< draft-ietf-cdni-interfaces-https-delegation-00.txt   draft-ietf-cdni-interfaces-https-delegation-01.txt >
CDNI Working Group F. Fieau, Ed. CDNI Working Group F. Fieau, Ed.
Internet-Draft E. Stephan Internet-Draft E. Stephan
Intended status: Standards Track Orange Intended status: Standards Track Orange
Expires: June 1, 2019 S. Mishra Expires: November 30, 2019 S. Mishra
Verizon Verizon
November 28, 2018 May 29, 2019
CDNI extensions for HTTPS delegation CDNI extensions for HTTPS delegation
draft-ietf-cdni-interfaces-https-delegation-00 draft-ietf-cdni-interfaces-https-delegation-01
Abstract Abstract
The delivery of content over HTTPS involving multiple CDNs raises The delivery of content over HTTPS involving multiple CDNs raises
credential management issues. This document proposes extensions in credential management issues. This document proposes extensions in
CDNI Control and Metadata interfaces to setup HTTPS delegation from CDNI Control and Metadata interfaces to setup HTTPS delegation from
an Upstream CDN (uCDN) to a Downstream CDN (dCDN). an Upstream CDN (uCDN) to a Downstream CDN (dCDN).
Status of This Memo Status of This Memo
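Review bot: the Abstract still says the extensions are in the "CDNI Control and Metadata interfaces", while the Introduction in this revision states that the document "extends the CDNI Metadata interface" only, and the rest of the diff shows no Control interface / Triggers extension; drop "Control and" from the Abstract (or add the missing Control interface material) so both agree. While editing that sentence, "to setup HTTPS delegation" should read "to set up HTTPS delegation" (verb form).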
skipping to change at page 1, line 35 skipping to change at page 1, line 35
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 1, 2019. This Internet-Draft will expire on November 30, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 41 skipping to change at page 2, line 41
requires credential management. This specifically applies when an requires credential management. This specifically applies when an
entity delegates delivery of encrypted content to another trusted entity delegates delivery of encrypted content to another trusted
entity. entity.
Several delegation methods are currently proposed within different Several delegation methods are currently proposed within different
IETF working groups. They specify different methods for provisioning IETF working groups. They specify different methods for provisioning
HTTPS delivery credentials. HTTPS delivery credentials.
This document extends the CDNI Metadata interface to setup HTTPS This document extends the CDNI Metadata interface to setup HTTPS
delegation between an upstream CDN (uCDN) and downstream CDN (dCDN). delegation between an upstream CDN (uCDN) and downstream CDN (dCDN).
Furthermore, it includes a proposal of IANA registry to enable the Furthermore, it includes a proposal of IANA registry to enable adding
adding of new methods. of new methods.
Section 2 is about terminology used in this document. Section 3 Section 2 is about terminology used in this document. Section 3
presents delegation methods specified at the IETF. Section 4 presents delegation methods specified at the IETF. Section 4
addresses the extension for handling HTTPS delegation in CDNI. addresses the extension for handling HTTPS delegation in CDNI.
Section 5 describes simple data types. Section 6 is about an IANA Section 5 describes simple data types. Section 6 addresses IANA
registry for delegation methods. Section 7 raises the security registry for delegation methods. Section 7 covers the security
issues. issues.
2. Terminology 2. Terminology
This document uses terminology from CDNI framework documents such as: This document uses terminology from CDNI framework documents such as:
CDNI framework document [RFC7336], CDNI requirements [RFC7337] and CDNI framework document [RFC7336], CDNI requirements [RFC7337] and
CDNI interface specifications documents: CDNI Metadata interface CDNI interface specifications documents: CDNI Metadata interface
[RFC8006] and CDNI Control interface / Triggers [RFC8007]. [RFC8006] and CDNI Control interface / Triggers [RFC8007].
3. Known delegation methods 3. Known delegation methods
There are currently two Internet drafts within the TLS and ACME There are currently two Internet drafts within the TLS and ACME
working groups adopted to handle delegation of HTTPS delivery between working groups adopted to handle delegation of HTTPS delivery between
entities. entities.
This I-D proposes standardizing HTTPS delegation between the entities This Internet Draft (I-D) proposes standardizing HTTPS delegation
using CDNI interfaces. between the entities using CDNI interfaces.
This document considers the following two I-D that supports HTTPS This document considers the following two I-Ds that supports HTTPS
delegation: delegation:
- Sub-certificates [I-D.ietf-tls-subcerts] - Sub-certificates [I-D.ietf-tls-subcerts]
- Short-term certificates in ACME using STAR API [I-D.ietf-acme-star] - Support for Short-term, Automatically-Renewed (STAR) certificates
in Automated Certificate Management Environment(ACME)
[I-D.ietf-acme-star]
4. Extending the CDNI metadata model 4. Extending the CDNI metadata model
This section defines a CDNI extension to the current Metadata This section defines a CDNI extension to the current Metadata
interface model that allows bootstrapping delegation methods between interface model that allows bootstrapping delegation methods between
a uCDN and a delegate dCDN. a uCDN and a delegate dCDN.
4.1. Extension to PathMetadata object 4.1. Extension to PathMetadata object
This extension reuses PathMetadata object, as defined in [RFC8006], This extension reuses PathMetadata object, as defined in [RFC8006],
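Review bot: the reworded sentence in Section 3 is still ungrammatical after the change: "the following two I-Ds that supports HTTPS delegation" needs "support". In the list that follows, the STAR entry was expanded to the draft's full title but the subcerts entry is still the informal "Sub-certificates"; for consistency with the reference list, use the draft's own title, e.g. "- Delegated Credentials for TLS [I-D.ietf-tls-subcerts]", and insert the missing space in "Environment(ACME)".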
skipping to change at page 5, line 14 skipping to change at page 5, line 14
4.2. Delegation methods 4.2. Delegation methods
This section defines the delegation methods objects metadata. Those This section defines the delegation methods objects metadata. Those
metadata allows bootstrapping a secured delegatioin by providing the metadata allows bootstrapping a secured delegatioin by providing the
dCDN with the needed parameters to set it up. dCDN with the needed parameters to set it up.
4.2.1. AcmeStarDelegationMethod object 4.2.1. AcmeStarDelegationMethod object
This section defines the AcmeStarDelegationMethod object which This section defines the AcmeStarDelegationMethod object which
describes metadata related to the use of Acme Star API presented in describes metadata related to the use of Acme STAR API presented in
[I-D.ietf-acme-star] [I-D.ietf-acme-star]
As expressed in [I-D.ietf-acme-star], when an origin has set a As expressed in [I-D.ietf-acme-star], when an origin has set a
delegation to a specific domain (i.e. dCDN), the dCDN should present delegation to a specific domain (i.e. dCDN), the dCDN should present
to the end-user client, a short-term certificate bound to the master to the end-user client, a short-term certificate bound to the master
certificate. certificate.
Property: star-proxy Property: star-proxy
Description: Used to advertise the STAR Proxy to the dCDN. Description: Used to advertise the STAR Proxy to the dCDN.
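Review bot: Section 4.2 carries the typo "delegatioin" and a number-agreement error in "Those metadata allows bootstrapping a secured delegatioin"; suggest "This metadata allows bootstrapping a secured delegation". In Section 4.2.1 the change to "Acme STAR API" is only half done: ACME is an acronym (expanded in Section 3 as Automated Certificate Management Environment), so write "ACME STAR API" throughout. Also, "the dCDN should present to the end-user client, a short-term certificate" has a stray comma, and if that requirement is meant to be normative for a Standards Track document it should use the RFC 2119 keyword SHOULD.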
skipping to change at page 8, line 17 skipping to change at page 8, line 17
Purpose: The purpose of this Payload Type is to distinguish Purpose: The purpose of this Payload Type is to distinguish
SubcertsDelegationMethod MI objects (and any associated capability SubcertsDelegationMethod MI objects (and any associated capability
advertisement) advertisement)
Interface: MI/FCI Interface: MI/FCI
Encoding: see Section 4.2.2 Encoding: see Section 4.2.2
7. Security considerations 7. Security considerations
Extensions proposed here do not change Security Considerations as Extensions proposed here do not alter nor change Security
outlined in the CDNI Metadata and Footprint and Capabilities RFCs Considerations as outlined in the CDNI Metadata and Footprint and
[RFC8006]. Capabilities RFCs [RFC8006].
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-acme-star] [I-D.ietf-acme-star]
Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T. Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
Fossati, "Support for Short-Term, Automatically-Renewed Fossati, "Support for Short-Term, Automatically-Renewed
(STAR) Certificates in Automated Certificate Management (STAR) Certificates in Automated Certificate Management
Environment (ACME)", draft-ietf-acme-star-04 (work in Environment (ACME)", draft-ietf-acme-star-05 (work in
progress), October 2018. progress), March 2019.
[I-D.ietf-tls-subcerts] [I-D.ietf-tls-subcerts]
Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla, Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
"Delegated Credentials for TLS", draft-ietf-tls- "Delegated Credentials for TLS", draft-ietf-tls-
subcerts-02 (work in progress), August 2018. subcerts-03 (work in progress), February 2019.
[RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, [RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
"Content Delivery Network Interconnection (CDNI) "Content Delivery Network Interconnection (CDNI)
Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016, Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
<https://www.rfc-editor.org/info/rfc8006>. <https://www.rfc-editor.org/info/rfc8006>.
[RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network [RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network
Interconnection (CDNI) Control Interface / Triggers", Interconnection (CDNI) Control Interface / Triggers",
RFC 8007, DOI 10.17487/RFC8007, December 2016, RFC 8007, DOI 10.17487/RFC8007, December 2016,
<https://www.rfc-editor.org/info/rfc8007>. <https://www.rfc-editor.org/info/rfc8007>.
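Review bot: the Security Considerations sentence now names "the CDNI Metadata and Footprint and Capabilities RFCs" but cites only [RFC8006]; either add a normative reference for the CDNI Footprint and Capabilities Semantics RFC (RFC 8008) or drop "Footprint and Capabilities" from the sentence, and "do not alter nor change" should be reduced to one verb. More substantively, the claim that nothing changes is hard to defend: the objects defined in Section 4.2 (for example the star-proxy property, which advertises the STAR Proxy to the dCDN) are the parameters from which the dCDN bootstraps credential delegation, so a tampered or spoofed metadata object would point the dCDN at the wrong proxy or delegation parameters. The section should state that these objects rely on the authentication and integrity protection of the Metadata interface transport and point to the security considerations of [I-D.ietf-acme-star] and [I-D.ietf-tls-subcerts] for the delegation mechanisms themselves.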
 End of changes. 14 change blocks. 
20 lines changed or deleted 22 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/