[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03

N/A                                                               J. Sun
Internet-Draft                                                  M. Irani
Intended status: Informational                                 T. Nguyen
Expires: January 9, 2020        Naval Information Warfare Center Pacific
                                                               R. Purvis
                                                   The MITRE Corporation
                                                               S. Turner
                                                                   sn3rd
                                                            July 8, 2019


                    Common Cryptographic MIB (CCMIB)
                         draft-turner-ccmib-03

Abstract

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it describes managed objects used to
   manage key management implementations including asymmetric keys,
   symmetric keys, trust anchors, and cryptographic-related firmware.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 9, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Sun, et al.              Expires January 9, 2020                [Page 1]


Internet-Draft                    CCMIB                        July 2019


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  The Internet-Standard Management Framework  . . . . . . . . .   3
   4.  Structure of the MIB module . . . . . . . . . . . . . . . . .   3
   5.  Definition of the CC MIB module . . . . . . . . . . . . . . .   3
     5.1.  Assignments . . . . . . . . . . . . . . . . . . . . . . .   3
     5.2.  Feature Hierarchy . . . . . . . . . . . . . . . . . . . .   4
     5.3.  Device Info . . . . . . . . . . . . . . . . . . . . . . .   6
     5.4.  Key Management Information  . . . . . . . . . . . . . . .  24
     5.5.  Key Transfer Pull . . . . . . . . . . . . . . . . . . . .  81
     5.6.  Key Transfer Push . . . . . . . . . . . . . . . . . . . .  96
     5.7.  Security Policy Information . . . . . . . . . . . . . . . 109
     5.8.  Secure Connection Information . . . . . . . . . . . . . . 115
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . 123
   7.  Security Considerations . . . . . . . . . . . . . . . . . . . 123
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . . 124
     8.1.  Normative References  . . . . . . . . . . . . . . . . . . 124
     8.2.  Informative References  . . . . . . . . . . . . . . . . . 125
   Appendix A.  Contributors . . . . . . . . . . . . . . . . . . . . 126
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . 126

1.  Introduction

   RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH PRIOR TO
   PUBLICATION

   The source for this draft is maintained in GitHub.  Suggested changes
   should be submitted as pull requests at
   https://github.com/seanturner/draft-turner-ccmib.  Instructions are
   on that page as well.  Editorial changes can be managed in GitHub.

   This document defines a portion of the Management Information Base
   (MIB) for use with network management protocols in the Internet
   community.  In particular, it describes managed objects used to
   manage key management implementations including asymmetric keys,
   symmetric keys, trust anchors, and cryptographic-related firmware.







Sun, et al.              Expires January 9, 2020                [Page 2]


Internet-Draft                    CCMIB                        July 2019


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in RFC 2578
   [RFC2578], STD 58, RFC 2579 [RFC2579], and STD 58, RFC 2580
   [RFC2580].

4.  Structure of the MIB module

5.  Definition of the CC MIB module

5.1.  Assignments

   This MIB module makes reference to the following document: [RFC2578].






















Sun, et al.              Expires January 9, 2020                [Page 3]


Internet-Draft                    CCMIB                        July 2019


    CC-ASSIGNMENTS-MIB  DEFINITIONS  ::= BEGIN

    IMPORTS
        MODULE-IDENTITY, enterprises
            FROM SNMPv2-SMI;                                 -- RFC 2578

    ccAssignmentsMIB MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
           "CC MIB Configuration Control Board
            Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB tree hierarchical assignments
            below it and acts as a reservation mechanism.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documennts
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
        REVISION      "201609302154Z"
    -- RFC EDITOR: Please update XXXX with the assigned RFC number.
        DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
        ::= { ccmib 3 }

    ccmib    OBJECT IDENTIFIER ::= { enterprise 34493 }

    --
    -- Note: Current top-level OID assignments within the CC MIB tree:
    --    ccmib.3   : CC-ASSIGNMENTS-MIB (this MIB)
    --    ccmib.3.1 : CC-FEATURE-HIERARCHY-MIB

    END

5.2.  Feature Hierarchy

   This MIB module makes reference to the following document: [RFC2578].

       CC-FEATURE-HIERARCHY-MIB  DEFINITIONS  ::= BEGIN




Sun, et al.              Expires January 9, 2020                [Page 4]


Internet-Draft                    CCMIB                        July 2019


       IMPORTS
           ccAssignmentsMIB
               FROM CC-ASSIGNMENTS-MIB               -- FROM Section 5.1
           MODULE-IDENTITY
               FROM SNMPv2-SMI;                      -- FROM RFC 2578

       ccFeatureHierarchyMIB MODULE-IDENTITY
           LAST-UPDATED  "201609302154Z"
           ORGANIZATION  "CCMIB CCB"
           CONTACT-INFO
               "CC MIB Configuration Control Board
                Email: CCMIB.CCB@us.af.mil"
           DESCRIPTION
               "This MIB defines the CC MIB features in hierarchical MIB
               tree assignments.  It acts as a reservation mechanism for
               other MIB sets to be anchored below it.

               Copyright (c) 2019 IETF Trust and the persons
               identified as authors of the code.  All rights reserved.

               Redistribution and use in source and binary forms, with
               or without modification, is permitted pursuant to, and
               subject to the license terms contained in, the Simplified
               BSD License set forth in Section 4.c of the IETF Trust's
               Legal Provisions Relating to IETF Documents
               (http://trustee.ietf.org/license-info).

               This version of this MIB module is part of RFC xxxx;
               see the RFC itself for full legal notices."
       -- RFC Ed.: RFC-editor please fill in xxxx.
           REVISION      "201609302154Z"
           DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
       -- RFC Ed.: RFC-editor please fill in xxxx.
           ::= { ccAssignmentsMIB 1 }

       ccDeviceInfo  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 2 }
       ccKeyManagement  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 3 }
       ccKeyTransferPull  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 4 }
       ccKeyTransferPush  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 5 }
       ccSecurePolicyInfo  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 6 }
       ccSecureConnectionInfo  OBJECT IDENTIFIER
           ::= { ccFeatureHierarchyMIB 7 }




Sun, et al.              Expires January 9, 2020                [Page 5]


Internet-Draft                    CCMIB                        July 2019


       END

5.3.  Device Info

   This MIB module makes reference to the following documents:
   [RFC1213], [RFC2578], [RFC2579], [RFC2580], [RFC3411], and [RFC3418].

    CC-DEVICE-INFO-MIB  DEFINITIONS  ::=  BEGIN

    IMPORTS
        ccDeviceInfo
            FROM CC-FEATURE-HIERARCHY-MIB              -- FROM Sec 5.2
        MODULE-COMPLIANCE, OBJECT-GROUP,
        NOTIFICATION-GROUP
            FROM SNMPv2-CONF                           -- FROM RFC 2580
        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY, TimeTicks
            FROM SNMPv2-SMI                            -- FROM RFC 2578
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                    -- FROM RFC 3411
        DateAndTime, TruthValue, TimeStamp
            FROM SNMPv2-TC;                            -- FROM RFC 2579

    ccDeviceInfoMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Device Information objects.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   ""CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.



Sun, et al.              Expires January 9, 2020                [Page 6]


Internet-Draft                    CCMIB                        July 2019


        ::= { ccDeviceInfo 1 }

    -- *****************************************************************
    -- Device Information Segments
    -- *****************************************************************

    cDeviceInfoConformance  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 1 }
    cDeviceComponentVersInfo  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 2 }
    cBatteryInfo  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 3 }
    cFirmwareInfo  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 4 }
    cDeviceInfoScalars  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 5 }
    cDeviceInfoNotify  OBJECT IDENTIFIER
        ::= { ccDeviceInfoMIB 6 }

    -- *****************************************************************
    -- General Device Information Scalars
    -- *****************************************************************

    cSystemDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The host's notion of the local date and time of day. Note,
            some implementations will not allow changing of this object
            and will send an inconsistentValue error."
        ::= { cDeviceInfoScalars 1 }

    cSystemUpTime  OBJECT-TYPE
        SYNTAX      TimeTicks
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The amount of time since this host was last initialized.
            Note that this is different from sysUpTime in the SNMPv2-MIB
            RFC 3418 because sysUpTime is the uptime of the network
            management portion of the system."
        ::= { cDeviceInfoScalars 2 }

    cSystemInitialLoadParameters  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..128))
        MAX-ACCESS  read-write
        STATUS      current



Sun, et al.              Expires January 9, 2020                [Page 7]


Internet-Draft                    CCMIB                        July 2019


        DESCRIPTION
            "This object contains the parameters (e.g., a pathname and
            parameter) supplied to the load device when requesting the
            initial operating system configuration from that device.

            Note that writing to this object just changes the
            configuration that will be used the next time the operating
            system is loaded and does not actually cause the reload to
            occur."
        ::= { cDeviceInfoScalars 3 }

    cSecurityLevel  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(0..255))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The security level that this object is working at.
            Different communities of interest may have different
            conventions. The following values are defined and when used
            by agents have specific meaning: UNCLASSIFIED, RESTRICTED,
            CONFIDENTIAL, SECRET, TOP_SECRET."
        ::= { cDeviceInfoScalars 4 }

    cElectronicSerialNumber  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The Electronic Serial Number of the device. This may be the
            chassis serial number or an internal serial number."
        ::= { cDeviceInfoScalars 5 }

    cLastChanged  OBJECT-TYPE
        SYNTAX      TimeTicks
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of cSystemUpTime the last time any configurable
            object within the MIBs supported by the device has been
            modified, created, or deleted by either SNMP, agent, or
            other management method (e.g., via an HMI). Managers can
            use this object to ensure that no changes to any
            configuration within the device have happened since the last
            time it examined the device. A value of 0 indicates that no
            objects have been changed since the agent initialized."
        ::= { cDeviceInfoScalars 6 }

    cResetDevice  OBJECT-TYPE



Sun, et al.              Expires January 9, 2020                [Page 8]


Internet-Draft                    CCMIB                        July 2019


        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The indication of whether a device should be reset. Setting
            this object to 'true' will perform a reset operation of the
            device. This must not affect the state of any persistent
            configuration data, zeroize any of the key material or erase
            the audit log. When read this object should return false.
            When set to false this object must not perform any operation
            but should accept this as a valid SET operation."
        ::= { cDeviceInfoScalars 7 }

    cSanitizeDevice  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The indication of whether persistent data should be erased.
            Setting this object to 'true' will erase all persistent data
            and return the box to an uninitialized state. It will
            zeroize all keying data, erase all persistent storage and
            auditing information. Setting this object will certainly
            render the device unreachable from distant managers since it
            will be unconfigured. When read this object should return
            false. When set to false this object must not perform any
            operation but should accept this as a valid SET operation."
        ::= { cDeviceInfoScalars 8 }

    cRenderInoperable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The indication of whether persistent data should be erased.
            Setting this object to 'true' will erase all persistent data
            and return the box to an uninitialized state. It will
            zeroize all keying data, erase all persistent storage and
            auditing information. In addition, when supported, the
            device is expected to perform some internal function that
            will make the box unusable without returning to the factory
            or some equivalent. Setting this object will certainly
            render the device unreachable from distant managers since it
            will be unconfigured. When read this object should return
            false. When set to false this object must not perform any
            operation but should accept this as a valid SET operation."
        ::= { cDeviceInfoScalars 9 }




Sun, et al.              Expires January 9, 2020                [Page 9]


Internet-Draft                    CCMIB                        July 2019


    cVendorName OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This object stores the device's vendor name and is intended
            to be displayed and meaningful to the human operator (e.g.
            Flinstones Inc). In other words, this object is not intended
            to store the vendor's authoritative identification value
            (i.e., sysObjectID RFC 1213)."
        ::= { cDeviceInfoScalars 10 }

    cModelIdentifier OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This object stores the device's model identifier. In
            general, this would include the model name and model
            number."
        ::= { cDeviceInfoScalars 11 }

    cHardwareVersionNumber OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This object stores the device's hardware version."
        ::= { cDeviceInfoScalars 12 }

    -- *****************************************************************
    -- Device Information Notifications
    -- *****************************************************************

    cFirmwareInstallFailed  NOTIFICATION-TYPE
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating a firmware install failed."
        ::= { cDeviceInfoNotify 1 }

    cFirmwareInstallSuccess  NOTIFICATION-TYPE
         OBJECTS     {
                         cFirmwareName,
                         cFirmwareVersion,
                         cFirmwareSource
                     }
         STATUS      current



Sun, et al.              Expires January 9, 2020               [Page 10]


Internet-Draft                    CCMIB                        July 2019


         DESCRIPTION
             "A notification from the device to the management station
             indicating a firmware intsall succeeded."
         ::= {cDeviceInfoNotify 2}

    cResetDeviceInitialized  NOTIFICATION-TYPE
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating that the device is being reset due to a change in
            the value of cResetDevice. This notification should be sent
            before the device performs any other reset operations (such
            as shutting down interfaces, etc.)"
        ::= { cDeviceInfoNotify 3 }

    cSanitizeDeviceInitialized  NOTIFICATION-TYPE
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating that the device is being sanitized due to a
            change in the value of cSanitizeDevice. This notification
            should be sent before the device performs any other sanitize
            operations (such as shutting down interfaces, etc.)"
        ::= { cDeviceInfoNotify 4 }

    cTamperEventIndicated  NOTIFICATION-TYPE
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating that the device has detected a tamper event. This
            notification should be sent before the device performs any
            operations (such as shutting down interfaces, etc.)"
        ::= { cDeviceInfoNotify 5 }

    cBatteryLow  NOTIFICATION-TYPE
        OBJECTS     {
                        cBatteryType,
                        cBatteryOpStatus,
                        cBatteryLowThreshold
                    }
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating a battery has reached the threshold at which a
            battery warning is indicated."
        ::= { cDeviceInfoNotify 6 }

     cBatteryRequiresReplacement  NOTIFICATION-TYPE



Sun, et al.              Expires January 9, 2020               [Page 11]


Internet-Draft                    CCMIB                        July 2019


         OBJECTS     { cBatteryType, cBatteryOpStatus }
         STATUS      current
         DESCRIPTION
             "A notification from the device to the management station
             indicating a battery should be charged or changed
             immediately."
         ::= { cDeviceInfoNotify 7 }

     cDeviceOnBattery  NOTIFICATION-TYPE
         OBJECTS     { cBatteryType, cBatteryOpStatus }
         STATUS      current
         DESCRIPTION
             "A notificiation from the device to the management station
             indicating the device is on battery power. This
             notification is sent when the device is no longer
             connected to an external power source and is operating
             using a battery for main power."
         ::= { cDeviceInfoNotify 8 }

    cDeviceComponentDisabled  NOTIFICATION-TYPE
        OBJECTS     {
                        cDeviceComponentName,
                        cDeviceComponentVersion,
                        cDeviceComponentOpStatus
                    }
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating a component described in the
            cDeviceComponentVersTable has been disabled."
        ::= { cDeviceInfoNotify 9 }

    cDeviceComponentEnabled  NOTIFICATION-TYPE
        OBJECTS     {
                        cDeviceComponentName,
                        cDeviceComponentVersion
                    }
        STATUS      current
        DESCRIPTION
            "A notification from the device to the management station
            indicating a component described in the
            cDeviceComponentVersTable has been enabled."
        ::= { cDeviceInfoNotify 10 }

    -- *****************************************************************
    -- CC MIB cDeviceComponentVersTable
    -- *****************************************************************




Sun, et al.              Expires January 9, 2020               [Page 12]


Internet-Draft                    CCMIB                        July 2019


    cDeviceComponentVersTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cDeviceComponentVersTable."
        ::= { cDeviceComponentVersInfo 1 }

    cDeviceComponentVersTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cDeviceComponentVersInfo 2 }

    cDeviceComponentVersTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CDeviceComponentVersEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing a description of the specification
            versions of components or specifications supported by the
            ECU. Note that it is possible for multiple versions of a
            given specification to be registered within the table."
        ::= { cDeviceComponentVersInfo 3 }

    cDeviceComponentVersEntry  OBJECT-TYPE
        SYNTAX      CDeviceComponentVersEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing a module descriptive name and its version
            that is supported by this device."
        INDEX      { cDeviceComponentName, cDeviceComponentVersion }
        ::= { cDeviceComponentVersTable 1 }

    cDeviceComponentVersEntry  ::= SEQUENCE
        {
          cDeviceComponentName        SnmpAdminString,
          cDeviceComponentVersion     SnmpAdminString,



Sun, et al.              Expires January 9, 2020               [Page 13]


Internet-Draft                    CCMIB                        July 2019


          cDeviceComponentOpStatus    INTEGER,
          cDeviceComponentDescription OCTET STRING
        }

    cDeviceComponentName  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..32))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The module name or specification name. The string value to
            be used in this field should be documented in the text of
            the specification a given row is reporting information on.

            Specification names beginning with a prefix of 'vendor-' are
            reserved for private use by the vendor of the device.

            The string 'device' (exact) is reserved for vendors to
            register a software revision version of the device.

            The string 'hardware' (exact) is reserved for vendors to
            register a model number of the hardware of the device."
        ::= { cDeviceComponentVersEntry 1 }

    cDeviceComponentVersion  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..32))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The version of the specification or module name listed in
            the cDeviceComponentName object field in this row. The
            string value to be used in this field should be documented
            in the text of a specification, of the device, or elsewhere.
            If the cDeviceComponentName begins with a 'vendor-' prefix,
            the format of this field is vendor specific."
        ::= { cDeviceComponentVersEntry 2 }

    cDeviceComponentOpStatus  OBJECT-TYPE
        SYNTAX      INTEGER { up(1), notReady(2),
                              administrativelyDown(3) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The current operational state of the interface feature.

            This row may be used to enable/disable components or modules
            in the device, and some implementations may allow for
            various versions of a component to be activated. Devices may
            use this construct to roll back versions of a device



Sun, et al.              Expires January 9, 2020               [Page 14]


Internet-Draft                    CCMIB                        July 2019


            software, or to allow various software feature versions to
            be installed.

            Agents may reject the changing this object for certain rows.
            An example of this is changing the operational status of a
            row that describes the software the device and not a
            particular feature. In this event, the agent should return
            an inconsistentValue error."
        ::= { cDeviceComponentVersEntry 3 }

    cDeviceComponentDescription OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS read-write
        STATUS      current
        DESCRIPTION
            "A description of the component. Agents may reject the
            changing this object certain rows. In this event, the agent
            should return an inconsistentValue error."
        ::= { cDeviceComponentVersEntry 4 }

    -- *****************************************************************
    -- CC MIB cBatteryInfoTable
    -- *****************************************************************

    cBatteryInfoTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cBatteryInfoTable."
        ::= { cBatteryInfo 1 }

    cBatteryInfoTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management
            method (e.g., via an HMI). Managers can use this object to
            ensure that no changes to configuration of this table have
            happened since the last time it examined the table. A
            value of 0 indicates that no entry has been changed since
            the agent initialized.  The value in CC-DEVICE-INFO-MIB
            cSystemUpTime should be used to populate this column."
        ::= { cBatteryInfo 2 }

    cBatteryInfoTable  OBJECT-TYPE



Sun, et al.              Expires January 9, 2020               [Page 15]


Internet-Draft                    CCMIB                        July 2019


        SYNTAX      SEQUENCE OF CBatteryInfoEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing information on each of the batteries
            installed in the device."
        ::= { cBatteryInfo 3 }

    cBatteryInfoEntry  OBJECT-TYPE
        SYNTAX      CBatteryInfoEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
           "A row contining information on a specific battery. If a
           device cannot return status of a battery it should not
           create a row in this table for that battery."
        INDEX      { cBatteryIndex }
        ::= { cBatteryInfoTable 1 }

    CBatteryInfoEntry  ::= SEQUENCE
        {
            cBatteryIndex            Unsigned32,
            cBatteryType             INTEGER,
            cBatteryOpStatus         INTEGER,
            cBatteryLowThreshold     Integer32
        }

    cBatteryIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A numerical index used to identify the battery. This value
            uniquely identifies a battery on this device. The value
            should be persistent for a given battery, but management
            stations should not depend on it as it may not be possible
            for some devices to retain identical indexes (especially
            across reboots)."
        ::= { cBatteryInfoEntry 1 }

    cBatteryType  OBJECT-TYPE
        SYNTAX      INTEGER { other(1), main(2), clock(3), security(4) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of battery. Main(2) batteries are used for
            operation of the device when not connected to a power
            source. Clock(3) is used to describe batteries which cannot



Sun, et al.              Expires January 9, 2020               [Page 16]


Internet-Draft                    CCMIB                        July 2019


            provide main power to the device but maintain clock or
            other persistent data. Security(4) is used for batteries
            which perform specific security functions or which may
            render the device inoperable when the battery is depleted.
            If a battery is used for both clock and security, Security
            should be returned. Other(1) describes a battery which is
            not otherwise defined here."
        ::= { cBatteryInfoEntry 2 }

    cBatteryOpStatus  OBJECT-TYPE
        SYNTAX      INTEGER { unknown(1), batteryNormal(2),
                              batteryLow(3), batteryDepleted(4),
                              batteryMissing(5) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indication of the status of the battery."
        ::= { cBatteryInfoEntry 3 }

    cBatteryLowThreshold  OBJECT-TYPE
        SYNTAX      Integer32 (0..100)
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The percentage of capacity at which the cBatteryLow
            notification will be generated. A value of zero indicates
            that the notification should never be sent for this
            battery. This object should not be implemented if the
            device will detect a low battery, but the actual percentage
            is not measurable. This object only needs be writable for
            implementations that support modification of the warning
            level percentage."
        ::= { cBatteryInfoEntry 4 }

    -- *****************************************************************
    -- CC MIB cFirmwareInformationTable
    -- *****************************************************************

    cFirmwareInformationTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cFirmwareInformationTable."
        ::= { cFirmwareInfo 1 }

    cFirmwareInformationTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp



Sun, et al.              Expires January 9, 2020               [Page 17]


Internet-Draft                    CCMIB                        July 2019


        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management
            method (e.g., via an HMI). Managers can use this object to
            ensure that no changes to configuration of this table have
            happened since the last time it examined the table. A value
            of 0 indicates that no entry has been changed since the
            agent initialized. The value in CC-DEVICE-INFO-MIB
            cSystemUpTime should be used to populate this column."
        ::= { cFirmwareInfo 2 }

    cFirmwareInformationTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CFirmwareInformationEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A table that lists firmware versions available in the device, along
            with their versions and type. This is used to list currently loaded
            firmware versions of running firmware and other available firmware
            versions in support of returning to a previous version of the
            firmware."
        ::= { cFirmwareInfo 3 }

    cFirmwareInformationEntry  OBJECT-TYPE
        SYNTAX      CFirmwareInformationEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing a firmware package name, version, and source."
        INDEX      { cFirmwareName }
        ::= { cFirmwareInformationTable 1 }

    CFirmwareInformationEntry  ::= SEQUENCE
        {
           cFirmwareName                    OCTET STRING,
           cFirmwareVersion                 SnmpAdminString,
           cFirmwareSource                  SnmpAdminString,
           cFirmwareRunning                 TruthValue,
           cFirmwareRowStatus               RowStatus
        }

    cFirmwareName  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020               [Page 18]


Internet-Draft                    CCMIB                        July 2019


           "Unique identifier provided in the firmware package."
        ::= { cFirmwareInformationEntry 1 }

    cFirmwareVersion  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Version of firmware (provided in the package); for legacy
            firmware packages, this column would be the empty string,
            ''."
        ::= { cFirmwareInformationEntry 2 }

    cFirmwareSource  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
           "This column is used by the implementation to describe how
           the firmware was received. Agents may use any string which
           adequately describes the interface such as 'USB.' Agents may
           also reference entries in the ifTable when appropriate. If
           received using a Cryptographic Device Material server, the
           exact URI that was used to retrieve the firmware package
           would be configured in this column."
        ::= { cFirmwareInformationEntry 3 }

    cFirmwareRunning  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Indicates if the firmware is currently running. Only one
            row in the table should have this object set to True at
            any given time. If this object is set from False to True,
            the agent must install the firmware, uninstall the previous
            running firmware and change the cFirmwareRunning object for
            the previous running firmware from True to False."
        ::= { cFirmwareInformationEntry 4 }

    cFirmwareRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The status of the row, by which old entries may be deleted
            from this table.




