IETF Logo Mail Archive

Re: [CDNi] FW: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt

Christoph Neumann <Christoph.Neumann@broadpeak.tv> Tue, 05 July 2022 08:42 UTC

Return-Path: <Christoph.Neumann@broadpeak.tv>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC61FC15C152 for <cdni@ietfa.amsl.com>; Tue, 5 Jul 2022 01:42:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.807
X-Spam-Level:
X-Spam-Status: No, score=-6.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadpeakshare.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODAUUW1NuBQV for <cdni@ietfa.amsl.com>; Tue, 5 Jul 2022 01:42:50 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80111.outbound.protection.outlook.com [40.107.8.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD492C15C154 for <cdni@ietf.org>; Tue, 5 Jul 2022 01:42:48 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=cvWgJQS31Y4CO0oKiKfcEnhTMCkrnFJDZUJxIVFeygffC59B6GD1beMFwpR/BZonJ8xTf2p0Hc295FIjC+QHGT2/1ALjNpFV1QXhaP1K1m5SSFWc097DFBnWGvoo8QFSzp9Aqh2MlmC+FBb15RyP2xarRsfJOxmh85Zk9ouuhfEmDJSVxWfF6gOG6+GpAPVO7wehwTlz4i4nEuqTF7ltG61JnE+YTlEnEzMGhN2aAJSjP/JM7QKKN8vK63rAT8TNHZntAPO7a0mAcpfpW4dJqHQkHNcIfT+JBMUqQ7acYNMYOWsFb3+Ig1zKJsw/yWrLV1ViOVt+4H3qb7XtuJLrmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=65TVcuT7UDM5oRF+ErAEVQ6CickxKBcv8znqSZCpo44=; b=VK0S/jsabRAr7CfjhjFA+w1wkWLafleH/yrvW+f0FefCIfMIwILHomDfKKhIJKPaIfScLJq+JHnKzZxag22oCmqg+o+MAMbIJf5FsFEEy4Ztidb1je9Ml+q81si537kkEOA+m2fddhfNTzSgionvx5aE+cJcNeWZ4BqHBlWSyDis8Up5BUrsyd7Df/1fQqJAabCsjwVkZDrDY7tcihlEwIJq2hsLms7nWf5F3FcbD3J6H8RmYAivvX+NiZGzskdKIX7/CUdgEXnlv+B+wUXpjOmaQxbVbB7FkRikC4fBnuNXQGbh6M6MtthM7nUJ6J010kqFvVM9BbhZFjShgcj1Kw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=broadpeak.tv; dmarc=pass action=none header.from=broadpeak.tv; dkim=pass header.d=broadpeak.tv; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadpeakshare.onmicrosoft.com; s=selector2-broadpeakshare-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=65TVcuT7UDM5oRF+ErAEVQ6CickxKBcv8znqSZCpo44=; b=kDQI398HJQoXgNND1eTCXcIMmInOb8M68yUMvmvujk78RrSi6/Gf6vuOCTGDuK0HFQU4wF2LUUU8UjTjZPWvewFAUN423D3Z0DoIidO57GuOBfcY5r9ZGXzTiV+96QlJXtzrAhuCAz/4ttRc/e+6Og8+jJB4GJpAs+dBnDbj8zg=
Received: from AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:1cd::13) by AS1PR10MB5315.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:4a1::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5395.21; Tue, 5 Jul 2022 08:42:43 +0000
Received: from AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM ([fe80::38ea:3dce:9b11:6121]) by AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM ([fe80::38ea:3dce:9b11:6121%4]) with mapi id 15.20.5395.021; Tue, 5 Jul 2022 08:42:43 +0000
