rfcdiff: draft-ietf-anima-voucher-01.txt vs. draft-ietf-anima-voucher-02.txt
(lines present in only one version are marked -01: or -02:; unmarked lines are identical in both)

ANIMA Working Group                                           K. Watsen
Internet-Draft                                         Juniper Networks
Intended status: Standards Track                          M. Richardson
-01: Expires: September 14, 2017                     Sandelman Software
-02: Expires: September 16, 2017                     Sandelman Software
                                                            M. Pritikin
                                                          Cisco Systems
                                                              T. Eckert
-01:                                                     March 13, 2017
-02:                                                             Huawei
-02:                                                     March 15, 2017

              Voucher Profile for Bootstrapping Protocols
-01:                  draft-ietf-anima-voucher-01
-02:                  draft-ietf-anima-voucher-02

Abstract
   This document defines a strategy to securely assign a pledge to an
   owner, using an artifact signed, directly or indirectly, by the
   pledge's manufacturer.  This artifact is known as a "voucher".

   The voucher artifact is a YANG-defined JSON document that has been
   signed using a PKCS#7 structure.  The voucher artifact is generated
   by the pledge's manufacture or delegate (i.e. the MASA).
[skipping to change at page 1, line 43 (-01) / page 1, line 44 (-02)]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

-01:   This Internet-Draft will expire on September 14, 2017.
-02:   This Internet-Draft will expire on September 16, 2017.
Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
[skipping to change at page 8, line 38 (both versions)]

           "domain-certificate-identifier": {
             "subject": "base64-encoded Subject DER"
           },
           "device-identifier": "JADA123456789",
           "created-on": "2016-10-07T19:31:42Z"
         }
       }
5.3.  YANG Module

-01:   <CODE BEGINS> file "ietf-voucher@2017-03-13.yang"
-02:   <CODE BEGINS> file "ietf-voucher@2017-03-15.yang"

   module ietf-voucher {
     yang-version 1.1;

     namespace
       "urn:ietf:params:xml:ns:yang:ietf-voucher";
     prefix "vch";

     import ietf-yang-types {
       prefix yang;
[skipping to change at page 9, line 35 (both versions)]

                 <mailto:pritikin@cisco.com>
        Author:   Michael Richardson
                 <mailto:mcr+ietf@sandelman.ca>";

     description
      "This module defines the format for a voucher, which is produced by
       a pledge's manufacturer or delegate (MASA) to securely assign one
       or more pledges to an 'owner', so that the pledges may establish a
       secure connection to the owner's network infrastructure.";

-01:     revision "2017-03-13" {
-02:     revision "2017-03-15" {
       description
        "Initial version";
       reference
        "RFC XXXX: Voucher Profile for Bootstrapping Protocols";
     }

     rc:yang-data voucher-artifact {
       uses voucher-grouping;
     }
[skipping to change at page 10, line 31 (both versions)]

           description
            "A value indicating the date this voucher was created.  This
             node is optional because its primary purpose is for human
             consumption.  However, when present, pledges that have
             reliable clocks SHOULD ensure that this created-on value
             is not greater than the current time.";
         }

         leaf expires-on {
           type yang:date-and-time;
-01:       must "not ../nonce";
-02:       must "not(../nonce)";
           description
            "A value indicating when this voucher expires.  The node is
             optional as not all pledges support expirations, such as
             pledges lacking a reliable clock.

             If the pledge supports expirations and the expires-on value
             is less then the current time, then the pledge MUST not
             process this voucher.";
         }
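Review bot: in the expires-on leaf, the -02 change from `must "not ../nonce";` to `must "not(../nonce)";` is a real correctness fix, not a cosmetic one: `not` is an XPath function, so the -01 expression is not valid XPath and a YANG validator would either reject the module or never enforce the nonce/expires-on exclusion. The description in the same leaf still reads "is less then the current time, then the pledge MUST not process this voucher" in both versions; suggest "less than" and the RFC 2119 spelling "MUST NOT", since a lower-case "not" after a capitalised keyword reads as a non-normative statement.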
[skipping to change at page 13, line 42 (both versions)]

             to any revocation checks performed by the MASA.";
           // DISCUSS: should this be a boolean or an enum indicating
           // "fail open" vs "fail closed" to make the meaning clearer.
         }

         leaf nonce {
           type binary {
             length "8..32";
           }
-01:       must "not ../expires-on";
-02:       must "not(../expires-on)";
           description
            "A value that can be used by a pledge in some bootstrapping
             protocols to enable anti-replay protection.  This node is
             optional because it is not used by all bootstrapping
             protocols.

             When present, the pledge MUST compare the provided nonce
             value with another value that the pledge randomly generated
             and sent to a bootstrap server in an earlier bootstrapping
             message.  If the values do not match, then the pledge MUST
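Review bot: the nonce leaf's `must "not(../expires-on)";` carries the same parenthesization fix as the expires-on leaf, and the two `must` statements together only make nonce and expires-on mutually exclusive. Both descriptions state that the node is optional, so a voucher carrying neither is schema-valid while offering neither replay protection nor a lifetime bound; the text should say what a pledge is expected to do with such a voucher (accept, reject, or accept only when some other freshness mechanism applies), otherwise implementations will diverge on the one case the schema leaves open.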
[skipping to change at page 19, line 29 (both versions)]

   EMail: mcr+ietf@sandelman.ca
   URI:   http://www.sandelman.ca/

   Max Pritikin
   Cisco Systems

   EMail: pritikin@cisco.com

   Toerless Eckert
-02:   Futurewei Technologies Inc.
-02:   2330 Central Expy
-02:   Santa Clara 95050
-02:   USA

-01:   EMail: tte+anima@cs.fau.de
-02:   EMail: tte+ietf@cs.fau.de

End of changes.  10 change blocks.
8 lines changed or deleted; 13 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/