[CDNi] Review of draft-ietf-cdni-delegation-acme-00

Thomas Fossati <Thomas.Fossati@arm.com> Tue, 24 January 2023 10:10 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "cdni@ietf.org" <cdni@ietf.org>, "draft-ietf-cdni-delegation-acme@ietf.org" <draft-ietf-cdni-delegation-acme@ietf.org>
Date: Tue, 24 Jan 2023 10:10:00 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/0I9QOi3kkRbjHZj-ABMz1SKDu3o>
Subject: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

Hi Fred, Sanjay and Emile,

I have reviewed the latest draft and it looks good to me.

There are a few comments & suggestions below.

Cheers, t

-=-=-=-=-=-

## abstract

* why plural "metadata objects"?  Suggestion:

OLD

Specifically, this document defines CDNI Metadata interface objects
to enable delegation of X.509 certificates leveraging delegation
schemes defined in RFC9115.

NEW

Specifically, this document defines a CDNI Metadata interface object
to enable delegation of X.509 certificates leveraging delegation
schemes defined in RFC9115.


## §1

* expand FCI on first use:

 Section 2 presents delegation metadata for the FCI interface.


## §3

* typo (extra “to”)

  When a uCDN delegates to a dCDN to deliver HTTPS traffic using DNS
  Redirection [RFC7975],

  When a uCDN delegates a dCDN to delivery of HTTPS traffic using DNS
  Redirection [RFC7975],


* typo (missing parentheses):

OLD

   The ACMEDelegationMethod applies to both ACME STAR delegation, which
   provides a delegation model based on short-term certificates with
   automatic renewal Section 2.3.2 of [RFC9115], and non-STAR
   delegation, which allows delegation between CDNs using long-term
   certificates Section 2.3.3 of [RFC9115].

NEW

   The ACMEDelegationMethod applies to both ACME STAR delegation, which
   provides a delegation model based on short-term certificates with
   automatic renewal (Section 2.3.2 of [RFC9115]), and non-STAR
   delegation, which allows delegation between CDNs using long-term
   certificates (Section 2.3.3 of [RFC9115]).

## §3.1

* this seems to suggest that the consumer can tell STAR and non-STAR
  based on "delegation certificate validity", but it's not clear to me
  what that means.

   The ACMEDelegationMethod object allows a uCDN to both define STAR and
   non-STAR delegation depending on the delegation certificate validity.

  From the following examples (§3.1.1) I gather there's an implicit way
  to distinguish based on the presence/absence of the lifetime*
  properties.  Is that what was intended?  If so, it should be clarified.


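An added illustration of the §3.1 point (not part of the review or of the draft): a consumer can only tell STAR from non-STAR delegation implicitly, by the presence or absence of the lifetime properties in the ACMEDelegationMethod object. The property names "acme-delegation", "lifetime" and "lifetime-adjust", and the sanity checks, are this example's assumptions, modelled on the auto-renewal fields of RFC 9115 rather than copied from the draft.

```python
import json

# Assumed names for the lifetime* properties, after RFC 9115's auto-renewal
# object; the draft text under review does not spell them out.
STAR_PROPERTIES = ("lifetime", "lifetime-adjust")


def classify_delegation(obj: dict) -> str:
    """Return "star" or "non-star" for an ACMEDelegationMethod-like dict.

    The classification is implicit: nothing in the object says "STAR";
    only the presence of lifetime* properties distinguishes the two modes,
    which is exactly the ambiguity the review asks the authors to clarify.
    Raises ValueError for objects that are internally inconsistent.
    """
    if "acme-delegation" not in obj:  # assumed name for the delegation URL
        raise ValueError("missing acme-delegation URL")
    if not any(p in obj for p in STAR_PROPERTIES):
        return "non-star"  # long-term certificate, no renewal parameters
    lifetime = obj.get("lifetime")
    if not isinstance(lifetime, int) or lifetime <= 0:
        # lifetime-adjust without a lifetime, or a non-positive lifetime,
        # is meaningless for short-term automatic renewal
        raise ValueError("STAR delegation needs a positive integer lifetime")
    adjust = obj.get("lifetime-adjust", 0)
    if not isinstance(adjust, int) or adjust < 0:
        raise ValueError("lifetime-adjust must be a non-negative integer")
    return "star"


def classify_json(text: str) -> str:
    """Parse a JSON-encoded metadata object and classify it."""
    return classify_delegation(json.loads(text))


# Constructed sample objects (not taken from the draft).
STAR_EXAMPLE = json.dumps({
    "acme-delegation": "https://acme.example.com/acme/delegation/ogfr8EcolOT",
    "lifetime": 259200,        # 3 days, in seconds
    "lifetime-adjust": 1800,   # pre-date notBefore by 30 minutes
})
NON_STAR_EXAMPLE = json.dumps({
    "acme-delegation": "https://acme.example.com/acme/delegation/ogfr8EcolOT",
})
BROKEN_EXAMPLE = json.dumps({
    "acme-delegation": "https://acme.example.com/acme/delegation/ogfr8EcolOT",
    "lifetime-adjust": 1800,   # adjust without a lifetime: inconsistent
})
```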