From: Christoph Neumann <Christoph.Neumann@broadpeak.tv>
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
CC: "cdni@ietf.org" <cdni@ietf.org>
Thread-Topic: [CDNi] FW: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt
Thread-Index: AQHYEs3O/WGjyn79306MBfdlVJi0dqx1ebhggBh7AICABv2ugIDaT08AgAEu0HA=
Date: Tue, 05 Jul 2022 08:42:43 +0000
Message-ID: <AM9PR10MB41529F2F26BC09DCDD646FD98F819@AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM>
References: <164321280803.8419.9611477208216008922@ietfa.amsl.com> <PRAPR10MB5273E44C9F88EBE2882AEBC08F209@PRAPR10MB5273.EURPRD10.PROD.OUTLOOK.COM> <CAMrHYE0TaHxBD7PH7Gc36T6zJWHo4kWQxHCDR4s_mWw0C2Ss1A@mail.gmail.com> <PRAPR10MB5273B098872588130F6A47E08F349@PRAPR10MB5273.EURPRD10.PROD.OUTLOOK.COM> <CAMrHYE0bXS4qvGwD49t_2QrCwRt4f9T+fPbFi-w-n69xfkYtUQ@mail.gmail.com>
In-Reply-To: <CAMrHYE0bXS4qvGwD49t_2QrCwRt4f9T+fPbFi-w-n69xfkYtUQ@mail.gmail.com>
Accept-Language: en-US, fr-FR
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=broadpeak.tv;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1b025ceb-5b0c-46dd-38f9-08da5e62540d
x-ms-traffictypediagnostic: AS1PR10MB5315:EE_
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: yxQSAwkt/hdunpAWRh/iMGs5n0rWVtaM7N+cutdb6IoYNPSAtsrnivhXGBiafBiF+0RpEyu7c9i7k9DZ1//lVRHH6lD1xl9qYOLyN1hUp7umT7LbyuNm5SabP/DvfhXnW/l+WK4WNAMRXd0ybfHjXNz/mEghrIJQaujoZ9SQH/3/7pOvfMbZLNGvf7Zj0JmZP0HbSm52gh9qWoQr20crwCf2JNs9mbNbYgAPZJgTikyHJCNLUVTbAiqlestymPs5+uW6OjaXCZ6EKTuhSby49DSYPD4nBEa+rLcrZiBv48JajbLu00tdyzxcd+P07AqstfEnmh2u2N2mowdB4ml/8N0GmibGmCOZdgwB/ABPnGMYtA3kioiPGvDpo9IdaXtkq84r6is8vQRUN41KpVbTNRfkLDrm6GT/nRh1hNlmeZAg6oInsvgrOLaSVyxvEQ6ouCs5aL3Ef30L5f8DfmFVqe0VfDPkphdL9eZUqaWkje8GWeAmdq5TwglLkR4b3FEP9ANGDqEh9DgoZk4GbWDHiBEnPTDulMO+iUc6wG8Hrm2p0IaXRHD2Qby630QRe9rXMBt6GXNSf/JustLZbiqQELaRCwY/IboVu7/gjmREs6cYqquwXpTdpVCID5BPyUc4w8ejGfejfcSsR+A3pz4tW8HZt0rYK2ct1Yv8AWv/lSzwhfDcKQTiDRzjpbmxFrfGE3dfeGR27lW41RoBRerHGRWBaZqzfaGm7YdYlvJw7NLCIybvB3z4VTjB7+aKj7k7FXr24GKyQ/1i6oqozstP07YcfXCmpdi/Y2J+n/afF6HPZjRnZSw34g99uMgMhs3XnXy+IpAIPUrEv+Q+BmniMPQuTXqUQiv0PSroF55r7lsP7rDbazUetxMBp6QpQY58
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(4636009)(376002)(366004)(396003)(136003)(346002)(39850400004)(166002)(8936002)(52536014)(38100700002)(966005)(15974865002)(86362001)(33656002)(478600001)(122000001)(66946007)(76116006)(4326008)(8676002)(9686003)(64756008)(66446008)(66476007)(30864003)(66556008)(5660300002)(71200400001)(26005)(55016003)(186003)(53546011)(15650500001)(316002)(7696005)(6916009)(2906002)(41300700001)(6506007)(83380400001)(66574015)(38070700005); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: