-info
	The augmentation defines two kinds of parameters that an SZTP-client		The augmentation defines two kinds of parameters that an SZTP-client
	can send to an SZTP-server. The YANG structure defines one		can send to an SZTP-server. The YANG structure defines one
	collection of parameters that an SZTP-server can send to an SZTP-		collection of parameters that an SZTP-server can send to an SZTP-
	client.		client.
	In the order of their intended use:		In the order of their intended use:
	* The "csr-support" node is used by the SZTP-client to signal to the		* The "csr-support" node is used by the SZTP-client to signal to the
	SZTP-server that it supports the ability the generate CSRs. This		SZTP-server that it supports the ability the generate CSRs. This
	skipping to change at page 8, line 21 ¶		skipping to change at page 8, line 21 ¶
	+--ro error-path? instance-identifier		+--ro error-path? instance-identifier
	+--ro error-message? string		+--ro error-message? string
	+--ro error-info		+--ro error-info
	+--ro csr-request		+--ro csr-request
	+--ro key-generation!		+--ro key-generation!
	| +--ro selected-algorithm		| +--ro selected-algorithm
	| +--ro algorithm-identifier binary		| +--ro algorithm-identifier binary
	+--ro csr-generation		+--ro csr-generation
	| +--ro selected-format		| +--ro selected-format
	| +--ro format-identifier identityref		| +--ro format-identifier identityref
	+--ro csr-parameters? ct:csr-info		+--ro cert-req-info? ct:csr-info
	2.2. Example Usage		2.2. Example Usage
	| The examples below are encoded using JSON, but they could		| The examples below are encoded using JSON, but they could
	| equally well be encoded using XML, as is supported by SZTP.		| equally well be encoded using XML, as is supported by SZTP.
	An SZTP-client implementing this specification would signal to the		An SZTP-client implementing this specification would signal to the
	bootstrap server its willingness to generate a CSR by including the		bootstrap server its willingness to generate a CSR by including the
	"csr-support" node in its "get-bootstrapping-data" RPC, as		"csr-support" node in its "get-bootstrapping-data" RPC, as
	illustrated below.		illustrated below.
	skipping to change at page 10, line 28 ¶		skipping to change at page 10, line 28 ¶
	"key-generation": {		"key-generation": {
	"selected-algorithm": {		"selected-algorithm": {
	"algorithm-identifier": "BASE64VALUE="		"algorithm-identifier": "BASE64VALUE="
	}		}
	},		},
	"csr-generation": {		"csr-generation": {
	"selected-format": {		"selected-format": {
	"format-identifier": "ietf-ztp-types:p10-csr"		"format-identifier": "ietf-ztp-types:p10-csr"
	}		}
	},		},
	"csr-parameters": "BASE64VALUE="		"cert-req-info": "BASE64VALUE="
	}		}
	}		}
	}		}
	]		]
	}		}
	}		}
	Upon being prompted to provide a CSR, the SZTP-client would POST		Upon being prompted to provide a CSR, the SZTP-client would POST
	another "get-bootstrapping-data" request, but this time including one		another "get-bootstrapping-data" request, but this time including one
	of the "csr" nodes to convey its CSR to the SZTP-server:		of the "csr" nodes to convey its CSR to the SZTP-server:
	skipping to change at page 17, line 39 ¶		skipping to change at page 17, line 39 ¶
	+-- csr-generation		+-- csr-generation
	+-- supported-formats		+-- supported-formats
	+-- format-identifier* identityref		+-- format-identifier* identityref
	grouping csr-request-grouping		grouping csr-request-grouping
	+-- key-generation!		+-- key-generation!
	| +-- selected-algorithm		| +-- selected-algorithm
	| +-- algorithm-identifier binary		| +-- algorithm-identifier binary
	+-- csr-generation		+-- csr-generation
	| +-- selected-format		| +-- selected-format
	| +-- format-identifier identityref		| +-- format-identifier identityref
	+-- csr-parameters? ct:csr-info		+-- cert-req-info? ct:csr-info
	grouping csr-grouping		grouping csr-grouping
	+-- (csr-type)		+-- (csr-type)
	+--:(p10-csr)		+--:(p10-csr)
	| +-- p10-csr? ct:csr		| +-- p10-csr? ct:csr
	+--:(cmc-csr)		+--:(cmc-csr)
	| +-- cmc-csr? binary		| +-- cmc-csr? binary
	+--:(cmp-csr)		+--:(cmp-csr)
	+-- cmp-csr? binary		+-- cmp-csr? binary
	3.2. YANG Module		3.2. YANG Module
	skipping to change at page 23, line 6 ¶		skipping to change at page 23, line 6 ¶
	base zt:certificate-request-format;		base zt:certificate-request-format;
	}		}
	mandatory true;		mandatory true;
	description		description
	"A certificate request format to be used by the		"A certificate request format to be used by the
	ZTP-client.";		ZTP-client.";
	}		}
	}		}
	}		}
	leaf csr-parameters {		leaf cert-req-info {
	type ct:csr-info;		type ct:csr-info;
	description		description
	"A CertificationRequestInfo structure, as defined in		"A CertificationRequestInfo structure, as defined in
	RFC 2986, and modeled via a 'typedef' statement by		RFC 2986, and modeled via a 'typedef' statement by
	RFC AAAA.		RFC AAAA.
	Enables the ZTP-server to provide a fully-populated		Enables the ZTP-server to provide a fully-populated
	CertificationRequestInfo structure that the ZTP-client		CertificationRequestInfo structure that the ZTP-client
	only needs to sign in order to generate the complete		only needs to sign in order to generate the complete
	'CertificationRequest' structure to send to ZTP-server		'CertificationRequest' structure to send to ZTP-server
End of changes. 6 change blocks.
	6 lines changed or deleted		6 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/