Sun, et al.              Expires January 9, 2020               [Page 19]


Internet-Draft                    CCMIB                        July 2019


            At a minimum, implementations must support destroy
            management functions.  Support for active, notInService,
            and notReady management functions is optional."
        ::= {cFirmwareInformationEntry 5}

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cDeviceInfoCompliances  OBJECT IDENTIFIER
        ::= { cDeviceInfoConformance 1}

    cDeviceInfoGroups  OBJECT IDENTIFIER
        ::= { cDeviceInfoConformance 2}

    cDeviceInfoSystemCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for system information."
        MODULE
        MANDATORY-GROUPS { cDeviceInfoSystemGroup }

        GROUP cDeviceInfoSystemNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cSystemInitialLoadParameters
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cSecurityLevel
        MIN-ACCESS not-accessible
        DESCRIPTION
        "Implementation of this object is optional."

        cSanitizeDevice
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cRenderInoperable
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
        ::= { cDeviceInfoCompliances 1 }

    cDeviceInfoComponentCompliance MODULE-COMPLIANCE



Sun, et al.              Expires January 9, 2020               [Page 20]


Internet-Draft                    CCMIB                        July 2019


        STATUS    current
        DESCRIPTION
            "Compliance levels for component information."
        MODULE
        MANDATORY-GROUPS { cDeviceInfoComponentGroup }

        GROUP cDeviceInfoComponentNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cDeviceInfoCompliances 2 }

    cDeviceInfoBatteryCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
           "Compliance levels for battery information."
        MODULE
        MANDATORY-GROUPS { cDeviceInfoBatteryGroup }

        GROUP cDeviceInfoBatteryNotifyGroup
        DESCRIPTION
           "This notification group is optional for implementation."

        OBJECT cBatteryLowThreshold
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
     ::= { cDeviceInfoCompliances 3 }

    cDeviceInfoFirmwareCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for firmware information."
        MODULE
        MANDATORY-GROUPS { cDeviceInfoFirmwareGroup }

        GROUP cDeviceInfoFirmwareNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cDeviceInfoCompliances 4 }

    cDeviceInfoSystemGroup OBJECT-GROUP
        OBJECTS {
                    cSystemDate,
                    cSystemUpTime,
                    cSystemInitialLoadParameters,
                    cSecurityLevel,
                    cElectronicSerialNumber,
                    cLastChanged,



Sun, et al.              Expires January 9, 2020               [Page 21]


Internet-Draft                    CCMIB                        July 2019


                    cResetDevice,
                    cSanitizeDevice,
                    cRenderInoperable,
                    cVendorName,
                    cModelIdentifier,
                    cHardwareVersionNumber
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to system
            information."
        ::= { cDeviceInfoGroups 1 }

    cDeviceInfoComponentGroup OBJECT-GROUP
        OBJECTS {
                    cDeviceComponentVersTableCount,
                    cDeviceComponentVersTableLastChanged,
                    cDeviceComponentName,
                    cDeviceComponentVersion,
                    cDeviceComponentOpStatus,
                    cDeviceComponentDescription
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to component
            information."
        ::= { cDeviceInfoGroups 2 }

    cDeviceInfoBatteryGroup OBJECT-GROUP
        OBJECTS {
                     cBatteryInfoTableCount,
                     cBatteryInfoTableLastChanged,
                     cBatteryType,
                     cBatteryOpStatus,
                     cBatteryLowThreshold
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to battery
            information."
        ::= { cDeviceInfoGroups 3 }

    cDeviceInfoFirmwareGroup OBJECT-GROUP
         OBJECTS {
                     cFirmwareInformationTableCount,
                     cFirmwareInformationTableLastChanged,
                     cFirmwareName,
                     cFirmwareVersion,



Sun, et al.              Expires January 9, 2020               [Page 22]


Internet-Draft                    CCMIB                        July 2019


                     cFirmwareSource,
                     cFirmwareRunning,
                     cFirmwareRowStatus
                }
         STATUS current
         DESCRIPTION
             "This group is composed of objects related to firmware
             information."
         ::= { cDeviceInfoGroups 4 }

    cDeviceInfoSystemNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cResetDeviceInitialized,
                        cSanitizeDeviceInitialized,
                        cTamperEventIndicated,
                        cSanitizeDeviceInitialized
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to system
            information."
        ::= { cDeviceInfoGroups 5 }

    cDeviceInfoComponentNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cDeviceComponentDisabled,
                        cDeviceComponentEnabled
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to
            component information."
        ::= { cDeviceInfoGroups 6 }

    cDeviceInfoBatteryNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cBatteryLow,
                        cBatteryRequiresReplacement,
                        cDeviceOnBattery
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to battery
            information."
        ::= { cDeviceInfoGroups 7 }

    cDeviceInfoFirmwareNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {



Sun, et al.              Expires January 9, 2020               [Page 23]


Internet-Draft                    CCMIB                        July 2019


                        cFirmwareInstallFailed,
                        cFirmwareInstallSuccess
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to firmware
            information."
        ::= { cDeviceInfoGroups 8 }

    END

5.4.  Key Management Information

   This MIB module makes references to the following documents:
   [RFC2578], [RFC2579], [RFC2580], [RFC3411], [RFC5280], [RFC5914],
   [RFC6030], and [RFC6353].

    CC-KEY-MANAGEMENT-MIB DEFINITIONS ::=  BEGIN

    IMPORTS
        ccKeyManagement
            FROM CC-FEATURE-HIERARCHY-MIB              -- FROM Sec 5.2
        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY
            FROM SNMPv2-SMI                            -- FROM RFC 2578
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                    -- FROM RFC 3411
        RowPointer, RowStatus, DateAndTime,
        TruthValue, TimeStamp
            FROM SNMPv2-TC                             -- FROM RFC 2579
        MODULE-COMPLIANCE, OBJECT-GROUP,
        NOTIFICATION-GROUP
            FROM SNMPv2-CONF                           -- FROM RFC 2580
        SnmpTLSFingerprint
            FROM SNMP-TLS-TM-MIB;                      -- FROM RFC 6353

    ccKeyManagementMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Key Managment objects.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.




Sun, et al.              Expires January 9, 2020               [Page 24]


Internet-Draft                    CCMIB                        July 2019


            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   ""CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        ::= { ccKeyManagement 1 }

    -- *****************************************************************
    -- Key Management Information Segments
    -- *****************************************************************

    cSymmetricKeyInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 1 }
    cAsymKeyInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 2 }
    cTrustAnchorInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 3 }
    cCKLInfo OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 4 }
    cCDMStoreInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 5 }
    cCertSubAltNameInfo OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 6 }
    cCertPathCtrlsInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 7 }
    cCertPolicyInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 8 }
    cPolicyMappingInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 9 }
    cNameConstraintInfo  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 10 }
    cKeyManagementScalars  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 11 }
    cKeyManagementNotify  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 12 }
    cKeyManagementConformance  OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 13 }
    cRemoteKeyMaterialInfo OBJECT IDENTIFIER
        ::= { ccKeyManagementMIB 14 }




Sun, et al.              Expires January 9, 2020               [Page 25]


Internet-Draft                    CCMIB                        July 2019


    -- *****************************************************************
    -- Key Management Information Scalars
    -- *****************************************************************

    cZeroizeAllKeys  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' removes all entries in key
            material tables and zeroizes key materials. It is applicable
            to symmetric keys, asymmetric keys, and Trust Anchors (TA).
            It must not modify any other information in the device such
            as the persistent storage or the audit log. When read this
            object should return false. If this object is set to the
            same value as the current value, the device must not perform
            any operation but should accept this as a valid SET
            operation. Note after being set to true, an agent should
            reset this object to false once it has zeroized all the keys
            stored in the device."
        ::= { cKeyManagementScalars 1 }

    cZeroizeSymmetricKeyTable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' removes all entries in the
            cSymmetricKeyTablekey and zeroizes the associated key
            materials. This operation must not modify any other
            information in the device such as the persistent storage or
            the audit log. When read this object should return false. If
            this object is set to the same value as the current value,
            the device must not perform any operation but should accept
            this as a valid SET operation. Note after being set to true,
            an agent should reset this object to false once it has
            zeroized the specific key materials stored in the device."
        ::= { cKeyManagementScalars 2 }

    cZeroizeAsymKeyTable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' removes all entries in the
            cAsymKeyTable, cCertSubAltNameTable, and zeroizes the
            associated key materials. This operation must not modify any
            other information in the device such as the persistent



Sun, et al.              Expires January 9, 2020               [Page 26]


Internet-Draft                    CCMIB                        July 2019


            storage or the audit log. When read this object should
            return false. If this object is set to the same value as the
            current value, the device must not perform any operation but
            should accept this as a valid SET operation. Note after
            being set to true, an agent should reset this object to
            false once it has zeroized the specific key materials stored
            in the device."
        ::= { cKeyManagementScalars 3 }

    cZeroizeTrustAnchorTable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' removes all entries in the
            cTrustAnchorTable. This operation must not modify any other
            information in the device such as the persistent storage or
            the audit log. When read this object should return false. If
            this object is set to the same value as the current value,
            the device must not perform any operation but should accept
            this as a valid SET operation. Note after being set to true,
            an agent should reset this object to false once it has
            zeroized the specific key materials stored in the device.

            Some implementations may restrict the deletion of Trust
            Anchors to specific protocols (e.g., TAMP)."
        ::= { cKeyManagementScalars 4 }

    cZeroizeCDMStoreTable  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' removes all entries in the
            cCDMStoreTable that are of type symkey, asymkey, and
            trustAnchor. This operation must not modify any other
            information in the device such as the persistent storage or
            the audit log. When read this object should return false. If
            this object is set to the same value as the current value,
            the device must not perform any operation but should accept
            this as a valid SET operation. Note after being set to true,
            an agent should reset this object to false once it has
            zeroized the specific key materials stored in the device."
        ::= { cKeyManagementScalars 5 }

    cKeyMaterialTableOID  OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-write



Sun, et al.              Expires January 9, 2020               [Page 27]


Internet-Draft                    CCMIB                        July 2019


        STATUS      current
        DESCRIPTION
            "The OID of the table for which (1) a successful or failed
            configuration occurred upon a key material load or (2) a key
            material has expired, will expire, or had its expiration
            date changed (3) a key material has been zeroized."
        ::= { cKeyManagementScalars 6 }

    cKeyMaterialFingerprint  OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  accessible-for-notify
        STATUS      current
        DESCRIPTION
            "The fingerprint of the key material to be transmitted in a
            notification."
        ::= { cKeyManagementScalars 7 }

    cSymKeyGlobalExpiryWarning  OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "days"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "A global setting, indicating the number of days prior to
            the expiration date of a symmetric key (value of
            cSymKeyExpirationDate in the associated cSymmetricKeyTable
            entry) for which the cKeyMaterialExpiring notification will
            be transmitted.

            The value in this object is only used if no value exists for
            the associated cSymmetricKeyTable entry's
            cSymKeyExpiryWarning object."
        ::= { cKeyManagementScalars 8 }

    cAsymKeyGlobalExpiryWarning  OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "days"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "A global setting, indicating the number of days prior to
            the expiration date of an asymmetric key (value of
            cAsymKeyExpirationDate in the associated cAsymKeyTable
            entry) for which the cKeyMaterialExpiring notification will
            be transmitted.

            The value in this object is only used if no value exists for
            the associated cAsymKeyTable entry's cAsymKeyExpiryWarning



Sun, et al.              Expires January 9, 2020               [Page 28]


Internet-Draft                    CCMIB                        July 2019


            object."
        ::= { cKeyManagementScalars 9 }

    cGenerateKeyType  OBJECT-TYPE
        SYNTAX      INTEGER { x509v3(1), psk(2) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The type of key material to be generated

            [1] x509v3: X.509v3 certificate per RFC 5280.
            [2] Symmetric Pre-Shared Key."
        ::= { cKeyManagementScalars 10 }

    cGenerateKey OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Setting this object to 'true' will force the generation of
            key material, based on the type of key material described in
            cGenerateKeyType. Post-generation, the agent must create an
            entry in the appropriate key material table that captures
            information on this key.

            Note after being set to true, an agent should reset this
            object to false once the key material has been generated and
            an entry created in the appropriate table."
        ::= { cKeyManagementScalars 11 }

    -- *****************************************************************
    -- Key Management Notifications
    -- *****************************************************************

    cKeyMaterialLoadSuccess  NOTIFICATION-TYPE
        OBJECTS     { cKeyMaterialTableOID }
        STATUS      current
        DESCRIPTION
            "An attempt to load the device with key material, identified
            by the table identifier (e.g., cSymmetricKeyTable), has
            succeeded. This notification may be sent upon a single
            successful key material load or may be sent upon a series of
            successful single key material loads."
        ::= { cKeyManagementNotify 1 }

    cKeyMaterialLoadFail  NOTIFICATION-TYPE
        OBJECTS     { cKeyMaterialTableOID }
        STATUS      current



Sun, et al.              Expires January 9, 2020               [Page 29]


Internet-Draft                    CCMIB                        July 2019


        DESCRIPTION
            "An attempt to load the device with key material, identified
            by the table identifier (e.g., cSymmetricKeyTable), has
            failed."
        ::= { cKeyManagementNotify 2 }

    cKeyMaterialExpiring  NOTIFICATION-TYPE
        OBJECTS     {
                        cKeyMaterialFingerprint,
                        cKeyMaterialTableOID
                    }
        STATUS      current
        DESCRIPTION
            "Key Material, identified by Key Fingerprint and OID of the
            associated key material table, is about to expire. This
            notification is transmitted prior to the key material's
            configured expiration date
            (cSymKeyExpirationDate/cAsymKeyExpirationDate) as indicated
            by a global setting
            (cSymKeyGlobalExpiryWarning/cAsymKeyGlobalExpiryWarning) or
            the granular setting per key material table entry
            (cSymKeyExpiryWarning/cAsymKeyExpiryWarning) if configured."
        ::= { cKeyManagementNotify 3 }

    cKeyMaterialExpired  NOTIFICATION-TYPE
        OBJECTS     {
                        cKeyMaterialFingerprint,
                        cKeyMaterialTableOID
                    }
        STATUS      current
        DESCRIPTION
            "Key Material, identified by Key Fingerprint and OID of the
            associated key material table, has expired."
        ::= { cKeyManagementNotify 4 }

    cKeyMaterialExpirationChanged  NOTIFICATION-TYPE
        OBJECTS     {
                        cKeyMaterialFingerprint,
                        cKeyMaterialTableOID
                    }
        STATUS      current
        DESCRIPTION
            "The expiration date of Key Material, identified by Key
            Fingerprint and the OID of the associated key material
            table, has changed. This can happen by either the
            'Expiration' object in the table changing or by the device
            making a change due to some other automated security policy
            change such as automatically extending a key when no new key



Sun, et al.              Expires January 9, 2020               [Page 30]


Internet-Draft                    CCMIB                        July 2019


            is available."
        ::= { cKeyManagementNotify 5 }

    cKeyMaterialZeroized  NOTIFICATION-TYPE
        OBJECTS     {
                        cKeyMaterialFingerprint,
                        cKeyMaterialTableOID
                    }
        STATUS      current
        DESCRIPTION
            "A key material, identified by fingerprint and OID of the
            associated key material table, has been securely deleted and
            zeroized. This notification is transmitted upon setting the
            Row Status object of the associated key material table entry
            to 'destroy', setting the cZeroizeAllKeys object to 'true',
            setting the cZeroizeSymmetricKeyTable object to 'true',
            setting the cZeroizeAsymKeyTable object to 'true', setting
            the cZeroizeTrustAnchorTable object to 'true', or setting
            the cZeroizeCDMStoreTable object to 'true'."
        ::= { cKeyManagementNotify 6 }

    cCKLLoadSuccess  NOTIFICATION-TYPE
        OBJECTS     {
                        cCKLIndex,
                        cCKLIssuer
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to load the device with CKL, identified by
            cCKLIndex and cCKLIssuer (indexes to the cCKLTable), has
            succeeded."
        ::= { cKeyManagementNotify 7 }

    cCKLLoadFail  NOTIFICATION-TYPE
        STATUS      current
        DESCRIPTION
            "An attempt to load the device with CKL has failed."
        ::= { cKeyManagementNotify 8 }

    cCDMAdded  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMStoreIndex,
                        cCDMStoreType
                    }
        STATUS      current
        DESCRIPTION
            "A new cryptographic device material (CDM) entry has been
            added to the cCDMStoreTable, as identified cCDMStoreIndex



Sun, et al.              Expires January 9, 2020               [Page 31]


Internet-Draft                    CCMIB                        July 2019


            and cCDMStoreType."
        ::= { cKeyManagementNotify 9 }

    cCDMDeleted  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMStoreIndex,
                        cCDMStoreType,
                        cCDMStoreFriendlyName
                    }
        STATUS      current
        DESCRIPTION
            "A cryptographic device material (CDM) entry has been
            deleted from the cCDMStoreTable, as identified
            cCDMStoreIndex, cCDMStoreType and cCDMStoreFriendlyName."
        ::= { cKeyManagementNotify 10 }

    cTrustAnchorAdded  NOTIFICATION-TYPE
        OBJECTS     {
                        cTrustAnchorFingerprint,
                        cTrustAnchorFormatType,
                        cTrustAnchorUsageType
                    }
        STATUS      current
        DESCRIPTION
            "A trust anchor has been added to the cTrustAnchorTable, as
            identified by cTrustAnchorFingerprint,
            cTrustAnchorFormatType, and cTrustAnchorUsageType."
        ::= { cKeyManagementNotify 11 }

    cTrustAnchorUpdated  NOTIFICATION-TYPE
        OBJECTS     {
                        cTrustAnchorFingerprint,
                        cTrustAnchorFormatType,
                        cTrustAnchorUsageType
                    }
        STATUS      current
        DESCRIPTION
            "A trust anchor has been updated in the cTrustAnchorTable,
            as identified by cTrustAnchorFingerprint,
            cTrustAnchorFormatType, and cTrustAnchorUsageType."
        ::= { cKeyManagementNotify 12 }

    cTrustAnchorRemoved  NOTIFICATION-TYPE
        OBJECTS     {
                        cTrustAnchorFingerprint,
                        cTrustAnchorFormatType,
                        cTrustAnchorUsageType
                    }



Sun, et al.              Expires January 9, 2020               [Page 32]


Internet-Draft                    CCMIB                        July 2019


        STATUS      current
        DESCRIPTION
            "A trust anchor has been removed from the cTrustAnchorTable,
            as identified by cTrustAnchorFingerprint,
            cTrustAnchorFormatType, and cTrustAnchorUsageType."
        ::= { cKeyManagementNotify 13 }

    -- *****************************************************************
    -- CC MIB cSymmetricKeyTable
    -- *****************************************************************

    cSymmetricKeyTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cSymmetricKeyTable."
        ::= { cSymmetricKeyInfo 1 }

    cSymmetricKeyTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cSymmetricKeyInfo 2 }

    cSymmetricKeyTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CSymmetricKeyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing the various types of symmetric keys
            used by the device."
        ::= { cSymmetricKeyInfo 3 }

    cSymmetricKeyEntry  OBJECT-TYPE
        SYNTAX      CSymmetricKeyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020               [Page 33]


Internet-Draft                    CCMIB                        July 2019


            "A row containing information about a Symmetric Key."
        INDEX      { cSymKeyFingerprint }
        ::= { cSymmetricKeyTable 1 }

    CSymmetricKeyEntry  ::= SEQUENCE {
        cSymKeyFingerprint          SnmpTLSFingerprint,
        cSymKeyUsage                BITS,
        cSymKeyID                   OCTET STRING,
        cSymKeyIssuer               OCTET STRING,
        cSymKeyEffectiveDate        DateAndTime,
        cSymKeyExpirationDate       DateAndTime,
        cSymKeyExpiryWarning        Unsigned32,
        cSymKeyNumberOfTransactions Unsigned32,
        cSymKeyFriendlyName         SnmpAdminString,
        cSymKeyClassification       BITS,
        cSymKeySource               OCTET STRING,
        cSymKeyRowStatus            RowStatus
    }

    cSymKeyFingerprint  OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An inherent identification of the symmetric key and the
            primary index to the cSymmetricKeyTable.