jVs7KrHLubpD+oIptPTgDrIhpcqI8LoGPIgBRm8cIKPbn0j9Hirxqx7VOz3009yW+EpVBHGeFZISL9qtZXlSuSMOQ6RTW/liEZq/cI7/3T3H3OuTUPdFZK9YT5Vct1cDywVajJcjmmE+Qis/hHNrXXsK5f5xOQsuDKr4HKhgCC05FrzAeWMzBci3aoVPHeTUDHkMKr6hwfNdkOK9J2FX2ZhGLBYgQ2iGYPief7i3mQluT0gNQwop/T9MbOAq9HDe+WQDuRyxd4d2ZsQct0G0YGJM2NffmxJK58EeTqLlDaqCnLl3h2inFGtY/KwS1FwTNcyzfWdb5lwpoXWmPA93zmGvr7tUx0qwsupdTbrrMgV/QU80oD0fK1Ag/cfeASDJIpwKwH8BuQrWUX/On2LirAxIqedoDBoXq6BHRUJyX4rG2FXDx65U8zER/DO6ZyGDChmYP7ZfizOY20lHCo8CGerRgzvyrEgs1iUKmg5Aq3hIwXOh5qCBJ1BOIpH8F2ShGQ+G1YAxWb8iZ3VltiljCOm9+bSDW1y2He8XHRx1s0RupXXgroqeXUobpKnGi8wig6H4TlH6TKy85xhsgJVBcACIBdu4aX9yM01STd8ROwCCXzAnol+On/NlRJQq74HpFVOwQDQwUVncb8OpixUvIyr7sY2fL35k/hzon8P/qVR7/gjQwqEtNtHivtZhEhAvc3uuZ3SGLQsTO5cyp35xOcSpLwakMCKkGwYQlYI4IvNUS0iFRwnb7ZSNxDOtKG26F63D0qL4AN7frJ7w0P3FNAz++jR/l6zlZ73EknGX8tv3b91gE2EERfuOQr7yedK/cguo4OvlRRADXxyyfximsXTeyCNjGlm72q3HVEcjdNEH/MpiBPJdzW/kWbr2ZBn03YyJGHw4GlnXb7jt9QBRfjBx6Z3bP/YhyjKBVOcYS6D2LeZYuhTOjYTLV7eNOcOXwpe0hz9QX4kYXBlwRNWVFAzsiDkLVDPvOmqB/RWqpGWqsUxuLnV18u0c4MsyEBO44NuX99qgRxIW3BGaWpQuhWjBmoyMnDTWjOCVF+FpHBQpOmdTw8LDTmEy78rI+LmehbKrkB/H4aUqqFj8PCkK7XUXXFv9s4XBGBzMVs1rWA7p3u70yq1p1/oPpcLn0VzFo1bziHaPV3t7g7knJC96QvlyESia1LmUI7h4IXhPw+GThMnHM2/rc999fCbuoXGvcb8Lp9ruhFhzvyKgDxvcYzcZhiWQ7IX9WXls1MVF4MsNuf75bLPCsFUDYogj3KnCgvsNnrfokcB2XwEieSmaix4la0LQ/fK/mIE/ZaSvn/jRaN7YuxIyPc4aSnE6MkoOw25qAbSkZ9gjwmbP5K77nRdn05ZIJaXd5hdlHypZdju7QoMgTy4o0kj0dDtPdOPnSIfh5AXGf2b3L+P95Qtc+h5ep9MgFVHFSLEkCmH9MZMmPXu6DBETvWJozHqntCIOL4jKyYP52HLY/Rx3EbB2hGfNqphp67o+SpDTXM1peQ/Lb4dLAr9C5rcT83oFF554IWudtJPQq8IeppOWjQ/aE4bOrQ5kk5inOthiSBJCt9Y+/s+yFumDWSm+EMFBdTBdSFQe82OMNJ7Uj5QP72yl7g==
Content-Type: multipart/alternative; boundary="_000_AM9PR10MB41529F2F26BC09DCDD646FD98F819AM9PR10MB4152EURP_"
MIME-Version: 1.0
X-OriginatorOrg: broadpeak.tv
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM9PR10MB4152.EURPRD10.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 1b025ceb-5b0c-46dd-38f9-08da5e62540d
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jul 2022 08:42:43.5836 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0ebe44ea-c9c9-438d-a040-7e699f358ed4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8oJ6WW/B6wQQGUoilhy+VxP6gx4BzOwY81Ay2XwvE0d44RRhwZLQhJpT5GpZEWQoiycs2E51K0iwuTWop8Tyf+ZmMcB/czuvjPG442mtr1Y=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS1PR10MB5315
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/WlTqlsETVFvpiRNsjJdFg6mHo0w>
Subject: Re: [CDNi] FW: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 08:42:53 -0000

