Re: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

"Kevin J. Ma" <kevin.j.ma.ietf@gmail.com> Fri, 17 February 2023 19:22 UTC


Hi Frederic,

  Looking good.  A couple other minor comments:
  - in the time-window description, should the "must"s be capital "MUST"s?  if not, can we rephrase?
  - in section 4.1, make the reference to section 3.1 instead of 3
  - in the security considerations, I still think it would be useful to add a sentence about what an attacker could do if they got the acme-delegation URL.  could they generate certs and masquerade as the site, or is it innocuous?

thanx!

--  Kevin J. Ma

Sent from my iPhone

> On Feb 10, 2023, at 1:56 PM, frederic.fieau@orange.com wrote:
> 
> 
> Hi Thomas,
> 
> 
> 
> Thank you for your review and comments.
> 
> I made the following changes on the Github https://github.com/FredericFi/cdni-wg/blob/main/draft-ietf-cdni-delegation-acme.md
> 
> If no further remarks, I will post the draft in the next days.
> 
> 
> 
> Thanks!
> 
> Frederic
> 
> 
> 
>  
> > I just realised I had another comment that got lost in the translation
> > between my notes and the email... which is: the lifetime-adjust property
> > should be optional rather than mandatory, to mirror the STAR definitions
> > in Section 3.1.1 [1].
> 
> Done
>   
> > ## abstract
> > 
> > * why plural "metadata objects"?  Suggestion:
> > 
> > OLD
> > 
> > Specifically, this document defines CDNI Metadata interface objects to
> > enable delegation of X.509 certificates leveraging delegation schemes
> > defined in RFC9115.
> > 
> > NEW
> > 
> > Specifically, this document defines a CDNI Metadata interface object
> > to enable delegation of X.509 certificates leveraging delegation
> > schemes defined in RFC9115.
> > 
> > 
> 
> Done
> 
> > * expand FCI on first use:
> > 
> >  Section 2 presents delegation metadata for the FCI interface.
> 
> Done
> 
> 
> > * typo (extra “to”)
> > 
> >   When a uCDN delegates to a dCDN to deliver HTTPS traffic using DNS
> >   Redirection [RFC7975],
> > 
> >   When a uCDN delegates a dCDN to delivery of HTTPS traffic using DNS
> >   Redirection [RFC7975],
> > 
> > 
> 
> Done
> 
> > * typo (missing parentheses):
> > 
> > OLD
> > 
> >    The ACMEDelegationMethod applies to both ACME STAR delegation,
> >    which provides a delegation model based on short-term certificates
> >    with automatic renewal Section 2.3.2 of [RFC9115], and non-STAR
> >    delegation, which allows delegation between CDNs using long-term
> >    certificates Section 2.3.3 of [RFC9115].
> > 
> > NEW
> > 
> >    The ACMEDelegationMethod applies to both ACME STAR delegation,
> >    which provides a delegation model based on short-term certificates
> >    with automatic renewal (Section 2.3.2 of [RFC9115]), and non-STAR
> >    delegation, which allows delegation between CDNs using long-term
> >    certificates (Section 2.3.3 of [RFC9115]).
> > 
> 
> Done
> 
> > ## §3.1
> > 
> > * this seems to suggest that the consumer can tell STAR and non-STAR
> >   based on "delegation certificate validity", but it's not clear to me
> >   what that means.
> > 
> >    The ACMEDelegationMethod object allows a uCDN to both define STAR
> >    and non-STAR delegation depending on the delegation certificate
> >    validity.
> > 
> >   From the following examples (§3.1.1) I gather there's an implicit
> >   way to distinguish based on the presence/absence of the lifetime*
> >   properties.  Is that what was intended?  If so, it should be
> >   clarified.
>  
> Done
> 
> 
> _________________________________________________________________________________________________________________________
> 
> 
> This message and its attachments may contain confidential or privileged information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
> Thank you.
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
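Two points in the thread lend themselves to a concrete check: Thomas's request in §3.1 that the STAR/non-STAR distinction (presence or absence of the lifetime* properties) be made explicit, and Kevin's concern about what the acme-delegation URL exposes. The validator below is an added example written for this page, not code from the draft or the CDNI working group; the property names `acme-delegation`, `time-window`, `lifetime` and `lifetime-adjust` are taken from the thread's wording and are assumptions to be checked against the published draft.

```python
"""Added example (not from the draft): sanity-check an ACMEDelegationMethod
object.  Property names "acme-delegation", "time-window", "lifetime" and
"lifetime-adjust" follow the thread's wording and are assumed."""
from urllib.parse import urlparse


class DelegationError(ValueError):
    """Raised when the metadata object cannot be accepted."""


def classify_delegation(obj: dict) -> str:
    """Return "STAR" or "non-STAR" using the implicit rule Thomas asked to
    have spelled out: STAR is signalled by the lifetime* properties being
    present, non-STAR by their absence.  Rejects malformed objects."""
    url = obj.get("acme-delegation")
    if not isinstance(url, str) or urlparse(url).scheme != "https":
        # Delegation resource on the uCDN's ACME server; HTTPS only (added check).
        raise DelegationError("acme-delegation must be an https:// URL")

    window = obj.get("time-window")
    if window is not None:
        start, end = window.get("start"), window.get("end")
        if not (isinstance(start, int) and isinstance(end, int) and start < end):
            raise DelegationError("time-window needs integer start < end")

    if "lifetime-adjust" in obj and "lifetime" not in obj:
        # lifetime-adjust is optional (as agreed in the thread) but only
        # meaningful next to a STAR lifetime.
        raise DelegationError("lifetime-adjust requires lifetime")
    if "lifetime" in obj:
        lifetime, adjust = obj["lifetime"], obj.get("lifetime-adjust", 0)
        if not (isinstance(lifetime, int) and lifetime > 0):
            raise DelegationError("lifetime must be a positive integer")
        if not (isinstance(adjust, int) and 0 <= adjust < lifetime):
            raise DelegationError("lifetime-adjust must be in [0, lifetime)")
        return "STAR"
    return "non-STAR"


def is_rejected(obj: dict) -> bool:
    try:
        classify_delegation(obj)
    except DelegationError:
        return True
    return False


# Constructed sample objects, durations in seconds (not from the draft).
STAR_EXAMPLE = {"acme-delegation": "https://acme.ucdn.example/delegation/abc",
                "time-window": {"start": 1676000000, "end": 1676604800},
                "lifetime": 345600, "lifetime-adjust": 259200}
NON_STAR_EXAMPLE = {"acme-delegation": "https://acme.ucdn.example/delegation/def"}
```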