            This MIB does not provide any additional requirements on
            developing the fingerprint. Implementations are cautioned to
            develop the hash in a manner that does not compromise the
            security of the key material."
        ::= { cSymmetricKeyEntry 1 }

    cSymKeyUsage  OBJECT-TYPE
        SYNTAX      BITS { oneTimePassword(0), challengeResponse(1),
                           unlock(2), encrypt(3), decrypt(4),
                           integrity(5), verify(6), keyWrap(7),
                           unwrap(8), derive(9), generate(10),
                           sharedSecret(11) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The intended usage for the key:  One Time Password (OTP),
            Challenge/Response (CR), Unlock, Encrypt, Decrypt,
            Integrity, Verify, KeyWrap, Unwrap, Derive, Generate,
            Shared Secret. From RFC 6030 section 5.

            OTP: The key is used for One Time Password (OTP) generation.



Sun, et al.              Expires January 9, 2020               [Page 34]


Internet-Draft                    CCMIB                        July 2019


            CR: The key is used for Challenge/Response purposes.

            Unlock: The key is used for an inverse challenge response in
            the case where a user has locked the device by entering a
            wrong password too many times (for devices with password
            input capability).

            Encrypt: The key is used for data encryption purposes.

            Integrity: The key is used to generate a keyed message
            digest for data integrity or authentication purposes.

            Verify: The key is used to verify a keyed message digest for
            data integrity or authentication purposes (this is the
            opposite key usage of 'Integrity').

            Decrypt: The key is used for data decryption purposes.

            KeyWrap: The key is used for key wrap purposes.

            Unwrap: The key is used for key unwrap purposes.

            Derive: The key is used with a key derivation function to
            derive a new key.

            Generate: The key is used to generate a new key based on a
            random number and the previous value of the key.

            Shared Secret: The key is used as a shared secret between
            entities.

            Bit value translation:
            1000 0000 0000 0000 = OneTimePassword
            0100 0000 0000 0000 = ChallengeResponse
            0010 0000 0000 0000 = Unlock
            0001 0000 0000 0000 = Encrypt
            0000 1000 0000 0000 = Decrypt
            0000 0100 0000 0000 = Integrity
            0000 0010 0000 0000 = Verify
            0000 0001 0000 0000 = KeyWrap
            0000 0000 1000 0000 = Unwrap
            0000 0000 0100 0000 = Derive
            0000 0000 0010 0000 = Generate
            0000 0000 0001 0000 = SharedSecret"
        ::= { cSymmetricKeyEntry 2 }

    cSymKeyID  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))



Sun, et al.              Expires January 9, 2020               [Page 35]


Internet-Draft                    CCMIB                        July 2019


        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Represents a unique identifier assigned to this symmetric
            key. This would typically be an identifier inherent to the
            key material, such as a serial number or other form of
            identifier derived from a tag or other key wrapper. This
            object differs from cSymKeyFriendlyName which is a
            user-defined ID."
        ::= { cSymmetricKeyEntry 3 }

    cSymKeyIssuer  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Represents the name of the entity which issued the key. Use
            a distinguished name (DN) when one is available."
        ::= { cSymmetricKeyEntry 4 }

    cSymKeyEffectiveDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The effective date of the key."
        ::= { cSymmetricKeyEntry 5 }

    cSymKeyExpirationDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The expiration date of the key."
        ::= { cSymmetricKeyEntry 6 }

    cSymKeyExpiryWarning  OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "days"
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The number of days prior to the expiration date of this key
            (cSymKeyExpirationDate) for which the cKeyMaterialExpiring
            notification will be transmitted.

            If configured, the scalar value of
            cSymKeyGlobalExpiryWarning will be ignored. The value of



Sun, et al.              Expires January 9, 2020               [Page 36]


Internet-Draft                    CCMIB                        July 2019


            cSymKeyGlobalExpiryWarning will only be used if this column
            is not populated, populated with 0, or not implemented."
        ::= { cSymmetricKeyEntry 7 }

    cSymKeyNumberOfTransactions  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Indicates the maximum number of times a key can be used
            after having received it. If this column is not implemented,
            then there is no restriction regarding the number of times a
            key can be used.

            When this number is reached, implementations supporting this
            object should stop using this key and send a
            cKeyMaterialExpired notification."
        ::= { cSymmetricKeyEntry 8 }

    cSymKeyFriendlyName  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A human readable label of the key for easier reference. It
            is used only for helpful or informational purposes."
        ::= { cSymmetricKeyEntry 9 }

    cSymKeyClassification  OBJECT-TYPE
        SYNTAX      BITS { unclassified(0), restricted(1),
                           confidential(2), secret(3), topSecret(4) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The classification of the key.
            Bit value translation:
            1000 0000 = unclassified
            0100 0000 = restricted
            0010 0000 = confidential
            0001 0000 = secret
            0000 1000 = topSecret
            This column does not exist for devices that do not have the
            concept of classification."
        ::= { cSymmetricKeyEntry 10 }

    cSymKeySource  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-create



Sun, et al.              Expires January 9, 2020               [Page 37]


Internet-Draft                    CCMIB                        July 2019


        STATUS      current
        DESCRIPTION
            "The source of the key material. This can be the URI of a
            key source entity. If the key was derived from a user-input
            password, the string should say PASSWORD.

            Keys developed by the device should contain the string
            DEVICE-GENERATED. If the key was filled locally then this
            column should begin with the word FILL followed by the fill
            protocol. If the source is unknown, this column should not
            be populated or be set to an empty string, ''."
        ::= { cSymmetricKeyEntry 11 }

    cSymKeyRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of this row by which existing entries may be
            deleted from this table. Setting this column to destroy is
            synonymous with zeroizing the key. Any reference(s) to this
            object, upon setting this RowStatus to destroy, should be
            destroyed as well.

            Upon populating this row, this column should automatically
            be set to notReady. Only after valid information has been
            entered by the manager, can the manager set this column to
            active.

            At a minimum, implementations must support active and
            destroy management functions. Implementations must support
            createAndWait and createAndGo management functions for this
            object if the symmetric key material can be manually entered
            by the manager."
        ::= { cSymmetricKeyEntry 12 }

    -- *****************************************************************
    -- CC MIB cAsymKeyTable
    -- *****************************************************************

    cAsymKeyTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cAsymKeyTable."
        ::= { cAsymKeyInfo 1 }




Sun, et al.              Expires January 9, 2020               [Page 38]


Internet-Draft                    CCMIB                        July 2019


    cAsymKeyTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cAsymKeyInfo 2 }

    cAsymKeyTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CAsymKeyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing the Asymmetric Key Material and
            Certificates used by the device. Enumeration values, when
            applicable follow the conventions in RFC 5280."
        ::= { cAsymKeyInfo 3 }

    cAsymKeyEntry  OBJECT-TYPE
        SYNTAX      CAsymKeyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
             "A row containing information about an Asymmetric Key or
             Certificate."
        INDEX      { cAsymKeyFingerprint }
        ::= { cAsymKeyTable 1 }

    CAsymKeyEntry  ::= SEQUENCE {
        cAsymKeyFingerprint         SnmpTLSFingerprint,
        cAsymKeyFriendlyName        SnmpAdminString,
        cAsymKeySerialNumber        OCTET STRING,
        cAsymKeyIssuer              OCTET STRING,
        cAsymKeySignatureAlgorithm  OCTET STRING,
        cAsymKeyPublicKeyAlgorithm  OCTET STRING,
        cAsymKeyEffectiveDate       DateAndTime,
        cAsymKeyExpirationDate      DateAndTime,
        cAsymKeyExpiryWarning       Unsigned32,
        cAsymKeySubject             OCTET STRING,
        cAsymKeySubjectType         BITS,
        cAsymKeySubjectAltName      SnmpAdminString,



Sun, et al.              Expires January 9, 2020               [Page 39]


Internet-Draft                    CCMIB                        July 2019


        cAsymKeyUsage               BITS,
        cAsymKeyClassification      BITS,
        cAsymKeySource              OCTET STRING,
        cAsymKeyRowStatus           RowStatus,
        cAsymKeyVersion             INTEGER,
        cAsymKeyRekey               TruthValue,
        cAsymKeyType                OCTET STRING,
        cAsymKeyAutoRekeyEnable     TruthValue
    }

    cAsymKeyFingerprint  OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "An inherent identification of the asymmetric key and the
             primary index to the cAsymKeyTable."
        ::= { cAsymKeyEntry 1 }

    cAsymKeyFriendlyName  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "A human readable label of the key for easier reference. It
             is used only for helpful or informational purposes."
        ::= { cAsymKeyEntry 2 }

    cAsymKeySerialNumber  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The unique positive integer assigned to the Asymmetric
             Key. For Public Key Certificate (PKC) this serial number is
             assigned by the Certification Authority (CA). The value is
             this column can be up to 20 bytes long per Section
             '4.1.2.2. Serial Number' of RFC 5280. Other types of Key
             Material may have different serial number format as defined
             by the issuer (e.g., a Key Material ID)."
        ::= { cAsymKeyEntry 3 }

    cAsymKeyIssuer  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The issuer of this key material. For Public Key



Sun, et al.              Expires January 9, 2020               [Page 40]


Internet-Draft                    CCMIB                        July 2019


             Certificates, this is the distinguished name (DN) of the
             entity that has signed and issued the Public Key
             Certificate (PKC). Other issuers shall be defined by the
             class of device and will reference the Key Management
             System that delivers the key material for that device."
        ::= { cAsymKeyEntry 4 }

    cAsymKeySignatureAlgorithm  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "Signature algorithm used by a Certification Authority to
             sign this asymmetric key material (e.g., X.509
             Certificate). If no signature/signature algorithm is
             provided/used, this column would not exist.

             Note, this is a free form OCTET STRING column, meaning
             implementations may utilize a standardized definition of
             string values or use a proprietary definition of string
             values for supported signature algorithms."
        ::= { cAsymKeyEntry 5 }

    cAsymKeyPublicKeyAlgorithm  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "Public key algorithm with which the public key is used (as
             associated with the asymmetric key material (e.g., X.509
             Certificate)).

             Note, this is a free form OCTET STRING column, meaning
             implementations may utilize a standardized definition of
             string values or use a proprietary definition of string
             values for supported public key algorithms."
        ::= { cAsymKeyEntry 6 }

    cAsymKeyEffectiveDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "The date on which the validity period of the Asymmetric
             Key begins. This column must not exist when the key
             material does not have an inherent and associated effective
             date."
        ::= { cAsymKeyEntry 7 }



Sun, et al.              Expires January 9, 2020               [Page 41]


Internet-Draft                    CCMIB                        July 2019


    cAsymKeyExpirationDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "The date on which the validity period of the Asymmetric
             Key ends. This column must not exist when the key material
             does not have an inherent and associated expiration date."
        ::= { cAsymKeyEntry 8 }

    cAsymKeyExpiryWarning  OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "days"
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "The number of days prior to the expiration date of this
             key (cAsymKeyExpirationDate) for which the
             cKeyMaterialExpiring notification will be transmitted.

             If configured, the scalar value of
             cAsymKeyGlobalExpiryWarning will be ignored. The value of
             cAsymKeyGlobalExpiryWarning will only be used if this
             column is not populated, populated with 0, or not
             implemented."
        ::= { cAsymKeyEntry 9 }

    cAsymKeySubject  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The entity associated with this Asymmetric Key.

             For non-X.509 based key material, or when this object does
             not apply for the key material, this column will not
             exist."
        ::= { cAsymKeyEntry 10 }

    cAsymKeySubjectType  OBJECT-TYPE
        SYNTAX      BITS { other(0), certificationAuthority(1),
                           crlIssuer(2) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "Defines the type of subject based on the following
             choices. certificationAuthority(1) - When set to 1
             indicates that the subject (cAsymKeySubject) of the Public



Sun, et al.              Expires January 9, 2020               [Page 42]


Internet-Draft                    CCMIB                        July 2019


             Key Certificate (PKC) is a Certification Authority (CA).
             crlIssuer(2) - When set to 1 indicates that the subject
             (cCertificateSubject) of the Public Key Certificate (PKC)
             is a Certificate Revocation List (CRL) issuer.
             Bit value translation:
             1000 0000 = other
             0100 0000 = certificationAuthority
             0010 0000 = crlIssuer
             For non-X.509 based key material, or when this object does
             not apply for the key material, this column will not
             exist."
        ::= { cAsymKeyEntry 11 }

    cAsymKeySubjectAltName OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..32))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "A reference string that points to a set of Certificate
             Subject Alternative Subject Names in the
             cCertSubAltNameTable.

             This column should contain an empty string if the
             Certificate has no associating Subject Alternative Names.

             For non-X.509 based key material, or when this object does
             not apply for the key material, this column will not
             exist."
        ::= { cAsymKeyEntry 12 }

    cAsymKeyUsage  OBJECT-TYPE
        SYNTAX      BITS { other(0), digitalSignature(1),
                           nonRepudiation(2), keyEncipherment(3),
                           dataEncipherment(4), keyAgreement(5),
                           keyCertSign(6), cRLSign(7), encipherOnly(8),
                           decipherOnly(9) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "Provides the intended type of usage for the Asymmetric
             Key. The following types are supported (defined in Section
             4.2.1.3 Key Usage of RFC 5280 for PKC):
             other(0), digitalSignature(1), nonRepudiation(2),
             keyEncipherment(3), dataEncipherment(4), keyAgreement(5),
             keyCertSign(6), cRLSign(7), encipherOnly(8), and
             decipherOnly(9)
             Bit value translation:
             1000 0000 0000 0000 = other



Sun, et al.              Expires January 9, 2020               [Page 43]


Internet-Draft                    CCMIB                        July 2019


             0100 0000 0000 0000 = digitalSignature
             0010 0000 0000 0000 = nonRepudiation
             0001 0000 0000 0000 = keyEncipherment
             0000 1000 0000 0000 = dataEncipherment
             0000 0100 0000 0000 = keyAgreement
             0000 0010 0000 0000 = keyCertSign
             0000 0001 0000 0000 = cRLSign
             0000 0000 1000 0000 = encipherOnly
             0000 0000 0100 0000 = decipherOnly
             Devices using asymmetric key material not adhering to RFC
             5280 (X.509 format) may still use an applicable value for
             the Usage, or may use 'other'."
        ::= { cAsymKeyEntry 13 }

    cAsymKeyClassification  OBJECT-TYPE
        SYNTAX      BITS { unclassified(0), restricted(1),
                           confidential(2), secret(3), topSecret(4) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The supported classification level supported by the
             cAsymKeySubject used by this key material
             Bit value translation:
             1000 0000 = unclassified,
             0100 0000 = restricted,
             0010 0000 = confidential,
             0001 0000 = secret,
             0000 1000 = topSecret.

             This column does not exist for devices that do not have the
             concept of classification."
        ::= { cAsymKeyEntry 14 }

    cAsymKeySource  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "The source of the key material. This can be the URI of a
             key source entity. Keys developed by the device should
             contain the string DEVICE-GENERATED. If the key was filled
             locally then this column should begin with the word FILL
             followed by the fill protocol. If the source is unknown,
             this column should be blank."
        ::= { cAsymKeyEntry 15 }

    cAsymKeyRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus



Sun, et al.              Expires January 9, 2020               [Page 44]


Internet-Draft                    CCMIB                        July 2019


        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "The status of this row by which existing entries may be
             deleted from this table. Deleting a row in this table will
             also delete analogous rows in the cCertSubAltNameTable that
             are referenced by the cAsymKeySubjectAltName.

             Setting this column to destroy is synonymous with zeroizing
             the key material. Any reference(s) to this object, upon
             setting this RowStatus to destroy, should be destroyed as
             well. At a minimum, implementations must support active and
             destroy management functions. Support for notInService and
             notReady management functions is optional. Implementations
             must not support createAndWait and createAndGo management
             functions for this object."
        ::= { cAsymKeyEntry 16 }

    cAsymKeyVersion  OBJECT-TYPE
        SYNTAX     INTEGER
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The version of the asymmetric key material. For example,
            X.509 Version 3 certificates would have a value of '2', as
            defined in RFC 5280 - Section 4.1.2.1.

            When this object does not apply for the key material, this
            column will not exist."
        ::= { cAsymKeyEntry 17 }

    cAsymKeyRekey  OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "Setting this object to 'true' initates a rekey operation
            for the asymmetric key material. Note, additional
            configurations will likely be required based on the
            supported key management protocol.

            Note after being set to true, an agent should reset this
            object to false once the rekey operation has completed."
        ::= { cAsymKeyEntry 18 }

    cAsymKeyType  OBJECT-TYPE
        SYNTAX     OCTET STRING (SIZE(1..255))
        MAX-ACCESS read-only



Sun, et al.              Expires January 9, 2020               [Page 45]


Internet-Draft                    CCMIB                        July 2019


        STATUS     current
        DESCRIPTION
            "This column describes the type of asymmetric key material.

            Note, this is a free form OCTET STRING column.
            Implementations are expected to utilize definition of string
            values that apply to their specific nomenclature supported.
            If no such nomenclature exists, this column should not be
            populated or be set to an empty string (i.e., '')."
        ::= { cAsymKeyEntry 19 }

    cAsymKeyAutoRekeyEnable OBJECT-TYPE
        SYNTAX     TruthValue
        MAX-ACCESS read-write
        STATUS     current
        DESCRIPTION
            "Controls the automatic rekey settings  for this PKC.

            [true]  Enables automatic rekey.
            [false] Disables automatic rekey.

            This column is optional to support."
        DEFVAL     { false }
    ::= { cAsymKeyEntry 20 }


    -- *****************************************************************
    -- CC MIB cTrustAnchorTable
    -- *****************************************************************

    cTrustAnchorTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cTrustAnchorTable."
        ::= { cTrustAnchorInfo 1 }

    cTrustAnchorTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0



Sun, et al.              Expires January 9, 2020               [Page 46]


Internet-Draft                    CCMIB                        July 2019


            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cTrustAnchorInfo 2 }

    cTrustAnchorTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CTrustAnchorEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing the Trust Anchors (TAs) in this
            device."
        ::= { cTrustAnchorInfo 3 }

    cTrustAnchorEntry  OBJECT-TYPE
        SYNTAX      CTrustAnchorEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a Trust Anchor (TA) that
            has been loaded into the device."
        INDEX      { cTrustAnchorFingerprint }
        ::= { cTrustAnchorTable 1 }

    CTrustAnchorEntry  ::= SEQUENCE {
        cTrustAnchorFingerprint         SnmpTLSFingerprint,
        cTrustAnchorFormatType          INTEGER,
        cTrustAnchorName                OCTET STRING,
        cTrustAnchorUsageType           INTEGER,
        cTrustAnchorKeyIdentifier       OCTET STRING,
        cTrustAnchorPublicKeyAlgorithm  OCTET STRING,
        cTrustAnchorContingencyAvail    TruthValue,
        cTrustAnchorRowStatus           RowStatus,
        cTrustAnchorVersion             OCTET STRING
    }

    cTrustAnchorFingerprint  OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "An inherent identification of the trust anchor and the
            primary index to the cTrustAnchorTable."
        ::= { cTrustAnchorEntry 1 }

    cTrustAnchorFormatType  OBJECT-TYPE
        SYNTAX      INTEGER { x509v3(1), trustAnchorFormat(2),
                              tbsCertificate(3) }



Sun, et al.              Expires January 9, 2020               [Page 47]


Internet-Draft                    CCMIB                        July 2019


        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type/format of the trust anchor.

            [1] x509v3: X.509v3 certificate per RFC 5280.
            [2] trustAnchorFormat: Trust Anchor Format per RFC 5914.
            [3] tbsCertificate: To Be Signed Certificate per RFC 5280."
        ::= { cTrustAnchorEntry 2 }

    cTrustAnchorName  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The name of the Trust Anchor. When available, this is the
            X.500 distinguished name (DN) associated with the Trust
            Anchor (TA) used to construct and validate an X.509
            certification path. When the value of cTrustAnchorFormatType
            is 'trustAnchorFormat', this column is populated with the
            value from the taTitle field of the TrustAnchorInfo
            structure defined in RFC 5914, which is a human-readable
            name for the trust anchor. Otherwise, this column should be
            blank."
        ::= { cTrustAnchorEntry 3 }

    cTrustAnchorUsageType  OBJECT-TYPE
        SYNTAX      INTEGER { other(1), apex(2), management(3),
                              identity(4), firmware(5), crl(6) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The usage type for the Trust Anchor (TA). Note, crl(6) also
            applies to compromised key lists."
        ::= { cTrustAnchorEntry 4 }

    cTrustAnchorKeyIdentifier  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The identifier of the Trust Anchor's (TA's) public key."
        ::= { cTrustAnchorEntry 5 }

    cTrustAnchorPublicKeyAlgorithm  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current



Sun, et al.              Expires January 9, 2020               [Page 48]


Internet-Draft                    CCMIB                        July 2019


        DESCRIPTION
            "Public key algorithm with which the public key is used (as
            associated with the trust anchor).

