IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt

frederic.fieau@orange.com Thu, 25 August 2022 10:23 UTC

Return-Path: <frederic.fieau@orange.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA4EEC14F606 for <cdni@ietfa.amsl.com>; Thu, 25 Aug 2022 03:23:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y0zog22J6KYO for <cdni@ietfa.amsl.com>; Thu, 25 Aug 2022 03:23:11 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82DFAC1524A2 for <cdni@ietf.org>; Thu, 25 Aug 2022 03:22:29 -0700 (PDT)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by opfedar25.francetelecom.fr (ESMTP service) with ESMTPS id 4MCzYH5x8Fz8sv6; Thu, 25 Aug 2022 12:22:27 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1661422947; bh=fEZXmxDa9iEzHToCELGMHNVYL6ztwA28VRfZGB7htVs=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=fIhLzC4Pi6kJDoCBPBox8IUQ+1XfDiV5YkmXylcMqNK1gTsGMsk9quOa2PQdBOslD xwodEHx5PhRvt6uMoPz4gf1A4vE346Qi4szj8g6KkvAkut6H1oPUvhvzHFn7g1Bv2A PvVPZY80XYQ5y3RkCVyZ5Uk24sw1WmEp/V+ILqUCh7cKKSzEDBj/0dUMFLbx9m+FTQ XHdCCA63qGheTyYedZbRMuXo1GVHllbMP6w+4KkKnp90bbl9PSnjQ/iLpNH4HhF8aD vKew1ewwrRJzJAnSzl5J7zbDnmo9a6lB0fJ+iJpgocKAQtl7/ZXvNfpEOWKtFnSlR1 L2ys0rppId03w==
From: frederic.fieau@orange.com
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
CC: "cdni@ietf.org" <cdni@ietf.org>
Thread-Topic: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt
Thread-Index: AQHYkt/J/epq4QDRQUeWURWw1hWofa12EYSqgB9KcACABeNTvoAjPMzg
Date: Thu, 25 Aug 2022 10:22:27 +0000
Message-ID: <30961_1661422947_63074D63_30961_20_1_43b5af0151f64c68811d51507c7ea2e0@orange.com>
References: <165729427993.39080.17406768534072744732@ietfa.amsl.com> <17832_1657300932_62C867C4_17832_349_1_586565583e6246baa836eb4c2eb508dd@orange.com> <CAMrHYE26xNLh=3Z=QyRL61knd9CP=yQ3P58BJgxbXSB+ce7QXw@mail.gmail.com> <CAMrHYE03mco4+aEfTv-xg9Pn_6F_uug9u=+LpoWA0pKMTj3Hvg@mail.gmail.com> <4975_1659364554_62E7E4CA_4975_149_1_8eb79427d9dc4ceb8c197de3127c68f3@orange.com> <CAMrHYE0yrhYqthhur8ZgTX5H4tgfCkp92L5Hj0LJQ0PHGXjeBQ@mail.gmail.com>
In-Reply-To: <CAMrHYE0yrhYqthhur8ZgTX5H4tgfCkp92L5Hj0LJQ0PHGXjeBQ@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_Enabled=true; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_SetDate=2022-08-25T10:22:25Z; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_Method=Standard; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_Name=Orange_restricted_external.2; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_SiteId=90c7a20a-f34b-40bf-bc48-b9253b6f5d20; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_ActionId=d73054dd-89dd-4fbb-815c-7d9bd25c7e10; MSIP_Label_f47c794b-e3ab-43f0-9e0f-29fc3e503192_ContentBits=2
x-originating-ip: [10.115.27.51]
Content-Type: multipart/alternative; boundary="_000_43b5af0151f64c68811d51507c7ea2e0orangecom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/IEaR7njmHgj4sA6GnhvKZ6QwE2o>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 10:23:15 -0000

Hi Kevin,

>  wrt the comment on section 1, you are adding an entry to an existing registry; you are not proposing a new registry.  I still don't think that last sentence is correct.
Done

>  wrt section 3, I still don't think the section is necessary.  There's no need to explain how FCI works.  (Note: The example is also not correct, "delegation-methods" should be "metadata".)
I would think, on the contrary it's worth explaining how this interface should be used to advertise for the supported methods. Moreover, the second draft on subcerts delegation is also concerned by this. To me, we should keep it in the draft.
Corrected the "metadata".

>  wrt the example in section 4, I don't think you need the HostMatch example, and the ACMEStarDelegationMethod example is still missing the "generic-metadata-type" field, which is critical.
Done

>  wrt the security considerations, it would be helpful to explain what is critical about the contents of the ACMEStarDelegationMethod metadata, and why it should be protected.
I clarified a bit, but the objects referred in the metadata are related to the Acme-Star draft. The security question is mostly tackled in RFC9115 section 7.

Thank you,

Regards,
Frédéric



De : Kevin Ma <kevin.j.ma.ietf@gmail.com>
Envoyé : mardi 2 août 2022 07:41
À : FIEAU Frédéric INNOV/NET <frederic.fieau@orange.com>
Cc : cdni@ietf.org
Objet : Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt

Hi Frederic,

  Thanks for the quick turnaround.

  wrt the comment on section 1, you are adding an entry to an existing registry; you are not proposing a new registry.  I still don't think that last sentence is correct.

  wrt section 3, I still don't think the section is necessary.  There's no need to explain how FCI works.  (Note: The example is also not correct, "delegation-methods" should be "metadata".)

  wrt the example in section 4, I don't think you need the HostMatch example, and the ACMEStarDelegationMethod example is still missing the "generic-metadata-type" field, which is critical.

  wrt the security considerations, it would be helpful to explain what is critical about the contents of the ACMEStarDelegationMethod metadata, and why it should be protected.

thanx.