Hi Kevin,

The interface we are proposing to fetch the delegated credentials is indeed very simple. Only a req/resp on an URL.
If I understand you correctly you think this is still outside the scope of CDNI.
But I'm not quite sure where to define it elsewhere (also because the mechanism is quite simple).
I could not find any other existing standard our mechanism that would allow us to fetch the delegated credentials.


Regarding FCI:
The maximum expiration time of a delegated credential is 7 days. If we stay in this order of magnitude (i.e.  a credential lasts a few days), FCI could do the job: the dCDN monitors the number of credentials that expires in the next day, and ask for new ones by announcing this number of required delegated credentials via an FCI object (the uCDN will very probably query the FCI within the next day).
However, before the first configuration of the dCDN from the uCDN the dCDN does not really know how many servers will be used for the uCDN services and contents and consequently does not really know how many delegated credentials may be needed. I.e., the "first" FCI announcement will be something like the number of caching servers available by the dCDN (or the number of servers per footprint).

So bottom line: FCI could work, but it we will not be very dynamic (e.g., if credentials that last a few hours). If we go for FCI, the only MI object that would stay is the MI.DelegatedCredentials.
If we want a more dynamic mechanism, we need a simple req/resp interface.
My proposal: Maybe we could start with the FCI based mechanism, knowing that it will have limitations in terms of dynamicity, and in the meantime work on how to specify/tackle more dynamic delegated credential fetching mechanisms (and try to figure out where the right place is to specify these).

Christoph


From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Sent: lundi 4 juillet 2022 16:38
To: Christoph Neumann <Christoph.Neumann@broadpeak.tv>
Cc: cdni@ietf.org
Subject: Re: [CDNi] FW: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt

Hi Christoph,

  Adding a new interface to CDNI is definitely out of scope of the current charter, and I'm not sure that it really makes sense as part of CDNI.  It would be a fairly basic req/resp, so from that perspective, I understand why the proposal went with metadata as opposed to an interface.

  The FCI proposal for advertising how many certs are required is interesting.  My one concern (other than security) would be about the load.  How often does the required number of subcerts change, and how often do the subcerts themselves change and need to be re-retrieved?

  I think that if an existing interface was already specified for retrieving the subcert data, having the metadata convey just a pointer to that interface would be much cleaner.  But, the metadata is expected to be somewhat ephemeral, so I guess there isn't a reason the data couldn't be represented/conveyed as metadata.  My primary concern is still the fact that key material is being passed, and that potentially opens up a can of worms from a security perspective.

  I think the discussion of these design choices could certainly be done as part of a working group document.  We can try to get a secdir opinion.

  Are you leaning in a particular direction?

thanx!

--  Kevin J. Ma



On Tue, Feb 15, 2022 at 12:12 PM Christoph Neumann <Christoph.Neumann@broadpeak.tv<mailto:Christoph.Neumann@broadpeak.tv>> wrote:
Hi Kevin,

Thanks for your comments.

MI.DelegatedCredentials may or may not be part of the Metadata Interface (MI) described in RFC8006 (In theory, it should not part of it, I agree with you here, at least as it is in the current proposal) but it should be somehow part of CDNi .

The way to retrieve MI.DelegatedCredentials as defined in the proposal is a bit particular. As only the dCDN knows how many delegated credentials (MI.DelegatedCredentials) it needs , it must fetch/request as many MI.DelegatedCredentials as required. On the other side, the uCDN may decide to respond with different or identical MI.DelegatedCredentials payloads.  I also note that there is an error in the current text which can be a bit confusing: page 4: second paragraph, we should read:

"The MI.ConfDelegatedCredentials contains a URI (credentials-location-uri) that allows the dCDN to download delegated credentials. The expected behavior of this URI is that each time that the dCDN accesses this URI a MI.DelegatedCredentials object containing a delegated credential with its corresponding private key is delivered."

I reckon this workflow is not typical to RFC8006 which would favor a separate/new interface for describing that process. This drives to the possibility of only adding MI.ConfDelegatedCredentials to MI (RFC8006) . However, if we cannot describe the protocol to fetch the MI.DelegatedCredentials object and its payload structure (i.e. private key +  DelegatedCredential as defined in [I-D.ietf-tls-subcerts]) as part of CDNi, the MI.ConfDelegatedCredentials becomes pointless. Ideally, we should generate a new CDNi interface dedicated to subcert describing the MI.DelegatedCredentials payload and the protocol between the uCDN and dCDN.

