Diff: draft-ietf-cdni-interfaces-https-delegation-01.txt -> draft-ietf-cdni-interfaces-https-delegation-02.txt (text of the -02 version follows)

CDNI Working Group                                          F. Fieau, Ed.
Internet-Draft                                                 E. Stephan
Intended status: Standards Track                                   Orange
Expires: May 7, 2020                                            S. Mishra
                                                                  Verizon
                                                        November 04, 2019

                    CDNI extensions for HTTPS delegation
              draft-ietf-cdni-interfaces-https-delegation-02
Abstract

   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document proposes extensions to
   the CDNI Control and Metadata interfaces to set up HTTPS delegation
   from an Upstream CDN (uCDN) to a Downstream CDN (dCDN).
Status of This Memo

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, 2020.
Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [...]
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Known delegation methods  . . . . . . . . . . . . . . . . . .   3
   4.  Extending the CDNI metadata model . . . . . . . . . . . . . .   3
     4.1.  Extension to PathMetadata object  . . . . . . . . . . . .   3
     4.2.  Delegation methods  . . . . . . . . . . . . . . . . . . .   4
       4.2.1.  AcmeStarDelegationMethod object . . . . . . . . . . .   5
       4.2.2.  SubcertsDelegationMethod object . . . . . . . . . . .   6
   5.  Metadata Simple Data Type Descriptions  . . . . . . . . . . .   8
     5.1.  Periodicity . . . . . . . . . . . . . . . . . . . . . . .   8
   6.  IANA considerations . . . . . . . . . . . . . . . . . . . . .   8
     6.1.  CDNI MI AcmeStarDelegationMethod Payload Type . . . . . .   9
     6.2.  CDNI MI SubCertsDelegationMethod Payload Type . . . . . .   9
   7.  Security considerations . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10
1.  Introduction

   Content delivery over HTTPS using one or more CDNs along the path
   requires credential management.  This specifically applies when an
   entity delegates delivery of encrypted content to another trusted
   entity.

   Several delegation methods are currently proposed within different
   IETF working groups.  They specify different methods for provisioning
   HTTPS delivery credentials.

   This document extends the CDNI Metadata interface to set up HTTPS
   delegation between an upstream CDN (uCDN) and a downstream CDN (dCDN)
   using the standardized delegation methods.  Furthermore, it proposes
   an IANA registry to enable the addition of new methods.

   Section 2 defines the terminology used in this document.  Section 3
   presents the delegation methods specified at the IETF.  Section 4
   addresses the extension for handling HTTPS delegation in CDNI.
   Section 5 describes simple data types.  Section 6 addresses the IANA
   registry for delegation methods.  Section 7 covers security
   considerations.
2.  Terminology

   [...]
3.  Known delegation methods

   There are currently two Internet-Drafts adopted within the TLS and
   ACME working groups that handle delegation of HTTPS delivery between
   entities.

   This Internet-Draft (I-D) proposes standardizing HTTPS delegation
   between the entities using CDNI interfaces.

   This document considers the following two I-Ds that deal with HTTPS
   delegation:

   -  Sub-certificates [I-D.ietf-tls-subcerts]

   -  Short-term, Automatically-Renewed (STAR) certificates in the
      Automated Certificate Management Environment (ACME)
      [I-D.ietf-acme-star]
4.  Extending the CDNI metadata model

   This section defines a CDNI extension to the current Metadata
   interface model that allows bootstrapping delegation methods between
   a uCDN and a delegate dCDN.

4.1.  Extension to PathMetadata object

   This extension reuses the PathMetadata object, as defined in
   [RFC8006], and adds new "Delegation methods" objects as specified in
   the following sections.

   This allows the uCDN to explicitly indicate support for a given
   method.  Therefore, the presence (or lack thereof) of an
   AcmeStarDelegationMethod, SubcertsDelegationMethod, and/or further
   delegation method object implies support (or lack thereof) for the
   given method.
   Example:

   The PathMatch object can reference a path-metadata that points at the
   delegation information.  Delegation metadata are added to the
   PathMetadata object.

   Below are the PathMatch and PathMetadata objects related to a path
   (here /movies/*, with the PathMetadata located at
   https://metadata.ucdn.example/video.example.com/movies).

   PathMatch:
   {
     "path-pattern": {
       "pattern": "/movies/*",
       "case-sensitive": true
     },
     "path-metadata": {
       "type": "MI.PathMetadata",
       "href": "https://metadata.ucdn.example/video.example.com/movies"
     }
   }

   Following the example above, the PathMetadata can be modeled for
   AcmeStarDelegationMethod as:

   PathMetadata:
   {
     "metadata": [
       {
         "generic-metadata-type": "MI.AcmeStarDelegationMethod",
         "generic-metadata-value": {
           "star-proxy": "10.2.2.2",
           "acme-server": "10.2.3.3",
           "credentials-location-uri": "www.ucdn.com/credentials",
           "periodicity": 36000,
           "CSR-template": <JSON/text representing the CSR template
                            (see Section 4.2)>
         }
       }
     ]
   }

   The existence of the "MI.AcmeStarDelegationMethod" object in a
   PathMetadata object shall enable the use of one of the
   AcmeStarDelegation methods, chosen by the delegating entity.  The
   delegation method will be activated for the set of paths defined in
   the PathMatch.  See Section 4.2 for more details about the delegation
   methods metadata specification.
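   To make concrete how a PathMatch selects the PathMetadata, and so the
   delegation method, that governs a request, the following is an added
   example in Python; it is not code from the draft or from any CDNI
   implementation.  It assumes the PathMatch shape shown above and
   interprets the RFC 8006 pattern wildcards as "*" for any run of
   characters and "?" for exactly one character; normalizing the request
   path before matching is this example's own hardening choice.

```python
"""Resolve which PathMetadata href applies to a request path (added example)."""
import posixpath
import re


def pattern_to_regex(pattern, case_sensitive=True):
    """Translate a PathMatch "pattern" into an anchored regular expression.

    Assumed wildcard semantics: "*" matches any run of characters, "?" exactly
    one; every other character is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)


def path_matches(path_match, request_path):
    """True if request_path falls under the PathMatch's "path-pattern"."""
    pp = path_match["path-pattern"]
    # Collapse "." and ".." segments first, so "/movies/../admin/x" is judged
    # as "/admin/x" and cannot borrow the delegation granted to /movies/*.
    normalized = posixpath.normpath(request_path)
    regex = pattern_to_regex(pp["pattern"], pp.get("case-sensitive", True))
    return bool(regex.match(normalized))


def metadata_href_for(path_match_list, request_path):
    """Return the "path-metadata" href of the first matching PathMatch, or None."""
    for pm in path_match_list:
        if path_matches(pm, request_path):
            return pm["path-metadata"]["href"]
    return None


# Constructed sample built from the draft's Section 4.1 PathMatch.
PATH_MATCHES = [
    {
        "path-pattern": {"pattern": "/movies/*", "case-sensitive": True},
        "path-metadata": {
            "type": "MI.PathMetadata",
            "href": "https://metadata.ucdn.example/video.example.com/movies",
        },
    },
]

if __name__ == "__main__":
    for path in ("/movies/trailer.mp4", "/Movies/trailer.mp4", "/movies/../admin/keys"):
        print(path, "->", metadata_href_for(PATH_MATCHES, path))
```

   A request for /movies/trailer.mp4 resolves to the PathMetadata href
   above; /Movies/trailer.mp4 does not, because the sample PathMatch is
   case-sensitive; and /movies/../admin/keys does not either, because it
   normalizes to /admin/keys before the pattern is applied.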
4.2.  Delegation methods

   This section defines the delegation method objects' metadata.  Those
   metadata allow bootstrapping a secured delegation by providing the
   dCDN with the parameters needed to set it up.

4.2.1.  AcmeStarDelegationMethod object

   This section defines the AcmeStarDelegationMethod object, which
   describes metadata related to the use of the ACME/STAR API presented
   in [I-D.ietf-acme-star].

   As expressed in [I-D.ietf-acme-star], when an origin has set a
   delegation to a specific domain (i.e., dCDN), the dCDN should present
   to the end-user client a short-term certificate bound to the master
   certificate.
dCDN uCDN Content Provider ACME/STAR
| ACME/STAR proxy ACME/STAR Server
| | | |
| GET Metadata incl. Delegation object | |
+-------------------->| | |
| 200 OK + Metadata | | |
|<--------------------+ | |
| Request delegation (CNAME: www.dcdn.example) + dCDN public key |
+-------------------->| | |
| | Request STAR Cert + dCDN public key |
| +-------------------->| Request STAR cert + PubKey
| | |-------------------->|
| | | STAR certificate |
| | STAR certificate |<--------------------|
| STAR certificate |<--------------------+ |
+<--------------------| | |
| | | |
| Retrieve STAR certificate (credential-location-uri) |
+---------------------------------------------------------------->|
| | | |--+ renew
| | | | | cert
| Star certificate | | |<-+
|<----------------------------------------------------------------+
| ... | | |
Figure 1: Example call-flow of STAR delegation in CDNI
   Property: star-proxy

      Description: Used to advertise the STAR Proxy to the dCDN.
      Endpoint type defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes

   Property: acme-server

      [...]

   Property: credentials-location-uri

      Description: expresses the location of the credentials to be
      fetched by the dCDN.  Link type is as defined in RFC8006,
      Section 4.3.1.

      Type: Link

      Mandatory-to-Specify: Yes

   Property: periodicity

      Description: expresses the credentials renewal periodicity.  See
      Section 5.1.

      Type: Periodicity

      Mandatory-to-Specify: Yes

   Property: CSR-template

      Description: The CSR template must be included in the metadata
      when dealing with AcmeStarDelegation methods.  It shall follow the
      description in [I-D.ietf-acme-star], Section 3.  It should be
      included in JSON/text format.

      Type: Text

      Mandatory-to-Specify: Yes
4.2.2.  SubcertsDelegationMethod object

   This section defines the SubcertsDelegationMethod object, which
   describes metadata related to the use of Subcerts as presented in
   [I-D.ietf-tls-subcerts].
Client dCDN uCDN Content
| | | Provider
| | | |
| | | CP Subcert |
| | |<--------------------|
| | GET Metadata incl. Subcerts Delegation obj|
| +-------------------->| |
| | 200 OK + Metadata | |
| |<--------------------+ |
| | Get Content Provider| |
| +-------------------->| |
| | Subcert | |
| |<--------------------+ |
| Client Hello + Subcert support | |
+-------------------->| | |
| Server Hello + Subcert | |
|<--------------------| | |
| Certificate | | |
|<--------------------| | |
| TLS ServerKeyExchange | |
|<--------------------| | |
| TLS ClientKeyExchange | |
+-------------------->| | |
| TLS Finished | | |
|<--------------------| | |
| | | |
Figure 2: Example call-flow of SubCert delegation in CDNI
   As expressed in [I-D.ietf-tls-subcerts], when an origin has set a
   delegation to a downstream entity such as a downstream CDN (i.e.,
   dCDN), the dCDN should present the Origin or uCDN certificate
   together with a "delegated_credential" during the TLS handshake
   [RFC8446] to the end-user client application, instead of its own
   certificate.

   Property: credentials-delegating-entity

      Description: Endpoint ID (IP) of the delegating entity (uCDN).
      Endpoint type defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes
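   The property lists of Sections 4.2.1 and 4.2.2, together with the
   presence rule of Section 4.1, are enough to check the delegation
   metadata a dCDN receives before it acts on it.  The following is an
   added example in Python, not code from the draft or from any CDNI
   implementation.  Its assumptions: the JSON shapes follow the Section
   4.1 example; the mandatory properties are those visible on this page;
   the type string for the Subcerts object is taken to be
   "MI.SubcertsDelegationMethod" by analogy with the ACME/STAR one; and
   a Link-typed value is accepted either as a bare URI string (as in the
   draft's example) or as an RFC 8006 Link object carrying "href".  The
   requirement that credentials-location-uri be an https URI is this
   example's own hardening check, not a rule stated in the draft.

```python
"""Validate the delegation metadata found in a CDNI PathMetadata object (added example)."""
import json
from urllib.parse import urlsplit

# Mandatory-to-Specify properties per delegation method object, as listed on the page.
# The Subcerts type string is an assumption by analogy with "MI.AcmeStarDelegationMethod".
MANDATORY = {
    "MI.AcmeStarDelegationMethod": (
        "star-proxy", "acme-server", "credentials-location-uri",
        "periodicity", "CSR-template",
    ),
    "MI.SubcertsDelegationMethod": ("credentials-delegating-entity",),
}


def delegation_methods(path_metadata):
    """Section 4.1 rule: presence of a delegation object implies support for that method."""
    return [entry["generic-metadata-type"]
            for entry in path_metadata.get("metadata", [])
            if entry.get("generic-metadata-type") in MANDATORY]


def _href(value):
    """RFC 8006 Link objects carry the URI in "href"; the draft's example uses a bare string."""
    return value.get("href") if isinstance(value, dict) else value


def validate(path_metadata):
    """Return a list of problems; an empty list means the metadata passes."""
    problems = []
    if not delegation_methods(path_metadata):
        problems.append("no delegation method advertised for this PathMatch")
    for entry in path_metadata.get("metadata", []):
        mtype = entry.get("generic-metadata-type")
        if mtype not in MANDATORY:
            continue  # other generic metadata (ACLs, etc.) is out of scope here
        value = entry.get("generic-metadata-value") or {}
        for prop in MANDATORY[mtype]:
            if prop not in value:
                problems.append(f"{mtype}: missing mandatory property {prop!r}")
        if mtype == "MI.AcmeStarDelegationMethod":
            period = value.get("periodicity")
            if period is not None and (not isinstance(period, int) or period <= 0):
                problems.append(f"{mtype}: periodicity must be a positive integer")
            uri = _href(value.get("credentials-location-uri"))
            # Hardening check (not in the draft): the dCDN fetches the credential it
            # will serve with from this location, so the location must be an
            # authenticated https URI; a bare host/path or an http URI lets an
            # on-path party hand the dCDN a credential of its choosing.
            if uri is not None and urlsplit(uri).scheme != "https":
                problems.append(f"{mtype}: credentials-location-uri {uri!r} is not an https URI")
    return problems


# Constructed sample: the draft's Section 4.1 PathMetadata, with the CSR-template
# placeholder replaced by a string so that the document is valid JSON.
SAMPLE = json.loads("""{
  "metadata": [
    {"generic-metadata-type": "MI.AcmeStarDelegationMethod",
     "generic-metadata-value": {
       "star-proxy": "10.2.2.2",
       "acme-server": "10.2.3.3",
       "credentials-location-uri": "www.ucdn.com/credentials",
       "periodicity": 36000,
       "CSR-template": "<CSR template as JSON/text, see Section 4.2>"
     }}
  ]
}""")

if __name__ == "__main__":
    print("advertised methods:", delegation_methods(SAMPLE))
    for problem in validate(SAMPLE):
        print("WARN", problem)
```

   Run against the draft's own example, the check reports exactly one
   finding: "www.ucdn.com/credentials" has no scheme, so a dCDN cannot
   tell from the metadata alone that it will fetch its serving
   credential over an authenticated channel.  Replacing it with an
   RFC 8006 Link object whose href is an https URI clears the finding.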
   [...]
   Capabilities RFCs [RFC8006].
8.  References

8.1.  Normative References

   [I-D.ietf-acme-star]
              Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
              Fossati, "Support for Short-Term, Automatically-Renewed
              (STAR) Certificates in Automated Certificate Management
              Environment (ACME)", draft-ietf-acme-star-11 (work in
              progress), October 2019.

   [I-D.ietf-tls-subcerts]
              Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
              "Delegated Credentials for TLS", draft-ietf-tls-
              subcerts-04 (work in progress), July 2019.

   [RFC8006]  Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
              "Content Delivery Network Interconnection (CDNI)
              Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
              <https://www.rfc-editor.org/info/rfc8006>.

   [RFC8007]  Murray, R. and B. Niven-Jenkins, "Content Delivery Network
              Interconnection (CDNI) Control Interface / Triggers",
              RFC 8007, DOI 10.17487/RFC8007, December 2016,
              <https://www.rfc-editor.org/info/rfc8007>.
End of changes.  24 change blocks.  71 lines changed or deleted, 132 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/