            Note, this is a free form OCTET STRING column, meaning
            implementations may utilize a standardized definition of
            string values or use a proprietary definition of string
            values for supported public key algorithms."
        ::= { cTrustAnchorEntry 6 }

    cTrustAnchorContingencyAvail  OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "An indication of the availability of a contingency key for
            an Apex Trust Anchor. When set to 'True', a contingency key
            is available."
        ::= { cTrustAnchorEntry 7 }

    cTrustAnchorRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The status of this row by which existing entries may be
            deleted from this table. Setting this column to destroy is
            synonymous with zeroizing the Trust Anchor (TA). Any
            reference(s) to this object, upon setting this RowStatus to
            destroy, should be destroyed as well.

            At a minimum, implementations must support active and
            destroy management functions. Support for notInService and
            notReady management functions is optional. Implementations
            must not support createAndWait and createAndGo management
            functions for this object.

            Some implementations may restrict the deletion of Trust
            Anchors to specific protocols (e.g., TAMP)."
        ::= { cTrustAnchorEntry 8 }

    cTrustAnchorVersion OBJECT-TYPE
        SYNTAX     OCTET STRING
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The version of the Trust Anchor."
        ::= { cTrustAnchorEntry 9 }



Sun, et al.              Expires January 9, 2020               [Page 49]


Internet-Draft                    CCMIB                        July 2019


    -- *****************************************************************
    -- CC MIB cCKLTable
    -- *****************************************************************

    cCKLTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCKLTable."
        ::= { cCKLInfo 1 }

    cCKLLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCKLInfo 2 }

    cCKLTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCKLEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing the Compromised Key Lists and
            Certificate Revocation Lists (CRLS) used by the device. This
            table is used both for CRLs as defined in RFC 5280 and for
            other formats of revocation lists (such as Compromised Key
            Lists.)"
        ::= { cCKLInfo 3 }

    cCKLEntry  OBJECT-TYPE
        SYNTAX      CCKLEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a Compromised Key List
            or Certificate Revocation List (CRL) used by the device."
        INDEX      { cCKLIndex, cCKLIssuer }
        ::= { cCKLTable 1 }



Sun, et al.              Expires January 9, 2020               [Page 50]


Internet-Draft                    CCMIB                        July 2019


    CCKLEntry  ::= SEQUENCE {
        cCKLIndex           Unsigned32,
        cCKLIssuer          OCTET STRING,
        cCKLSerialNumber    OCTET STRING,
        cCKLIssueDate       DateAndTime,
        cCKLNextUpdate      DateAndTime,
        cCKLRowStatus       RowStatus,
        cCKLVersion         INTEGER,
        cCKLLastUpdate      DateAndTime
    }

    cCKLIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "An ID that uniquely identifies the Compromised Key List
            (CKL) in this table."
        ::= { cCKLEntry 1 }

    cCKLIssuer  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "For devices adhering to RFC 5280 this is the X.500
            distinguished name (DN) of the entity that has signed and
            issued the Certificate Revocation List (CRL).

            Other CRL/CKL issuers may use proprietary naming conventions
            or formats.

            If the source is unknown, this column should not be
            populated or be set to an empty string, ''."
        ::= { cCKLEntry 2 }

    cCKLSerialNumber  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A Serial Number for this CRL or CKL.

            For CRLs adhering to RFC 5280, this will be a monotonically
            increasing sequence number for a given Certificate
            Revocation List (CRL) scope and CRL issuer. The CRL Number
            allows users to easily determine when a particular CKL/CRL
            supersedes another CKL/CRL."



Sun, et al.              Expires January 9, 2020               [Page 51]


Internet-Draft                    CCMIB                        July 2019


        ::= { cCKLEntry 3 }

    cCKLIssueDate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The issue date of this CRL/CKL."
        ::= { cCKLEntry 4 }

    cCKLNextUpdate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date by which the next CKL/CRL issued. The next CRL
            could be issued before the indicated date, but it will not
            be issued any later than the indicated date.

            If this value is unknown, this column should not be
            populated or be set to an empty string, ''."
        ::= { cCKLEntry 5 }

    cCKLRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The status of this row by which existing entries may be
            deleted from this table.

            At a minimum, implementations must support active and
            destroy management functions. Support for notInService and
            notReady management functions is optional. Implementations
            must not support createAndWait and createAndGo management
            functions for this object."
        ::= { cCKLEntry 6 }

    cCKLVersion  OBJECT-TYPE
        SYNTAX      INTEGER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The version of the CKL/CRL. For example, X.509 Version 2
            CRLs would have a value of '1', as defined in RFC 5280 -
            Section 5.1.2.1.

            When this object does not apply for the CKL/CRL, this column



Sun, et al.              Expires January 9, 2020               [Page 52]


Internet-Draft                    CCMIB                        July 2019


            will not exist."
        ::= { cCKLEntry 7 }

    cCKLLastUpdate  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The date this CKL/CRL was last updated."
        ::= { cCKLEntry 8 }

    -- *****************************************************************
    -- CC MIB cCDMStoreTable
    -- *****************************************************************

    cCDMStoreTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCDMStoreTable."
        ::= { cCDMStoreInfo 1 }

    cCDMStoreTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMStoreInfo 2 }

    cCDMStoreTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCDMStoreEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing various types of stored Crypto Device
            Material (CDM) that are destined for this device and/or
            destined for another device. When sending CDM to a destined
            device, the cCDMTransferPkgLocatorRowPtr from the
            CC-KEY-TRANSFER-PUSH-MIB can be used to point to the rows in



Sun, et al.              Expires January 9, 2020               [Page 53]


Internet-Draft                    CCMIB                        July 2019


            this table."
        ::= { cCDMStoreInfo 3 }

    cCDMStoreEntry  OBJECT-TYPE
        SYNTAX      CCDMStoreEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about stored Crypto Device
            Material (CDM)."
        INDEX      { cCDMStoreIndex }
        ::= { cCDMStoreTable 1 }

    CCDMStoreEntry  ::= SEQUENCE {
        cCDMStoreIndex          Unsigned32,
        cCDMStoreType           INTEGER,
        cCDMStoreSource         SnmpAdminString,
        cCDMStoreID             OCTET STRING,
        cCDMStoreFriendlyName   SnmpAdminString,
        cCDMStoreControl        INTEGER,
        cCDMStoreRowStatus      RowStatus
    }

    cCDMStoreIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "A numeric index that identifies a unique location in this
            table."
        ::= { cCDMStoreEntry 1 }

    cCDMStoreType OBJECT-TYPE
        SYNTAX      INTEGER { symKey(1), asymKey(2), trustAnchor(3),
                              crl(4), ckl(5), firmware(6),
                              storeAndForwardWrappedPkg(7),
                              storeAndForwardPkg(8) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of Crypto Device Material (CDM) populated in this
            row.

            (1) symKey - This row contains information about a stored
                symmetric key.
            (2) asymKey - This row contains information about a stored
                asymmetric key.
            (3) trustAnchor  - This row contains information about a



Sun, et al.              Expires January 9, 2020               [Page 54]


Internet-Draft                    CCMIB                        July 2019


                stored Trust Anchor (TA).
            (4) crl - This row contains information about a stored
                Certificate Revocation List (CRL).
            (5) ckl - This row contains information about a stored
                Compromised Key List (CKL).
            (6) firmware - This row contains information about stored
                firmware.
            (7) storeAndForwardWrappedPkg - This row contains
                information about a stored encrypted wrapped package,
                typically meant to be forwarded to another device.
            (8) storeAndForwardPkg - This row contains information
                about a stored unencrypted, typically meant to be
               forwarded to another device."
        ::= { cCDMStoreEntry 2 }

    cCDMStoreSource  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "An administrative name that identifies the source of this
            Crypto Device Material (CDM). This could be the URI used
            when downloaded from the Secure Object Management System
            (SOMS) server or a physical port designator for CDM
            downloaded via HMI."
        ::= { cCDMStoreEntry 3 }

    cCDMStoreID  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Represents a unique identifier assigned to this Crypto
            Device Material (CDM). This would typically be an identifier
            inherent to the CDM, such as a serial number or other form
            of identifier derived from a tag or other CDM wrapper. This
            object differs from cCDMStoreFriendlyName which is a
            user-defined ID."
        ::= { cCDMStoreEntry 4 }

    cCDMStoreFriendlyName  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "A human readable label of this Crypto Device Material (CDM)
            for easier reference. It is used only for helpful or
            informational purposes."



Sun, et al.              Expires January 9, 2020               [Page 55]


Internet-Draft                    CCMIB                        July 2019


        ::= { cCDMStoreEntry 5 }

    cCDMStoreControl OBJECT-TYPE
        SYNTAX      INTEGER { readyForInstall(1), install(2),
                              installAndDiscard(3), other (4) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
             "A means to control what happens to the Crypto Device
             Material (CDM) stored in this table.
            (1) readyForInstall - The CDM is ready for installation.
            (2) install - The CDM will be installed in the appropriate
                table based on the cCDMStoreType.
            (3) installAndDiscard - The CDM will be installed in the
                appropriate table based on the cCDMStoreType and
                discarded from this table after the install operation is
                complete.
            (4) other - The CDM will be processed based on family
                extension specific action.

            Note, setting the cCDMStoreRowStatus object to 'destroy'
            will discard the CDM."
        ::= { cCDMStoreEntry 6 }

    cCDMStoreRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The status of this row by which existing entries may be
            deleted from this table.

            At a minimum, implementations must support active and
            destroy management functions. Support for notInService and
            notReady management functions is optional. Implementations
            must not support createAndWait and createAndGo management
            functions for this object."
        ::= { cCDMStoreEntry 7 }

    -- *****************************************************************
    -- CC MIB cCertSubAltNameTable
    -- *****************************************************************

    cCertSubAltNameTableCount OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020               [Page 56]


Internet-Draft                    CCMIB                        July 2019


            "The number of rows in the cCertSubAltNameTable."
        ::= { cCertSubAltNameInfo 1 }

    cCertSubAltNameTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCertSubAltNameInfo 2 }

    cCertSubAltNameTable OBJECT-TYPE
        SYNTAX     SEQUENCE OF CCertSubAltNameTableEntry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "The table containing a list of Subject Alternative Names
            associated with the certificate."
        ::= { cCertSubAltNameInfo 3 }

    cCertSubAltNameTableEntry OBJECT-TYPE
        SYNTAX     CCertSubAltNameTableEntry
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "A row containing information about a Subject Alternative
            Name and its type."
        INDEX  { cCertSubAltNameList, cCertSubAltNameListIndex }
        ::= { cCertSubAltNameTable 1 }

    CCertSubAltNameTableEntry ::= SEQUENCE {
        cCertSubAltNameList         SnmpAdminString,
        cCertSubAltNameListIndex    Unsigned32,
        cCertSubAltNameType         INTEGER,
        cCertSubAltNameValue1       OCTET STRING,
        cCertSubAltNameValue2       OCTET STRING,
        cCertSubAltNameRowStatus    RowStatus
    }

    cCertSubAltNameList OBJECT-TYPE
        SYNTAX     SnmpAdminString (SIZE(1..32))



Sun, et al.              Expires January 9, 2020               [Page 57]


Internet-Draft                    CCMIB                        July 2019


        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "The administrative name defining the set of Subject
            Alternative Names that are associated with the certificate.
            Multiple Subject Alternative Names may use the same
            administrative name, implying a group. It is the combination
            of cCertSubAltNameList and cCertSubAltNameListIndex that
            uniquely identifies each row or set of Subject Alternative
            Names."
        ::= { cCertSubAltNameTableEntry 1 }

    cCertSubAltNameListIndex OBJECT-TYPE
        SYNTAX     Unsigned32
        MAX-ACCESS not-accessible
        STATUS     current
        DESCRIPTION
            "A unique numeric index for rows, or sets of Subject
            Alternative Names, with the same cCertSubAltNameList value.
            This value, in combination with cCertSubAltNameList,
            uniquely identifies each row, or set of Subject Alternative
            Names."
        ::= { cCertSubAltNameTableEntry 2 }

    cCertSubAltNameType OBJECT-TYPE
        SYNTAX     INTEGER { otherName(0), rfc822Name(1), dNSName(2),
                             x400Address(3), directoryName(4),
                             ediPartyName(5),
                             uniformResourceIdentifier(6), ipAddress(7),
                             registeredID(8) }
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The type of the Subject Alternative Name as defined in RFC
            5280, Section 4.2.1.6. Specifically, the value of this
            object determines the format of cCertSubAltNameValue1 and
            cCertSubAltNameValue2."
        ::= { cCertSubAltNameTableEntry 3 }

    cCertSubAltNameValue1 OBJECT-TYPE
        SYNTAX     OCTET STRING
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The main value of the Subject Alternative Name. The format
            of the value must match its Type as defined in RFC 5280,
            Section 4.2.1.6.




Sun, et al.              Expires January 9, 2020               [Page 58]


Internet-Draft                    CCMIB                        July 2019


            This column is the main value and is used for all
            cCertSubAltNameType types. For otherName(0), this column
            provides the value of the 'value' field. For
            ediPartyName(5), this column provides the value of the
            'partyName'. For all other types, this column provides the
            value as defined in RFC 5280, Section 4.2.1.6."
        ::= { cCertSubAltNameTableEntry 4 }

    cCertSubAltNameValue2 OBJECT-TYPE
        SYNTAX     OCTET STRING
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "This column is a supplement to the main value
            cCertSubAltNameValue1 and may only be used when the
            cCertSubAltNameType is either otherName(0) or
            ediPartyName(5). For otherName(0), this column provides the
            value of the 'type-id' as defined in RFC 5280, Section 
            4.2.1.6. For ediPartyName(5), this column provides the value
            of the 'nameAssigner' as defined in RFC 5280, Section 
            4.2.1.6.

            For all other values of cCertSubAltNameType or when the
            'nameAssigner' is not used for ediPartyName(5), this column
            will not exist.

            Note: Support for multiple otherName(0) or ediPartyName(5)
            alternate names is provided by allowing multiple rows of the
            same cCertSubAltNameType and cCertSubAltNameList but with a
            unique cCertSubAltNameListIndex."
        ::= { cCertSubAltNameTableEntry 5 }

    cCertSubAltNameRowStatus OBJECT-TYPE
        SYNTAX     RowStatus
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "The status of this row by which existing entries may be
            deleted from this table.

            At a minimum, implementations must support active and
            destroy management functions. Support for notInService and
            notReady management functions is optional. Implementations
            must not support createAndWait and createAndGo management
            functions for this object."
        ::= { cCertSubAltNameTableEntry 6 }

    -- *****************************************************************



Sun, et al.              Expires January 9, 2020               [Page 59]


Internet-Draft                    CCMIB                        July 2019


    -- CC MIB cCertPathCtrlsTable
    -- *****************************************************************

    cCertPathCtrlsTableCount OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCertPathCtrlsTable."
        ::= { cCertPathCtrlsInfo 1 }

    cCertPathCtrlsTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCertPathCtrlsInfo 2 }

    cCertPathCtrlsTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCertPathCtrlsEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing the controls and constraints applied
            to a certificate in order to process certificate trust
            paths."
        ::= { cCertPathCtrlsInfo 3 }

    cCertPathCtrlsEntry OBJECT-TYPE
        SYNTAX      CCertPathCtrlsEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about certificate path
            controls and constraints."
        INDEX  { cCertPathCtrlsKeyFingerprint }
        ::= { cCertPathCtrlsTable 1 }

    CCertPathCtrlsEntry ::= SEQUENCE {
        cCertPathCtrlsKeyFingerprint    SnmpTLSFingerprint,



Sun, et al.              Expires January 9, 2020               [Page 60]


Internet-Draft                    CCMIB                        July 2019


        cCertPathCtrlsCertificate       RowPointer,
        cCertPathCtrlsCertPolicies      OCTET STRING,
        cCertPathCtrlsPolicyMappings    OCTET STRING,
        cCertPathCtrlsPolicyFlags       BITS,
        cCertPathCtrlsNamesPermitted    OCTET STRING,
        cCertPathCtrlsNamesExcluded     OCTET STRING,
        cCertPathCtrlsMaxPathLength     Unsigned32
    }

    cCertPathCtrlsKeyFingerprint  OBJECT-TYPE
        SYNTAX      SnmpTLSFingerprint
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
             "Identifies a trust anchor in the cTrustAnchorTable or a
             certificate in the cAsymKeyTable. This column is the
             primary index to the cCertPathCtrlsTable."
        ::= {cCertPathCtrlsEntry 1}

    cCertPathCtrlsCertificate  OBJECT-TYPE
        SYNTAX      RowPointer
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Optional reference to an X.509 certificate defined in the
            cAsymKeyTable to assist with certification path development
            and validation."
        ::= { cCertPathCtrlsEntry 2 }

    cCertPathCtrlsCertPolicies  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates a grouping of one or more policies for this
            certificate. The value of this column corresponds to the
            cCertPolicyInformation column in the cCertPolicyTable.

            When this object does not apply for the key material, this
            column will not exist."
        ::= { cCertPathCtrlsEntry 3 }

    cCertPathCtrlsPolicyMappings  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "For a Certification Authority (CA) certificate, this



Sun, et al.              Expires January 9, 2020               [Page 61]


Internet-Draft                    CCMIB                        July 2019


            indicates a grouping of policy mappings between a
            certificate issuer CA domain policy and a domain policy of
            the subject certificate CA. The value of this column
            corresponds to the cPolicyMappingGroup column of the
            cPolicyMappingTable.

            For non-X.509 based key material, or when this object does
            not apply for the key material, this column will not exist."
        ::= { cCertPathCtrlsEntry 4 }

    cCertPathCtrlsPolicyFlags  OBJECT-TYPE
        SYNTAX      BITS { inhibitPolicyMapping(0),
                           requireExplicitPolicy(1),
                           inhibitAnyPolicy(2) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Optional certificate path policy flags consisting of the
            following: inhibitPolicyMapping, requireExplicitPolicy, and
            inhibitAnyPolicy.

            inhibitPolicyMapping: Indicates if policy mapping is allowed
            in the certification path.

            requireExplicitPolicy: Indicates if the certification path
            must be valid for at least one of the certificate policies
            in cCertPathCtrlsCertPolicies.

            inhibitAnyPolicy: Indicates whether the special anyPolicy
            policy identifier is considered an explicit match for other
            certificate policies.

            Bit value translation:
            1000 = inhibitPolicyMapping
            0100 = requireExplicitPolicy
            0010 = inhibitAnyPolicy"
        ::= { cCertPathCtrlsEntry 5 }

    cCertPathCtrlsNamesPermitted  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates a subtree of names that are permitted for
            certificate path validation. The value of this column
            corresponds to the cNameConstraintGenSubtree column in the
            cNameConstraintTable.




Sun, et al.              Expires January 9, 2020               [Page 62]


Internet-Draft                    CCMIB                        July 2019


            When this object does not apply for the key material, this
            column will not exist."
        ::= { cCertPathCtrlsEntry 6 }

    cCertPathCtrlsNamesExcluded  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates a subtree of names that are excluded from
            certificate path validation, regardless of information
            appearing in the cCertPathCtrlsNamesPermitted subtree. The
            value of this column corresponds to the
            cNameConstraintGenSubtree column in the
            cNameConstraintTable.

