rfcdiff: draft-ietf-cdni-interfaces-https-delegation-03.txt (left column, marked [-03]) against draft-ietf-cdni-interfaces-https-delegation-04.txt (right column, marked [-04]). Text identical in both versions is shown once; changed lines are shown as [-03]/[-04] pairs.

CDNI Working Group                                         F. Fieau, Ed.
Internet-Draft                                                E. Stephan
Intended status: Standards Track                                  Orange
[-03] Expires: September 10, 2020                              S. Mishra
[-04] Expires: March 13, 2021                                  S. Mishra
                                                                 Verizon
[-03]                                                     March 09, 2020
[-04]                                                 September 09, 2020

                  CDNI extensions for HTTPS delegation
[-03]         draft-ietf-cdni-interfaces-https-delegation-03
[-04]         draft-ietf-cdni-interfaces-https-delegation-04

Abstract

   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues. This document proposes extensions in
   CDNI Control and Metadata interfaces to setup HTTPS delegation from
   an Upstream CDN (uCDN) to a Downstream CDN (dCDN).

Status of This Memo

   [skipping to change at page 1, line 35]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   [-03] This Internet-Draft will expire on September 10, 2020.
   [-04] This Internet-Draft will expire on March 13, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   [skipping to change at page 3, line 27]

   This Internet Draft (I-D) proposes standardizing HTTPS delegation
   between the entities using CDNI interfaces.

   This document considers the following two I-Ds that deals with HTTPS
   delegation:

   -  Sub-certificates [I-D.ietf-tls-subcerts] in the TLS Working Group.

   [-03]
   -  Short-term, Automatically-Renewed (STAR) certificates in Automated
      Certificate Management Environment(ACME) [I-D.ietf-acme-star]
   [-04]
   -  Short-term, Automatically-Renewed (STAR) certificates in Automated
      Certificate Management Environment(ACME) [RFC8739]
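Review bot: the lead-in "This document considers the following two I-Ds that deals with HTTPS delegation" is no longer accurate once the second bullet cites [RFC8739], a published RFC rather than an Internet-Draft; suggest "the following two documents that deal with HTTPS delegation", which also fixes the verb agreement. In both versions "Environment(ACME)" is missing the space before the parenthesis.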
4.  Extending the CDNI metadata model

   This section defines a CDNI extension to the current Metadata
   interface model that allows bootstrapping delegation methods between
   a uCDN and a delegate dCDN.

4.1.  Extension to PathMetadata object

   This extension reuses PathMetadata object, as defined in [RFC8006],

   [skipping to change at page 5, line 9]
4.2.  Delegation methods

   This section defines the delegation methods objects metadata. Those
   metadata allows bootstrapping a secured delegation by providing the
   dCDN with the needed parameters to set it up.

4.2.1.  AcmeStarDelegationMethod object

   This section defines the AcmeStarDelegationMethod object which
   describes metadata related to the use of ACME/STAR API presented in
   [-03] [I-D.ietf-acme-star]
   [-04] [RFC8739]

   [-03]
   As expressed in [I-D.ietf-acme-star], when an origin has set a
   delegation to a specific domain (i.e. dCDN), the dCDN should present
   to the end-user client, a short-term certificate bound to the master
   certificate.
   [-04]
   As expressed in [RFC8739], when an origin has set a delegation to a
   specific domain (i.e. dCDN), the dCDN should present to the end-user
   client, a short-term certificate bound to the master certificate.
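Review bot: the sentence "describes metadata related to the use of ACME/STAR API presented in [RFC8739]" has no terminating period and reads better as "of the ACME/STAR API presented in [RFC8739]."; in the next paragraph, "the dCDN should present to the end-user client, a short-term certificate" carries a stray comma before "a short-term certificate". Both are inherited from -03, and since -04 already touches these lines for the reference swap, they can be cleaned up in the same change.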
   dCDN                  uCDN             Content Provider         CA
     |              ACME/STAR proxy       ACME/STAR client  ACME/STAR Server
     |                     |                      |                 |
     | 1. GET Metadata incl. Delegation Method object with CSR template [CDNI]
     +-------------------->|                      |                 |
     | 200 OK + Metadata incl. CSR template [CDNI]                  |
     |<--------------------+                      |                 |
     | 2. Request delegation: video.dcdn.example + dCDN public key  |
     +-------------------->|                      |                 |

   [skipping to change at page 6, line 37]

      Section 5.1.

      Type: Periodicity

      Mandatory-to-Specify: Yes

   Property: CSR-template

   [-03]
      Description: The CSR template must be included in the metadata
      when dealing with AcmeStarDelegation Methods. It shall follow the
      description in [I-D.ietf-acme-star-delegation] section 3. It
      should be included in JSON/text format.
   [-04]
      Description: The CSR template must be included in the metadata
      when dealing with AcmeStarDelegation Methods. It shall follow the
      description in [RFC8739] section 3. It should be included in
      JSON/text format.

      Type: JSON

      Mandatory-to-Specify: Yes
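Review bot: the CSR-template description now points to "[RFC8739] section 3", but RFC 8739 specifies STAR certificate issuance in ACME and does not define a CSR template; the template that the -03 text pointed to is specified in the delegation profile [I-D.ietf-acme-star-delegation], which -04 still lists in its Normative References (updated to draft -04, August 2020) and which no other visible text cites after this change. Suggest keeping "[I-D.ietf-acme-star-delegation] section 3" here and citing [RFC8739] only where the STAR issuance protocol itself is meant. Separately, "AcmeStarDelegation Methods" does not match the object name "AcmeStarDelegationMethod" used in the section title.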
4.2.2.  SubcertsDelegationMethod object

   This section defines the SubcertsDelegationMethod object which
   describes metadata related to the use of Subcerts as presented in
   [I-D.ietf-tls-subcerts]

   [skipping to change at page 10, line 9]

   Should dCDN be visible from the Content Provider or not? This would
   lead to different solutions to handle delegation towards the CP. In
   most cases, the dCDNs should never be visible to the CP, in order to
   reduce the burden of certificates generation for dCDN.
9.  References

9.1.  Normative References

   [-03 only]
   [I-D.ietf-acme-star]
              Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
              Fossati, "Support for Short-Term, Automatically-Renewed
              (STAR) Certificates in Automated Certificate Management
              Environment (ACME)", draft-ietf-acme-star-11 (work in
              progress), October 2019.

   [I-D.ietf-acme-star-delegation]
              Sheffer, Y., Lopez, D., Pastor, A., and T. Fossati, "An
              ACME Profile for Generating Delegated STAR Certificates",
   [-03]      draft-ietf-acme-star-delegation-03 (work in progress),
              March 2020.
   [-04]      draft-ietf-acme-star-delegation-04 (work in progress),
              August 2020.

   [I-D.ietf-tls-subcerts]
              Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
              "Delegated Credentials for TLS", draft-ietf-tls-
   [-03]      subcerts-06 (work in progress), February 2020.
   [-04]      subcerts-09 (work in progress), June 2020.

   [RFC8006]  Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
              "Content Delivery Network Interconnection (CDNI)
              Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
              <https://www.rfc-editor.org/info/rfc8006>.

   [RFC8007]  Murray, R. and B. Niven-Jenkins, "Content Delivery Network
              Interconnection (CDNI) Control Interface / Triggers",
              RFC 8007, DOI 10.17487/RFC8007, December 2016,
              <https://www.rfc-editor.org/info/rfc8007>.

   [-04 only]
   [RFC8739]  Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor
              Perales, A., and T. Fossati, "Support for Short-Term,
              Automatically Renewed (STAR) Certificates in the Automated
              Certificate Management Environment (ACME)", RFC 8739,
              DOI 10.17487/RFC8739, March 2020,
              <https://www.rfc-editor.org/info/rfc8739>.

9.2.  Informative References

   [RFC7336]  Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
              "Framework for Content Distribution Network
              Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
              August 2014, <https://www.rfc-editor.org/info/rfc7336>.

   [RFC7337]  Leung, K., Ed. and Y. Lee, Ed., "Content Distribution
              Network Interconnection (CDNI) Requirements", RFC 7337,
              DOI 10.17487/RFC7337, August 2014,

End of changes. 12 change blocks. 22 lines changed or deleted; 21 lines changed or added.

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/