draft-ietf-cdni-interfaces-https-delegation-02.txt   draft-ietf-cdni-interfaces-https-delegation-03.txt 
CDNI Working Group F. Fieau, Ed. CDNI Working Group F. Fieau, Ed.
Internet-Draft E. Stephan Internet-Draft E. Stephan
Intended status: Standards Track Orange Intended status: Standards Track Orange
Expires: May 7, 2020 S. Mishra Expires: September 10, 2020 S. Mishra
Verizon Verizon
November 04, 2019 March 09, 2020
CDNI extensions for HTTPS delegation CDNI extensions for HTTPS delegation
draft-ietf-cdni-interfaces-https-delegation-02 draft-ietf-cdni-interfaces-https-delegation-03
Abstract Abstract
The delivery of content over HTTPS involving multiple CDNs raises The delivery of content over HTTPS involving multiple CDNs raises
credential management issues. This document proposes extensions in credential management issues. This document proposes extensions in
CDNI Control and Metadata interfaces to setup HTTPS delegation from CDNI Control and Metadata interfaces to setup HTTPS delegation from
an Upstream CDN (uCDN) to a Downstream CDN (dCDN). an Upstream CDN (uCDN) to a Downstream CDN (dCDN).
Status of This Memo Status of This Memo
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 7, 2020. This Internet-Draft will expire on September 10, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 23 skipping to change at page 2, line 23
4.1. Extension to PathMetadata object . . . . . . . . . . . . 3 4.1. Extension to PathMetadata object . . . . . . . . . . . . 3
4.2. Delegation methods . . . . . . . . . . . . . . . . . . . 4 4.2. Delegation methods . . . . . . . . . . . . . . . . . . . 4
4.2.1. AcmeStarDelegationMethod object . . . . . . . . . . . 5 4.2.1. AcmeStarDelegationMethod object . . . . . . . . . . . 5
4.2.2. SubcertsDelegationMethod object . . . . . . . . . . . 6 4.2.2. SubcertsDelegationMethod object . . . . . . . . . . . 6
5. Metadata Simple Data Type Descriptions . . . . . . . . . . . 8 5. Metadata Simple Data Type Descriptions . . . . . . . . . . . 8
5.1. Periodicity . . . . . . . . . . . . . . . . . . . . . . . 8 5.1. Periodicity . . . . . . . . . . . . . . . . . . . . . . . 8
6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8 6. IANA considerations . . . . . . . . . . . . . . . . . . . . . 8
6.1. CDNI MI AcmeStarDelegationMethod Payload Type . . . . . . 9 6.1. CDNI MI AcmeStarDelegationMethod Payload Type . . . . . . 9
6.2. CDNI MI SubCertsDelegationMethod Payload Type . . . . . . 9 6.2. CDNI MI SubCertsDelegationMethod Payload Type . . . . . . 9
7. Security considerations . . . . . . . . . . . . . . . . . . . 9 7. Security considerations . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 9 8. Comments and questions . . . . . . . . . . . . . . . . . . . 9
8.1. Normative References . . . . . . . . . . . . . . . . . . 9 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . 10 9.1. Normative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 9.2. Informative References . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
Content delivery over HTTPS using one or more CDNs along the path Content delivery over HTTPS using one or more CDNs along the path
requires credential management. This specifically applies when an requires credential management. This specifically applies when an
entity delegates delivery of encrypted content to another trusted entity delegates delivery of encrypted content to another trusted
entity. entity.
Several delegation methods are currently proposed within different Several delegation methods are currently proposed within different
IETF working groups. They specify different methods for provisioning IETF working groups. They specify different methods for provisioning
skipping to change at page 2, line 49 skipping to change at page 2, line 50
This document extends the CDNI Metadata interface to setup HTTPS This document extends the CDNI Metadata interface to setup HTTPS
delegation between an upstream CDN (uCDN) and downstream CDN (dCDN) delegation between an upstream CDN (uCDN) and downstream CDN (dCDN)
using the Standardized delegation methods. Furthermore, it includes using the Standardized delegation methods. Furthermore, it includes
a proposal of IANA registry to enable adding of new methods. a proposal of IANA registry to enable adding of new methods.
Section 2 is about terminology used in this document. Section 3 Section 2 is about terminology used in this document. Section 3
presents delegation methods specified at the IETF. Section 4 presents delegation methods specified at the IETF. Section 4
addresses the extension for handling HTTPS delegation in CDNI. addresses the extension for handling HTTPS delegation in CDNI.
Section 5 describes simple data types. Section 6 addresses IANA Section 5 describes simple data types. Section 6 addresses IANA
registry for delegation methods. Section 7 covers the security registry for delegation methods. Section 7 covers the security
issues. issues. Section 8 is about comments and questions.
2. Terminology 2. Terminology
This document uses terminology from CDNI framework documents such as: This document uses terminology from CDNI framework documents such as:
CDNI framework document [RFC7336], CDNI requirements [RFC7337] and CDNI framework document [RFC7336], CDNI requirements [RFC7337] and
CDNI interface specifications documents: CDNI Metadata interface CDNI interface specifications documents: CDNI Metadata interface
[RFC8006] and CDNI Control interface / Triggers [RFC8007]. [RFC8006] and CDNI Control interface / Triggers [RFC8007].
3. Known delegation methods 3. Known delegation methods
There are currently two Internet drafts within the TLS and ACME There are currently two Internet drafts within the TLS and ACME
working groups adopted to handle delegation of HTTPS delivery between working groups adopted to handle delegation of HTTPS delivery between
entities. entities.
This Internet Draft (I-D) proposes standardizing HTTPS delegation This Internet Draft (I-D) proposes standardizing HTTPS delegation
between the entities using CDNI interfaces. between the entities using CDNI interfaces.
This document considers the following two I-Ds that deals with HTTPS This document considers the following two I-Ds that deals with HTTPS
delegation: delegation:
- Sub-certificates [I-D.ietf-tls-subcerts] - Sub-certificates [I-D.ietf-tls-subcerts] in the TLS Working Group.
- Short-term, Automatically-Renewed (STAR) certificates in Automated - Short-term, Automatically-Renewed (STAR) certificates in Automated
Certificate Management Environment(ACME) [I-D.ietf-acme-star] Certificate Management Environment(ACME) [I-D.ietf-acme-star]
4. Extending the CDNI metadata model 4. Extending the CDNI metadata model
This section defines a CDNI extension to the current Metadata This section defines a CDNI extension to the current Metadata
interface model that allows bootstrapping delegation methods between interface model that allows bootstrapping delegation methods between
a uCDN and a delegate dCDN. a uCDN and a delegate dCDN.
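Review bot: Section 3 still lists only [I-D.ietf-acme-star] and [I-D.ietf-tls-subcerts] as the delegation methods this document builds on, yet the CSR-template property in 4.2.1 now refers to [I-D.ietf-acme-star-delegation] section 3 for the template the dCDN must follow. Add that draft to the list here (e.g. "- STAR delegation profile [I-D.ietf-acme-star-delegation] in the ACME Working Group"), since it, not the base STAR draft, is the document that defines the CSR template and the delegation semantics the AcmeStarDelegationMethod object depends on; otherwise a reader of Section 3 cannot tell which ACME document the method actually implements.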
skipping to change at page 4, line 5 skipping to change at page 4, line 5
AcmeStarDelegationMethod, SubcertsDelegationMethod, and/or further AcmeStarDelegationMethod, SubcertsDelegationMethod, and/or further
delegation methods, imply support (or lack thereof) for the given delegation methods, imply support (or lack thereof) for the given
method. method.
Example: Example:
The PathMatch object can reference a path-metadata that points at the The PathMatch object can reference a path-metadata that points at the
delegation information. Delegation metadata are added to delegation information. Delegation metadata are added to
PathMetaData object. PathMetaData object.
Below shows both PathMatch and PathMetaData objects related to a path Below shows both PathMatch and PathMetaData objects related to a
(here /movies/* located at path, for example, here /movies/* located at
https://metadata.ucdn.example/video.example.com/movies) https://metadata.ucdn.example/video.example.com/movies
PathMatch: PathMatch:
{ {
"path-pattern": { "path-pattern": {
"pattern": "/movies/*", "pattern": "/movies/*",
"case-sensitive": true "case-sensitive": true
}, },
"path-metadata": { "path-metadata": {
"type": "MI.PathMetadata", "type": "MI.PathMetadata",
"href": "https://metadata.ucdn.example/video.example.com/movies" "href": "https://metadata.ucdn.example/video.example.com/movies"
skipping to change at page 4, line 48 skipping to change at page 4, line 48
The existence of the "MI.AcmeStarDelegationMethod" object in a The existence of the "MI.AcmeStarDelegationMethod" object in a
PathMetaData Object shall enable the use of one of the PathMetaData Object shall enable the use of one of the
AcmeStarDelegation Methods, chosen by the delegating entity. The AcmeStarDelegation Methods, chosen by the delegating entity. The
delegation method will be activated for the set of Path defined in delegation method will be activated for the set of Path defined in
the PathMatch. See Section 4.2 for more details about delegation the PathMatch. See Section 4.2 for more details about delegation
methods metadata specification. methods metadata specification.
4.2. Delegation methods 4.2. Delegation methods
This section defines the delegation methods objects metadata. Those This section defines the delegation methods objects metadata. Those
metadata allows bootstrapping a secured delegatioin by providing the metadata allows bootstrapping a secured delegation by providing the
dCDN with the needed parameters to set it up. dCDN with the needed parameters to set it up.
4.2.1. AcmeStarDelegationMethod object 4.2.1. AcmeStarDelegationMethod object
This section defines the AcmeStarDelegationMethod object which This section defines the AcmeStarDelegationMethod object which
describes metadata related to the use of ACME/STAR API presented in describes metadata related to the use of ACME/STAR API presented in
[I-D.ietf-acme-star] [I-D.ietf-acme-star]
As expressed in [I-D.ietf-acme-star], when an origin has set a As expressed in [I-D.ietf-acme-star], when an origin has set a
delegation to a specific domain (i.e. dCDN), the dCDN should present delegation to a specific domain (i.e. dCDN), the dCDN should present
to the end-user client, a short-term certificate bound to the master to the end-user client, a short-term certificate bound to the master
certificate. certificate.
dCDN uCDN Content Provider ACME/STAR dCDN uCDN Content Provider CA
| ACME/STAR proxy ACME/STAR Server | ACME/STAR proxy ACME/STAR client ACME/STAR Server
| | | | | | | |
| GET Metadata incl. Delegation object | | | 1. GET Metadata incl. Delegation Method object with CSR template [CDNI]
+-------------------->| | | +-------------------->| | |
| 200 OK + Metadata | | | | 200 OK + Metadata incl. CSR template [CDNI] |
|<--------------------+ | | |<--------------------+ | |
| Request delegation (CNAME: www.dcdn.example) + dCDN public key | | 2. Request delegation: video.dcdn.example + dCDN public key |
+-------------------->| | | +-------------------->| | |
| | Request STAR Cert + dCDN public key | | | 3. Request STAR Cert + dCDN public key |
| +-------------------->| Request STAR cert + PubKey | +-------------------->| 4. Request STAR cert + PubKey
| | |-------------------->| | | |-------------------->|
| | | STAR certificate | | | | 5. STAR certificate |
| | STAR certificate |<--------------------| | | 6. STAR certificate |<--------------------|
| STAR certificate |<--------------------+ | | 7. STAR certificate |<--------------------+ |
+<--------------------| | | +<--------------------| | |
| | | | | | | |
| Retrieve STAR certificate (credential-location-uri) | | 8. Retrieve STAR certificate (credential-location-uri) |
+---------------------------------------------------------------->| +---------------------------------------------------------------->|
| | | |--+ renew | | | |--+ 9. renew
| | | | | cert | | | | | cert
| Star certificate | | |<-+ | 10. Star certificate | |<-+
|<----------------------------------------------------------------+ |<----------------------------------------------------------------+
| ... | | | | ... | | |
Figure 1: Example call-flow of STAR delegation in CDNI Figure 1: Example call-flow of STAR delegation in CDNI showing 2 levels of delegation
Property: star-proxy Property: star-proxy
Description: Used to advertise the STAR Proxy to the dCDN. Description: Used to advertise the STAR Proxy to the dCDN.
Endpoint type defined in RFC8006, Section 4.3.3. Endpoint type defined in RFC8006, Section 4.3.3.
Type: Endpoint Type: Endpoint
Mandatory-to-Specify: Yes Mandatory-to-Specify: Yes
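Review bot: Steps 2 to 4 of Figure 1 label what the dCDN sends as "dCDN public key", but step 1 now delivers a CSR template to the dCDN precisely so that it can build a CSR; what should travel up the chain is that CSR (which carries the public key and a proof of possession of the matching private key), so relabel steps 2-4 as "CSR (from template)" or the figure contradicts the CSR-template property below. Steps 7 and 8 also deliver the same STAR certificate twice, once relayed through the uCDN proxy and once fetched directly from credential-location-uri; say which path is normative, or drop step 7, since renewal in steps 9-10 only uses the direct fetch. Finally, the paragraph "shall enable the use of one of the AcmeStarDelegation Methods, chosen by the delegating entity" describes a single object that defines a single method; either say "enables ACME STAR delegation for the matched paths" or name the alternatives the delegating entity chooses between.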
skipping to change at page 6, line 37 skipping to change at page 6, line 37
Section 5.1. Section 5.1.
Type: Periodicity Type: Periodicity
Mandatory-to-Specify: Yes Mandatory-to-Specify: Yes
Property: CSR-template Property: CSR-template
Description: The CSR template must be included in the metadata Description: The CSR template must be included in the metadata
when dealing with AcmeStarDelegation Methods. It shall follow the when dealing with AcmeStarDelegation Methods. It shall follow the
description in [I-D.ietf-acme-star] section 3. It should be description in [I-D.ietf-acme-star-delegation] section 3. It
included in JSON/text format. should be included in JSON/text format.
Type: Text Type: JSON
Mandatory-to-Specify: Yes Mandatory-to-Specify: Yes
4.2.2. SubcertsDelegationMethod object 4.2.2. SubcertsDelegationMethod object
This section defines the SubcertsDelegationMethod object which This section defines the SubcertsDelegationMethod object which
describes metadata related to the use of Subcerts as presented in describes metadata related to the use of Subcerts as presented in
[I-D.ietf-tls-subcerts] [I-D.ietf-tls-subcerts]
Client dCDN uCDN Content Client dCDN uCDN Content
| | | Provider | | | Provider
| | | | | | | |
| | | CP Subcert | | | | Certificate |
| | |<--------------------| | | |<--------------------|
| | GET Metadata incl. Subcerts Delegation obj| | | GET Metadata incl. Subcerts method obj |
| +-------------------->| | | +-------------------->| |
| | 200 OK + Metadata | | | | 200 OK + Metadata | |
| |<--------------------+ | | |<--------------------+ |
| | Get Content Provider| | | | Get Subcert | |
| +-------------------->| | | +-------------------->| |
| | Subcert | | | | Subcert | |
| |<--------------------+ | | |<--------------------+ |
| Client Hello + Subcert support | | | Client Hello + Subcert support | |
+-------------------->| | | +-------------------->| | |
| Server Hello + Subcert | | | Server Hello + Subcert | |
|<--------------------| | | |<--------------------| | |
| Certificate | | | | Certificate | | |
|<--------------------| | | |<--------------------| | |
| TLS ServerKeyExchange | | | TLS ServerKeyExchange | |
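Review bot: "Type: JSON" for CSR-template is not one of the simple data types this document otherwise draws from RFC 8006 Section 4.3 (compare "Endpoint type defined in RFC8006, Section 4.3.3" for star-proxy), and Section 5 of this draft only defines Periodicity; either add a simple type for the template in Section 5 that points at [I-D.ietf-acme-star-delegation] section 3 for its structure, or keep "Type: Text" and state that the content is that JSON template. In Figure 2, "Get Subcert" from dCDN to uCDN implies the uCDN mints delegated credentials, which requires the private key of the Content Provider certificate received in the first arrow; say which party holds that key and signs the credential, because that is exactly what the open question in Section 8 turns on. Also check the handshake labels against [I-D.ietf-tls-subcerts]: a delegated credential is carried with the server's Certificate in a TLS 1.3 handshake, whereas "TLS ServerKeyExchange" is a TLS 1.2 message, so the figure as drawn does not match the referenced mechanism.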
skipping to change at page 9, line 41 skipping to change at page 9, line 41
Interface: MI/FCI Interface: MI/FCI
Encoding: see Section 4.2.2 Encoding: see Section 4.2.2
7. Security considerations 7. Security considerations
Extensions proposed here do not alter nor change Security Extensions proposed here do not alter nor change Security
Considerations as outlined in the CDNI Metadata and Footprint and Considerations as outlined in the CDNI Metadata and Footprint and
Capabilities RFCs [RFC8006]. Capabilities RFCs [RFC8006].
8. References 8. Comments and questions
8.1. Normative References Should dCDN be visible from the Content Provider or not? This would
lead to different solutions to handle delegation towards the CP. In
most cases, the dCDNs should never be visible to the CP, in order to
reduce the burden of certificates generation for dCDN.
9. References
9.1. Normative References
[I-D.ietf-acme-star] [I-D.ietf-acme-star]
Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T. Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
Fossati, "Support for Short-Term, Automatically-Renewed Fossati, "Support for Short-Term, Automatically-Renewed
(STAR) Certificates in Automated Certificate Management (STAR) Certificates in Automated Certificate Management
Environment (ACME)", draft-ietf-acme-star-11 (work in Environment (ACME)", draft-ietf-acme-star-11 (work in
progress), October 2019. progress), October 2019.
[I-D.ietf-acme-star-delegation]
Sheffer, Y., Lopez, D., Pastor, A., and T. Fossati, "An
ACME Profile for Generating Delegated STAR Certificates",
draft-ietf-acme-star-delegation-03 (work in progress),
March 2020.
[I-D.ietf-tls-subcerts] [I-D.ietf-tls-subcerts]
Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla, Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
"Delegated Credentials for TLS", draft-ietf-tls- "Delegated Credentials for TLS", draft-ietf-tls-
subcerts-04 (work in progress), July 2019. subcerts-06 (work in progress), February 2020.
[RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, [RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
"Content Delivery Network Interconnection (CDNI) "Content Delivery Network Interconnection (CDNI)
Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016, Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
<https://www.rfc-editor.org/info/rfc8006>. <https://www.rfc-editor.org/info/rfc8006>.
[RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network [RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network
Interconnection (CDNI) Control Interface / Triggers", Interconnection (CDNI) Control Interface / Triggers",
RFC 8007, DOI 10.17487/RFC8007, December 2016, RFC 8007, DOI 10.17487/RFC8007, December 2016,
<https://www.rfc-editor.org/info/rfc8007>. <https://www.rfc-editor.org/info/rfc8007>.
8.2. Informative References 9.2. Informative References
[RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed., [RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
"Framework for Content Distribution Network "Framework for Content Distribution Network
Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336, Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
August 2014, <https://www.rfc-editor.org/info/rfc7336>. August 2014, <https://www.rfc-editor.org/info/rfc7336>.
[RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution [RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution
Network Interconnection (CDNI) Requirements", RFC 7337, Network Interconnection (CDNI) Requirements", RFC 7337,
DOI 10.17487/RFC7337, August 2014, DOI 10.17487/RFC7337, August 2014,
<https://www.rfc-editor.org/info/rfc7337>. <https://www.rfc-editor.org/info/rfc7337>.
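Review bot: The security considerations state that the extension leaves the RFC 8006 analysis unchanged, but the new objects carry a star-proxy Endpoint the dCDN will contact and a CSR template that governs which names end up in a certificate issued for the delegated paths; a tampered or spoofed PathMetadata could point the dCDN at an attacker-controlled proxy or widen the template, so this section should state that these objects are security-critical, that they inherit the metadata interface's integrity and authentication requirements, and that the dCDN should validate the received star-proxy endpoint and template against what it agreed with the uCDN out of band. The sentence also cites "Metadata and Footprint and Capabilities RFCs" while referencing only [RFC8006]; add the FCI RFC to the citation or drop the mention. On the Section 8 question, note that in Figure 1 the Content Provider's ACME/STAR client submits the certificate request on the dCDN's behalf (steps 4-6), so for the STAR method the dCDN is necessarily visible to the CP; "the dCDNs should never be visible to the CP" can only hold for a method where the uCDN signs on its own.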
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/