            When this object does not apply for the key material, this
            column will not exist."
        ::= { cCertPathCtrlsEntry 7 }

    cCertPathCtrlsMaxPathLength  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Optional indication of the maximum number of
            non-self-issued intermediate certificates that may follow
            this certificate in a valid certification path."
        ::= { cCertPathCtrlsEntry 8 }

    -- *****************************************************************
    -- CC MIB cCertPolicyTable
    -- *****************************************************************

    cCertPolicyTableCount OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCertPolicyTable."
        ::= { cCertPolicyInfo 1 }

    cCertPolicyTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,



Sun, et al.              Expires January 9, 2020               [Page 63]


Internet-Draft                    CCMIB                        July 2019


            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCertPolicyInfo 2 }

    cCertPolicyTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCertPolicyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing certificate policy information to be
            provided as input to the certificate path validation
            algorithm. For an end entity certificate, this information
            indicates under which policy this certificate has been
            issued and the purposes for which the certificate may be
            used. For a Certification Authority (CA) certificate, this
            information limits the set of policies for certification
            paths that include this certificate."
        ::= { cCertPolicyInfo 3 }

    cCertPolicyEntry OBJECT-TYPE
        SYNTAX      CCertPolicyEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a certificate policy."
        INDEX  { cCertPolicyInformation, cCertPolicyInformationIndex }
        ::= { cCertPolicyTable 1 }

    CCertPolicyEntry ::= SEQUENCE {
        cCertPolicyInformation      OCTET STRING,
        cCertPolicyInformationIndex Unsigned32,
        cCertPolicyIdentifier       OBJECT IDENTIFIER,
        cCertPolicyQualifierID      INTEGER,
        cCertPolicyQualifier        OCTET STRING
    }

    cCertPolicyInformation  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Identifies a grouping of policies that are applicable to a
            certificate. When used in conjunction with



Sun, et al.              Expires January 9, 2020               [Page 64]


Internet-Draft                    CCMIB                        July 2019


            cCertPolicyInformationIndex, a unique policy and qualifier
            set is defined."
        ::= { cCertPolicyEntry 1 }

    cCertPolicyInformationIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A numerical index that is unique for a specific
            cCertPolicyInformation value. This index allows multiple
            qualifiers to be defined for a particular policy. When used
            in conjunction with cCertPolicyInformation, a unique policy
            and qualifier set is defined."
        ::= { cCertPolicyEntry 2 }

    cCertPolicyIdentifier  OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "For end entity certificates, this is an identifier for the
            policy under which the certificate has been issued. For
            Certification Authority (CA) certificates, this is an
            identifier for a certification path policy that includes
            this certificate."
        ::= { cCertPolicyEntry 3 }

    cCertPolicyQualifierID  OBJECT-TYPE
        SYNTAX      INTEGER { cpsPointer(0), userNotice(1) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates the type of qualifier per RFC 5280,
            Section 4.2.1.4."
        ::= { cCertPolicyEntry 4 }

    cCertPolicyQualifier  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Qualifier information with type based on
            cCertPolicyQualifierID."
        ::= { cCertPolicyEntry 5 }

    -- *****************************************************************
    -- CC MIB cPolicyMappingTable



Sun, et al.              Expires January 9, 2020               [Page 65]


Internet-Draft                    CCMIB                        July 2019


    -- *****************************************************************

    cPolicyMappingTableCount OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The number of rows in the cPolicyMappingTable."
        ::= { cPolicyMappingInfo 1 }

    cPolicyMappingTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cPolicyMappingInfo 2 }

    cPolicyMappingTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF CPolicyMappingEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table listing mappings between policies that a
            certificate issuing Certification Authority (CA) considers
            as equivalent or comparable to the domain policies of the
            subject certificate's CA."
        ::= { cPolicyMappingInfo 3 }

    cPolicyMappingEntry OBJECT-TYPE
        SYNTAX      CPolicyMappingEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing a mapping between the domain policy of an
            issuing Certification Authority (CA) and an equivalent
            domain policy of the subject certificate's CA."
        INDEX  { cPolicyMappingGroup, cPolicyMappingIndex }
        ::= { cPolicyMappingTable 1 }

    CPolicyMappingEntry ::= SEQUENCE {



Sun, et al.              Expires January 9, 2020               [Page 66]


Internet-Draft                    CCMIB                        July 2019


        cPolicyMappingGroup         OCTET STRING,
        cPolicyMappingIndex         Unsigned32,
        cPolicyMappingSubjectPolicy OBJECT IDENTIFIER,
        cPolicyMappingIssuerPolicy  OBJECT IDENTIFIER
    }

    cPolicyMappingGroup  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Identifies a grouping of policy mappings that are
            applicable to a certificate. When used in conjunction with
            cPolicyMappingIndex, a unique policy mapping is defined."
        ::= { cPolicyMappingEntry 1 }

    cPolicyMappingIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A numerical index that is unique for a specific
            cPolicyMappingGroup value. When used in conjunction with
            cPolicyMappingGroup, a unique policy mapping is defined."
        ::= { cPolicyMappingEntry 2 }

    cPolicyMappingSubjectPolicy  OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates the subject Certification Authority's domain
            policy."
        ::= { cPolicyMappingEntry 3 }

    cPolicyMappingIssuerPolicy  OBJECT-TYPE
        SYNTAX      OBJECT IDENTIFIER
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Indicates the issuer domain policy that the issuer
            Certification Authority (CA) considers equivalent to the
            subject CA domain policy."
        ::= { cPolicyMappingEntry 4 }

    -- *****************************************************************
    -- CC MIB cNameConstraintTable
    -- *****************************************************************



Sun, et al.              Expires January 9, 2020               [Page 67]


Internet-Draft                    CCMIB                        July 2019


    cNameConstraintTableCount OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cNameConstraintTable."
        ::= { cNameConstraintInfo 1 }

    cNameConstraintTableLastChanged OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cNameConstraintInfo 2 }

    cNameConstraintTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF CNameConstraintEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table listing designated name spaces within which
            subject names in subsequent certificates in a certification
            path can be stored."
        ::= { cNameConstraintInfo 3 }

    cNameConstraintEntry OBJECT-TYPE
        SYNTAX      CNameConstraintEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row designating an entity's distinguished name to a name
            space."
        INDEX  { cNameConstraintGenSubtree,
                 cNameConstraintSubtreeIndex }
        ::= { cNameConstraintTable 1 }

    CNameConstraintEntry ::= SEQUENCE {
        cNameConstraintGenSubtree   OCTET STRING,
        cNameConstraintSubtreeIndex Unsigned32,
        cNameConstraintBaseName     SnmpAdminString



Sun, et al.              Expires January 9, 2020               [Page 68]


Internet-Draft                    CCMIB                        July 2019


    }

    cNameConstraintGenSubtree  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "Identifies a permitted or excluded name constraint subtree.
            When used with cNameConstraintSubtreeIndex, a unique subject
            name constraint entry is defined."
        ::= { cNameConstraintEntry 1 }

    cNameConstraintSubtreeIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A numerical index used to specify a name constraint within
            a permitted or excluded name constraint subtree. When used
            with a specific value of cNameConstraintGenSubtree, a unique
            subject name constraint entry is defined."
        ::= { cNameConstraintEntry 2 }

    cNameConstraintBaseName  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The distinguished name of the subject that is permitted or
            excluded."
        ::= { cNameConstraintEntry 3 }

    -- *****************************************************************
    -- CC MIB cRemoteKeyMaterialTable
    -- *****************************************************************

    cRemoteKeyMaterialTableCount OBJECT-TYPE
        SYNTAX       Unsigned32
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
            "The number of rows in the cRemoteKeyMaterialTable."
        ::= { cRemoteKeyMaterialInfo 1 }

    cRemoteKeyMaterialTableLastChanged OBJECT-TYPE
        SYNTAX       TimeStamp
        MAX-ACCESS   read-only
        STATUS       current



Sun, et al.              Expires January 9, 2020               [Page 69]


Internet-Draft                    CCMIB                        July 2019


        DESCRIPTION
            "The last time any entry in the table was modified,
            created, or deleted by either SNMP, agent, or other
            management method (e.g., via an HMI) Managers can use this
            object to ensure that no changes to configuration of this
            table have happened since the last time it examined the
            table. A value of 0 indicates that no entry has been
            changed since the agent initialized.  The value in
            CC-DEVICE-INFO-MIB cSystemUpTime should be used to populate
            this column."
        ::= { cRemoteKeyMaterialInfo 2 }

    cRemoteKeyMaterialTable OBJECT-TYPE
        SYNTAX       SEQUENCE OF CRemoteKeyMaterialTableEntry
        MAX-ACCESS   not-accessible
        STATUS       current
        DESCRIPTION
            "The table containing remote key material information -
             namely, key material used to help establish the secure
             connection."
        ::= { cRemoteKeyMaterialInfo 3 }

    cRemoteKeyMaterialTableEntry OBJECT-TYPE
        SYNTAX       CRemoteKeyMaterialTableEntry
        MAX-ACCESS   not-accessible
        STATUS       current
        DESCRIPTION
            "A row describing the remote key material information used
            to establish the secure connection."
        INDEX  { cRemoteKeyMaterialID }
        ::= { cRemoteKeyMaterialTable 1 }

    CRemoteKeyMaterialTableEntry ::= SEQUENCE {
            cRemoteKeyMaterialID             OCTET STRING,
            cRemoteKeyMatFriendlyName        SnmpAdminString,
            cRemoteKeyMatSerialNumber        OCTET STRING,
            cRemoteKeyMaterialKeyType        OCTET STRING,
            cRemoteKeyMatExpirationDate      DateAndTime,
            cRemoteKeyMatClassification      BITS
        }

    cRemoteKeyMaterialID OBJECT-TYPE
        SYNTAX       OCTET STRING (SIZE(1..255))
        MAX-ACCESS   not-accessible
        STATUS       current
        DESCRIPTION
            "Represents a unique identifier assigned to this key
            material. This would typically be an identifier inherent to



Sun, et al.              Expires January 9, 2020               [Page 70]


Internet-Draft                    CCMIB                        July 2019


            the key material, such as a serial number or other form of
            identifier derived from a tag or other key wrapper. This
            object differs from cRemoteKeyMatFriendlyName which is a
            user-defined ID."
        ::= { cRemoteKeyMaterialTableEntry 1 }

    cRemoteKeyMatFriendlyName OBJECT-TYPE
        SYNTAX       SnmpAdminString
        MAX-ACCESS   read-write
        STATUS       current
        DESCRIPTION
            "A human readable label of the key for easier reference. It
            is used only for helpful or informational purposes."
        ::= { cRemoteKeyMaterialTableEntry 2 }

    cRemoteKeyMatSerialNumber OBJECT-TYPE
        SYNTAX       OCTET STRING
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
            "The unique positive integer assigned to the remote key
            material.  Note, this information may not be available in
            some key material types."
        ::= { cRemoteKeyMaterialTableEntry 3 }

    cRemoteKeyMaterialKeyType OBJECT-TYPE
        SYNTAX       OCTET STRING
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
            "This column describes the type of remote key material.

            Note, this is a free form OCTET STRING column.
            Implementations are expected to utilize definition of
            string values that apply to their specific nomenclature
            supported.  If no such nomenclature exists, this column
            should not be populated or be set to an empty string
            (i.e., '')."
        ::= { cRemoteKeyMaterialTableEntry 4 }

    cRemoteKeyMatExpirationDate OBJECT-TYPE
        SYNTAX       DateAndTime
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
            "The expiration date of the key."
        ::= { cRemoteKeyMaterialTableEntry 5 }




Sun, et al.              Expires January 9, 2020               [Page 71]


Internet-Draft                    CCMIB                        July 2019


    cRemoteKeyMatClassification OBJECT-TYPE
        SYNTAX       BITS { unclassified(0), restricted(1),
                            confidential(2), secret(3), topSecret(4) }
        MAX-ACCESS   read-only
        STATUS       current
        DESCRIPTION
            "The classification of the key.
             Bit value translation:
             1000 0000 = unclassified
             0100 0000 = restricted
             0010 0000 = confidential
             0001 0000 = secret
             0000 1000 = topSecret

             This column does not exist for devices that do not have
             the concept of classification."
        ::= { cRemoteKeyMaterialTableEntry 6 }

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cKeyManagementCompliances          OBJECT IDENTIFIER
        ::= { cKeyManagementConformance 1}

    cKeyManagementGroups               OBJECT IDENTIFIER
        ::= { cKeyManagementConformance 2}

    cKeyManSymKeyCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for symmetric key information."
        MODULE
        MANDATORY-GROUPS { cKeyManSymKeyGroup, cKeyManRemoteKeyGroup }

        GROUP cKeyManSymKeyNotifyScalars
        DESCRIPTION
            "This symmetric key notification scalar group is optional
            for implementation."

        GROUP cKeyManSymKeyNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cKeyManagementCompliances  1 }

    cKeyManAsymKeyCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020               [Page 72]


Internet-Draft                    CCMIB                        July 2019


            "Compliance levels for asymmetric key information."
        MODULE
        MANDATORY-GROUPS { cKeyManAsymKeyGroup, cKeyManRemoteKeyGroup }

        GROUP cKeyManCertSubAltNameGroup
        DESCRIPTION
            "Certificate Subject Alternative Name group is optional for
            implementation."

        GROUP cKeyManCertPathCtrlsGroup
        DESCRIPTION
            "Certificate Path Controls group is optional for
            implementation."

        GROUP cKeyManCertPolicyGroup
        DESCRIPTION
            "Certificate Policy group is optional for implementation."

        GROUP cKeyManPolicyMappingGroup
        DESCRIPTION
            "Policy Mapping group is optional for implementation."

        GROUP cKeyManNameConstraintGroup
        DESCRIPTION
            "Name Constraint group is optional for implementation."

        GROUP cKeyManTrustAnchorGroup
        DESCRIPTION
            "Trust Anchor group is optional for implementation."

        GROUP cKeyManAsymKeyNotifyScalars
        DESCRIPTION
            "This asymmetric key notification scalar group is optional
            for implementation."

        GROUP cKeyManAsymKeyNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        GROUP cKeyManTrustAnchorNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cCertPathCtrlsCertificate
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."




Sun, et al.              Expires January 9, 2020               [Page 73]


Internet-Draft                    CCMIB                        July 2019


        OBJECT cCertPathCtrlsPolicyFlags
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cCertPathCtrlsMaxPathLength
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
        ::= { cKeyManagementCompliances  2 }

    cKeyManTrustAnchorCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for trust anchor information."
        MODULE
        MANDATORY-GROUPS { cKeyManTrustAnchorGroup }

        GROUP cKeyManCertPathCtrlsGroup
        DESCRIPTION
            "Certificate Path Controls group is optional for
            implementation."

        GROUP cKeyManCertPolicyGroup
        DESCRIPTION
            "Certificate Policy group is optional for implementation."

        GROUP cKeyManPolicyMappingGroup
        DESCRIPTION
            "Policy Mapping group is optional for implementation."

        GROUP cKeyManNameConstraintGroup
        DESCRIPTION
            "Name Constraint group is optional for implementation."

        GROUP cKeyManTrustAnchorNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cCertPathCtrlsCertificate
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cCertPathCtrlsPolicyFlags
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."



Sun, et al.              Expires January 9, 2020               [Page 74]


Internet-Draft                    CCMIB                        July 2019


        OBJECT cCertPathCtrlsMaxPathLength
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
        ::= { cKeyManagementCompliances  3 }

    cKeyManCKLCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for CKL information."
        MODULE
        MANDATORY-GROUPS { cKeyManCKLGroup }

        GROUP cKeyManCKLNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cKeyManagementCompliances  4 }

    cKeyManCDMStoreCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for CDM Store information."
        MODULE
        MANDATORY-GROUPS { cKeyManCDMStoreGroup }

        GROUP cKeyManCDMStoreNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cKeyManagementCompliances  5 }

    cKeyManSymKeyGroup OBJECT-GROUP
        OBJECTS {
                  cZeroizeAllKeys,
                  cZeroizeSymmetricKeyTable,
                  cSymmetricKeyTableCount,
                  cSymmetricKeyTableLastChanged,
                  cSymKeyUsage,
                  cSymKeyID,
                  cSymKeyIssuer,
                  cSymKeyEffectiveDate,
                  cSymKeyExpirationDate,
                  cSymKeyExpiryWarning,
                  cSymKeyNumberOfTransactions,
                  cSymKeyFriendlyName,
                  cSymKeyClassification,
                  cSymKeySource,
                  cSymKeyRowStatus
                }



Sun, et al.              Expires January 9, 2020               [Page 75]


Internet-Draft                    CCMIB                        July 2019


        STATUS current
        DESCRIPTION
            "This group is composed of objects related to symmetric key
            information."
        ::= { cKeyManagementGroups 1 }

    cKeyManAsymKeyGroup OBJECT-GROUP
        OBJECTS {
                  cZeroizeAllKeys,
                  cZeroizeAsymKeyTable,
                  cAsymKeyTableCount,
                  cAsymKeyTableLastChanged,
                  cAsymKeyFingerprint,
                  cAsymKeyFriendlyName,
                  cAsymKeySerialNumber,
                  cAsymKeyIssuer,
                  cAsymKeySignatureAlgorithm,
                  cAsymKeyPublicKeyAlgorithm,
                  cAsymKeyEffectiveDate,
                  cAsymKeyExpirationDate,
                  cAsymKeyExpiryWarning,
                  cAsymKeySubject,
                  cAsymKeySubjectType,
                  cAsymKeyUsage,
                  cAsymKeyClassification,
                  cAsymKeySource,
                  cAsymKeyRowStatus,
                  cAsymKeyVersion,
                  cAsymKeyRekey,
                  cAsymKeyType,
                  cAsymKeyAutoRekeyEnable
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to asymmetric key
            information."
        ::= { cKeyManagementGroups 2 }

    cKeyManCertSubAltNameGroup OBJECT-GROUP
        OBJECTS {
                  cAsymKeySubjectAltName,
                  cCertSubAltNameTableCount,
                  cCertSubAltNameTableLastChanged,
                  cCertSubAltNameType,
                  cCertSubAltNameValue1,
                  cCertSubAltNameValue2,
                  cCertSubAltNameRowStatus
                }



Sun, et al.              Expires January 9, 2020               [Page 76]


Internet-Draft                    CCMIB                        July 2019


        STATUS current
        DESCRIPTION
            "This group is composed of objects related to certificate
            subject alternative name information."
        ::= { cKeyManagementGroups 3 }

    cKeyManCertPathCtrlsGroup OBJECT-GROUP
        OBJECTS {
                  cCertPathCtrlsTableCount,
                  cCertPathCtrlsTableLastChanged,
                  cCertPathCtrlsCertificate,
                  cCertPathCtrlsPolicyFlags,
                  cCertPathCtrlsMaxPathLength
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to certificate
            path controls information."
        ::= { cKeyManagementGroups 4 }

    cKeyManCertPolicyGroup OBJECT-GROUP
        OBJECTS {
                  cCertPathCtrlsCertPolicies,
                  cCertPolicyTableCount,
                  cCertPolicyTableLastChanged,
                  cCertPolicyIdentifier,
                  cCertPolicyQualifierID,
                  cCertPolicyQualifier
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to certificate
            policy information."
        ::= { cKeyManagementGroups 5 }

    cKeyManPolicyMappingGroup OBJECT-GROUP
        OBJECTS {
                  cCertPathCtrlsPolicyMappings,
                  cPolicyMappingTableCount,
                  cPolicyMappingTableLastChanged,
                  cPolicyMappingSubjectPolicy,
                  cPolicyMappingIssuerPolicy
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to policy mapping
            information."
        ::= { cKeyManagementGroups 6 }



Sun, et al.              Expires January 9, 2020               [Page 77]


Internet-Draft                    CCMIB                        July 2019


    cKeyManNameConstraintGroup OBJECT-GROUP
        OBJECTS {
                  cCertPathCtrlsNamesPermitted,
                  cCertPathCtrlsNamesExcluded,
                  cNameConstraintTableCount,
                  cNameConstraintTableLastChanged,
                  cNameConstraintBaseName
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to name
            constraint information."
        ::= { cKeyManagementGroups 7 }

    cKeyManTrustAnchorGroup OBJECT-GROUP
        OBJECTS {
                  cZeroizeAllKeys,
                  cZeroizeTrustAnchorTable,
                  cTrustAnchorTableCount,
                  cTrustAnchorTableLastChanged,
                  cTrustAnchorFingerprint,
                  cTrustAnchorFormatType,
                  cTrustAnchorName,
                  cTrustAnchorUsageType,
                  cTrustAnchorKeyIdentifier,
                  cTrustAnchorPublicKeyAlgorithm,
                  cTrustAnchorContingencyAvail,
                  cTrustAnchorRowStatus,
                  cTrustAnchorVersion
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to trust anchor
            information."
        ::= { cKeyManagementGroups 8 }

    cKeyManCKLGroup OBJECT-GROUP
        OBJECTS {
                  cCKLTableCount,
                  cCKLLastChanged,
                  cCKLIndex,
                  cCKLIssuer,
                  cCKLSerialNumber,
                  cCKLIssueDate,
                  cCKLNextUpdate,
                  cCKLRowStatus,
                  cCKLVersion,
                  cCKLLastUpdate



Sun, et al.              Expires January 9, 2020               [Page 78]


Internet-Draft                    CCMIB                        July 2019


                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to compromised
            key list information."
        ::= { cKeyManagementGroups 9 }

    cKeyManCDMStoreGroup OBJECT-GROUP
        OBJECTS {
                  cZeroizeAllKeys,
                  cZeroizeCDMStoreTable,
                  cCDMStoreTableCount,
                  cCDMStoreTableLastChanged,
                  cCDMStoreIndex,
                  cCDMStoreType,
                  cCDMStoreSource,
                  cCDMStoreID,
                  cCDMStoreFriendlyName,
                  cCDMStoreControl,
                  cCDMStoreRowStatus
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to Crypto
            Device Material store information."
        ::= { cKeyManagementGroups 10 }

    cKeyManSymKeyNotifyScalars OBJECT-GROUP
        OBJECTS {
                        cKeyMaterialTableOID,
                        cKeyMaterialFingerprint,
                        cSymKeyGlobalExpiryWarning
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to symmetric key
            notifications."
        ::= { cKeyManagementGroups 11 }

    cKeyManAsymKeyNotifyScalars OBJECT-GROUP
        OBJECTS {
                        cKeyMaterialTableOID,
                        cKeyMaterialFingerprint,
                        cAsymKeyGlobalExpiryWarning
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to asymmetric key



Sun, et al.              Expires January 9, 2020               [Page 79]


Internet-Draft                    CCMIB                        July 2019


            notifications."
        ::= { cKeyManagementGroups 12 }

    cKeyManSymKeyNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cKeyMaterialLoadSuccess,
                        cKeyMaterialLoadFail,
                        cKeyMaterialExpiring,
                        cKeyMaterialExpired,
                        cKeyMaterialExpirationChanged,
                        cKeyMaterialZeroized
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to
            symmetric key information."
        ::= { cKeyManagementGroups 13 }

    cKeyManAsymKeyNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cKeyMaterialLoadSuccess,
                        cKeyMaterialLoadFail,
                        cKeyMaterialExpiring,
                        cKeyMaterialExpired,
                        cKeyMaterialExpirationChanged,
                        cKeyMaterialZeroized
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to
            asymmetric key information."
        ::= { cKeyManagementGroups 14 }

    cKeyManTrustAnchorNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cTrustAnchorAdded,
                        cTrustAnchorUpdated,
                        cTrustAnchorRemoved
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to trust
            anchor information."
        ::= { cKeyManagementGroups 15 }

    cKeyManCKLNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cCKLLoadSuccess,



Sun, et al.              Expires January 9, 2020               [Page 80]


Internet-Draft                    CCMIB                        July 2019


                        cCKLLoadFail
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to
            compromised key list information."
        ::= { cKeyManagementGroups 16 }

    cKeyManCDMStoreNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cCDMAdded,
                        cCDMDeleted
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to Crypto
            Device Material store information."
        ::= { cKeyManagementGroups 17 }

    cKeyManRemoteKeyGroup OBJECT-GROUP
        OBJECTS {
                   cRemoteKeyMaterialTableCount,
                   cRemoteKeyMaterialTableLastChanged,
                   cRemoteKeyMatFriendlyName,
                   cRemoteKeyMatSerialNumber,
                   cRemoteKeyMaterialKeyType,
                   cRemoteKeyMatExpirationDate,
                   cRemoteKeyMatClassification
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to remote key
            information."
        ::= { cKeyManagementGroups 18 }

    END

5.5.  Key Transfer Pull

   This MIB module makes reference to the following documents:
   [RFC2578], [RFC2579], [RFC2580], and [RFC3411].