--  Kevin J. Ma


On Mon, Aug 1, 2022 at 10:35 AM <frederic.fieau@orange.com<mailto:frederic.fieau@orange.com>> wrote:
Hi Kevin,

Just posted the last version taking into account your comments.

Section 1. and 3
We removed FCI.SupportedDelegationMethods,
There is still the MI.AcmeSTarDelegationMEthod object to register. So the IANA section is not empty.

Section 4.1
Removed the explanations of section 4.1 and moved the example at the bottom of section 4.

Section 6.
We added a recommendation  to protect the critical parts of the objects.

Nits taken into account.


Regards,
Frederic

De : Kevin Ma <kevin.j.ma.ietf@gmail.com<mailto:kevin.j.ma.ietf@gmail.com>>
Envoyé : vendredi 29 juillet 2022 15:47
À : FIEAU Frédéric INNOV/NET <frederic.fieau@orange.com<mailto:frederic.fieau@orange.com>>
Cc : cdni@ietf.org<mailto:cdni@ietf.org>
Objet : Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt

Hi Frederic,

  Some comments on the updated draft below.

thanx!

--  Kevin J. Ma

section 1:
  remove "Furthermore, it includes a proposal of IANA registry to enable adding of delegation methods."  There is no longer a new registry?

section 3:
  I don't see any need for a new FCI object.  RFC8008 already has an FCI.Metadata object, and MI.AcmeStarDelegationMethod can just be advertised through that existing object?

section 4.1:
  This section seems to mostly just explain how the Metadata interface works?  I don't think it is necessary.  I would just remove this section.
  The final example of what a serialized MI.AcmeStarDelegationMethod generic metadata object looks like should be in a section 4.2.1 (including the generic-metadata-type) and referenced from IANA section 5.1

section 6:
  If the ACME delegation objects were divulged, what would be the impact?  Yes, they should be protected by the proper/mandated encryption and authentication on the Metadata interface, but I think it is best to document what is at stake (if anything)

nits:
- section 1:
  "holder of a X.509" -> "a holder of ane X.509"
  "on-demand a X.509" -> "on-demand an X.509" (multiple places)
  "use of certificate authority" -> "use of the certificate authority"
  "an upstream CDN (uCDN) and a downstream CDN (dCDN)" -> "a uCDN and a dCDN"
  "based on mechanism specified" -> "based on the mechanism specified"
- section 4.1:
  "CDNI Delegation metadata" -> "ACMEStarDelegationMethod metadata" ?
  "an HostMatch object" -> "a HostMatch object" (multiple places)
  "The existence of delegation method in the CDNI metadata Object" -> "The existence of ACMEStarDelegationMethod in the CDNI metadata"
  "set of Host" -> "set of Hosts"
- section 4.2:
  "(i.e. dCDN)" -> "(i.e., the dCDN)"
  "end-user client, a short-term" -> "end-user client a short-term"
- section 5.1:
  "see Section 5" -> "see Section 4.2.1"


On Sat, Jul 9, 2022 at 9:55 AM Kevin Ma <kevin.j.ma.ietf@gmail.com<mailto:kevin.j.ma.ietf@gmail.com>> wrote:
Hi Frederic,

  (As Chair) Thanks for the updated draft.  If we think this is pretty close to final, I will start my pre-shepherd review.  I encourage everyone to please take a look, as we would like to try and finish up this work by IETF 115.

  I fully support updating the name of the draft to deconflict it from the subcerts draft.

thanx!

--  Kevin J. Ma


On Fri, Jul 8, 2022 at 1:22 PM <frederic.fieau@orange.com<mailto:frederic.fieau@orange.com>> wrote:
Hi all

I've submitted the -09 version of draft-ietf-cdni-interfaces-https-delegation-09. Changes are mainly on the abstract and introduction.
Also I would suggest to change the title to : "CDNI metadata for HTTPS delegation using Short-Term Automatically Renewed Certificates".

Feel free to comment.

Thank you,
Regards,
Frederic



Orange Restricted

-----Message d'origine-----
De : CDNi <cdni-bounces@ietf.org<mailto:cdni-bounces@ietf.org>> De la part de internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>
Envoyé : vendredi 8 juillet 2022 17:31
À : i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
Cc : cdni@ietf.org<mailto:cdni@ietf.org>
Objet : [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-09.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF.

        Title           : CDNI extensions for HTTPS delegation
        Authors         : Frederic Fieau
                          Emile Stephan
                          Sanjay Mishra
  Filename        : draft-ietf-cdni-interfaces-https-delegation-09.txt
  Pages           : 9
  Date            : 2022-07-08

Abstract:
   This document defines a new Footprint and Capabilities metadata
   objects to support HTTPS delegation between two or more
   interconnected CDNs.  Specifically, this document outlines CDNI
   Metadata interface objects for delegation method as published in the
   ACME-STAR document [RFC9115].


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https-delegation/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-cdni-interfaces-https-delegation-09.html

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-interfaces-https-delegation-09


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
CDNi mailing list
CDNi@ietf.org<mailto:CDNi@ietf.org>
https://www.ietf.org/mailman/listinfo/cdni

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_______________________________________________
CDNi mailing list
CDNi@ietf.org<mailto:CDNi@ietf.org>
https://www.ietf.org/mailman/listinfo/cdni


Orange Restricted


Orange Restricted

_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

v2.23.0 | Report a Bug | By Email