NETCONF Working Group                                          K. Watsen
Internet-Draft                                           Watsen Networks
Intended status: Standards Track                        October 18, 2019
Expires: April 20, 2020

                    A YANG Data Model for a Keystore
                     draft-ietf-netconf-keystore-13

Abstract

   This document defines a YANG 1.1 module called "ietf-keystore" that
   enables centralized configuration of both symmetric and asymmetric
   keys.  The secret value for both key types may be encrypted.
   Asymmetric keys may be associated with certificates.  Notifications
   are sent when certificates are about to expire.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "VVVV" --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   o  "2019-10-18" --> the publication date of this draft

   The following Appendix section is to be removed prior to publication:

   o  Appendix A.  Change Log

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 20, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Language
   3.  The Keystore Model
     3.1.  Tree Diagram
     3.2.  Example Usage
       3.2.1.  A Keystore Instance
       3.2.2.  The "generate-symmetric-key" RPC
       3.2.3.  The "generate-asymmetric-key" RPC
       3.2.4.  Notable Keystore Groupings
     3.3.  YANG Module
   4.  Security Considerations
   5.  IANA Considerations
     5.1.  The IETF XML Registry
     5.2.  The YANG Module Names Registry
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Change Log
     A.1.  00 to 01
     A.2.  01 to 02
     A.3.  02 to 03
     A.4.  03 to 04
     A.5.  04 to 05
     A.6.  05 to 06
     A.7.  06 to 07
     A.8.  07 to 08
     A.9.  08 to 09
     A.10.  09 to 10
     A.11.  10 to 11
     A.12.  11 to 12
     A.13.  12 to 13
   Acknowledgements
   Author's Address

1.  Introduction

   This document defines a YANG 1.1 [RFC7950] module called "ietf-
   keystore" that enables centralized configuration of both symmetric
   and asymmetric keys.  The secret value for both key types may be
   encrypted.  Asymmetric keys may be associated with certificates.
   Notifications are sent when certificates are about to expire.

   The "ietf-keystore" module defines many "grouping" statements
   intended for use by other modules that may import it.  For instance,
   there are groupings that enable a key to be either configured locally
   (within the defining data model) or be a reference to a key in the
   keystore.

   Special consideration has been given to systems that have
   cryptographic hardware, such as a Trusted Platform Module (TPM).
   These systems are unique in that the cryptographic hardware hides the
   secret key values.
   To support such hardware, symmetric keys may have the value
   "hidden-key" and asymmetric keys may have the value
   "hidden-private-key".  While how such keys are created or destroyed
   is outside the scope of this document, the keystore can contain
   entries for such keys, enabling them to be referenced by other
   configuration elements.

   This document is compliant with the Network Management Datastore
   Architecture (NMDA) [RFC8342].  For instance, for keys and associated
   certificates installed during manufacturing (e.g., for an IDevID
   [Std-802.1AR-2009] certificate), it is expected that such data may
   appear only in <operational>.

   It is not required that a system has an operating-system-level
   keystore utility to implement this module.

2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

3.  The Keystore Model

3.1.  Tree Diagram

   This section provides a tree diagram [RFC8340] for the "ietf-
   keystore" module that presents both the protocol-accessible
   "keystore" as well as all the groupings intended for external usage.

  module: ietf-keystore
    +--rw keystore
       +--rw asymmetric-keys
       |  +--rw asymmetric-key* [name]
       |  |  +--rw name                   string
       |  |  +--rw algorithm              asymmetric-key-algorithm-t
       |  |  +--rw public-key-format?     identityref
       |  |  +--rw public-key             binary
       |  |  +--rw private-key-format?    identityref
       |  |  +--rw (private-key-type)
       |  |  |  +--:(private-key)
       |  |  |  |  +--rw private-key?    binary
       |  |  |  +--:(hidden-private-key)
       |  |  |  |  +--rw hidden-private-key?    empty
       |  |  |  +--:(encrypted-private-key)
       |  |  |     +--rw encrypted-private-key
       |  |  |        +--rw (key-type)
       |  |  |        |  +--:(symmetric-key-ref)
       |  |  |        |  |  +--rw symmetric-key-ref?    leafref
       |  |  |        |  |          {keystore-supported}?
       |  |  |        |  +--:(asymmetric-key-ref)
       |  |  |        |     +--rw asymmetric-key-ref?   leafref
       |  |  |        |             {keystore-supported}?
       |  |  |        +--rw value?    binary
       |  |  +--rw certificates
       |  |  |  +--rw certificate* [name]
       |  |  |     +--rw name    string
       |  |  |     +--rw cert?   end-entity-cert-cms
       |  |  |     +---n certificate-expiration
       |  |  |        +-- expiration-date    yang:date-and-time
       |  |  +---x generate-certificate-signing-request
       |  |     +---w input
       |  |     |  +---w subject       binary
       |  |     |  +---w attributes?   binary
       |  |     +--ro output
       |  |        +--ro certificate-signing-request    binary
       |  +---x generate-asymmetric-key
       |     +---w input
       |     |  +---w algorithm       ct:asymmetric-key-algorithm-t
       |     |  +---w encrypt-with!
       |     |     +---w (key-type)
       |     |        +--:(symmetric-key-ref)
       |     |        |  +---w symmetric-key-ref?    leafref
       |     |        |          {keystore-supported}?
       |     |        +--:(asymmetric-key-ref)
       |     |           +---w asymmetric-key-ref?   leafref
       |     |                   {keystore-supported}?
       |     +--ro output
       |        +--ro algorithm             asymmetric-key-algorithm-t
       |        +--ro public-key-format?    identityref
       |        +--ro public-key            binary
       |        +--ro private-key-format?   identityref
       |        +--ro (private-key-type)
       |           +--:(private-key)
       |           |  +--ro private-key?    binary
       |           +--:(hidden-private-key)
       |           |  +--ro hidden-private-key?    empty
       |           +--:(encrypted-private-key)
       |              +--ro encrypted-private-key
       |                 +--ro (key-type)
       |                 |  +--:(symmetric-key-ref)
       |                 |  |  +--ro symmetric-key-ref?    leafref
       |                 |  |          {keystore-supported}?
       |                 |  +--:(asymmetric-key-ref)
       |                 |     +--ro asymmetric-key-ref?   leafref
       |                 |             {keystore-supported}?
       |                 +--ro value?    binary
       +--rw symmetric-keys
          +--rw symmetric-key* [name]
          |  +--rw name          string
          |  +--rw algorithm     encryption-algorithm-t
          |  +--rw key-format?   identityref
          |  +--rw (key-type)
          |     +--:(key)
          |     |  +--rw key?    binary
          |     +--:(hidden-key)
          |     |  +--rw hidden-key?    empty
          |     +--:(encrypted-key)
          |        +--rw encrypted-key
          |           +--rw (key-type)
          |           |  +--:(symmetric-key-ref)
          |           |  |  +--rw symmetric-key-ref?    leafref
          |           |  |          {keystore-supported}?
          |           |  +--:(asymmetric-key-ref)
          |           |     +--rw asymmetric-key-ref?   leafref
          |           |             {keystore-supported}?
          |           +--rw value?    binary
          +---x generate-symmetric-key
             +---w input
             |  +---w algorithm       ct:encryption-algorithm-t
             |  +---w encrypt-with!
             |     +---w (key-type)
             |        +--:(symmetric-key-ref)
             |        |  +---w symmetric-key-ref?    leafref
             |        |          {keystore-supported}?
             |        +--:(asymmetric-key-ref)
             |           +---w asymmetric-key-ref?   leafref
             |                   {keystore-supported}?
             +--ro output
                +--ro algorithm     encryption-algorithm-t
                +--ro key-format?   identityref
                +--ro (key-type)
                   +--:(key)
                   |  +--ro key?    binary
                   +--:(hidden-key)
                   |  +--ro hidden-key?    empty
                   +--:(encrypted-key)
                      +--ro encrypted-key
                         +--ro (key-type)
                         |  +--:(symmetric-key-ref)
                         |  |  +--ro symmetric-key-ref?    leafref
                         |  |          {keystore-supported}?
                         |  +--:(asymmetric-key-ref)
                         |     +--ro asymmetric-key-ref?   leafref
                         |             {keystore-supported}?
                         +--ro value?    binary

  grouping key-reference-type-grouping
    +-- (key-type)
       +--:(symmetric-key-ref)
       |  +-- symmetric-key-ref?
       |          -> /keystore/symmetric-keys/symmetric-key/name
       |          {keystore-supported}?
       +--:(asymmetric-key-ref)
          +-- asymmetric-key-ref?
                  -> /keystore/asymmetric-keys/asymmetric-key/name
                  {keystore-supported}?
  grouping encrypted-value-grouping
    +-- (key-type)
    |  +--:(symmetric-key-ref)
    |  |  +-- symmetric-key-ref?
    |  |          -> /keystore/symmetric-keys/symmetric-key/name
    |  |          {keystore-supported}?
    |  +--:(asymmetric-key-ref)
    |     +-- asymmetric-key-ref?
    |             -> /keystore/asymmetric-keys/asymmetric-key/name
    |             {keystore-supported}?
    +-- value?    binary
  grouping symmetric-key-grouping
    +-- algorithm     encryption-algorithm-t
    +-- key-format?   identityref
    +-- (key-type)
       +--:(key)
       |  +-- key?    binary
       +--:(hidden-key)
       |  +-- hidden-key?    empty
       +--:(encrypted-key)
          +-- encrypted-key
             +-- (key-type)
             |  +--:(symmetric-key-ref)
             |  |  +-- symmetric-key-ref?    leafref
             |  |          {keystore-supported}?
             |  +--:(asymmetric-key-ref)
             |     +-- asymmetric-key-ref?   leafref
             |             {keystore-supported}?
             +-- value?    binary
  grouping asymmetric-key-pair-grouping
    +-- algorithm             asymmetric-key-algorithm-t
    +-- public-key-format?    identityref
    +-- public-key            binary
    +-- private-key-format?   identityref
    +-- (private-key-type)
       +--:(private-key)
       |  +-- private-key?    binary
       +--:(hidden-private-key)
       |  +-- hidden-private-key?    empty
       +--:(encrypted-private-key)
          +-- encrypted-private-key
             +-- (key-type)
             |  +--:(symmetric-key-ref)
             |  |  +-- symmetric-key-ref?    leafref
             |  |          {keystore-supported}?
             |  +--:(asymmetric-key-ref)
             |     +-- asymmetric-key-ref?   leafref
             |             {keystore-supported}?
             +-- value?    binary
  grouping asymmetric-key-pair-with-cert-grouping
    +-- algorithm             asymmetric-key-algorithm-t
    +-- public-key-format?    identityref
    +-- public-key            binary
    +-- private-key-format?   identityref
    +-- (private-key-type)
    |  +--:(private-key)
    |  |  +-- private-key?    binary
    |  +--:(hidden-private-key)
    |  |  +-- hidden-private-key?    empty
    |  +--:(encrypted-private-key)
    |     +-- encrypted-private-key
    |        +-- (key-type)
    |        |  +--:(symmetric-key-ref)
    |        |  |  +-- symmetric-key-ref?    leafref
    |        |  |          {keystore-supported}?
    |        |  +--:(asymmetric-key-ref)
    |        |     +-- asymmetric-key-ref?   leafref
    |        |             {keystore-supported}?
    |        +-- value?    binary
    +-- cert?    end-entity-cert-cms
    +---n certificate-expiration
    |  +-- expiration-date    yang:date-and-time
    +---x generate-certificate-signing-request
       +---w input
       |  +---w subject       binary
       |  +---w attributes?   binary
       +--ro output
          +--ro certificate-signing-request    binary
  grouping asymmetric-key-pair-with-certs-grouping
    +-- algorithm             asymmetric-key-algorithm-t
    +-- public-key-format?    identityref
    +-- public-key            binary
    +-- private-key-format?   identityref
    +-- (private-key-type)
    |  +--:(private-key)
    |  |  +-- private-key?    binary
    |  +--:(hidden-private-key)
    |  |  +-- hidden-private-key?    empty
    |  +--:(encrypted-private-key)
    |     +-- encrypted-private-key
    |        +-- (key-type)
    |        |  +--:(symmetric-key-ref)
    |        |  |  +-- symmetric-key-ref?    leafref
    |        |  |          {keystore-supported}?
    |        |  +--:(asymmetric-key-ref)
    |        |     +-- asymmetric-key-ref?   leafref
    |        |             {keystore-supported}?
    |        +-- value?    binary
    +-- certificates
    |  +-- certificate* [name]
    |     +-- name?   string
    |     +-- cert?   end-entity-cert-cms
    |     +---n certificate-expiration
    |        +-- expiration-date    yang:date-and-time
    +---x generate-certificate-signing-request
       +---w input
       |  +---w subject       binary
       |  +---w attributes?   binary
       +--ro output
          +--ro certificate-signing-request    binary
  grouping asymmetric-key-certificate-ref-grouping
    +-- asymmetric-key?   ks:asymmetric-key-ref
    +-- certificate?      leafref
  grouping local-or-keystore-asymmetric-key-grouping
    +-- (local-or-keystore)
       +--:(local) {local-definitions-supported}?
       |  +-- local-definition
       |     +-- algorithm             asymmetric-key-algorithm-t
       |     +-- public-key-format?    identityref
       |     +-- public-key            binary
       |     +-- private-key-format?   identityref
       |     +-- (private-key-type)
       |        +--:(private-key)
       |        |  +-- private-key?    binary
       |        +--:(hidden-private-key)
       |        |  +-- hidden-private-key?    empty
       |        +--:(encrypted-private-key)
       |           +-- encrypted-private-key
       |              +-- (key-type)
       |              |  +--:(symmetric-key-ref)
       |              |  |  +-- symmetric-key-ref?    leafref
       |              |  |          {keystore-supported}?
       |              |  +--:(asymmetric-key-ref)
       |              |     +-- asymmetric-key-ref?   leafref
       |              |             {keystore-supported}?
       |              +-- value?    binary
       +--:(keystore) {keystore-supported}?
          +-- keystore-reference?   ks:asymmetric-key-ref
  grouping local-or-keystore-asymmetric-key-with-certs-grouping
    +-- (local-or-keystore)
       +--:(local) {local-definitions-supported}?
       |  +-- local-definition
       |     +-- algorithm             asymmetric-key-algorithm-t
       |     +-- public-key-format?    identityref
       |     +-- public-key            binary
       |     +-- private-key-format?   identityref
       |     +-- (private-key-type)
       |     |  +--:(private-key)
       |     |  |  +-- private-key?    binary
       |     |  +--:(hidden-private-key)
       |     |  |  +-- hidden-private-key?    empty
       |     |  +--:(encrypted-private-key)
       |     |     +-- encrypted-private-key
       |     |        +-- (key-type)
       |     |        |  +--:(symmetric-key-ref)
       |     |        |  |  +-- symmetric-key-ref?    leafref
       |     |        |  |          {keystore-supported}?
       |     |        |  +--:(asymmetric-key-ref)
       |     |        |     +-- asymmetric-key-ref?   leafref
       |     |        |             {keystore-supported}?
       |     |        +-- value?    binary
       |     +-- certificates
       |     |  +-- certificate* [name]
       |     |     +-- name?   string
       |     |     +-- cert?   end-entity-cert-cms
       |     |     +---n certificate-expiration
       |     |        +-- expiration-date    yang:date-and-time
       |     +---x generate-certificate-signing-request
       |        +---w input
       |        |  +---w subject       binary
       |        |  +---w attributes?   binary
       |        +--ro output
       |           +--ro certificate-signing-request    binary
       +--:(keystore) {keystore-supported}?
          +-- keystore-reference?   ks:asymmetric-key-ref
  grouping local-or-keystore-end-entity-cert-with-key-grouping
    +-- (local-or-keystore)
       +--:(local) {local-definitions-supported}?
       |  +-- local-definition
       |     +-- algorithm             asymmetric-key-algorithm-t
       |     +-- public-key-format?    identityref
       |     +-- public-key            binary
       |     +-- private-key-format?   identityref
       |     +-- (private-key-type)
       |     |  +--:(private-key)
       |     |  |  +-- private-key?    binary
       |     |  +--:(hidden-private-key)
       |     |  |  +-- hidden-private-key?    empty
       |     |  +--:(encrypted-private-key)
       |     |     +-- encrypted-private-key
       |     |        +-- (key-type)
       |     |        |  +--:(symmetric-key-ref)
       |     |        |  |  +-- symmetric-key-ref?    leafref
       |     |        |  |          {keystore-supported}?
       |     |        |  +--:(asymmetric-key-ref)
       |     |        |     +-- asymmetric-key-ref?   leafref
       |     |        |             {keystore-supported}?
       |     |        +-- value?    binary
       |     +-- cert?    end-entity-cert-cms
       |     +---n certificate-expiration
       |     |  +-- expiration-date    yang:date-and-time
       |     +---x generate-certificate-signing-request
       |        +---w input
       |        |  +---w subject       binary
       |        |  +---w attributes?   binary
       |        +--ro output
       |           +--ro certificate-signing-request    binary
       +--:(keystore) {keystore-supported}?
          +-- keystore-reference
             +-- asymmetric-key?   ks:asymmetric-key-ref
             +-- certificate?      leafref
  grouping keystore-grouping
    +-- asymmetric-keys
    |  +-- asymmetric-key* [name]
    |  |  +-- name?                 string
    |  |  +-- algorithm             asymmetric-key-algorithm-t
    |  |  +-- public-key-format?    identityref
    |  |  +-- public-key            binary
    |  |  +-- private-key-format?   identityref
    |  |  +-- (private-key-type)
    |  |  |  +--:(private-key)
    |  |  |  |  +-- private-key?    binary
    |  |  |  +--:(hidden-private-key)
    |  |  |  |  +-- hidden-private-key?    empty
    |  |  |  +--:(encrypted-private-key)
    |  |  |     +-- encrypted-private-key
    |  |  |        +-- (key-type)
    |  |  |        |  +--:(symmetric-key-ref)
    |  |  |        |  |  +-- symmetric-key-ref?    leafref
    |  |  |        |  |          {keystore-supported}?
    |  |  |        |  +--:(asymmetric-key-ref)
    |  |  |        |     +-- asymmetric-key-ref?   leafref
    |  |  |        |             {keystore-supported}?
    |  |  |        +-- value?    binary
    |  |  +-- certificates
    |  |  |  +-- certificate* [name]
    |  |  |     +-- name?   string
    |  |  |     +-- cert?   end-entity-cert-cms
    |  |  |     +---n certificate-expiration
    |  |  |        +-- expiration-date    yang:date-and-time
    |  |  +---x generate-certificate-signing-request
    |  |     +---w input
    |  |     |  +---w subject       binary
    |  |     |  +---w attributes?   binary
    |  |     +--ro output
    |  |        +--ro certificate-signing-request    binary
    |  +---x generate-asymmetric-key
    |     +---w input
    |     |  +---w algorithm       ct:asymmetric-key-algorithm-t
    |     |  +---w encrypt-with!
    |     |     +---w (key-type)
    |     |        +--:(symmetric-key-ref)
    |     |        |  +---w symmetric-key-ref?    leafref
    |     |        |          {keystore-supported}?
    |     |        +--:(asymmetric-key-ref)
    |     |           +---w asymmetric-key-ref?   leafref
    |     |                   {keystore-supported}?
    |     +--ro output
    |        +--ro algorithm             asymmetric-key-algorithm-t
    |        +--ro public-key-format?    identityref
    |        +--ro public-key            binary
    |        +--ro private-key-format?   identityref
    |        +--ro (private-key-type)
    |           +--:(private-key)
    |           |  +--ro private-key?    binary
    |           +--:(hidden-private-key)
    |           |  +--ro hidden-private-key?    empty
    |           +--:(encrypted-private-key)
    |              +--ro encrypted-private-key
    |                 +--ro (key-type)
    |                 |  +--:(symmetric-key-ref)
    |                 |  |  +--ro symmetric-key-ref?    leafref
    |                 |  |          {keystore-supported}?
    |                 |  +--:(asymmetric-key-ref)
    |                 |     +--ro asymmetric-key-ref?   leafref
    |                 |             {keystore-supported}?
    |                 +--ro value?    binary
    +-- symmetric-keys
       +-- symmetric-key* [name]
       |  +-- name?         string
       |  +-- algorithm     encryption-algorithm-t
       |  +-- key-format?   identityref
       |  +-- (key-type)
       |     +--:(key)
       |     |  +-- key?    binary
       |     +--:(hidden-key)
       |     |  +-- hidden-key?    empty
       |     +--:(encrypted-key)
       |        +-- encrypted-key
       |           +-- (key-type)
       |           |  +--:(symmetric-key-ref)
       |           |  |  +-- symmetric-key-ref?    leafref
       |           |  |          {keystore-supported}?
       |           |  +--:(asymmetric-key-ref)
       |           |     +-- asymmetric-key-ref?   leafref
       |           |             {keystore-supported}?
       |           +-- value?    binary
       +---x generate-symmetric-key
          +---w input
          |  +---w algorithm       ct:encryption-algorithm-t
          |  +---w encrypt-with!
          |     +---w (key-type)
          |        +--:(symmetric-key-ref)
          |        |  +---w symmetric-key-ref?    leafref
          |        |          {keystore-supported}?
          |        +--:(asymmetric-key-ref)
          |           +---w asymmetric-key-ref?   leafref
          |                   {keystore-supported}?
          +--ro output
             +--ro algorithm     encryption-algorithm-t
             +--ro key-format?   identityref
             +--ro (key-type)
                +--:(key)
                |  +--ro key?    binary
                +--:(hidden-key)
                |  +--ro hidden-key?    empty
                +--:(encrypted-key)
                   +--ro encrypted-key
                      +--ro (key-type)
                      |  +--:(symmetric-key-ref)
                      |  |  +--ro symmetric-key-ref?    leafref
                      |  |          {keystore-supported}?
                      |  +--:(asymmetric-key-ref)
                      |     +--ro asymmetric-key-ref?   leafref
                      |             {keystore-supported}?
                      +--ro value?    binary

3.2.  Example Usage

3.2.1.  A Keystore Instance

   The following example illustrates what a fully configured keystore
   might look like in <operational>, as described by Section 5.3 in
   [RFC8342].  This datastore view illustrates data set by the
   manufacturing process alongside conventional configuration.  This
   keystore instance has four asymmetric keys: two having one
   associated certificate, one having two associated certificates, and
   one having no certificate at all.
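   The checks a server (or an operator auditing a configuration) would
   want to run over such an instance are not spelled out by the module,
   so the following added example, written by the editor and not part
   of the draft, shows them in Python over a constructed JSON-style
   encoding (RFC 7951 member names) of the keys in this section's
   example: every key carries exactly one case of the mandatory
   (key-type)/(private-key-type) choice, every "symmetric-key-ref" /
   "asymmetric-key-ref" leafref resolves to an existing key, and the
   chain of encrypting keys ends in a cleartext or hidden key rather
   than in a cycle.  The placeholder "base64encodedvalue==" is the
   draft's own and is not key material; the BROKEN instance is
   constructed to show the failure modes.

```python
"""Reference and encryption-chain checks over an ietf-keystore instance.

Added example (editor's code, not the draft's).  KEYSTORE is a constructed
encoding of the example instance; the checks below are the editor's.
"""
from __future__ import annotations

from typing import Iterator

# (container, list) names for each key kind, as in the "keystore" tree.
KINDS = {"symmetric": ("symmetric-keys", "symmetric-key"),
         "asymmetric": ("asymmetric-keys", "asymmetric-key")}

# Node that selects each case of the mandatory choice for each key kind.
CASES = {
    "symmetric": {"cleartext": "key", "hidden": "hidden-key",
                  "encrypted": "encrypted-key"},
    "asymmetric": {"cleartext": "private-key", "hidden": "hidden-private-key",
                   "encrypted": "encrypted-private-key"},
}

B64 = "base64encodedvalue=="  # the draft's placeholder, not real key material

# Constructed encoding of this section's example (empty leaves encode as [None]).
KEYSTORE = {
    "symmetric-keys": {"symmetric-key": [
        {"name": "cleartext-symmetric-key", "algorithm": "aes-256-cbc",
         "key-format": "ct:octet-string-key-format", "key": B64},
        {"name": "hidden-symmetric-key", "algorithm": "aes-256-cbc",
         "hidden-key": [None]},
        {"name": "encrypted-symmetric-key", "algorithm": "aes-256-cbc",
         "encrypted-key": {"asymmetric-key-ref": "hidden-asymmetric-key",
                           "value": B64}},
    ]},
    "asymmetric-keys": {"asymmetric-key": [
        {"name": "rsa-asymmetric-key", "algorithm": "rsa2048",
         "public-key": B64, "private-key": B64},
        {"name": "ec-asymmetric-key", "algorithm": "secp256r1",
         "public-key": B64, "private-key": B64},
        {"name": "hidden-asymmetric-key", "algorithm": "rsa2048",
         "public-key": B64, "hidden-private-key": [None]},
        {"name": "encrypted-asymmetric-key", "algorithm": "secp256r1",
         "public-key": B64,
         "encrypted-private-key": {"symmetric-key-ref": "encrypted-symmetric-key",
                                   "value": B64}},
    ]},
}

# Constructed broken instance: a -> b -> a is a cycle; c points at a key that
# does not exist (a dangling leafref).
BROKEN = {"symmetric-keys": {"symmetric-key": [
    {"name": "a", "algorithm": "aes-256-cbc",
     "encrypted-key": {"symmetric-key-ref": "b", "value": B64}},
    {"name": "b", "algorithm": "aes-256-cbc",
     "encrypted-key": {"symmetric-key-ref": "a", "value": B64}},
    {"name": "c", "algorithm": "aes-256-cbc",
     "encrypted-key": {"asymmetric-key-ref": "missing", "value": B64}},
]}}


def iter_keys(keystore: dict) -> Iterator[tuple[str, dict]]:
    for kind, (container, lst) in KINDS.items():
        for entry in keystore.get(container, {}).get(lst, []):
            yield kind, entry


def find_key(keystore: dict, kind: str, name: str) -> dict | None:
    container, lst = KINDS[kind]
    return next((e for e in keystore.get(container, {}).get(lst, [])
                 if e.get("name") == name), None)


def key_case(kind: str, entry: dict) -> str:
    """Exactly one case of the mandatory choice must be present."""
    present = [case for case, node in CASES[kind].items() if node in entry]
    if len(present) != 1:
        raise ValueError(f"{kind} key {entry.get('name')!r}: one case required, got {present}")
    return present[0]


def encryptor(kind: str, entry: dict) -> tuple[str, str] | None:
    """(kind, name) of the keystore key that encrypts this entry, or None."""
    if key_case(kind, entry) != "encrypted":
        return None
    enc = entry[CASES[kind]["encrypted"]]
    for ref_kind in ("symmetric", "asymmetric"):
        if f"{ref_kind}-key-ref" in enc:
            return (ref_kind, enc[f"{ref_kind}-key-ref"])
    raise ValueError(f"{kind} key {entry['name']!r}: encrypted case without a key reference")


def encryption_chain(keystore: dict, kind: str, name: str) -> list[tuple[str, str]]:
    """Follow encrypting-key references until a key that is not itself
    encrypted; raise on a dangling leafref or a cycle."""
    chain, seen = [(kind, name)], {(kind, name)}
    while True:
        entry = find_key(keystore, kind, name)
        if entry is None:
            raise ValueError(f"dangling reference to {kind} key {name!r}")
        nxt = encryptor(kind, entry)
        if nxt is None:
            return chain
        if nxt in seen:
            raise ValueError(f"encryption cycle through {kind} key {name!r}")
        seen.add(nxt)
        chain.append(nxt)
        kind, name = nxt


def check_keystore(keystore: dict) -> list[str]:
    """All problems found, as strings; an empty list means the instance is consistent."""
    problems = []
    for kind, entry in iter_keys(keystore):
        try:
            encryption_chain(keystore, kind, entry["name"])
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print("example instance:", check_keystore(KEYSTORE) or "ok")
    print("broken instance:", *check_keystore(BROKEN), sep="\n  ")
```

   For the example instance the chain for "encrypted-asymmetric-key"
   ends at "hidden-asymmetric-key", i.e. the only thing that can ever
   unwrap it is the hardware that hides that key, which is the property
   an operator relying on a TPM wants to verify; the broken instance
   reports two cycle errors and one dangling reference.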
   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   cleartext-symmetric-key
   aes-256-cbc
   ct:octet-string-key-format
   base64encodedvalue==

   hidden-symmetric-key
   aes-256-cbc

   encrypted-symmetric-key
   aes-256-cbc
   hidden-asymmetric-key
   base64encodedvalue==

   rsa-asymmetric-key
   rsa2048
   ct:subject-public-key-info-format
   base64encodedvalue==
   ct:rsa-private-key-format
   base64encodedvalue==
   ex-rsa-cert
   base64encodedvalue==

   ec-asymmetric-key
   secp256r1
   ct:subject-public-key-info-format
   base64encodedvalue==
   ct:ec-private-key-format
   base64encodedvalue==
   ex-ec-cert
   base64encodedvalue==

   hidden-asymmetric-key
   rsa2048
   ct:subject-public-key-info-format
   base64encodedvalue==
   builtin-idevid-cert
   my-ldevid-cert
   base64encodedvalue==

   encrypted-asymmetric-key
   secp256r1
   ct:subject-public-key-info-format
   base64encodedvalue==
   encrypted-symmetric-key
   base64encodedvalue==

3.2.2.  The "generate-symmetric-key" RPC

   The following example illustrates the "generate-symmetric-key" RPC.
   The key being referenced is defined in the keystore example above.

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   aes-256-cbc
   hidden-asymmetric-key

   Following is the complementary RPC-reply.

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   aes-256-cbc
   hidden-asymmetric-key
   base64encodedvalue==

3.2.3.  The "generate-asymmetric-key" RPC

   The following example illustrates the "generate-asymmetric-key" RPC.
   The key being referenced is defined in the keystore example above.
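   The two generation actions differ only in their algorithm type and
   output, so the following added example, the editor's code and not
   part of the draft, builds the "generate-asymmetric-key" action
   request the way a NETCONF client would and parses both the request
   (as a server would) and a constructed reply shaped like the one in
   this section.  The <rpc> and <action> wrappers follow RFC 6241 and
   RFC 7950 Section 7.15.3; the ietf-keystore namespace is the one the
   module declares; the ietf-crypto-types namespace used for the "ct:"
   identityref prefix is assumed.  The one security-relevant detail the
   parser gets right is that an identityref such as
   "ct:subject-public-key-info-format" is resolved through the in-scope
   XML namespace declarations rather than by string comparison on the
   prefix.

```python
"""Build and parse the "generate-asymmetric-key" action of ietf-keystore.

Added example (editor's code, not the draft's).  Namespaces: NC and YANG are
from RFC 6241 / RFC 7950, KS is declared by the module, CT is assumed.
"""
import io
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"        # RFC 6241 <rpc>, <rpc-reply>
YANG = "urn:ietf:params:xml:ns:yang:1"                 # RFC 7950 <action> wrapper
KS = "urn:ietf:params:xml:ns:yang:ietf-keystore"       # declared by the module
CT = "urn:ietf:params:xml:ns:yang:ietf-crypto-types"   # assumed for the "ct:" prefix

for _prefix, _uri in (("nc", NC), ("yang", YANG), ("ks", KS)):
    ET.register_namespace(_prefix, _uri)  # readable prefixes in serialized output


def ks(name: str) -> str:
    return f"{{{KS}}}{name}"


def build_generate_asymmetric_key(message_id, algorithm: str, encrypt_with=None) -> bytes:
    """encrypt_with is None (the reply will carry a cleartext private key) or a
    ("symmetric" | "asymmetric", key-name) pair naming a keystore key."""
    rpc = ET.Element(f"{{{NC}}}rpc", {"message-id": str(message_id)})
    action = ET.SubElement(rpc, f"{{{YANG}}}action")
    keys = ET.SubElement(ET.SubElement(action, ks("keystore")), ks("asymmetric-keys"))
    gen = ET.SubElement(keys, ks("generate-asymmetric-key"))
    ET.SubElement(gen, ks("algorithm")).text = algorithm
    if encrypt_with is not None:
        kind, name = encrypt_with
        if kind not in ("symmetric", "asymmetric"):
            raise ValueError(f"unknown key kind {kind!r}")
        ew = ET.SubElement(gen, ks("encrypt-with"))   # presence container
        ET.SubElement(ew, ks(f"{kind}-key-ref")).text = name
    return ET.tostring(rpc)


def parse_generate_request(xml_bytes: bytes) -> dict:
    """Server side: locate the action and validate its input choice."""
    root = ET.fromstring(xml_bytes)
    gen = root.find(f"{{{YANG}}}action/{ks('keystore')}/{ks('asymmetric-keys')}"
                    f"/{ks('generate-asymmetric-key')}")
    if gen is None:
        raise ValueError("not a generate-asymmetric-key action")
    algorithm = gen.findtext(ks("algorithm"))
    if not algorithm:
        raise ValueError("algorithm is mandatory")
    ref = None
    ew = gen.find(ks("encrypt-with"))
    if ew is not None:
        refs = [(c.tag[len(KS) + 2:-len("-key-ref")], c.text)
                for c in ew if c.tag.endswith("-key-ref")]
        if len(refs) != 1:  # the (key-type) choice is mandatory and exclusive
            raise ValueError("encrypt-with needs exactly one key reference")
        ref = refs[0]
    return {"algorithm": algorithm, "encrypt-with": ref}


def parse_generate_reply(xml_bytes: bytes) -> dict:
    """Client side: read the action output, resolving identityref prefixes."""
    prefixes, root = {}, None
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]   # document-wide map, fine for a reply
        elif root is None:
            root = payload
    if root is None or root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError("not an <rpc-reply>")
    if root.find(f"{{{NC}}}rpc-error") is not None:
        raise ValueError("server returned rpc-error")
    out = {"algorithm": root.findtext(ks("algorithm")),
           "public-key": root.findtext(ks("public-key"))}
    fmt = root.findtext(ks("public-key-format"))
    if fmt:
        prefix, _, local = fmt.rpartition(":")
        out["public-key-format"] = (prefixes[prefix], local)
    cases = {"private-key": "cleartext", "hidden-private-key": "hidden",
             "encrypted-private-key": "encrypted"}
    present = [case for node, case in cases.items() if root.find(ks(node)) is not None]
    if len(present) != 1:
        raise ValueError(f"reply must carry exactly one private-key case, got {present}")
    out["private-key-case"] = present[0]
    if present[0] == "encrypted":
        enc = root.find(ks("encrypted-private-key"))
        for kind in ("symmetric", "asymmetric"):
            name = enc.findtext(ks(f"{kind}-key-ref"))
            if name:
                out["encrypted-by"] = (kind, name)
    return out


# Constructed reply, shaped like this section's RPC-reply (placeholder values).
SAMPLE_REPLY = (
    f'<rpc-reply message-id="101" xmlns="{NC}">'
    f'<algorithm xmlns="{KS}">secp256r1</algorithm>'
    f'<public-key-format xmlns="{KS}" xmlns:ct="{CT}">ct:subject-public-key-info-format'
    '</public-key-format>'
    f'<public-key xmlns="{KS}">base64encodedvalue==</public-key>'
    f'<encrypted-private-key xmlns="{KS}">'
    '<symmetric-key-ref>encrypted-symmetric-key</symmetric-key-ref>'
    '<value>base64encodedvalue==</value></encrypted-private-key></rpc-reply>'
).encode()

if __name__ == "__main__":
    req = build_generate_asymmetric_key(101, "secp256r1", ("symmetric", "encrypted-symmetric-key"))
    print(req.decode())
    print(parse_generate_request(req))
    print(parse_generate_reply(SAMPLE_REPLY))
```

   Omitting "encrypt-with" is legal per the tree (the presence
   container is optional), but then the private key comes back in the
   "private-key" case in cleartext over the management session, so a
   client that wants the key to stay wrapped must name an encrypting
   key explicitly.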
   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   secp256r1
   encrypted-symmetric-key

   Following is the complementary RPC-reply.

   ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) ===========

   secp256r1
   ct:subject-public-key-info-format
   base64encodedvalue==
   encrypted-symmetric-key
   base64encodedvalue==

3.2.4.  Notable Keystore Groupings

   The following non-normative module is used by subsequent examples to
   illustrate the groupings defined in the "ietf-keystore" module.

   module ex-keystore-usage {
     yang-version 1.1;

     namespace "http://example.com/ns/example-keystore-usage";
     prefix "eku";

     import ietf-keystore {
       prefix ks;
       reference
         "RFC VVVV: YANG Data Model for a 'Keystore' Mechanism";
     }

     organization
       "Example Corporation";

     contact
       "Author: YANG Designer";

     description
       "This module illustrates the grouping in the keystore draft called
        'local-or-keystore-asymmetric-key-with-certs-grouping'.";

     revision "YYYY-MM-DD" {
       description
         "Initial version";
       reference
         "RFC XXXX: YANG Data Model for a 'Keystore' Mechanism";
     }

     container keystore-usage {
       description
         "An illustration of the various keystore groupings.";

       list just-a-key {
         key name;
         leaf name {
           type string;
           description
             "An arbitrary name for this key.";
         }
         uses ks:local-or-keystore-asymmetric-key-grouping;
         description
           "An asymmetric key, with no certs, that may be configured
            locally or be a reference to an asymmetric key in the
            keystore.  The intent is to reference just the asymmetric
            key, not any certificates that may also be associated
            with the asymmetric key.";
       }

       list key-with-certs {
         key name;
         leaf name {
           type string;
           description
             "An arbitrary name for this key.";
         }
         uses ks:local-or-keystore-asymmetric-key-with-certs-grouping;
         description
           "An asymmetric key and its associated certs, that may be
            configured locally or be a reference to an asymmetric key
            (and its associated certs) in the keystore.";
       }

       list end-entity-cert-with-key {
         key name;
         leaf name {
           type string;
           description
             "An arbitrary name for this key.";
         }
         uses ks:local-or-keystore-end-entity-cert-with-key-grouping;
         description
           "An end-entity certificate, and its associated private key,
            that may be configured locally or be a reference to a
            specific certificate (and its associated private key) in
            the keystore.";
       }
     }

   }

   The following example illustrates what two configured entries in
   each of the three lists, one defined locally and the other a
   reference into the keystore, might look like.  This example is
   consistent with the other examples above (i.e., the referenced key
   and certificate are defined in the keystore example above).
908 ========== NOTE: '\' line wrapping per BCP XXX (RFC XXXX) =========== 910 913 915 916 a locally-defined key 917 918 rsa2048 919 ct:subject-public-key-info-format 921 base64encodedvalue== 922 ct:rsa-private-key-format 924 base64encodedvalue== 925 926 928 929 a keystore-defined key (and its associated certs) 930 rsa-asymmetric-key 931 933 935 936 a locally-defined key with certs 937 938 rsa2048 939 ct:subject-public-key-info-format 941 base64encodedvalue== 942 ct:rsa-private-key-format 944 base64encodedvalue== 945 946 947 a locally-defined cert 948 base64encodedvalue== 949 950 951 952 954 955 a keystore-defined key (and its associated certs) 956 rsa-asymmetric-key 957 959 961 962 a locally-defined end-entity cert with key 963 964 rsa2048 965 ct:subject-public-key-info-format 967 base64encodedvalue== 968 ct:rsa-private-key-format 970 base64encodedvalue== 971 base64encodedvalue== 972 973 975 976 a keystore-defined certificate (and its associated key) 978 979 rsa-asymmetric-key 980 ex-rsa-cert 981 982 984 986 3.3. YANG Module 988 This YANG module has normative references to [RFC8341] and 989 [I-D.ietf-netconf-crypto-types], and an informative reference to 990 [RFC8342]. 992 file "ietf-keystore@2019-10-18.yang" 994 module ietf-keystore { 995 yang-version 1.1; 996 namespace "urn:ietf:params:xml:ns:yang:ietf-keystore"; 997 prefix ks; 999 import ietf-crypto-types { 1000 prefix ct; 1001 reference 1002 "RFC CCCC: Common YANG Data Types for Cryptography"; 1003 } 1005 import ietf-netconf-acm { 1006 prefix nacm; 1007 reference 1008 "RFC 8341: Network Configuration Access Control Model"; 1009 } 1011 organization 1012 "IETF NETCONF (Network Configuration) Working Group"; 1014 contact 1015 "WG Web: 1016 WG List: 1017 Author: Kent Watsen "; 1019 description 1020 "This module defines a keystore to centralize management 1021 of security credentials. 1023 Copyright (c) 2019 IETF Trust and the persons identified 1024 as authors of the code. All rights reserved. 
1026 Redistribution and use in source and binary forms, with 1027 or without modification, is permitted pursuant to, and 1028 subject to the license terms contained in, the Simplified 1029 BSD License set forth in Section 4.c of the IETF Trust's 1030 Legal Provisions Relating to IETF Documents 1031 (https://trustee.ietf.org/license-info). 1033 This version of this YANG module is part of RFC XXXX 1034 (https://www.rfc-editor.org/info/rfcXXXX); see the RFC 1035 itself for full legal notices.; 1037 The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 1038 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 1039 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document 1040 are to be interpreted as described in BCP 14 (RFC 2119) 1041 (RFC 8174) when, and only when, they appear in all 1042 capitals, as shown here."; 1044 revision 2019-10-18 { 1045 description 1046 "Initial version"; 1047 reference 1048 "RFC VVVV: A YANG Data Model for a Keystore"; 1049 } 1051 /****************/ 1052 /* Features */ 1053 /****************/ 1055 feature keystore-supported { 1056 description 1057 "The 'keystore-supported' feature indicates that the server 1058 supports the keystore."; 1059 } 1061 feature local-definitions-supported { 1062 description 1063 "The 'local-definitions-supported' feature indicates that the 1064 server supports locally-defined keys."; 1065 } 1067 feature key-generation { 1068 description 1069 "Indicates that the server supports the actions related to 1070 the life cycling keys in . 
          To be used by
          configuration, keys in  must be copied to .";
     }

     /****************/
     /*   Typedefs   */
     /****************/

     typedef asymmetric-key-ref {
       type leafref {
         path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
            + "/ks:name";
       }
       description
         "This typedef enables modules to easily define a reference
          to an asymmetric key stored in the keystore.";
     }

     /*****************/
     /*   Groupings   */
     /*****************/

     grouping key-reference-type-grouping {
       description
         "A reusable grouping for a choice for the type of key
          referenced in the keystore.";
       choice key-type {
         mandatory true;
         description
           "A choice between a reference to a symmetric or asymmetric
            key in the keystore.";
         leaf symmetric-key-ref {
           if-feature "keystore-supported";
           type leafref {
             path "/ks:keystore/ks:symmetric-keys/ks:symmetric-key/"
                + "ks:name";
           }
           description
             "Identifies a symmetric key used to encrypt this key.";
         }
         leaf asymmetric-key-ref {
           if-feature "keystore-supported";
           type leafref {
             path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/"
                + "ks:name";
           }
           description
             "Identifies an asymmetric key used to encrypt this key.";
         }
       }
     }

     grouping encrypted-value-grouping {
       description
         "A reusable grouping for a value that has been encrypted by
          a symmetric or asymmetric key in the keystore.";
       uses "key-reference-type-grouping";
       leaf value {
         type binary;
         description
           "The key value, encrypted using the specified symmetric
            or asymmetric key.";
       }
     }

     grouping symmetric-key-grouping {
       description
         "This grouping is identical to the one in ietf-crypto-types
          except that it adds a 'case' statement enabling the
          key value to be encrypted by a symmetric or an asymmetric
          key known to the keystore.";
       uses ct:symmetric-key-grouping {
         augment "key-type" {
           description
             "Augments a new 'case' statement into the 'choice'
              statement defined by the ietf-crypto-types module.";
           container encrypted-key {
             description
               "A container for the encrypted symmetric key value.";
             uses encrypted-value-grouping;
           }
         }
       }
     }

     grouping asymmetric-key-pair-grouping {
       description
         "This grouping is identical to the one in ietf-crypto-types
          except that it adds a 'case' statement enabling the
          key value to be encrypted by a symmetric or an asymmetric
          key known to the keystore.";
       uses ct:asymmetric-key-pair-grouping {
         augment "private-key-type" {
           description
             "Augments a new 'case' statement into the 'choice'
              statement defined by the ietf-crypto-types module.";
           container encrypted-private-key {
             description
               "A container for the encrypted asymmetric private
                key value.";
             uses encrypted-value-grouping;
           }
         }
       }
     }

     grouping asymmetric-key-pair-with-cert-grouping {
       description
         "This grouping is identical to the one in ietf-crypto-types
          except that it adds a 'case' statement enabling the
          key value to be encrypted by a symmetric or an asymmetric
          key known to the keystore.";
       uses ct:asymmetric-key-pair-with-cert-grouping {
         augment "private-key-type" {
           description
             "Augments a new 'case' statement into the 'choice'
              statement defined by the ietf-crypto-types module.";
           container encrypted-private-key {
             description
               "A container for the encrypted asymmetric private
                key value.";
             uses encrypted-value-grouping;
           }
         }
       }
     }

     grouping asymmetric-key-pair-with-certs-grouping {
       description
         "This grouping is identical to the one in ietf-crypto-types
          except that it adds a 'case' statement enabling the
          key value to be encrypted by a
          symmetric or an asymmetric
          key known to the keystore.";
       uses ct:asymmetric-key-pair-with-certs-grouping {
         augment "private-key-type" {
           description
             "Augments a new 'case' statement into the 'choice'
              statement defined by the ietf-crypto-types module.";
           container encrypted-private-key {
             description
               "A container for the encrypted asymmetric private
                key value.";
             uses encrypted-value-grouping;
           }
         }
       }
     }

     grouping asymmetric-key-certificate-ref-grouping {
       leaf asymmetric-key {
         type ks:asymmetric-key-ref;
         must '../certificate';
         description
           "A reference to an asymmetric key in the keystore.";
       }
       leaf certificate {
         type leafref {
           path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key[ks:"
              + "name = current()/../asymmetric-key]/ks:certificates"
              + "/ks:certificate/ks:name";
         }
         must '../asymmetric-key';
         description
           "A reference to a specific certificate of the
            asymmetric key in the keystore.";
       }
       description
         "This grouping defines a reference to a specific certificate
          associated with an asymmetric key stored in the keystore.";
     }

     grouping local-or-keystore-asymmetric-key-grouping {
       description
         "A grouping that expands to allow the asymmetric key to be
          either stored locally, within the using data model, or be
          a reference to an asymmetric key stored in the keystore.";
       choice local-or-keystore {
         mandatory true;
         case local {
           if-feature "local-definitions-supported";
           container local-definition {
             description
               "Container to hold the local key definition.";
             uses asymmetric-key-pair-grouping;
           }
         }
         case keystore {
           if-feature "keystore-supported";
           leaf keystore-reference {
             type ks:asymmetric-key-ref;
             description
               "A reference to an asymmetric key that exists in
                the keystore.
                The intent is to reference just the
                asymmetric key, not any certificates that may also
                be associated with the asymmetric key.";
           }
         }
         description
           "A choice between an inlined definition and a definition
            that exists in the keystore.";
       }
     }

     grouping local-or-keystore-asymmetric-key-with-certs-grouping {
       description
         "A grouping that expands to allow an asymmetric key and its
          associated certificates to be either stored locally, within
          the using data model, or be a reference to an asymmetric key
          (and its associated certificates) stored in the keystore.";
       choice local-or-keystore {
         mandatory true;
         case local {
           if-feature "local-definitions-supported";
           container local-definition {
             description
               "Container to hold the local key definition.";
             uses asymmetric-key-pair-with-certs-grouping;
           }
         }
         case keystore {
           if-feature "keystore-supported";
           leaf keystore-reference {
             type ks:asymmetric-key-ref;
             description
               "A reference to an asymmetric-key (and all of its
                associated certificates) in the keystore.";
           }
         }
         description
           "A choice between an inlined definition and a definition
            that exists in the keystore.";
       }
     }

     grouping local-or-keystore-end-entity-cert-with-key-grouping {
       description
         "A grouping that expands to allow an end-entity certificate
          (and its associated private key) to be either stored locally,
          within the using data model, or be a reference to a specific
          certificate in the keystore.";
       choice local-or-keystore {
         mandatory true;
         case local {
           if-feature "local-definitions-supported";
           container local-definition {
             description
               "Container to hold the local key definition.";
             uses asymmetric-key-pair-with-cert-grouping;
           }
         }
         case keystore {
           if-feature "keystore-supported";
           container keystore-reference {
             uses asymmetric-key-certificate-ref-grouping;
             description
               "A reference to a specific certificate (and its
                associated private key) in the keystore.";
           }
         }
         description
           "A choice between an inlined definition and a definition
            that exists in the keystore.";
       }
     }

     grouping keystore-grouping {
       description
         "Grouping definition enables use in other contexts.  If ever
          done, implementations SHOULD augment new 'case' statements
          into local-or-keystore 'choice' statements to supply leafrefs
          to the new location.";
       container asymmetric-keys {
         description
           "A list of asymmetric keys.";
         list asymmetric-key {
           key "name";
           description
             "An asymmetric key.";
           leaf name {
             type string;
             description
               "An arbitrary name for the asymmetric key.";
           }
           uses ks:asymmetric-key-pair-with-certs-grouping;
         }
         action generate-asymmetric-key {
           //nacm:default-deny-all;
           description
             "Requests the device to generate an asymmetric key using
              the specified key algorithm, optionally encrypted using
              a key in the keystore.  The output of this action can be
              used as input to a subsequent configuration request.";
           input {
             leaf algorithm {
               type ct:asymmetric-key-algorithm-t;
               mandatory true;
               description
                 "The algorithm to be used when generating the key.";
               reference
                 "RFC CCCC: Common YANG Data Types for Cryptography";
             }
             container encrypt-with {
               presence
                 "Indicates that the key should be encrypted using
                  the specified symmetric or asymmetric key.
                  If not
                  specified, then the private key is not encrypted
                  when returned.";
               description
                 "A container for the 'key-type' choice.";
               uses key-reference-type-grouping;
             }
           }
           output {
             uses ks:asymmetric-key-pair-grouping;
           }
         } // end generate-asymmetric-key
       }
       container symmetric-keys {
         description
           "A list of symmetric keys.";
         list symmetric-key {
           key "name";
           description
             "A symmetric key.";
           leaf name {
             type string;
             description
               "An arbitrary name for the symmetric key.";
           }
           uses ks:symmetric-key-grouping;
         }
         action generate-symmetric-key {
           //nacm:default-deny-all;
           description
             "Requests the device to generate a symmetric key using
              the specified key algorithm, optionally encrypted using
              a key in the keystore.  The output of this action can be
              used as input to a subsequent configuration request.";
           input {
             leaf algorithm {
               type ct:encryption-algorithm-t;
               mandatory true;
               description
                 "The algorithm to be used when generating the key.";
               reference
                 "RFC CCCC: Common YANG Data Types for Cryptography";
             }
             container encrypt-with {
               presence
                 "Indicates that the key should be encrypted using
                  the specified symmetric or asymmetric key.  If not
                  specified, then the key is not encrypted when
                  returned.";
               description
                 "A container for the 'key-type' choice.";
               uses key-reference-type-grouping;
             }
           }
           output {
             uses ks:symmetric-key-grouping;
           }
         } // end generate-symmetric-key
       }
     } // grouping keystore-grouping

     /*********************************/
     /*   Protocol accessible nodes   */
     /*********************************/

     container keystore {
       nacm:default-deny-write;
       description
         "The keystore contains a list of keys.";
       uses keystore-grouping;
     }

   }

   <CODE ENDS>

4.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC8341] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.  Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations.  These are the subtrees and data nodes
   and their sensitivity/vulnerability:

   /:  The entire data tree defined by this module is sensitive to
      write operations.  For instance, the addition or removal of
      keys, certificates, etc., can dramatically alter the
      implemented security policy.  For this reason, the NACM
      extension "default-deny-write" has been set for the entire data
      tree.

   /keystore/asymmetric-keys/asymmetric-key/private-key:  When
      writing this node, implementations MUST ensure that the
      strength of the key being configured is not greater than the
      strength of the underlying secure transport connection over
      which it is communicated.  Implementations SHOULD fail the
      write-request if ever the strength of the private key is
      greater than the strength of the underlying transport, and
      alert the client that the strength of the key may have been
      compromised.
      Additionally, when deleting this node,
      implementations SHOULD automatically (without explicit request)
      zeroize these keys in the most secure manner available, so as
      to prevent the remnants of their persisted storage locations
      from being analyzed in any meaningful way.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   /keystore/asymmetric-keys/asymmetric-key/private-key:  This node
      is additionally sensitive to read operations such that, in
      normal use cases, it should never be returned to a client.  The
      best reason for returning this node is to support backup/
      restore type workflows.  For this reason, the NACM extension
      "default-deny-all" has been set for this data node.

5.  IANA Considerations

5.1.  The IETF XML Registry

   This document registers one URI in the "ns" subregistry of the IETF
   XML Registry [RFC3688].  Following the format in [RFC3688], the
   following registration is requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-keystore
      Registrant Contact: The NETCONF WG of the IETF.
      XML: N/A, the requested URI is an XML namespace.

5.2.  The YANG Module Names Registry

   This document registers one YANG module in the YANG Module Names
   registry [RFC6020].  Following the format in [RFC6020], the
   following registration is requested:

      name:         ietf-keystore
      namespace:    urn:ietf:params:xml:ns:yang:ietf-keystore
      prefix:       ks
      reference:    RFC VVVV

6.  References

6.1.  Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K. and H. Wang, "Common YANG Data Types for
              Cryptography", draft-ietf-netconf-crypto-types-10 (work in
              progress), July 2019.
   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC6020]  Bjorklund, M., Ed., "YANG - A Data Modeling Language for
              the Network Configuration Protocol (NETCONF)", RFC 6020,
              DOI 10.17487/RFC6020, October 2010.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8341]  Bierman, A. and M. Bjorklund, "Network Configuration
              Access Control Model", STD 91, RFC 8341,
              DOI 10.17487/RFC8341, March 2018.

6.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

   [Std-802.1AR-2009]
              Group, W. -. H. L. L. P. W., "IEEE Standard for Local and
              metropolitan area networks - Secure Device Identity",
              December 2009.

Appendix A.  Change Log

A.1.  00 to 01

   o  Replaced the 'certificate-chain' structures with PKCS#7
      structures.
      (Issue #1)

   o  Added 'private-key' as a configurable data node, and removed the
      'generate-private-key' and 'load-private-key' actions.  (Issue #2)

   o  Moved 'user-auth-credentials' to the ietf-ssh-client module.
      (Issues #4 and #5)

A.2.  01 to 02

   o  Added back 'generate-private-key' action.

   o  Removed 'RESTRICTED' enum from the 'private-key' leaf type.

   o  Fixed up a few description statements.

A.3.  02 to 03

   o  Changed draft's title.

   o  Added missing references.

   o  Collapsed sections and levels.

   o  Added RFC 8174 to Requirements Language Section.

   o  Renamed 'trusted-certificates' to 'pinned-certificates'.

   o  Changed 'public-key' from config false to config true.

   o  Switched 'host-key' from OneAsymmetricKey to definition from RFC
      4253.

A.4.  03 to 04

   o  Added typedefs around leafrefs to common keystore paths

   o  Now tree diagrams reference ietf-netmod-yang-tree-diagrams

   o  Removed Design Considerations section

   o  Moved key and certificate definitions from data tree to groupings

A.5.  04 to 05

   o  Removed trust anchors (now in their own draft)

   o  Added back global keystore structure

   o  Added groupings enabling keys to either be locally defined or a
      reference to the keystore.

A.6.  05 to 06

   o  Added feature "local-keys-supported"

   o  Added nacm:default-deny-all and nacm:default-deny-write

   o  Renamed generate-asymmetric-key to generate-hidden-key

   o  Added an install-hidden-key action

   o  Moved actions inside of the "asymmetric-key" container

   o  Moved some groupings to draft-ietf-netconf-crypto-types

A.7.  06 to 07

   o  Removed a "require-instance false"

   o  Clarified some description statements

   o  Improved the keystore-usage examples

A.8.  07 to 08

   o  Added "local-definition" containers to avoid the possibility of
      the action/notification statements being under a "case"
      statement.
   o  Updated copyright date, boilerplate template, affiliation, folding
      algorithm, and reformatted the YANG module.

A.9.  08 to 09

   o  Added a 'description' statement to the 'must' in the /keystore/
      asymmetric-key node explaining that the descendent values may
      exist in  only, and that implementations MUST assert
      that the values are either configured or that they exist in
      .

   o  Copied above 'must' statement (and description) into the local-or-
      keystore-asymmetric-key-grouping, local-or-keystore-asymmetric-
      key-with-certs-grouping, and local-or-keystore-end-entity-cert-
      with-key-grouping statements.

A.10.  09 to 10

   o  Updated draft title to match new truststore draft title

   o  Moved everything under a top-level 'grouping' to enable use in
      other contexts.

   o  Renamed feature from 'local-keys-supported' to 'local-definitions-
      supported' (same name used in truststore)

   o  Removed the either-all-or-none 'must' expressions for the key's
      3-tuple values (since the values are now 'mandatory true' in
      crypto-types)

   o  Example updated to reflect 'mandatory true' change in crypto-types
      draft

A.11.  10 to 11

   o  Replaced typedef asymmetric-key-certificate-ref with grouping
      asymmetric-key-certificate-ref-grouping.

   o  Added feature 'key-generation'.

   o  Cloned groupings symmetric-key-grouping, asymmetric-key-pair-
      grouping, asymmetric-key-pair-with-cert-grouping, and asymmetric-
      key-pair-with-certs-grouping from crypto-keys, augmenting into
      each new case statements for values that have been encrypted by
      other keys in the keystore.  Refactored keystore model to use
      these groupings.

   o  Added new 'symmetric-keys' list, as a sibling to the existing
      'asymmetric-keys' list.

   o  Added RPCs (not actions) 'generate-symmetric-key' and 'generate-
      asymmetric-key' to *return* a (potentially encrypted) key.

A.12.  11 to 12

   o  Updated to reflect crypto-types draft using enumerations over
      identities.

   o  Added examples for the 'generate-symmetric-key' and 'generate-
      asymmetric-key' RPCs.

   o  Updated the Introduction section.

A.13.  12 to 13

   o  Updated examples to incorporate new "key-format" identities.

   o  Made the two "generate-*-key" RPCs be "action" statements instead.

Acknowledgements

   The authors would like to thank the following for lively discussions
   on list and in the halls (ordered by first name): Alan Luchuk, Andy
   Bierman, Benoit Claise, Bert Wijnen, Balazs Kovacs, David Lamparter,
   Eric Voit, Ladislav Lhotka, Liang Xia, Juergen Schoenwaelder, Mahesh
   Jethanandani, Martin Bjorklund, Mehmet Ersue, Phil Shafer, Radek
   Krejci, Ramkumar Dhanapal, Reshad Rahman, Sean Turner, and Tom Petch.

Author's Address

   Kent Watsen
   Watsen Networks

   EMail: kent+ietf@watsen.net
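   The checks below are an added example, not code from this draft or
   from any keystore implementation.  They cover two rules stated above:
   the referential constraints of the Section 3.3 module (the
   symmetric-key-ref/asymmetric-key-ref leafrefs behind
   encrypted-value-grouping, and the paired 'must' statements of
   asymmetric-key-certificate-ref-grouping), and the Section 4
   requirement that a private key written under
   /keystore/asymmetric-keys/asymmetric-key not be stronger than the
   transport that carried it.  The instance data is constructed; the
   'algorithm' leaf and every enumeration label other than 'rsa2048' are
   assumed from the imported ietf-crypto-types module; the strength
   figures are the NIST SP 800-57 Part 1 comparable strengths.  The
   cycle check goes beyond what the module itself can express, since a
   leafref cannot forbid a key from being wrapped by itself.

```python
"""Pre-commit checks on an ietf-keystore instance (added example, not the
draft's code). Element names follow the ietf-keystore module; the 'algorithm'
leaf is assumed from the imported ietf-crypto-types grouping."""
import xml.etree.ElementTree as ET

KS = "{urn:ietf:params:xml:ns:yang:ietf-keystore}"

# Comparable security strengths in bits (NIST SP 800-57 Part 1). The draft's
# examples show only 'rsa2048'; the other enumeration labels are assumed.
KEY_STRENGTH_BITS = {"rsa2048": 112, "rsa3072": 128, "rsa7680": 192,
                     "rsa15360": 256, "secp256r1": 128, "secp384r1": 192,
                     "secp521r1": 256}

# Constructed instance data: one well-formed key with a certificate, one key
# wrapped by itself, and one key whose reference points at a missing key.
SAMPLE_KEYSTORE = f"""<keystore xmlns="{KS[1:-1]}">
  <symmetric-keys><symmetric-key><name>kek</name></symmetric-key></symmetric-keys>
  <asymmetric-keys>
    <asymmetric-key><name>rsa-asymmetric-key</name><algorithm>rsa2048</algorithm>
      <encrypted-private-key><symmetric-key-ref>kek</symmetric-key-ref>
        <value>base64encodedvalue==</value></encrypted-private-key>
      <certificates><certificate><name>ex-rsa-cert</name></certificate></certificates>
    </asymmetric-key>
    <asymmetric-key><name>self-wrapped</name><algorithm>rsa3072</algorithm>
      <encrypted-private-key><asymmetric-key-ref>self-wrapped</asymmetric-key-ref>
        <value>base64encodedvalue==</value></encrypted-private-key>
    </asymmetric-key>
    <asymmetric-key><name>orphan</name><algorithm>rsa2048</algorithm>
      <encrypted-private-key><symmetric-key-ref>no-such-key</symmetric-key-ref>
        <value>base64encodedvalue==</value></encrypted-private-key>
    </asymmetric-key>
  </asymmetric-keys>
</keystore>"""


def _text(elem, child):
    node = elem.find(KS + child)
    return node.text.strip() if node is not None and node.text else None


def _parse_ref(elem, container):
    """(kind, name) from an augmented encrypted-* container, or None. The
    key-type choice is 'mandatory true', so exactly one ref leaf must be set."""
    enc = elem.find(KS + container)
    if enc is None:
        return None
    sym, asym = _text(enc, "symmetric-key-ref"), _text(enc, "asymmetric-key-ref")
    if (sym is None) == (asym is None):
        raise ValueError(f"{container}: exactly one key-type ref is required")
    return ("symmetric", sym) if sym else ("asymmetric", asym)


def load_keystore(xml_text):
    """Parse <keystore> into dicts keyed by the list key 'name' (unique per list)."""
    root = ET.fromstring(xml_text)
    ks = {"symmetric": {}, "asymmetric": {}}
    for kind, container in (("symmetric", "encrypted-key"),
                            ("asymmetric", "encrypted-private-key")):
        for key in root.iterfind(f"{KS}{kind}-keys/{KS}{kind}-key"):
            name = _text(key, "name")
            if name in ks[kind]:
                raise ValueError(f"duplicate {kind}-key {name!r}")
            ks[kind][name] = {
                "algorithm": _text(key, "algorithm"),
                "encrypted_by": _parse_ref(key, container),
                "certificates": {_text(c, "name") for c in key.iterfind(
                    f"{KS}certificates/{KS}certificate")}}
    return ks


def check_encryption_refs(ks):
    """Resolve every *-key-ref (the module's leafrefs) and also reject cycles."""
    problems = []
    for kind in ("symmetric", "asymmetric"):
        for name in ks[kind]:
            seen, current = {(kind, name)}, ks[kind][name]["encrypted_by"]
            while current is not None:
                ref_kind, ref = current
                if ref not in ks[ref_kind]:
                    problems.append(f"{name}: {ref_kind}-key-ref {ref!r} does not resolve")
                    break
                if (ref_kind, ref) in seen:
                    problems.append(f"{name}: encryption chain loops back to {ref!r}")
                    break
                seen.add((ref_kind, ref))
                current = ks[ref_kind][ref]["encrypted_by"]
    return problems


def check_certificate_ref(ks, asymmetric_key, certificate):
    """asymmetric-key-certificate-ref-grouping: both leaves set (its two 'must'
    statements) and the certificate lives under the named key."""
    if asymmetric_key is None or certificate is None:
        return "asymmetric-key and certificate must both be set"
    key = ks["asymmetric"].get(asymmetric_key)
    if key is None:
        return f"asymmetric-key {asymmetric_key!r} does not resolve"
    if certificate not in key["certificates"]:
        return f"certificate {certificate!r} is not under {asymmetric_key!r}"
    return None


def check_key_strength(ks, transport_bits):
    """Section 4: fail the write if a private key is stronger than the session
    that carried it. transport_bits is the weakest of key exchange, cipher and
    peer authentication, e.g. min(128, 128, 112) for ECDHE-P256/AES-128/RSA-2048."""
    problems = []
    for name, key in ks["asymmetric"].items():
        bits = KEY_STRENGTH_BITS.get(key["algorithm"])
        if bits is None:
            problems.append(f"{name}: unknown algorithm {key['algorithm']!r}")
        elif bits > transport_bits:
            problems.append(f"{name}: {bits}-bit key exceeds {transport_bits}-bit transport")
    return problems
```

   A server would run load_keystore() on the configuration that an
   edit-config would produce, call check_encryption_refs() and
   check_key_strength() with the strength of the session that delivered
   the request, and reject the request if either list is non-empty; the
   same reference checks apply to the 'encrypt-with' input of the
   generate-*-key actions before a key is wrapped under a keystore key.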