    CC-KEY-TRANSFER-PULL-MIB  DEFINITIONS  ::=  BEGIN

    IMPORTS
        ccKeyTransferPull
            FROM CC-FEATURE-HIERARCHY-MIB              -- FROM Sec 5.2
        MODULE-COMPLIANCE, OBJECT-GROUP,



Sun, et al.              Expires January 9, 2020               [Page 81]


Internet-Draft                    CCMIB                        July 2019


        NOTIFICATION-GROUP
            FROM SNMPv2-CONF                           -- FROM RFC 2580
        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY
            FROM SNMPv2-SMI                            -- FROM RFC 2578
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                    -- FROM RFC 3411
        RowStatus, TimeStamp
            FROM SNMPv2-TC;                            -- FROM RFC 2579

    ccKeyTransferPullMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Key Transfer Pull objects.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        ::= { ccKeyTransferPull 1 }

    -- *****************************************************************
    -- Key Transfer Pull Information Segments
    -- *****************************************************************

    cKeyTransferPullConformance  OBJECT IDENTIFIER
        ::= { ccKeyTransferPullMIB 1 }
    cKeyTransferPullScalars      OBJECT IDENTIFIER
        ::= { ccKeyTransferPullMIB 2 }
    cKeyTransferPullNotify       OBJECT IDENTIFIER
        ::= { ccKeyTransferPullMIB 3 }
    cCDMServerInfo               OBJECT IDENTIFIER



Sun, et al.              Expires January 9, 2020               [Page 82]


Internet-Draft                    CCMIB                        July 2019


        ::= { ccKeyTransferPullMIB 4 }
    cCDMDeliveryInfo             OBJECT IDENTIFIER
        ::= { ccKeyTransferPullMIB 5 }

    -- *****************************************************************
    -- Key Transfer Pull Scalars
    -- *****************************************************************

    cCDMServerRetryDelay  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The amount of time to wait after a download attempt to the
            Cryptographic Device Material (CDM) server fails before
            attempting to retry the operation. Note, this scalar applies
            to the download of any type of item from the CDM server
            (e.g., CDMs, CDMLs)."
        ::= { cKeyTransferPullScalars 1 }

    cCDMServerRetryMaxAttempts  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The amount of retries attempted before the download attempt
            to the Cryptographic Device Material (CDM) server is
            considered a failure. Note, this scalar applies to the
            download of any type of item from the CDM server (e.g.,
            CDMs, CDMLs)."
        ::= { cKeyTransferPullScalars 2 }

    cCDMPullRetrievalPriorities  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "An indication of which cryptographic device materials
            (CDMs) to retrieve based on this value and a configured
            cCDMDeliveryPriority in a cCDMDeliveryTable entry. This
            value identifies an upper bound. A value of '5' for example,
            implies that only cCDMDeliveryTable entries with a
            cCDMDeliveryPriority value of '5' or less can be acted upon
            (i.e., retrieved).

            Different types of ECUs may have different values for this
            scalar. Bandwidth-limited ECUs, for example, may configure
            lower values for only retrieving high-priority CDMs.



Sun, et al.              Expires January 9, 2020               [Page 83]


Internet-Draft                    CCMIB                        July 2019


            A value of 0, also a default value for this scalar,
            indicates that all cCDMDeliveryTable entries can be acted
            upon regardless of the configured cCDMDeliveryPriority
            value."
        DEFVAL {0}
        ::= { cKeyTransferPullScalars 3 }

    cCDMLDeliveryRequest OBJECT-TYPE
        SYNTAX      INTEGER { readyForDownload(1), downloadAndParse(2),
                              discard(3) }
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "This scalar controls the server's CDML download process -
            server information is stored in the cCDMServerTable. When
            read, it will return 'readyForDownload' if the last action
            succeeded. If the last action is in progress or failed, it
            will return the last requested action.

            The values which may be set depend on the current value of
            this object and the cCDMLDeliveryStatus object.

            In order to initiate a new download, this object must
            contain the value 'readyForDownload', and the
            cCDMLDeliveryStatus must contain the value 'complete'. At
            which point, setting this object to to 'downloadAndParse'
            initiates the CDML download process. Note, the
            cCDMLDeliveryStatus should transition to 'inProgress' at
            the device begins the CDML download process from the
            server(s) and URI(s) listed in the cCDMLServerTable (as
            ordered by the cCDMLServerPriority index).

            If the CDML download fails, the next highest priority URI
            will be tried, and so on.

            While a CDML download is in progress, or if the CDML
            download fails for all possible servers and URIs (indicated
            by a cCDMLDeliveryStatus value of 'downloadFailed'), this
            object will return an inconsistentValue error for any new
            value except 'discard' (which will cancel the current
            download).

            If the CDML download succeeded, the cCMDLDeliveryStatus
            value remains inProgress and the device attempts to parse
            the download immediately. During the parsing of the CDML,
            all new values will return inconsistentValue error (i.e.,
            the parse process can not be aborted). If the parse fails,
            the cCDMLDeliveryStatus will transition to 'parseFailed',



Sun, et al.              Expires January 9, 2020               [Page 84]


Internet-Draft                    CCMIB                        July 2019


            and this object must be set to 'discard' before a new CDML
            download is attempted."
        ::= { cKeyTransferPullScalars 4 }

    cCDMLDeliveryStatus OBJECT-TYPE
        SYNTAX      INTEGER { complete(1), inProgress(2),
                              downloadFailed(3),
                              parseFailed(4) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This indicates the current state of a CDML download.

            'complete' indicates that the last requested
            cCDMLDeliveryRequest action was successful.

            'inProgress' indicates that a CDML download or CDML parse is
            underway.

            'downloadFailed' indicates that the last attempted CDML
            download failed.

            'parseFailed' indicates that the last attempted CDML parse
            failed.

            The relationship between this object and
            cCDMLDeliveryRequest is detailed in the following table. The
            table indicates values of cCDMLDeliveryRequest that are
            allowed depending on the current value of this object.


 cCDMLDeliveryRequest!                 cCDMLDeliveryStatus
 --------------------+-----------+----------+--------------+------------
 !                   !  complete !inProgress!downloadFailed!parseFailed!
 --------------------+-----------+----------+--------------+------------
 ! readyForDownload  !  allowed  !  error   !    error     !   error   !
 --------------------+-----------+----------+--------------+------------
 ! downloadAndParse  !  allowed  !  error   !    error     !   error   !
 --------------------+-----------+----------+--------------+------------
 ! discard           !   error   ! allowed  !   allowed    !  allowed  !
 --------------------+-----------+----------+--------------+------------

            As described cCDMLDeliveryRequest description, an
            inconsistentValue error is returned."
        DEFVAL { complete }
        ::= { cKeyTransferPullScalars 5 }

    -- *****************************************************************



Sun, et al.              Expires January 9, 2020               [Page 85]


Internet-Draft                    CCMIB                        July 2019


    -- Key Transfer Pull Notifications
    -- *****************************************************************

    cCDMLPullReceiveSuccess  NOTIFICATION-TYPE
        OBJECTS     { cCDMServerURI }
        STATUS      current
        DESCRIPTION
            "An attempt to receive a cryptographic device material
            list (CDML) succeeded. The CDM server URI is provided with
            this notification."
        ::= { cKeyTransferPullNotify 1 }

    cCDMLPullReceiveFailed  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMServerURI,
                        cCDMLDeliveryStatus
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to receive a cryptographic device material
            list (CDML) has failed. The CDM server URI and CDML Delivery
            Status are provided with this notification. Note, the
            expected values for the CDML Delivery Status are:
            'downloadFailed' and 'parseFailed'."
        ::= { cKeyTransferPullNotify 2 }

    cCDMPullReceiveSuccess  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMType,
                        cCDMURI
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to receive a cryptographic device material (CDM)
            has succeeded. The CDM Type and CDM URI are provided with
            this notification."
        ::= { cKeyTransferPullNotify 3 }

    cCDMPullReceiveFailed  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMType,
                        cCDMURI
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to receive a cryptographic device material (CDM)
            has failed. The CDM Type and CDM URI are provided with this
            notification."



Sun, et al.              Expires January 9, 2020               [Page 86]


Internet-Draft                    CCMIB                        July 2019


        ::= { cKeyTransferPullNotify 4 }

    -- *****************************************************************
    -- CC MIB cCDMServerTable
    -- *****************************************************************

    cCDMServerTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The number of rows in the cCDMServerTable."
        ::= { cCDMServerInfo 1 }

    cCDMServerTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMServerInfo 2 }

    cCDMServerTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCDMServerEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table containing a list of servers that will be queried
            for available cryptographic device materials (CDMs), such as
            keys and firmware packages. This table is also used to
            obtain the cryptographic device material list (CDML), which
            is a list detailing available CDMs and their associated
            location for obtainment."
        ::= { cCDMServerInfo 3 }

    cCDMServerEntry  OBJECT-TYPE
        SYNTAX      CCDMServerEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a server that has



Sun, et al.              Expires January 9, 2020               [Page 87]


Internet-Draft                    CCMIB                        July 2019


            available CDMLs/CDMs for download."
        INDEX      { cCDMServerPriority }
        ::= { cCDMServerTable 1 }

    CCDMServerEntry  ::= SEQUENCE {
        cCDMServerPriority          Unsigned32,
        cCDMServerURI               OCTET STRING,
        cCDMServerAdditionalInfo    SnmpAdminString,
        cCDMServerRowStatus         RowStatus
    }

    cCDMServerPriority  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A unique numeric index that identifies a server that has
            available CDMLs/CDMs for download. This index also provides
            server prioritization functionality - lower values have a
            higher priority. For example, the server with the lowest
            value will be the first server for CDML/CDM downloads. In
            the event of failure, the next lowest value server will be
            tried, and so on.

            This column is the sole index to the cCDMServerTable."
        ::= { cCDMServerEntry 1 }

    cCDMServerURI  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The location of the server that has available CDMLs/CDMs
            for download. The value in this column is represented as a
            URI.

            Note, download of a CDML will typically result in the
            population of new CDM entries in the cCDMDeliveryTable."
        ::= { cCDMServerEntry 2 }

    cCDMServerAdditionalInfo  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Additional information about the CDM server. This
            information is manually configured by the manager both at or
            after row creation."



Sun, et al.              Expires January 9, 2020               [Page 88]


Internet-Draft                    CCMIB                        July 2019


        ::= { cCDMServerEntry 3 }

    cCDMServerRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this column have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo,
            active, and destroy management functions. Support for
            createAndWait, notInService, and notReady management
            functions is optional."
        ::= { cCDMServerEntry 4 }

    -- *****************************************************************
    -- CC MIB cCDMDeliveryTable
    -- *****************************************************************

    cCDMDeliveryTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
             "The number of rows in the cCDMDeliveryTable."
        ::= { cCDMDeliveryInfo 1 }

    cCDMDeliveryTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMDeliveryInfo 2 }

    cCDMDeliveryTable  OBJECT-TYPE



Sun, et al.              Expires January 9, 2020               [Page 89]


Internet-Draft                    CCMIB                        July 2019


        SYNTAX      SEQUENCE OF CCDMDeliveryEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table storing information about cryptographic device
            materials (CDMs) that are ready/available for retrieval.
            Entries in this table are typically automatically configured
            by the device after a server query. Entries can also be
            manually configured by a manager if the location of the CDM
            is predetermined."
        ::= { cCDMDeliveryInfo 3 }

    cCDMDeliveryEntry  OBJECT-TYPE
        SYNTAX      CCDMDeliveryEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a specific cryptographic
            device material (CDM) available for download."
        INDEX      { cCDMType, cCDMURI }
        ::= { cCDMDeliveryTable 1 }

    CCDMDeliveryEntry  ::= SEQUENCE {
        cCDMType                INTEGER,
        cCDMURI                 OCTET STRING,
        cCDMPackageSize         Unsigned32,
        cCDMAdditionalInfo      SnmpAdminString,
        cCDMLastDownloadDate    OCTET STRING,
        cCDMDeliveryPriority    Unsigned32,
        cCDMDeliveryRequest     INTEGER,
        cCDMDeliveryStatus      INTEGER,
        cCDMDeliveryRowStatus   RowStatus
    }

    cCDMType  OBJECT-TYPE
        SYNTAX      INTEGER { notification(1), symmetricKey(2),
                              asymmetricKey(3), certificate(4),
                              cklOrCrl(5), firmware(6) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The type of the cryptographic device material (CDM) that
            can be retrieved from a CDM server:

            [notification]  = CDM is a notification providing
                              status/information for a particular
                              (other) CDM
            [symmetricKey]  = CDM is a symmetric key



Sun, et al.              Expires January 9, 2020               [Page 90]


Internet-Draft                    CCMIB                        July 2019


            [asymmetricKey] = CDM is a non-certificate asymmetric key
            [certificate]   = CDM is a certificate
            [cklOrCrl]      = CDM is a compromised key list or
                              certificate revocation list
            [firmware]      = CDM is a firmware package"
        ::= { cCDMDeliveryEntry 1 }

    cCDMURI  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(1..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The location of the cryptographic device material (CDM),
            represented in a URI format. Because of its type, the
            associated URI of the CDM Server can easily be derived.

            This column is typically populated by an agent upon querying
            a CDM Server (e.g., downloading and parsing a cryptographic
            device material list (CDML) from a CDM Server (entry in the
            cCDMServerTable)). However, a manager can also configure an
            entry in this table with predetermined knowledge of the CDM
            location."
        ::= { cCDMDeliveryEntry 2 }

    cCDMPackageSize  OBJECT-TYPE
        SYNTAX      Unsigned32
        UNITS       "bytes"
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The package size, in bytes, of the cryptographic device
            material (CDM). This information is retrieved from a
            cryptographic device material list (CDML) or a server's
            product availability response following a query. This column
            does not apply to notifications found in CDMLs."
        ::= { cCDMDeliveryEntry 3 }

    cCDMAdditionalInfo  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Additional information about the cryptographic device
            material (CDM). This information can be retrieved from the
            downloaded cryptographic device material list (CDML) or
            manually configured by the manager both at or after row
            creation."
        ::= { cCDMDeliveryEntry 4 }



Sun, et al.              Expires January 9, 2020               [Page 91]


Internet-Draft                    CCMIB                        July 2019


    cCDMLastDownloadDate  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(14))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "This is a 14 character field that will be populated with
            the following values depending on the state of the download
            and the CDM type.

            1. The date and time (expressed as Generalized Time) when
               the device last successfully downloaded the CDM from the
               CDM Server. The format follows:  'yyyymmddhhmmss'  where
                'yyyy' - year
                'mm' - month (first 'mm's from left to right)
                'dd' - day
                'hh' - hour
                'mm' - minutes (second 'mm's from left to right)
                'ss' - seconds

            2. All zero characters for the following cases.
                a. No indication that device has successfully downloaded
                   the CDM.
                b. The cCDMType is a notification."
        ::= { cCDMDeliveryEntry 5 }

    cCDMDeliveryPriority  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A configurable priority value on the cryptographic device
            material (CDM). This column is a means to allow certain key
            products to be downloaded before others. Lower values have a
            higher priority (e.g., a value of 1 will be processed before
            a value of 2)."
        ::= { cCDMDeliveryEntry 6 }

    cCDMDeliveryRequest  OBJECT-TYPE
        SYNTAX     INTEGER { downloadAndInstall(1), downloadAndStore(2),
                             discard(3) }
        MAX-ACCESS read-create
        STATUS     current
        DESCRIPTION
            "This object signals the local device to perform actions on
            the available cryptographic device materials (CDMs) from a
            CDM server. The following types of actions are supported:

            [downloadAndInstall] = Initiates a download of a CDM. After



Sun, et al.              Expires January 9, 2020               [Page 92]


Internet-Draft                    CCMIB                        July 2019


            a successful download, the CDM will be installed for local
            consumption and an entry is to be configured in the
            appropriate MIB table based on cCDMType:

            cCDMType          |  MIB Table Destination
            -------------------------------------
            (1) notification  |  N/A
            (2) symmetricKey  |  cSymmetricKeyTable
            (3) asymmetricKey |  cAsymKeyTable
            (4) certificate   |  cAsymKeyTable
            (5) cklOrCrl      |  cCKLTable
            (6) firmware      |  cFirmwareInformationTable

            [downloadAndStore] = Initiates a download of the CDM. After
            a successful download, an entry is created in the
            cCDMStoreTable to store the CDM.

            [discard] = Stops the current CDM delivery request and
            discards the CDM if potentially downloaded; this reverts the
            current value of the cCDMDeliveryStatus to 'complete'. If
            entries are created in the aforementioned tables for the
            install and store operations, these newly configured entries
            will be removed.

            The enumeration value of 'downloadAndStore' does not apply
            when cCDMType is set to 'notification'. 'downloadAndInstall'
            is used for a cCDMType of 'notification'.

            If this column is configured to any value except 'discard'
            while the value of cCDMDeliveryStatus is any value except
            'complete', the SNMP set operation must result in an
            inconsistentValue exception. The same applies if 'discard'
            is configured while the value cCDMDeliveryStatus is
            'complete'."
        ::= { cCDMDeliveryEntry 7 }

    cCDMDeliveryStatus  OBJECT-TYPE
        SYNTAX     INTEGER { complete(1), inProgress(2),
                             downloadFailed(3), installFailed(4),
                             storeFailed(5) }
        MAX-ACCESS read-only
        STATUS     current
        DESCRIPTION
            "The status of the cryptographic device material (CDM)
            delivery operation. The following status values are
            supported:

            [complete] = The default state where the local device is



Sun, et al.              Expires January 9, 2020               [Page 93]


Internet-Draft                    CCMIB                        July 2019


            ready to start a delivery request for the CDM. Between
            requests this state can only be reached after successful
            operations or if cCDMDeliveryRequest is set to 'discard'
            during an operation.

            [inProgress] = This state is reached when the device is
            either currently performing a download of the CDM or
            configuring appropriate MIB tables conveying installation or
            storage of key material.

            [downloadFailed] = This state is reached after a failure
            occurs during a download of a CDM when cCDMDeliveryRequest
            was configured to either 'downloadAndStore' or
            'downloadAndInstall'.

            [installFailed] = This state is reached after a failure
            occurs during the install of the downloaded CDM when
            cCDMDeliveryRequest was configured to 'downloadAndInstall'.

            [storeFailed] = This state is reached after a failure
            occurs during the store of the downloaded CDM when
            cCDMDeliveryRequest was configured to 'downloadAndStore'."
        ::= { cCDMDeliveryEntry 8 }

    cCDMDeliveryRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this column have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo,
            active, and destroy management functions. Support for
            createAndWait, notInService, and notReady management
            functions is optional."
        ::= { cCDMDeliveryEntry 9 }

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cKeyTransferPullCompliances        OBJECT IDENTIFIER
        ::= { cKeyTransferPullConformance 1}



Sun, et al.              Expires January 9, 2020               [Page 94]


Internet-Draft                    CCMIB                        July 2019


    cKeyTransferPullGroups             OBJECT IDENTIFIER
        ::= { cKeyTransferPullConformance 2}

    cKeyTransferPullCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for key transfer pull information."
        MODULE
        MANDATORY-GROUPS {
                           cKeyTransferPullServerGroup,
                           cKeyTransferPullDeliveryGroup
                         }

        GROUP cKeyTransferPullDeliveryNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cCDMDeliveryRequest
        SYNTAX INTEGER { downloadAndInstall(1), discard(3) }
        DESCRIPTION
            "Implementation of this enumeration value(s) is mandatory -
            enumeration values not listed here are optional."

