Re: [Acme] [E] WGLC on draft-ietf-acme-star-delegation

sanjay.mishra@verizon.com Tue, 17 November 2020 03:01 UTC

From: sanjay.mishra@verizon.com
To: IETF ACME <acme@ietf.org>
CC: Yoav Nir <ynir.ietf@gmail.com>
Date: Tue, 17 Nov 2020 03:01:12 +0000
Message-ID: <891044c0368c44558021d21fbebfd286@tbwexch02apd.uswin.ad.vzwcorp.com>
References: <DAABB51D-55F2-48DB-9616-CA9A44E874C9@gmail.com>
In-Reply-To: <DAABB51D-55F2-48DB-9616-CA9A44E874C9@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/dWwo1-On8DEb0rrx5UnrK6feJFU>
Subject: Re: [Acme] [E] WGLC on draft-ietf-acme-star-delegation

I support WGLC for draft-ietf-acme-star-delegation. This draft, together with RFC 8739, forms the core of the delegation method proposed in the draft https://tools.ietf.org/pdf/draft-ietf-cdni-interfaces-https-delegation-04.pdf, of which I am the co-author.

I support this draft as it adds a mechanism allowing the owner of the identifier to retain control over the delegation and revoke it at any time by canceling the associated certificate renewal with the ACME CA. This capability is needed specifically in the CDNI use case (draft listed above) to allow an upstream entity (e.g. an upstream CDN) to revoke any delegation to a downstream entity (e.g. a downstream CDN).

Thank you,
Sanjay

From: Acme [mailto:acme-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Saturday, October 3, 2020 5:35 PM
To: IETF ACME <acme@ietf.org>
Subject: [E] [Acme] WGLC on draft-ietf-acme-star-delegation

Hello all,

   This memo proposes a profile of the ACME protocol that allows the owner of an identifier (e.g., a domain name) to delegate to a third party access to a certificate associated with said identifier.  A primary use case is that of a CDN (the third party) terminating TLS sessions on behalf of a content provider (the owner of a domain name).  The presented mechanism allows the owner of the identifier to retain control over the delegation and revoke it at any time by cancelling the associated STAR certificate renewal with the ACME CA.  Another key property of this mechanism is it does not require any modification to the deployed TLS ecosystem.

This document having been discussed in the working group for almost two years, the authors and chairs believe that it is ready for working group last call.

So this is to start a 2-week WGLC on this document. Please read the document and send comments to the list. Statements of support or opposition are also welcome, especially if accompanied by a technical explanation.

Send the comments to the list by EOD Monday 19-Oct-2020.


Rich & Yoav
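The revocation property both messages rely on (the owner cancels STAR renewal at the CA, and the delegate's access lapses with its last short-lived certificate) can be made concrete with a small simulation. The model below is an added illustration, not code from the draft, RFC 8739 or any ACME implementation; the class names, the "content-provider" and "downstream-cdn" actors, the `ord-1` order id and the clock in hourly ticks are all constructed for the example. It models only two facts stated in the thread: renewal is automatic while the order is valid, and only the identifier owner can cancel it. What the paragraph does not say, and the simulation shows, is that the delegate keeps a usable certificate until the one already issued expires, so revocation latency is bounded by the certificate validity period.

```python
"""Toy model of STAR delegation revocation (added example; not the draft's or
RFC 8739's code). All names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class StarCert:
    """A short-lived certificate; times are simulated clock ticks (hours)."""
    identifier: str
    not_before: int
    not_after: int

    def valid_at(self, now: int) -> bool:
        return self.not_before <= now < self.not_after


@dataclass
class StarOrder:
    """A STAR order at the CA. The owner (IdO) created it and is the only party
    allowed to cancel; the delegate (NDC) only fetches the current certificate."""
    owner: str
    identifier: str
    cert_validity: int          # stands in for the per-certificate validity of a STAR order
    status: str = "valid"
    current: Optional[StarCert] = None


class ToyStarCA:
    """Constructed stand-in for a CA's STAR renewal loop (not a real ACME server)."""

    def __init__(self) -> None:
        self.orders: dict[str, StarOrder] = {}

    def new_order(self, order_id: str, owner: str, identifier: str, cert_validity: int) -> None:
        self.orders[order_id] = StarOrder(owner, identifier, cert_validity)

    def tick(self, now: int) -> None:
        """Auto-renewal: issue a fresh certificate whenever the current one has run
        out, but only while the order is still 'valid'."""
        for order in self.orders.values():
            if order.status != "valid":
                continue
            if order.current is None or now >= order.current.not_after:
                order.current = StarCert(order.identifier, now, now + order.cert_validity)

    def cancel(self, order_id: str, actor: str) -> None:
        """Owner-only cancellation: stops renewal; the certificate already issued is untouched."""
        order = self.orders[order_id]
        if actor != order.owner:
            raise PermissionError(f"{actor} does not own order {order_id}")
        order.status = "canceled"

    def fetch(self, order_id: str) -> Optional[StarCert]:
        """What the delegate sees: the most recently issued certificate, if any."""
        return self.orders[order_id].current


def simulate(cert_validity: int = 24, cancel_at: int = 60, horizon: int = 200) -> int:
    """Run the clock; the owner cancels at `cancel_at`. Returns the last tick at
    which the delegate still holds a valid certificate (-1 if never)."""
    ca = ToyStarCA()
    ca.new_order("ord-1", owner="content-provider",
                 identifier="www.example.com", cert_validity=cert_validity)
    last_valid = -1
    for now in range(horizon):
        if now == cancel_at:
            ca.cancel("ord-1", actor="content-provider")
        ca.tick(now)
        cert = ca.fetch("ord-1")
        if cert is not None and cert.valid_at(now):
            last_valid = now
    return last_valid


def delegate_cannot_cancel() -> bool:
    """The delegate holds the certificate but has no authority over the order."""
    ca = ToyStarCA()
    ca.new_order("ord-1", owner="content-provider",
                 identifier="www.example.com", cert_validity=24)
    try:
        ca.cancel("ord-1", actor="downstream-cdn")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    last = simulate()
    print(f"owner cancelled at t=60; delegate's last valid tick is t={last}")
    print("delegate blocked from cancelling:", delegate_cannot_cancel())
```

With 24-hour certificates and a cancellation at hour 60, the delegate's last valid tick is 71: the certificate issued at hour 48 runs to its natural end and no successor appears. Shortening the validity period shrinks that window, which is the operational knob an upstream CDN would tune against how quickly it needs a downstream delegation to lapse.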