CDNI Working Group                                          F. Fieau, Ed.
Internet-Draft                                                 E. Stephan
Intended status: Standards Track                                   Orange
Expires: May 7, 2020                                            S. Mishra
                                                                  Verizon
                                                        November 04, 2019


                   CDNI extensions for HTTPS delegation
              draft-ietf-cdni-interfaces-https-delegation-02

Abstract

   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document proposes extensions to
   the CDNI Control and Metadata interfaces to set up HTTPS delegation
   from an Upstream CDN (uCDN) to a Downstream CDN (dCDN).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 7, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Known delegation methods
   4.  Extending the CDNI metadata model
     4.1.  Extension to PathMetadata object
     4.2.  Delegation methods
       4.2.1.  AcmeStarDelegationMethod object
       4.2.2.  SubcertsDelegationMethod object
   5.  Metadata Simple Data Type Descriptions
     5.1.  Periodicity
   6.  IANA considerations
     6.1.  CDNI MI AcmeStarDelegationMethod Payload Type
     6.2.  CDNI MI SubCertsDelegationMethod Payload Type
   7.  Security considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Authors' Addresses

1.  Introduction

   Content delivery over HTTPS using one or more CDNs along the path
   requires credential management.  This specifically applies when an
   entity delegates delivery of encrypted content to another trusted
   entity.

   Several delegation methods are currently proposed within different
   IETF working groups.  They specify different methods for provisioning
   HTTPS delivery credentials.

   This document extends the CDNI Metadata interface to set up HTTPS
   delegation between an upstream CDN (uCDN) and a downstream CDN (dCDN)
   using the standardized delegation methods.  Furthermore, it proposes
   an IANA registry to enable the addition of new methods.

   Section 2 is about the terminology used in this document.  Section 3
   presents delegation methods specified at the IETF.  Section 4
   addresses the extension for handling HTTPS delegation in CDNI.
   Section 5 describes simple data types.
   Section 6 addresses the IANA registry for delegation methods.
   Section 7 covers the security issues.

2.  Terminology

   This document uses terminology from the CDNI framework documents,
   namely the CDNI framework document [RFC7336], the CDNI requirements
   [RFC7337] and the CDNI interface specification documents: the CDNI
   Metadata interface [RFC8006] and the CDNI Control interface /
   Triggers [RFC8007].

3.  Known delegation methods

   There are currently two Internet drafts adopted within the TLS and
   ACME working groups to handle delegation of HTTPS delivery between
   entities.

   This Internet Draft (I-D) proposes standardizing HTTPS delegation
   between the entities using CDNI interfaces.

   This document considers the following two I-Ds that deal with HTTPS
   delegation:

   -  Sub-certificates [I-D.ietf-tls-subcerts]

   -  Short-term, Automatically-Renewed (STAR) certificates in Automated
      Certificate Management Environment (ACME) [I-D.ietf-acme-star]

4.  Extending the CDNI metadata model

   This section defines a CDNI extension to the current Metadata
   interface model that allows bootstrapping delegation methods between
   a uCDN and a delegate dCDN.

4.1.  Extension to PathMetadata object

   This extension reuses the PathMetadata object, as defined in
   [RFC8006], and adds new "Delegation methods" objects as specified in
   the following sections.

   This allows support for a given method to be indicated explicitly.
   Therefore, the presence (or lack thereof) of an
   AcmeStarDelegationMethod, SubcertsDelegationMethod, and/or further
   delegation method objects implies support (or lack thereof) for the
   given method.

   Example:

   The PathMatch object can reference a path-metadata that points at the
   delegation information.  Delegation metadata are added to the
   PathMetadata object.

   The following shows both the PathMatch and PathMetadata objects
   related to a path (here /movies/* located at
   https://metadata.ucdn.example/video.example.com/movies):

   PathMatch:
   {
     "path-pattern": {
       "pattern": "/movies/*",
       "case-sensitive": true
     },
     "path-metadata": {
       "type": "MI.PathMetadata",
       "href": "https://metadata.ucdn.example/video.example.com/movies"
     }
   }

   Following the example above, the PathMetadata can be modeled for
   AcmeStarDelegationMethod as:

   PathMetadata:
   {
     "metadata": [
       {
         "generic-metadata-type": "MI.AcmeStarDelegationMethod",
         "generic-metadata-value": {
           "star-proxy": "10.2.2.2",
           "acme-server": "10.2.3.3",
           "credentials-location-uri": "www.ucdn.com/credentials",
           "periodicity": 36000,
           "CSR-template": Json/Text representing the CSR template (see Section 4.2)
         }
       }
     ]
   }

   The existence of the "MI.AcmeStarDelegationMethod" object in a
   PathMetadata object shall enable the use of one of the
   AcmeStarDelegation methods, chosen by the delegating entity.  The
   delegation method will be activated for the set of paths defined in
   the PathMatch.  See Section 4.2 for more details about the delegation
   method metadata specification.

4.2.  Delegation methods

   This section defines the delegation method metadata objects.  This
   metadata allows bootstrapping a secured delegation by providing the
   dCDN with the parameters needed to set it up.

4.2.1.  AcmeStarDelegationMethod object

   This section defines the AcmeStarDelegationMethod object, which
   describes metadata related to the use of the ACME/STAR API presented
   in [I-D.ietf-acme-star].

   As expressed in [I-D.ietf-acme-star], when an origin has set a
   delegation to a specific domain (i.e. dCDN), the dCDN should present
   to the end-user client a short-term certificate bound to the master
   certificate.
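   As an added example that is not part of this draft, the following
   Python checks a received PathMetadata object the way a dCDN would
   before acting on it: it collects the delegation method objects whose
   presence advertises support (Section 4.1), verifies that each one
   carries every Mandatory-to-Specify property of the
   AcmeStarDelegationMethod and SubcertsDelegationMethod objects
   (Sections 4.2.1 and 4.2.2), and enforces the Section 5.1 Periodicity
   type.  The type strings, function names and sample object are
   assumptions made here.

```python
import json

# Mandatory-to-Specify properties per delegation method object (Sections
# 4.2.1 and 4.2.2); the type strings are assumed, the draft's spelling varies.
MANDATORY_PROPERTIES = {
    "MI.AcmeStarDelegationMethod": (
        "star-proxy", "acme-server", "credentials-location-uri",
        "periodicity", "CSR-template"),
    "MI.SubcertsDelegationMethod": (
        "credentials-delegating-entity", "credential-recipient-entity",
        "credentials-location-uri", "periodicity"),
}

class DelegationMetadataError(ValueError):
    """A delegation method object is present but malformed."""

def check_periodicity(value):
    """Section 5.1: renewal period in seconds, type Integer (bool excluded)."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise DelegationMetadataError("periodicity must be a positive integer")
    return value

def supported_delegation_methods(path_metadata):
    """Return {type: value} for each delegation method in a PathMetadata object.
    Per Section 4.1, presence of the object means the uCDN supports the method,
    so every object found must carry all of its mandatory properties."""
    found = {}
    for entry in path_metadata.get("metadata", []):
        mtype = entry.get("generic-metadata-type")
        if mtype not in MANDATORY_PROPERTIES:
            continue  # another generic metadata object, not a delegation method
        value = entry.get("generic-metadata-value") or {}
        missing = [p for p in MANDATORY_PROPERTIES[mtype] if p not in value]
        if missing:
            raise DelegationMetadataError(f"{mtype} is missing {missing}")
        check_periodicity(value["periodicity"])
        found[mtype] = value
    return found

# Constructed sample modelled on the Section 4.1 example; the CSR-template
# value is a placeholder string standing in for the real CSR template.
SAMPLE_PATH_METADATA = json.loads("""
{"metadata": [{"generic-metadata-type": "MI.AcmeStarDelegationMethod",
               "generic-metadata-value": {
                   "star-proxy": "10.2.2.2", "acme-server": "10.2.3.3",
                   "credentials-location-uri": "www.ucdn.com/credentials",
                   "periodicity": 36000,
                   "CSR-template": "<CSR template placeholder>"}}]}
""")
```

   A dCDN that rejects a malformed object at this point never starts a
   renewal loop against a STAR proxy or ACME server it cannot identify.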
   dCDN                  uCDN              Content Provider        ACME/STAR
     |              ACME/STAR proxy          ACME/STAR               Server
     |                     |                     |                     |
     | GET Metadata incl. Delegation object      |                     |
     +-------------------->|                     |                     |
     | 200 OK + Metadata   |                     |                     |
     |<--------------------+                     |                     |
     | Request delegation (CNAME: www.dcdn.example) + dCDN public key  |
     +-------------------->|                     |                     |
     |                     | Request STAR Cert + dCDN public key       |
     |                     +-------------------->| Request STAR cert + PubKey
     |                     |                     |-------------------->|
     |                     |                     |   STAR certificate  |
     |                     |   STAR certificate  |<--------------------|
     |   STAR certificate  |<--------------------+                     |
     +<--------------------|                     |                     |
     |                     |                     |                     |
     | Retrieve STAR certificate (credential-location-uri)             |
     +---------------------------------------------------------------->|
     |                     |                     |                     |--+ renew
     |                     |                     |                     |  | cert
     |   Star certificate  |                     |                     |<-+
     |<----------------------------------------------------------------+
     |        ...          |                     |                     |

           Figure 1: Example call-flow of STAR delegation in CDNI

   Property: star-proxy

      Description: Used to advertise the STAR Proxy to the dCDN.  The
         Endpoint type is defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes

   Property: acme-server

      Description: Used to advertise the ACME server to the dCDN.  The
         Endpoint type is defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes

   Property: credentials-location-uri

      Description: Expresses the location of the credentials to be
         fetched by the dCDN.  The Link type is defined in RFC8006,
         Section 4.3.1.

      Type: Link

      Mandatory-to-Specify: Yes

   Property: periodicity

      Description: Expresses the credentials renewal periodicity.  See
         Section 5.1.

      Type: Periodicity

      Mandatory-to-Specify: Yes

   Property: CSR-template

      Description: The CSR template must be included in the metadata
         when dealing with AcmeStarDelegation methods.  It shall follow
         the description in [I-D.ietf-acme-star], Section 3.  It should
         be included in JSON/text format.

      Type: Text

      Mandatory-to-Specify: Yes

4.2.2.  SubcertsDelegationMethod object

   This section defines the SubcertsDelegationMethod object, which
   describes metadata related to the use of Subcerts as presented in
   [I-D.ietf-tls-subcerts].

   Client                dCDN                  uCDN                Content
     |                     |                     |                 Provider
     |                     |                     |                     |
     |                     |                     |     CP Subcert      |
     |                     |                     |<--------------------|
     |                     | GET Metadata incl. Subcerts Delegation obj|
     |                     +-------------------->|                     |
     |                     |  200 OK + Metadata  |                     |
     |                     |<--------------------+                     |
     |                     | Get Content Provider|                     |
     |                     +-------------------->|                     |
     |                     |       Subcert       |                     |
     |                     |<--------------------+                     |
     | Client Hello + Subcert support            |                     |
     +-------------------->|                     |                     |
     | Server Hello + Subcert                    |                     |
     |<--------------------|                     |                     |
     |     Certificate     |                     |                     |
     |<--------------------|                     |                     |
     | TLS ServerKeyExchange                     |                     |
     |<--------------------|                     |                     |
     | TLS ClientKeyExchange                     |                     |
     |<--------------------|                     |                     |
     |    TLS Finished     |                     |                     |
     |<--------------------|                     |                     |
     |                     |                     |                     |

          Figure 2: Example call-flow of SubCert delegation in CDNI

   As expressed in [I-D.ietf-tls-subcerts], when an origin has set a
   delegation to a downstream entity such as a downstream CDN (i.e.
   dCDN), the dCDN should present the Origin or uCDN certificate or
   "delegated_credential" during the TLS handshake [RFC8446] to the end-
   user client application, instead of its own certificate.

   Property: credentials-delegating-entity

      Description: Endpoint ID (IP) of the delegating entity (uCDN).
         The Endpoint type is defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes

   Property: credential-recipient-entity

      Description: Endpoint ID (IP) of the delegated entity (dCDN).
         The Endpoint type is defined in RFC8006, Section 4.3.3.

      Type: Endpoint

      Mandatory-to-Specify: Yes

   Property: credentials-location-uri

      Description: Expresses the location of the credentials to be
         fetched by the dCDN.  The Link type is defined in RFC8006,
         Section 4.3.1.

      Type: Link

      Mandatory-to-Specify: Yes

   Property: periodicity

      Description: Expresses the credentials renewal periodicity.  See
         Section 5.1.

      Type: Periodicity

      Mandatory-to-Specify: Yes

5.  Metadata Simple Data Type Descriptions

   This section describes the simple data types that are used for
   properties of the objects in this document.

5.1.  Periodicity

   A time value expressed in seconds to indicate a periodicity.

   Type: Integer

6.  IANA considerations

   This document requests the registration of the following entries
   under the "CDNI Payload Types" registry hosted by IANA regarding
   "CDNI delegation":

            +-----------------------------+---------------+
            | Payload Type                | Specification |
            +-----------------------------+---------------+
            | MI.AcmeStarDelegationMethod | RFCthis       |
            | MI.SubCertDelegationMethod  | RFCthis       |
            +-----------------------------+---------------+

   [RFC Editor: Please replace RFCthis with the published RFC number for
   this document.]

6.1.  CDNI MI AcmeStarDelegationMethod Payload Type

   Purpose: The purpose of this Payload Type is to distinguish
   AcmeStarDelegationMethod MI objects (and any associated capability
   advertisement).

   Interface: MI/FCI

   Encoding: see Section 4.2.1

6.2.  CDNI MI SubCertsDelegationMethod Payload Type

   Purpose: The purpose of this Payload Type is to distinguish
   SubcertsDelegationMethod MI objects (and any associated capability
   advertisement).

   Interface: MI/FCI

   Encoding: see Section 4.2.2

7.  Security considerations

   The extensions proposed here do not alter or change the Security
   Considerations outlined in the CDNI Metadata and Footprint and
   Capabilities RFCs [RFC8006].

8.  References

8.1.  Normative References

   [I-D.ietf-acme-star]
              Sheffer, Y., Lopez, D., Dios, O., Pastor, A., and T.
              Fossati, "Support for Short-Term, Automatically-Renewed
              (STAR) Certificates in Automated Certificate Management
              Environment (ACME)", draft-ietf-acme-star-11 (work in
              progress), October 2019.

   [I-D.ietf-tls-subcerts]
              Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
              "Delegated Credentials for TLS",
              draft-ietf-tls-subcerts-04 (work in progress), July 2019.

   [RFC8006]  Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
              "Content Delivery Network Interconnection (CDNI)
              Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016.

   [RFC8007]  Murray, R. and B. Niven-Jenkins, "Content Delivery Network
              Interconnection (CDNI) Control Interface / Triggers",
              RFC 8007, DOI 10.17487/RFC8007, December 2016.

8.2.  Informative References

   [RFC7336]  Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
              "Framework for Content Distribution Network
              Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
              August 2014.

   [RFC7337]  Leung, K., Ed. and Y. Lee, Ed., "Content Distribution
              Network Interconnection (CDNI) Requirements", RFC 7337,
              DOI 10.17487/RFC7337, August 2014.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018.

Authors' Addresses

   Frederic Fieau (editor)
   Orange
   40-48, avenue de la Republique
   Chatillon 92320
   France

   Email: frederic.fieau@orange.com


   Emile Stephan
   Orange
   2, avenue Pierre Marzin
   Lannion 22300
   France

   Email: emile.stephan@orange.com


   Sanjay Mishra
   Verizon
   13100 Columbia Pike
   Silver Spring MD 20904
   USA

   Email: sanjay.mishra@verizon.com