        OBJECT cCDMDeliveryStatus
        SYNTAX INTEGER { complete(1), inProgress(2), downloadFailed(3),
                         installFailed(4) }
        DESCRIPTION
            "Implementation of this enumeration value(s) is mandatory -
            enumeration values not listed here are optional."
        ::= { cKeyTransferPullCompliances  1 }

    cKeyTransferPullServerGroup OBJECT-GROUP
        OBJECTS {
                  cCDMServerRetryDelay,
                  cCDMServerRetryMaxAttempts,
                  cCDMServerTableCount,
                  cCDMServerTableLastChanged,
                  cCDMServerURI,
                  cCDMServerAdditionalInfo,
                  cCDMServerRowStatus
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to server
            information."
        ::= { cKeyTransferPullGroups 1 }

    cKeyTransferPullDeliveryGroup OBJECT-GROUP



Sun, et al.              Expires January 9, 2020               [Page 95]


Internet-Draft                    CCMIB                        July 2019


        OBJECTS {
                  cCDMPullRetrievalPriorities,
                  cCDMLDeliveryRequest,
                  cCDMLDeliveryStatus,
                  cCDMDeliveryTableCount,
                  cCDMDeliveryTableLastChanged,
                  cCDMDeliveryTableLastChanged,
                  cCDMType,
                  cCDMURI,
                  cCDMPackageSize,
                  cCDMAdditionalInfo,
                  cCDMLastDownloadDate,
                  cCDMDeliveryPriority,
                  cCDMDeliveryRequest,
                  cCDMDeliveryStatus,
                  cCDMDeliveryRowStatus
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to delivery
            information."
        ::= { cKeyTransferPullGroups 2 }

    cKeyTransferPullDeliveryNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cCDMLPullReceiveSuccess,
                        cCDMLPullReceiveFailed,
                        cCDMPullReceiveSuccess,
                        cCDMPullReceiveFailed
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to delivery
            information."
        ::= { cKeyTransferPullGroups 3 }

    END

5.6.  Key Transfer Push

   This MIB module makes reference to following documents: [RFC2578],
   [RFC2579], [RFC2580], and [RFC3411].

    CC-KEY-TRANSFER-PUSH-MIB  DEFINITIONS  ::=  BEGIN

    IMPORTS
        ccKeyTransferPush
            FROM CC-FEATURE-HIERARCHY-MIB              -- FROM Sec 5.2



Sun, et al.              Expires January 9, 2020               [Page 96]


Internet-Draft                    CCMIB                        July 2019


        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY
            FROM SNMPv2-SMI                            -- FROM RFC 2578
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                    -- FROM RFC 3411
        RowPointer, RowStatus, DateAndTime,
        TimeStamp
            FROM SNMPv2-TC                             -- FROM RFC 2579
        MODULE-COMPLIANCE, OBJECT-GROUP,
        NOTIFICATION-GROUP
            FROM SNMPv2-CONF;                          -- FROM RFC 2580

    ccKeyTransferPushMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Key Transfer Push object.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        ::= { ccKeyTransferPush 1 }

    -- *****************************************************************
    -- Key Transfer Push Information Segments
    -- *****************************************************************

    cCDMPushDestInfo  OBJECT IDENTIFIER
        ::= { ccKeyTransferPushMIB 1 }
    cCDMTransferPkgInfo  OBJECT IDENTIFIER
        ::= { ccKeyTransferPushMIB 2 }
    cCDMPushSrcInfo  OBJECT IDENTIFIER



Sun, et al.              Expires January 9, 2020               [Page 97]


Internet-Draft                    CCMIB                        July 2019


        ::= { ccKeyTransferPushMIB 3 }
    cKeyTransferPushScalars  OBJECT IDENTIFIER
        ::= { ccKeyTransferPushMIB 4 }
    cKeyTransferPushNotify  OBJECT IDENTIFIER
        ::= { ccKeyTransferPushMIB 5 }
    cKeyTransferPushConformance  OBJECT IDENTIFIER
        ::= { ccKeyTransferPushMIB 6 }

    -- *****************************************************************
    -- Key Transfer Push Scalars
    -- *****************************************************************

    cCDMTransferDelay  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The number of seconds to wait after a Cryptographic Device
            Material (CDM) transfer attempt initiated by the sender
            fails before attempting to retry the operation."
        ::= { cKeyTransferPushScalars 1 }

    cCDMTransferMaxAttempts  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The amount of retries attempted before giving up on a
            device due to consecutive Cryptographic Device Material
            (CDM) transfer failures."
        ::= { cKeyTransferPushScalars 2 }

    -- *****************************************************************
    -- Key Transfer Push Notifications
    -- *****************************************************************

    cCDMPushSendSuccess  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMPushDestAddressLocationType,
                        cCDMPushDestAddressLocation,
                        cCDMPushDestTransferType,
                        cCDMPushDestPackageSelection
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to send CDM, identified by CDM push transfer
            information (cCDMPushDestTable row data), has succeeded."
        ::= { cKeyTransferPushNotify 1 }



Sun, et al.              Expires January 9, 2020               [Page 98]


Internet-Draft                    CCMIB                        July 2019


    cCDMPushReceiveSuccess  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMPushSrcAddrLocationType,
                        cCDMPushSrcAddrLocation,
                        cCDMPushSrcTransferType
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to receive key material, identified by CDM push
            transfer information (cCDMPushSrcTable row data), has
            succeeded."
        ::= { cKeyTransferPushNotify 2 }

    cCDMPushReceiveFail  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMPushSrcAddrLocationType,
                        cCDMPushSrcAddrLocation,
                        cCDMPushSrcTransferType
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to receive key material via a Push operation,
            identified by the Sender Address and Transfer Type has
            failed."
        ::= { cKeyTransferPushNotify 3 }

    cCDMPushSendFail  NOTIFICATION-TYPE
        OBJECTS     {
                        cCDMPushDestAddressLocationType,
                        cCDMPushDestAddressLocation,
                        cCDMPushDestTransferType,
                        cCDMPushDestPackageSelection
                    }
        STATUS      current
        DESCRIPTION
            "An attempt to send key material, identified by the
            Recipient Address and Transfer Type, has failed."
        ::= { cKeyTransferPushNotify 4 }

    -- *****************************************************************
    -- CC MIB cCDMPushDestTable
    -- *****************************************************************

    cCDMPushDestTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020               [Page 99]


Internet-Draft                    CCMIB                        July 2019


            "The number of rows in the cCDMPushDestTable."
        ::= { cCDMPushDestInfo 1 }

    cCDMPushDestTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMPushDestInfo 2 }

    cCDMPushDestTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCDMPushDestEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table that provides the necessary information a sender
            needs to initiate a Cryptographic Device Material (CDM) send
            to a receiving device."
        ::= { cCDMPushDestInfo 3 }

    cCDMPushDestEntry  OBJECT-TYPE
        SYNTAX      CCDMPushDestEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information for a Cryptographic Device
            Material (CDM) transfer to a receiving device."
        INDEX      { cCDMPushDestIndex }
        ::= { cCDMPushDestTable 1 }

    CCDMPushDestEntry  ::= SEQUENCE {
        cCDMPushDestIndex               Unsigned32,
        cCDMPushDestTransferType        INTEGER,
        cCDMPushDestAddressLocationType INTEGER,
        cCDMPushDestAddressLocation     OCTET STRING,
        cCDMPushDestTransferTime        DateAndTime,
        cCDMPushDestPackageSelection    SnmpAdminString,
        cCDMPushDestRowStatus           RowStatus
    }




Sun, et al.              Expires January 9, 2020              [Page 100]


Internet-Draft                    CCMIB                        July 2019


    cCDMPushDestIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A numeric index that identifies a unique location in this
            table."
        ::= { cCDMPushDestEntry 1 }

    cCDMPushDestTransferType  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..32))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The transfer mechanism or protocol used by the sender to
            execute the Cryptographic Device Material (CDM) transfer."
        ::= { cCDMPushDestEntry 2 }

    cCDMPushDestAddressLocationType  OBJECT-TYPE
        SYNTAX      INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Enumeration indicating the type of address location."
        ::= { cCDMPushDestEntry 3 }

    cCDMPushDestAddressLocation  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Location of the receiver. The syntax allows a URI or an IP
            address to be configured."
        ::= { cCDMPushDestEntry 4 }

    cCDMPushDestTransferTime  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A valid date and time value populated in this object will
            automatically initiate the transfer at the value specified.

            To initiate an immediate transfer the following
            configuration is used: '0' for the year field, '1' for the
            month field, '1' for the day field, '-' for the direction
            from UTC field, and '0' for all other fields. This
            configuration is displayed as '0-1-1,00:00:00.0,-0:0'. Note



Sun, et al.              Expires January 9, 2020              [Page 101]


Internet-Draft                    CCMIB                        July 2019


            that if the timezone fields are not used then the displayed
            value is as follows: '0-1-1,00:00:00.0'. The timezone
            fields are the direction from UTC, hours from UTC, and
            minutes from UTC."
        ::= { cCDMPushDestEntry 5 }

    cCDMPushDestPackageSelection  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A reference string that points to the key material(s) to
            transfer. This column may reference one entry (e.g., an
            entry in the cCDMStoreTable) or multiple entries (e.g.,
            multiple entries in the cCDMTransferPkgTable). This object
            defines all the items in the package that will be sent."
        ::= { cCDMPushDestEntry 6 }

    cCDMPushDestRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this column have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo,
            active, and destroy management functions. Support for
            createAndWait, notInService, and notReady management
            functions is optional."
        ::= { cCDMPushDestEntry 7 }

    -- *****************************************************************
    -- CC MIB cCDMTransferPkgTable
    -- *****************************************************************

    cCDMTransferPkgTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCDMTransferPkgTable."
        ::= { cCDMTransferPkgInfo 1 }




Sun, et al.              Expires January 9, 2020              [Page 102]


Internet-Draft                    CCMIB                        July 2019


    cCDMTransferPkgTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMTransferPkgInfo 2 }

    cCDMTransferPkgTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCDMTransferPkgEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The table for configuring single or multiple Cryptographic
            Device Material (CDM) in a package that can be transferred
            on a send operation. Entries in this table are referenced by
            the cCDMPushDestPackageSelection column."
        ::= { cCDMTransferPkgInfo 3 }

    cCDMTransferPkgEntry  OBJECT-TYPE
        SYNTAX      CCDMTransferPkgEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about a package used on a send
            operation."
        INDEX      { cCDMTransferPkgLabel, cCDMTransferPkgIndex }
        ::= { cCDMTransferPkgTable 1 }

    CCDMTransferPkgEntry  ::= SEQUENCE {
        cCDMTransferPkgLabel            SnmpAdminString,
        cCDMTransferPkgIndex            Unsigned32,
        cCDMTransferPkgLocatorRowPtr    RowPointer,
        cCDMTransferPkgRowStatus        RowStatus
    }

    cCDMTransferPkgLabel  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020              [Page 103]


Internet-Draft                    CCMIB                        July 2019


            "An administrative name that identifies a package within
            this table. cCDMTransferPkgLabel and cCDMTransferPkgIndex
            serve as indexes of this table."
        ::= { cCDMTransferPkgEntry 1 }

    cCDMTransferPkgIndex  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An administrative way of creating a unique row within this
            table. This value shows the position of a given item within
            this package designated by cCDMTransferPkgLabel.
            cCDMTransferPkgLabel and cCDMTransferPkgIndex serve as
            indexes of this table."
        ::= { cCDMTransferPkgEntry 2 }

    cCDMTransferPkgLocatorRowPtr  OBJECT-TYPE
        SYNTAX      RowPointer
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A RowPointer that points to a unique entry in the table
            containing the necessary Cryptographic Device Material (CDM)
            for transfer. For example, referencing a key in the
            cSymmetricKeyTable, the value in this column contains the
            pointer to the appropriate row in the cSymmetricKeyTable."
        ::= { cCDMTransferPkgEntry 3 }

    cCDMTransferPkgRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this column have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo,
            active, and destroy management functions. Support for
            createAndWait, notInService, and notReady management
            functions is optional."
        ::= { cCDMTransferPkgEntry 4 }

    -- *****************************************************************



Sun, et al.              Expires January 9, 2020              [Page 104]


Internet-Draft                    CCMIB                        July 2019


    -- CC MIB cCDMPushSrcTable
    -- *****************************************************************

    cCDMPushSrcTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cCDMPushSrcTable."
        ::= { cCDMPushSrcInfo 1 }

    cCDMPushSrcTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cCDMPushSrcInfo 2 }

    cCDMPushSrcTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CCDMPushSrcEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This table provides the list of authorized senders that
            this receiving device will accept Cryptographic Device
            Material (CDM) transfers from. Servers for the
            cCDMServerTable are not listed in this table since this
            table is specific for the Push Model."
        ::= { cCDMPushSrcInfo 3 }

    cCDMPushSrcEntry  OBJECT-TYPE
        SYNTAX      CCDMPushSrcEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing information about an authorized sender
            that this receiving device will accept."
        INDEX      { cCDMPushSrcSenderName, cCDMPushSrcTransferType }
        ::= { cCDMPushSrcTable 1 }




Sun, et al.              Expires January 9, 2020              [Page 105]


Internet-Draft                    CCMIB                        July 2019


    CCDMPushSrcEntry  ::= SEQUENCE {
        cCDMPushSrcSenderName       SnmpAdminString,
        cCDMPushSrcTransferType     SnmpAdminString,
        cCDMPushSrcAddrLocationType INTEGER,
        cCDMPushSrcAddrLocation     OCTET STRING,
        cCDMPushSrcRowStatus        RowStatus
    }

    cCDMPushSrcSenderName  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An administrative string for an authorized sender.
            cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as
            indexes of this table."
        ::= { cCDMPushSrcEntry 1 }

    cCDMPushSrcTransferType  OBJECT-TYPE
        SYNTAX      SnmpAdminString (SIZE(1..32))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Analogous to cCDMPushDestTransferType. The transfer
            mechanism or protocol used by the receiver to receive the
            Cryptographic Device Material (CDM) transfer.

            cCDMPushSrcSenderName and cCDMPushSrcTransferType serve as
            indexes of this table."
        ::= { cCDMPushSrcEntry 2 }

    cCDMPushSrcAddrLocationType  OBJECT-TYPE
        SYNTAX      INTEGER { ipv4(1), ipv6(2), uri(3), other(4) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Enumeration indicating the type of address location
            (values: ipv4, ipv6 or uri)."
        ::= { cCDMPushSrcEntry 3 }

    cCDMPushSrcAddrLocation  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Location of the authorized sender."
        ::= { cCDMPushSrcEntry 4 }




Sun, et al.              Expires January 9, 2020              [Page 106]


Internet-Draft                    CCMIB                        July 2019


    cCDMPushSrcRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this column have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo,
            active, and destroy management functions. Support for
            createAndWait, notInService, and notReady management
            functions is optional."
        ::= { cCDMPushSrcEntry 5 }

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cKeyTransferPushCompliances  OBJECT IDENTIFIER
        ::= { cKeyTransferPushConformance 1}

    cKeyTransferPushGroups  OBJECT IDENTIFIER
        ::= { cKeyTransferPushConformance 2}

    cKeyTransferPushSenderCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for sender information."
        MODULE
        MANDATORY-GROUPS { cKeyTransferPushSenderGroup }

        GROUP cKeyTransferPushSenderNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cCDMTransferDelay
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."

        OBJECT cCDMTransferMaxAttempts
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."



Sun, et al.              Expires January 9, 2020              [Page 107]


Internet-Draft                    CCMIB                        July 2019


        ::= { cKeyTransferPushCompliances  1 }

    cKeyTransferPushReceiverCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for receiver information."
        MODULE
        MANDATORY-GROUPS { cKeyTransferPushReceiverGroup }

        GROUP cKeyTransferPushReceiverNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cKeyTransferPushCompliances  2 }

    cKeyTransferPushSenderGroup OBJECT-GROUP
        OBJECTS {
                  cCDMTransferDelay,
                  cCDMTransferMaxAttempts,
                  cCDMPushDestTableCount,
                  cCDMPushDestTableLastChanged,
                  cCDMPushDestTransferType,
                  cCDMPushDestAddressLocationType,
                  cCDMPushDestAddressLocation,
                  cCDMPushDestTransferTime,
                  cCDMPushDestPackageSelection,
                  cCDMPushDestRowStatus,
                  cCDMTransferPkgTableCount,
                  cCDMTransferPkgTableLastChanged,
                  cCDMTransferPkgLocatorRowPtr,
                  cCDMTransferPkgRowStatus
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to sender
            information."
        ::= { cKeyTransferPushGroups 1 }

    cKeyTransferPushReceiverGroup OBJECT-GROUP
        OBJECTS {
                  cCDMPushSrcTableCount,
                  cCDMPushSrcTableLastChanged,
                  cCDMPushSrcTransferType,
                  cCDMPushSrcAddrLocationType,
                  cCDMPushSrcAddrLocation,
                  cCDMPushSrcRowStatus
                }
        STATUS current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020              [Page 108]


Internet-Draft                    CCMIB                        July 2019


            "This group is composed of objects related to receiver
            information."
        ::= { cKeyTransferPushGroups 2 }

    cKeyTransferPushSenderNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cCDMPushSendSuccess,
                        cCDMPushSendFail
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to sender
            information."
        ::= { cKeyTransferPushGroups 3 }

    cKeyTransferPushReceiverNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cCDMPushReceiveSuccess,
                        cCDMPushReceiveFail
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to receiver
            information."
        ::= { cKeyTransferPushGroups 4 }

    END

5.7.  Security Policy Information

   This module makes reference to: Section 5.2, [RFC2578], [RFC2579],
   [RFC2580], and {RFC3411}}.

    CC-SECURE-POLICY-INFO-MIB  DEFINITIONS  ::=  BEGIN

    IMPORTS
        ccSecurePolicyInfo
            FROM CC-FEATURE-HIERARCHY-MIB              -- FROM Sec 5.2
        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY
            FROM SNMPv2-SMI                            -- FROM RFC 2578
        MODULE-COMPLIANCE, OBJECT-GROUP,
        NOTIFICATION-GROUP
            FROM SNMPv2-CONF                           -- FROM RFC 2580
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                    -- FROM RFC 3411
        RowStatus, TimeStamp
            FROM SNMPv2-TC;                            -- FROM RFC 2579



Sun, et al.              Expires January 9, 2020              [Page 109]


Internet-Draft                    CCMIB                        July 2019


    ccSecurePolicyInfoMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Security Policy Information
            objects.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        ::= { ccSecurePolicyInfo 1 }

    -- *****************************************************************
    -- Secure Policy Info Information Segments
    -- *****************************************************************

    cSecurePolicyConformance  OBJECT IDENTIFIER
        ::= { ccSecurePolicyInfoMIB 1 }
    cSecPolicyRuleInfo  OBJECT IDENTIFIER
        ::= { ccSecurePolicyInfoMIB 2 }
    cSecurePolicyInfoScalars  OBJECT IDENTIFIER
        ::= { ccSecurePolicyInfoMIB 3 }
    cSecurePolicyInfoNotify OBJECT IDENTIFIER
        ::= { ccSecurePolicyInfoMIB 4 }

    -- *****************************************************************
    -- Secure Policy Info Scalars
    -- *****************************************************************

    -- *****************************************************************
    -- Secure Policy Info Notifications
    -- *****************************************************************



Sun, et al.              Expires January 9, 2020              [Page 110]


Internet-Draft                    CCMIB                        July 2019


    cSecPolicyChanged  NOTIFICATION-TYPE
        OBJECTS     {
                        cSecPolicyRulePriorityID,
                        cSecPolicyRuleDescription
                    }
        STATUS      current
        DESCRIPTION
            "A notification indicating that an existent Security Policy
            entry in the cSecPolicyRuleTable in has changed."
        ::= { cSecurePolicyInfoNotify 1 }

    -- *****************************************************************
    -- CC MIB cSecPolicyRuleTable
    -- *****************************************************************

    cSecPolicyRuleTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cSecPolicyRuleTable."
        ::= { cSecPolicyRuleInfo 1 }

    cSecPolicyRuleTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent
            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cSecPolicyRuleInfo 2 }

    cSecPolicyRuleTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CSecPolicyRuleEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The cSecPolicyRuleTable stores the Security Policy Rules
            that are compared against inbound and outbound data traffic
            flow. These Security Policy Rules define the actions (e.g.,
            protect, bypass, discard) on how the data traffic flow
            should be treated."



Sun, et al.              Expires January 9, 2020              [Page 111]


Internet-Draft                    CCMIB                        July 2019


        ::= { cSecPolicyRuleInfo 3 }

    cSecPolicyRuleEntry  OBJECT-TYPE
        SYNTAX      CSecPolicyRuleEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
             "A row containing general information about a Security
             Policy rule."
        INDEX      { cSecPolicyRulePriorityID }
        ::= { cSecPolicyRuleTable 1 }

    CSecPolicyRuleEntry  ::= SEQUENCE {
        cSecPolicyRulePriorityID        Unsigned32,
        cSecPolicyRuleDescription       OCTET STRING,
        cSecPolicyRuleType              INTEGER,
        cSecPolicyRuleFilterReference   SnmpAdminString,
        cSecPolicyRuleAction            INTEGER,
        cSecPolicyRuleRowStatus         RowStatus
    }

    cSecPolicyRulePriorityID  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Local unique index that identifies the priority at which
            this Security Policy rule is applied. Lower values have a
            higher priority (e.g., a value of 1 will be processed before
            a value of 2). This column is the primary index to the
            cSecPolicyRuleTable."
        ::= { cSecPolicyRuleEntry 1 }

    cSecPolicyRuleDescription  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "An administrative string describing the Security Policy
            rule. Note, this is a free form OCTET STRING that provides
            the user a store for any form of description/documentation
            for the given entry."
        ::= { cSecPolicyRuleEntry 2 }

    cSecPolicyRuleType  OBJECT-TYPE
        SYNTAX      INTEGER { ipsec(1), tls(2), macsec(3) }
        MAX-ACCESS  read-create
        STATUS      current



Sun, et al.              Expires January 9, 2020              [Page 112]


Internet-Draft                    CCMIB                        July 2019


        DESCRIPTION
            "Optional column that defines the related protocol type of
            the Security Policy rule. Depending on this column's set
            value, entries will vary in respect to which other
            columns/tables (if at all) must be populated to fully
            configure the Security Policy rule."
        ::= { cSecPolicyRuleEntry 3 }

    cSecPolicyRuleFilterReference  OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "A string that references the associated filter for the
            Security Policy rule. Data traffic flow (inbound/outbound)
            comparison against the associated filter provide the basis
            in which a Security Policy rule is applied to the given data
            traffic flow."
        ::= { cSecPolicyRuleEntry 4 }

    cSecPolicyRuleAction  OBJECT-TYPE
        SYNTAX      INTEGER { protect(1), bypass(10), discard(20),
                              discardInbound(21), discardOutbound(22) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "This object indicates what action the ECU should take on
            matching a data traffic flow against a filter (as defined by
            cSecPolicyRuleFilterReference). The value of this column can
            take one of four enumeration values.