There is however a possible complementary solution to this. The dCDN may advertise about supporting the subcert capability through a dedicated new FCI object named e.g., FCI.delegatedCredentials. The latter would indicate the number of required [different] delegated credential objects. The uCDN when configuring the dCDN would then use an MI object (we can name it MI.ConfDelegatedCredentials) to communicate the delegated credentials (i.e. private key +  DelegatedCredential) via an array of MI objects. I.e, MI.ConfDelegatedCredentials would be defines as:
Property: array of MI.DelegatedCredentials objects.

The MI.ConfDelegatedCredentials object would have to be updated/communicated by the uCDN each time any or all of the delegated credential's validity is going to expired and/or each time a new FCI.delegatedCredentials object is updated/created.  With that way to do we stay compatible with the RFC 8006 spirit, do not need an extra CDNi interface and provides a complete/coherent mechanism for configuring the dCDN with the delegated credentials.

Any thoughts on this latter proposal?

Christoph


From: Kevin Ma <kevin.j.ma.ietf@gmail.com<mailto:kevin.j.ma.ietf@gmail.com>>
Sent: vendredi 11 février 2022 07:04
To: Christoph Neumann <Christoph.Neumann@broadpeak.tv<mailto:Christoph.Neumann@broadpeak.tv>>
Cc: cdni@ietf.org<mailto:cdni@ietf.org>
Subject: Re: [CDNi] FW: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt

Hi Christoph,

  (As Chair) I think it is fair to call for adoption of the draft, since it was just a split, though I think it would be good to reaffirm that the WG has an appetite for this work, since it has been a while since we agreed to adopt the original draft.  If folks could please confirm on the list that they believe TLS subcerts are still useful to support in CDNI, that would be great.

  (As an Individual) The actual requirements to support TLS subcerts seem pretty minimal (see my comments on the draft below).  Assuming the TLS subcerts draft is on track to be published (I see that the AD recently requested a revision), I am in favor of adopting the draft.

thanx!

--  Kevin J. Ma

comments:
---------

- does "MI.DelegatedCredentials" need to be defined in this draft?  It is not transferred via the MI?  is "MI.ConfDelegatedCredentials" sufficient for CDNI's purposes?
- in the call flows, it looks like only steps 3 and 4 for "MI.ConfDelegatedCredentials" are related to CDNI?  perhaps we could make that even more clear, so that there aren't a lot of questions about the security of what's being proposed?
- the draft needs security and privacy sections (the security section gets easier if we are clear that the draft only really defines the "MI.ConfDelegatedCredentials" object which is a simple link and subcerts does all the heavy security lifting; the privacy section gets easier if we remove MI.DelegatedCredentials and let the subvert draft deal with passing around a "private key")



On Wed, Jan 26, 2022 at 11:33 AM Christoph Neumann <Christoph.Neumann@broadpeak.tv<mailto:Christoph.Neumann@broadpeak.tv>> wrote:
Dear all,

I submitted a new version of the draft on CDNI Metadata for Delegated Credentials (see below).

As discussed and agreed in the CDNi working group, this draft resulted from splitting the original CDNi extensions for HTTPS delegation draft (draft-ietf-cdni-interfaces-https-delegation) into two:
- one that handles STAR/ACME type delegation, which remained in draft-ietf-cdni-interfaces-https-delegation
- one that handles delegated credentials, described in draft-fieau-interfaces-https-delegation-subcerts

The delegated credentials draft is currently handled as an individual submission, and I would like to ask for adoption of this draft in the CDNi working group.

Further, feel free to comment the draft on the mailing list.

Best regards,
Christoph

-----Original Message-----
From: internet-drafts@ietf.org<mailto:internet-drafts@ietf.org> <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Sent: mercredi 26 janvier 2022 17:00
To: Christoph Neumann <christoph.neumann@broadpeak.tv<mailto:christoph.neumann@broadpeak.tv>>; Emile Stephan <emile.stephan@orange.com<mailto:emile.stephan@orange.com>>; Frederic Fieau <frederic.fieau@orange.com<mailto:frederic.fieau@orange.com>>; Guillaume Bichot <guillaume.bichot@broadpeak.tv<mailto:guillaume.bichot@broadpeak.tv>>; Stephan Emile <emile.stephan@orange.com<mailto:emile.stephan@orange.com>>
Subject: New Version Notification for draft-fieau-interfaces-https-delegation-subcerts-01.txt


A new version of I-D, draft-fieau-interfaces-https-delegation-subcerts-01.txt
has been successfully submitted by Christoph Neumann and posted to the IETF repository.

