-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathietf-voucher-request.yang
166 lines (139 loc) · 5.64 KB
/
ietf-voucher-request.yang
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
module ietf-voucher-request {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-voucher-request";
prefix "vcr";
import ietf-restconf {
prefix rc;
description "This import statement is only present to access
the yang-data extension defined in RFC 8040.";
reference "RFC 8040: RESTCONF Protocol";
}
import ietf-voucher {
prefix vch;
description "This module defines the format for a voucher,
which is produced by a pledge's manufacturer or
delegate (MASA) to securely assign a pledge to
an 'owner', so that the pledge may establish a secure
connection to the owner's network infrastructure";
reference "RFC 8366: Voucher Artifact for
Bootstrapping Protocols";
}
organization
"IETF ANIMA Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/anima/>
WG List: <mailto:[email protected]>
Author: Kent Watsen
<mailto:[email protected]>
Author: Michael H. Behringer
<mailto:[email protected]>
Author: Toerless Eckert
<mailto:[email protected]>
Author: Max Pritikin
<mailto:[email protected]>
Author: Michael Richardson
<mailto:[email protected]>";
description
"This module defines the format for a voucher request.
It is a superset of the voucher itself.
It provides content to the MASA for consideration
during a voucher request.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
'MAY', and 'OPTIONAL' in this document are to be interpreted as
described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
they appear in all capitals, as shown here.
Copyright (c) 2019 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision "YYYY-MM-DD" {
description
"Initial version";
reference
"RFC XXXX: Bootstrapping Remote Secure Key Infrastructure";
}
// Top-level statement
rc:yang-data voucher-request-artifact {
uses voucher-request-grouping;
}
// Grouping defined for future usage
grouping voucher-request-grouping {
description
"Grouping to allow reuse/extensions in future work.";
uses vch:voucher-artifact-grouping {
refine "voucher/created-on" {
mandatory false;
}
refine "voucher/pinned-domain-cert" {
mandatory false;
description "A pinned-domain-cert field
is not valid in a voucher request, and
any occurrence MUST be ignored";
}
refine "voucher/last-renewal-date" {
description "A last-renewal-date field
is not valid in a voucher request, and
any occurrence MUST be ignored";
}
refine "voucher/domain-cert-revocation-checks" {
description "The domain-cert-revocation-checks field
is not valid in a voucher request, and
any occurrence MUST be ignored";
}
refine "voucher/assertion" {
mandatory false;
description "Any assertion included in registrar voucher
requests SHOULD be ignored by the MASA.";
}
augment "voucher" {
description
"Adds leaf nodes appropriate for requesting vouchers.";
leaf prior-signed-voucher-request {
type binary;
description
"If it is necessary to change a voucher, or re-sign and
forward a voucher that was previously provided along a
protocol path, then the previously signed voucher SHOULD
be included in this field.
For example, a pledge might sign a voucher request
with a proximity-registrar-cert, and the registrar
then includes it as the prior-signed-voucher-request
field. This is a simple mechanism for a chain of
trusted parties to change a voucher request, while
maintaining the prior signature information.
The Registrar and MASA MAY examine the prior signed
voucher information for the
purposes of policy decisions. For example this
information could be useful to a MASA to determine
that both pledge and registrar agree on proximity
assertions. The MASA SHOULD remove all
prior-signed-voucher-request information when
signing a voucher for imprinting so as to minimize
the final voucher size.";
}
leaf proximity-registrar-cert {
type binary;
description
"An X.509 v3 certificate structure as specified by
RFC 5280, Section 4 encoded using the ASN.1
distinguished encoding rules (DER), as specified
in [ITU.X690.1994].
The first certificate in the Registrar TLS server
certificate_list sequence (the end-entity TLS
certificate, see [RFC8446]) presented by the Registrar
to the Pledge.
This MUST be populated in a Pledge's voucher request
when a proximity assertion is requested.";
}
}
}
}
}