rfcdiff: draft-sheffer-acme-star-request-00.txt vs. draft-sheffer-acme-star-request-01.txt
(The -01 text is shown; where the two versions differ, the -00 text follows in brackets.)

[skipping to change at page 1, line 15]

Intended status: Standards Track                          D. Lopez
Expires: December 18, 2017                     O. Gonzalez de Dios
                                                  A. Pastor Perales
                                                     Telefonica I+D
                                                          T. Fossati
                                                               Nokia
                                                       June 16, 2017

      Generating Certificate Requests for Short-Term, Automatically-Renewed
                             (STAR) Certificates
                      draft-sheffer-acme-star-request-01
                      (-00: draft-sheffer-acme-star-request-00)
Abstract

   This memo proposes a protocol that allows a domain name owner to
   delegate to a third party (such as a CDN) control over a certificate
   that bears one or more names in that domain. Specifically, the third
   party creates a Certificate Signing Request for the domain, which can
   then be used by the domain owner to request a short-term and
   automatically renewed (STAR) certificate.
[skipping to change at page 2, line 22]

   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3  (-00: 2)
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
     1.2.  Conventions used in this document . . . . . . . . . . . .   4  (-00: 3)
   2.  Protocol Flow . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Preconditions . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Bootstrap . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.3.  Refresh . . . . . . . . . . . . . . . . . . . . . . . . .   6
     2.4.  Termination . . . . . . . . . . . . . . . . . . . . . . .   7
   3.  Protocol Details  . . . . . . . . . . . . . . . . . . . . . .   8
     3.1.  STAR API  . . . . . . . . . . . . . . . . . . . . . . . .   8
       3.1.1.  Creating a Registration . . . . . . . . . . . . . . .   8
       3.1.2.  Polling the Registration  . . . . . . . . . . . . . .   9
     3.2.  Transport Security for the STAR Protocol  . . . . . . . .  10
   4.  CDNI Use Cases  . . . . . . . . . . . . . . . . . . . . . . .  10
     4.1.  Multiple Parallel Delegates . . . . . . . . . . . . . . .  10
     4.2.  Chained Delegation  . . . . . . . . . . . . . . . . . . .  11
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  11
     5.1.  STAR Protocol Authentication  . . . . . . . . . . . . . .  11
   6.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  11
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  11
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .  11
     7.2.  Informative References  . . . . . . . . . . . . . . . . .  12
   Appendix A.  Document History . . . . . . . . . . . . . . . . . .  13
     A.1.  draft-sheffer-acme-star-request-01  . . . . . . . . . . .  13  (-00: A.1. draft-sheffer-acme-star-request-00)
     A.2.  draft-sheffer-acme-star-request-00  . . . . . . . . . . .  13  (new in -01)
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13
1. Introduction

   This document is a companion document to [I-D.ietf-acme-star]. To
   avoid duplication, we give here a bare-bones description of the
   motivation for this solution. For more details and further use
   cases, please refer to the introductory sections of
   [I-D.ietf-acme-star].

   A content provider (referred to in this document as Domain Name
   Owner, DNO) has agreements in place with one or more Content Delivery
   Networks (CDNs) that are contracted to serve its content over HTTPS.
   The CDN terminates the HTTPS connection at one of its edge cache
   servers and needs to present its clients (browsers, set-top boxes) a
   certificate whose name matches the authority of the URL that is
   requested, i.e., that of the DNO. However, many DNOs balk at sharing
   their long-term private keys with another organization and, equally,
   delegates (henceforth referred to as NDC, Name Delegation Consumer)
   would rather not have to handle other parties' long-term secrets.

   This document describes a protocol where the DNO and the NDC agree on
   a CSR template and the NDC generates a CSR for a private key that it
   holds. The DNO then uses the ACME protocol (as extended in
   [I-D.ietf-acme-star]) to issue the STAR certificate.

   The generated short-term certificate is automatically renewed by an
   ACME Certification Authority (CA) [I-D.ietf-acme-acme] and routinely
   fetched into the NDC and used for HTTPS connections. The DNO can end
   the delegation at any time by simply instructing the CA to stop the
   automatic renewal and letting the certificate expire shortly
   thereafter.
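   The following is an added illustration of the two roles in the
   paragraphs above, not code from the draft or its authors: the NDC
   creates a key pair and a CSR (the key never leaves the NDC), and the
   DNO checks the CSR against the agreed template before submitting it
   to the ACME CA. The CSRTemplate type, its map-of-names form and the
   two function names are assumptions; the draft does not define a
   template format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// CSRTemplate is an assumed minimal "CSR template" (format not fixed by the draft): the names the NDC may request.
type CSRTemplate struct{ AllowedDNSNames map[string]bool }

// ndcGenerateCSR is the NDC side: the private key is created here and never
// leaves the NDC; only the DER-encoded CSR is handed to the DNO.
func ndcGenerateCSR(names []string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: names[0]}, DNSNames: names}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return der, key, err
}

// dnoCheckCSR is the DNO side: before the CSR goes to the ACME CA, verify its
// self-signature (proof the NDC holds the key) and that every requested name is
// in the template, so the NDC cannot widen the delegation on its own.
func dnoCheckCSR(csrDER []byte, t CSRTemplate) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return err
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR signature invalid: %w", err)
	}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if !t.AllowedDNSNames[n] {
			return fmt.Errorf("name %q is not in the CSR template", n)
		}
	}
	return nil
}

func main() {
	t := CSRTemplate{AllowedDNSNames: map[string]bool{"www.example.com": true}}
	der, _, _ := ndcGenerateCSR([]string{"www.example.com", "other.example.net"})
	fmt.Println(dnoCheckCSR(der, t)) // reports the out-of-template name
}
```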
1.1. Terminology

[skipping to change at page 12, line 5]
7. References

7.1. Normative References

   [I-D.ietf-acme-acme]
              Barnes, R., Hoffman-Andrews, J., and J. Kasten, "Automatic
              Certificate Management Environment (ACME)",
              draft-ietf-acme-acme-06 (work in progress), March 2017.

   [I-D.ietf-acme-star]
              Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
              Fossati, "Use of Short-Term, Automatically-Renewed (STAR)
              Certificates to Delegate Authority over Web Sites",
              draft-ietf-acme-star-00 (work in progress), June 2017.
              (-00 listed this entry as [I-D.sheffer-acme-star]:
              Sheffer, Y., Lopez, D., Dios, O., and T. Fossati, "Use of
              Short-Term, Automatically-Renewed (STAR) Certificates to
              Delegate Authority over Web Sites",
              draft-sheffer-acme-star-02 (work in progress), May 2017.)

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC7617]  Reschke, J., "The 'Basic' HTTP Authentication Scheme",
              RFC 7617, DOI 10.17487/RFC7617, September 2015,
              <http://www.rfc-editor.org/info/rfc7617>.

[skipping to change at page 13, line 9]

   [I-D.fieau-cdni-https-delegation]
              Fieau, F., Emile, S., and S. Mishra, "HTTPS delegation in
              CDNI", draft-fieau-cdni-https-delegation-01 (work in
              progress), March 2017.
Appendix A. Document History

   [[Note to RFC Editor: please remove before publication.]]

A.1. draft-sheffer-acme-star-request-01 (new in -01)

   o  Correct reference to WG draft.

A.2. draft-sheffer-acme-star-request-00 (numbered A.1 in -00)

   o  Initial version, the STAR API extracted from
      draft-sheffer-acme-star-02.

Authors' Addresses

   Yaron Sheffer
   Intuit

   EMail: yaronf.ietf@gmail.com
End of changes. 8 change blocks; 14 lines changed or deleted, 19 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/