Name:           draft-fieau-interfaces-https-delegation-subcerts
Revision:       01
Title:          CDNI Metadata for Delegated Credentials
Document date:  2022-01-26
Group:          Individual Submission
Pages:          9
URL:            https://www.ietf.org/archive/id/draft-fieau-interfaces-https-delegation-subcerts-01.txt<https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-fieau-interfaces-https-delegation-subcerts-01.txt&data=05%7C01%7CChristoph.Neumann%40broadpeak.tv%7C8b13163efecf4c81e0a708da5dcad7d5%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637925423647998561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RgRHcbvAH1wNsTG3WVxQYkKPBqQJyTLh0uWiBdj8j%2B4%3D&reserved=0>
Status:            https://datatracker.ietf.org/doc/draft-fieau-interfaces-https-delegation-subcerts/<https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-fieau-interfaces-https-delegation-subcerts%2F&data=05%7C01%7CChristoph.Neumann%40broadpeak.tv%7C8b13163efecf4c81e0a708da5dcad7d5%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637925423647998561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=BtLMbicItqAPo3gTHkTG20eVpu7LmnHLT3i5uYU5Vig%3D&reserved=0>
Htmlized:            https://datatracker.ietf.org/doc/html/draft-fieau-interfaces-https-delegation-subcerts<https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fhtml%2Fdraft-fieau-interfaces-https-delegation-subcerts&data=05%7C01%7CChristoph.Neumann%40broadpeak.tv%7C8b13163efecf4c81e0a708da5dcad7d5%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637925423647998561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=Cb9Za4AgjXJWj5wwiDTjQo6Vvq5Z%2Fd%2BXWqWvPpHdl%2Bk%3D&reserved=0>
Diff:            https://www.ietf.org/rfcdiff?url2=draft-fieau-interfaces-https-delegation-subcerts-01<https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-fieau-interfaces-https-delegation-subcerts-01&data=05%7C01%7CChristoph.Neumann%40broadpeak.tv%7C8b13163efecf4c81e0a708da5dcad7d5%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637925423647998561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=PntkcVDGoNnFsmaiGeG7zuuMAtCEjs8zja05F4HW5Mk%3D&reserved=0>

Abstract:
   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document defines metadata in CDNI
   Control and Metadata interface to setup HTTPS delegation using
   Delegated Credentials from an Upstream CDN (uCDN) to a Downstream CDN
   (dCDN).





The IETF Secretariat


_______________________________________________
CDNi mailing list
CDNi@ietf.org<mailto:CDNi@ietf.org>
https://www.ietf.org/mailman/listinfo/cdni<https://fra01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcdni&data=05%7C01%7CChristoph.Neumann%40broadpeak.tv%7C8b13163efecf4c81e0a708da5dcad7d5%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637925423647998561%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=vl2YIYd2avXU%2FLCVOXSqVxJV%2BG4ByhH4e4p59R1ao48%3D&reserved=0>

Broadpeak, S.A. Registered offices at 15 rue Claude Chappe, Zone des Champs Blancs, 35510 Cesson-Sévigné, France | Rennes
Trade Register: 524 473 063
This e-mail and its attachments contain confidential information from Broadpeak S.A. and/or its affiliates (Broadpeak), which is intended only for the person to whom it is addressed.
If you are not the intended recipient of this email, please notify immediately the sender by phone or email and delete it. Any use of the information contained herein in any way, including, but not limited to, total or partial disclosure, reproduction, or dissemination, by persons other than the intended recipient(s) is prohibited, unless expressly authorized by Broadpeak. Broadpeak, S.A. and its affiliates respect privacy laws, and is committed to the protection of personal data. Emails and/or attachments thereof exchanged between us may include your personal data which may be processed by Broadpeak and/or its affiliates according to applicable privacy laws & regulations.
In compliance with Regulation (EU) 2016/679 (GDPR) and applicable implementation in local legislations, you can exercise at any time your rights of access, rectification or erasure of your personal data, as well as your rights to restriction, portability or object to the processing.
For such purpose, or to know more about how Broadpeak processes your personal data, you may contact Broadpeak by email privacy@broadpeak.tv.
Local authority : Commission Nationale Informatique et Libertés (CNIL): 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 or www.cnil.fr

v2.23.0 | Report a Bug | By Email