            [1] protect: The 'protect' enumeration value indicates that
            the data traffic flow should be protected by a Secure
            Connection with attributes defined by the associated filter
            (cSecPolicyRuleFilterReference).

            [10] bypass: The 'bypass' enumeration value indicates that
            the data traffic flow should be bypassed with no
            cryptographic protection/services provided.

            [20] discard: The 'discard enumeration value indicates that
            the data traffic flow, agnostic of their direction, should
            be discarded.

            [21] discardInbound: The 'discardInbound' enumeration value
            indicates that an inbound data traffic flow should be
            discarded.




Sun, et al.              Expires January 9, 2020              [Page 113]


Internet-Draft                    CCMIB                        July 2019


            [22] discardOutbound: The 'discardOutbound' enumeration
            value indicates that an outbound data traffic flow should be
            discarded.

            Implementations that do not support the 'discardInbound' and
            'discardOutbound' enumeration values should return a
            wrongValue exception during a SET to the
            cSecPolicyRuleAction object.

            A valid enumeration value must be specified in order for
            cSecPolicyRuleRowStatus to be 'active'."
        ::= { cSecPolicyRuleEntry 5 }

    cSecPolicyRuleRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created,
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this table have valid
            values, as detailed by each individual column's description.

            At a minimum, implementations must support createAndGo and
            destroy management functions. Support for createAndWait,
            active, notInService, and notReady management functions is
            optional."
        ::= { cSecPolicyRuleEntry 6 }

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cSecurePolicyCompliances  OBJECT IDENTIFIER
        ::= { cSecurePolicyConformance 1 }

    cSecurePolicyGroups  OBJECT IDENTIFIER
        ::= { cSecurePolicyConformance 2 }

    cSecurePolicyCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for secure policy information."
        MODULE
        MANDATORY-GROUPS { cSecurePolicyGroup }




Sun, et al.              Expires January 9, 2020              [Page 114]


Internet-Draft                    CCMIB                        July 2019


        GROUP cSecurePolicyNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."
        ::= { cSecurePolicyCompliances  1 }

    cSecurePolicyGroup OBJECT-GROUP
        OBJECTS {
                    cSecPolicyRuleTableCount,
                    cSecPolicyRuleTableLastChanged,
                    cSecPolicyRulePriorityID,
                    cSecPolicyRuleDescription,
                    cSecPolicyRuleType,
                    cSecPolicyRuleFilterReference,
                    cSecPolicyRuleAction,
                    cSecPolicyRuleRowStatus
                }
        STATUS current
        DESCRIPTION
            "This group is composed of objects related to secure policy
            information."
        ::= { cSecurePolicyGroups 1 }

    cSecurePolicyNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cSecPolicyChanged
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to secure
            policy information."
        ::= { cSecurePolicyGroups 2 }

    END

5.8.  Secure Connection Information

   This module makes reference to: Section 5.2, [RFC2578], [RFC2579],
   [RFC2580], [RFC3411], and [RFC4303].

    CC-SECURE-CONNECTION-INFO-MIB  DEFINITIONS  ::=  BEGIN

    IMPORTS
        ccSecureConnectionInfo
            FROM CC-FEATURE-HIERARCHY-MIB             -- FROM Sec 5.2
        OBJECT-TYPE, Unsigned32, NOTIFICATION-TYPE,
        MODULE-IDENTITY
            FROM SNMPv2-SMI                           -- FROM RFC 2578
        MODULE-COMPLIANCE, OBJECT-GROUP,



Sun, et al.              Expires January 9, 2020              [Page 115]


Internet-Draft                    CCMIB                        July 2019


        NOTIFICATION-GROUP
            FROM SNMPv2-CONF                          -- FROM RFC 2580
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB                   -- FROM RFC 3411
        RowStatus, DateAndTime, TimeStamp
            FROM SNMPv2-TC;                           -- FROM RFC 2579

    ccSecureConnectionInfoMIB  MODULE-IDENTITY
        LAST-UPDATED  "201609302154Z"
        ORGANIZATION  "CCMIB CCB"
        CONTACT-INFO
            "CC MIB Configuration Control Board
             Email: CCMIB.CCB@us.af.mil"
        DESCRIPTION
            "This MIB defines the CC MIB Secure Connection Information
            objects.

            Copyright (c) 2019 IETF Trust and the persons
            identified as authors of the code.  All rights reserved.

            Redistribution and use in source and binary forms, with
            or without modification, is permitted pursuant to, and
            subject to the license terms contained in, the Simplified
            BSD License set forth in Section 4.c of the IETF Trust's
            Legal Provisions Relating to IETF Documents
            (http://trustee.ietf.org/license-info).

            This version of this MIB module is part of RFC xxxx;
            see the RFC itself for full legal notices."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        REVISION      "201609302154Z"
        DESCRIPTION   "CC MIB 1.0.5 FINAL. Published as RFC xxxx."
    -- RFC Ed.: RFC-editor please fill in xxxx.
        ::= { ccSecureConnectionInfo 1 }

    -- *****************************************************************
    -- Secure Connection Info Information Segments
    -- *****************************************************************

    cSecureConnectionConformance  OBJECT IDENTIFIER
        ::= { ccSecureConnectionInfoMIB 1 }
    cSecureConnectionInfo  OBJECT IDENTIFIER
        ::= { ccSecureConnectionInfoMIB 2 }
    cSecureConnectionInfoScalars  OBJECT IDENTIFIER
        ::= { ccSecureConnectionInfoMIB 3 }
    cSecureConnectionInfoNotify  OBJECT IDENTIFIER
        ::= { ccSecureConnectionInfoMIB 4 }




Sun, et al.              Expires January 9, 2020              [Page 116]


Internet-Draft                    CCMIB                        July 2019


    -- *****************************************************************
    -- Secure Connection Info Scalars
    -- *****************************************************************


    -- *****************************************************************
    -- Secure Connection Info Notifications
    -- *****************************************************************

    cSecConnectionEstablished  NOTIFICATION-TYPE
        OBJECTS     { cSecConTableID }
        STATUS      current
        DESCRIPTION
            "A notification indicating that a new Secure Connection was
            successfully established."
        ::= { cSecureConnectionInfoNotify 1 }

    cSecConnectionDeleted  NOTIFICATION-TYPE
        OBJECTS     { cSecConTableID }
        STATUS      current
        DESCRIPTION
            "A notification indicating that an existent Secure
            Connection was successfully deleted."
        ::= { cSecureConnectionInfoNotify 2 }

    -- *****************************************************************
    -- CC MIB cSecConTable
    -- *****************************************************************

    cSecConTableCount  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The number of rows in the cSecConTable."
        ::= { cSecureConnectionInfo 1 }

    cSecConTableLastChanged  OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The last time any entry in the table was modified, created,
            or deleted by either SNMP, agent, or other management method
            (e.g., via an HMI). Managers can use this object to ensure
            that no changes to configuration of this table have happened
            since the last time it examined the table. A value of 0
            indicates that no entry has been changed since the agent



Sun, et al.              Expires January 9, 2020              [Page 117]


Internet-Draft                    CCMIB                        July 2019


            initialized. The value in CC-DEVICE-INFO-MIB cSystemUpTime
            should be used to populate this column."
        ::= { cSecureConnectionInfo 2 }

    cSecConTable  OBJECT-TYPE
        SYNTAX      SEQUENCE OF CSecConEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The cSecConTable stores general Secure Connection
            (active/inactive) information associated with the ECU. This
            table provides the base/common information for Secure
            Connections."
        ::= { cSecureConnectionInfo 3 }

    cSecConEntry  OBJECT-TYPE
        SYNTAX      CSecConEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A row containing general information about an
            active/inactive Secure Connection."
        INDEX      { cSecConTableID }
        ::= { cSecConTable 1 }

    CSecConEntry  ::= SEQUENCE {
        cSecConTableID              Unsigned32,
        cSecConType                 OCTET STRING,
        cSecConDataPlaneID          OCTET STRING,
        cSecConDirection            INTEGER,
        cSecConKeyReference         OCTET STRING,
        cSecConCryptographicSuite   OCTET STRING,
        cSecConEstablishmentTime    DateAndTime,
        cSecConStatus               OCTET STRING,
        cSecConRowStatus            RowStatus,
        cSecConRemoteKeyReference   OCTET STRING
    }

    cSecConTableID  OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "Local unique index that identifies a Secure Connection.
            This column is the primary index to the cSecConTable."
        ::= { cSecConEntry 1 }

    cSecConType  OBJECT-TYPE



Sun, et al.              Expires January 9, 2020              [Page 118]


Internet-Draft                    CCMIB                        July 2019


        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Optional column that defines the related protocol type of
            the Secure Connection. Depending on this column's populated
            value, entries will vary in respect to which other
            columns/tables (if at all) are applicable to the Secure
            Connection. Example of values for this column are: 'ipsec'
            for Internet Protocol Security secure connections and 'tls'
            for Transport Layer Security/Secure Socket Layer secure
            connections."
        ::= { cSecConEntry 2 }

    cSecConDataPlaneID  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The unique identifier associated with the Secure
            Connection, based on the Secure Connection protocol.

            Note, this is a free form OCTET STRING column where
            meaningful values/format are defined per Secure Connection
            protocol type basis. For instance, in an IPsec context
            (i.e., cSecConType value is set to 'ipsec'), this column
            would store the Security Parameter Index (SPI) for a given
            Encapsulating Security Payload Version 3 Security
            Association (RFC 4303 - Section 2.1.)."
        ::= { cSecConEntry 3 }

    cSecConDirection  OBJECT-TYPE
        SYNTAX      INTEGER { inbound(1), outbound(2),
                              bidirectional(3) }
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The data plane traffic flow direction for the Secure
            Connection.

            [1] inbound: data plane traffic flow is incoming on the
            Secure Connection.

            [2] outbound: data plane traffic flow is outgoing on the
            Secure Connection.

            [3] bidirectional: data plane traffic flow is incoming and
            outgoing on the Secure Connection."



Sun, et al.              Expires January 9, 2020              [Page 119]


Internet-Draft                    CCMIB                        July 2019


        ::= { cSecConEntry 4 }

    cSecConKeyReference  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0..255))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Administrative string that references key material
            associated with the Secure Connection. This column
            references an entry (via table index value) in a key-related
            table in the CC-KEY-MANAGEMENT-MIB.

            If there is no appropriate value to populate with, this
            column would be populated with an empty string, ''."
        ::= { cSecConEntry 5 }

    cSecConCryptographicSuite  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The set of cryptographic attributes (e.g. Encryption
            Algorithm, Integrity Algorithm) respective to the Secure
            Connection. Note, this is a free form OCTET STRING column,
            meaning implementations may utilize a standardized
            definition of string values that describe a set of
            cryptographic suites or use a proprietary definition of
            string values for supported cryptographic suites."
        ::= { cSecConEntry 6 }

    cSecConEstablishmentTime  OBJECT-TYPE
        SYNTAX      DateAndTime
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The local date and time when the Secure Connection was or
            will be established. The value in this column may be
            manually set to a date and time prior to the effective date
            of the key material (if associated) as referenced by the
            cSecConKeyReference column. If this column value is not
            manually configured with a date and time then the value will
            be automatically populated with the current cSystemDate
            value in respect to when the cSecConRowStatus column is
            first set to Active.

            Note, implementations may treat this column as an alpha date
            for the Secure Connection, and thus ascertain other Secure
            Connection-related values based on this time."



Sun, et al.              Expires January 9, 2020              [Page 120]


Internet-Draft                    CCMIB                        July 2019


        ::= { cSecConEntry 7 }

    cSecConStatus  OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Column that provides the current status of the Secure
            Connection. Note, this is a free form OCTET STRING column
            where meaningful values are defined per Secure Connection
            protocol type basis (i.e., as defined by the cSecConType
            value) or per implementation basis.

            If there is no appropriate value to populate with, this
            column would be populated with an empty string, ''."
        ::= { cSecConEntry 8 }

    cSecConRowStatus  OBJECT-TYPE
        SYNTAX      RowStatus
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "The status of the row, by which new entries may be created,
            or old entries deleted from this table.

            Entries created within this table may not become active
            unless all read-create columns in this table have valid
            values, as detailed by each individual column's description.

            The set of RowStatus enumerations that must be supported is
            dependent on the type of secure connection. At a minimum,
            implementations must support createAndGo and destroy if the
            secure connection can be created and destroyed by the
            manager. Implementations must support active and
            notInService if the secure connection can be
            enabled/disabled by the manager."
        ::= { cSecConEntry 9 }

    cSecConRemoteKeyReference  OBJECT-TYPE
        SYNTAX      OCTET STRING (SIZE(0..255))
        MAX-ACCESS  read-create
        STATUS      current
        DESCRIPTION
            "Administrative string that references remote key material
            associated with the Secure Connection (i.e., the remote key
            material used by the peer to establish the Secure
            Connection. This column references an entry (via table index
            value) in cRemoteKeyMaterialTable (CC-KEY-MANAGEMENT-MIB).



Sun, et al.              Expires January 9, 2020              [Page 121]


Internet-Draft                    CCMIB                        July 2019


            If there is no appropriate value to populate with, this
            column would be populated with an empty string, ''"
        ::= {cSecConEntry 10}

    -- *****************************************************************
    -- Module Conformance Information
    -- *****************************************************************

    cSecureConnectionCompliances  OBJECT IDENTIFIER
        ::= { cSecureConnectionConformance 1}

    cSecureConnectionGroups  OBJECT IDENTIFIER
        ::= { cSecureConnectionConformance 2}

    cSecureConnectionCompliance MODULE-COMPLIANCE
        STATUS    current
        DESCRIPTION
            "Compliance levels for secure connection information."
        MODULE
        MANDATORY-GROUPS { cSecureConnectionGroup }

        GROUP cSecureConnectionNotifyGroup
        DESCRIPTION
            "This notification group is optional for implementation."

        OBJECT cSecConType
        MIN-ACCESS not-accessible
        DESCRIPTION
            "Implementation of this object is optional."
        ::= { cSecureConnectionCompliances  1 }

    cSecureConnectionGroup OBJECT-GROUP
        OBJECTS {
                    cSecConTableCount,
                    cSecConTableLastChanged,
                    cSecConTableID,
                    cSecConType,
                    cSecConDataPlaneID,
                    cSecConDirection,
                    cSecConKeyReference,
                    cSecConCryptographicSuite,
                    cSecConEstablishmentTime,
                    cSecConStatus,
                    cSecConRowStatus,
                    cSecConRemoteKeyReference
                }
        STATUS current
        DESCRIPTION



Sun, et al.              Expires January 9, 2020              [Page 122]


Internet-Draft                    CCMIB                        July 2019


            "This group is composed of objects related to secure
            connection information."
        ::= { cSecureConnectionGroups 1 }

    cSecureConnectionNotifyGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
                        cSecConnectionEstablished,
                        cSecConnectionDeleted
                      }
        STATUS current
        DESCRIPTION
            "This group is composed of notifications related to secure
            connection information."
        ::= { cSecureConnectionGroups 2 }

    END

6.  IANA Considerations

   This document makes no requests of IANA.  All of the object
   identifiers used in the document are defined in the IANA Private
   Enterprise Number (PEN) ccmib arc (34493).

   RFC EDITOR:  Please delete the following note prior to publication

   NOTE:  "cpsg" is undergoing a name change to "ccmib".

7.  Security Considerations

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   Implementations SHOULD provide the security features described by the
   SNMPv3 framework (see [RFC3410]), and implementations claiming
   compliance to the SNMPv3 standard MUST include full support for
   authentication and privacy via the User-based Security Model (USM)
   [RFC3414] with the AES cipher algorithm [RFC3826].  Implementations
   MAY also provide support for the Transport Security Model (TSM)
   [RFC5591] in combination with a secure transport such as SSH
   [RFC5592] or TLS/DTLS [RFC6353].

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an



Sun, et al.              Expires January 9, 2020              [Page 123]


Internet-Draft                    CCMIB                        July 2019


   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
              editor.org/info/rfc2119>.

   [RFC2578]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Structure of Management Information
              Version 2 (SMIv2)", STD 58, RFC 2578,
              DOI 10.17487/RFC2578, April 1999, <https://www.rfc-
              editor.org/info/rfc2578>.

   [RFC2579]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Textual Conventions for SMIv2",
              STD 58, RFC 2579, DOI 10.17487/RFC2579, April 1999,
              <https://www.rfc-editor.org/info/rfc2579>.

   [RFC2580]  McCloghrie, K., Ed., Perkins, D., Ed., and J.
              Schoenwaelder, Ed., "Conformance Statements for SMIv2",
              STD 58, RFC 2580, DOI 10.17487/RFC2580, April 1999,
              <https://www.rfc-editor.org/info/rfc2580>.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              DOI 10.17487/RFC3411, December 2002, <https://www.rfc-
              editor.org/info/rfc3411>.

   [RFC3414]  Blumenthal, U. and B. Wijnen, "User-based Security Model
              (USM) for version 3 of the Simple Network Management
              Protocol (SNMPv3)", STD 62, RFC 3414,
              DOI 10.17487/RFC3414, December 2002, <https://www.rfc-
              editor.org/info/rfc3414>.

   [RFC3826]  Blumenthal, U., Maino, F., and K. McCloghrie, "The
              Advanced Encryption Standard (AES) Cipher Algorithm in the
              SNMP User-based Security Model", RFC 3826,
              DOI 10.17487/RFC3826, June 2004, <https://www.rfc-
              editor.org/info/rfc3826>.





Sun, et al.              Expires January 9, 2020              [Page 124]


Internet-Draft                    CCMIB                        July 2019


   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
              <https://www.rfc-editor.org/info/rfc5280>.

   [RFC5591]  Harrington, D. and W. Hardaker, "Transport Security Model
              for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 5591, DOI 10.17487/RFC5591, June 2009,
              <https://www.rfc-editor.org/info/rfc5591>.

   [RFC5592]  Harrington, D., Salowey, J., and W. Hardaker, "Secure
              Shell Transport Model for the Simple Network Management
              Protocol (SNMP)", RFC 5592, DOI 10.17487/RFC5592, June
              2009, <https://www.rfc-editor.org/info/rfc5592>.

   [RFC5914]  Housley, R., Ashmore, S., and C. Wallace, "Trust Anchor
              Format", RFC 5914, DOI 10.17487/RFC5914, June 2010,
              <https://www.rfc-editor.org/info/rfc5914>.

   [RFC6030]  Hoyer, P., Pei, M., and S. Machani, "Portable Symmetric
              Key Container (PSKC)", RFC 6030, DOI 10.17487/RFC6030,
              October 2010, <https://www.rfc-editor.org/info/rfc6030>.

   [RFC6353]  Hardaker, W., "Transport Layer Security (TLS) Transport
              Model for the Simple Network Management Protocol (SNMP)",
              STD 78, RFC 6353, DOI 10.17487/RFC6353, July 2011,
              <https://www.rfc-editor.org/info/rfc6353>.

8.2.  Informative References

   [RFC1213]  McCloghrie, K. and M. Rose, "Management Information Base
              for Network Management of TCP/IP-based internets: MIB-II",
              STD 17, RFC 1213, DOI 10.17487/RFC1213, March 1991,
              <https://www.rfc-editor.org/info/rfc1213>.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410,
              DOI 10.17487/RFC3410, December 2002, <https://www.rfc-
              editor.org/info/rfc3410>.

   [RFC3418]  Presuhn, R., Ed., "Management Information Base (MIB) for
              the Simple Network Management Protocol (SNMP)", STD 62,
              RFC 3418, DOI 10.17487/RFC3418, December 2002,
              <https://www.rfc-editor.org/info/rfc3418>.





Sun, et al.              Expires January 9, 2020              [Page 125]


Internet-Draft                    CCMIB                        July 2019


   [RFC4303]  Kent, S., "IP Encapsulating Security Payload (ESP)",
              RFC 4303, DOI 10.17487/RFC4303, December 2005,
              <https://www.rfc-editor.org/info/rfc4303>.

Appendix A.  Contributors

   The following people made technical contributions to this
   specification:

   o  Shadi Azoum
      Naval Information Warfare Center Pacific
      shadi.azoum@navy.mil

   o  Elliott Jones
      Naval Information Warfare Center Pacific
      elliott.jones@navy.mil

   o  Lily Sun
      Naval Information Warfare Center Pacific
      lily.sun@navy.mil

Authors' Addresses

   Jeffrey Sun
   Naval Information Warfare Center Pacific

   Email: sunjeff@spawar.navy.mil


   Mike Irani
   Naval Information Warfare Center Pacific

   Email: irani@spawar.navy.mil


   Tom Nguyen
   Naval Information Warfare Center Pacific

   Email: tmnguyen@spawar.navy.mil


   Ray Purvis
   The MITRE Corporation

   Email: rpurvis@mitre.org






Sun, et al.              Expires January 9, 2020              [Page 126]


Internet-Draft                    CCMIB                        July 2019


   Sean Turner
   sn3rd

   Email: sean@sn3rd.com















































Sun, et al.              Expires January 9, 2020              [Page 127]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/