Re: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

Thomas Fossati <Thomas.Fossati@arm.com> Thu, 26 January 2023 19:58 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "cdni@ietf.org" <cdni@ietf.org>, "draft-ietf-cdni-delegation-acme@ietf.org" <draft-ietf-cdni-delegation-acme@ietf.org>
Date: Thu, 26 Jan 2023 19:57:36 +0000
Message-ID: <DB9PR08MB6524DB623478E0F8640EECFB9CCF9@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <DB9PR08MB65241A19DCF2D10FF4FAF7609CC99@DB9PR08MB6524.eurprd08.prod.outlook.com>
In-Reply-To: <DB9PR08MB65241A19DCF2D10FF4FAF7609CC99@DB9PR08MB6524.eurprd08.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/Spz5XmZ-SxC7tysaZMvk1IjyEWg>
Subject: Re: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

I just realised I had another comment that got lost in the translation
between my notes and the email... which is: the lifetime-adjust property
should be optional rather than mandatory, to mirror the STAR definitions
in Section 3.1.1 [1].

cheers, t
[1] https://www.rfc-editor.org/rfc/rfc8739#section-3.1.1

On 24/01/2023, 10:10, "Thomas Fossati" <Thomas.Fossati@arm.com> wrote:
>
> Hi Fred, Sanjay and Emile,
>
> I have reviewed the latest draft and it looks good to me.
>
> There are a few comments & suggestions below.
>
> Cheers, t
>
> -=-=-=-=-=-
>
> ## abstract
>
> * why plural "metadata objects"?  Suggestion:
>
> OLD
>
> Specifically, this document defines CDNI Metadata interface objects to
> enable delegation of X.509 certificates leveraging delegation schemes
> defined in RFC9115.
>
> NEW
>
> Specifically, this document defines a CDNI Metadata interface object
> to enable delegation of X.509 certificates leveraging delegation
> schemes defined in RFC9115.
>
>
> ## §1
>
> * expand FCI on first use:
>
>  Section 2 presents delegation metadata for the FCI interface.
>
>
> ## §3
>
> * typo (extra “to”)
>
>   When a uCDN delegates to a dCDN to deliver HTTPS traffic using DNS
>   Redirection [RFC7975],
>
>   When a uCDN delegates a dCDN to delivery of HTTPS traffic using DNS
>   Redirection [RFC7975],
>
>
> * typo (missing parentheses):
>
> OLD
>
>    The ACMEDelegationMethod applies to both ACME STAR delegation,
>    which provides a delegation model based on short-term certificates
>    with automatic renewal Section 2.3.2 of [RFC9115], and non-STAR
>    delegation, which allows delegation between CDNs using long-term
>    certificates Section 2.3.3 of [RFC9115].
>
> NEW
>
>    The ACMEDelegationMethod applies to both ACME STAR delegation,
>    which provides a delegation model based on short-term certificates
>    with automatic renewal (Section 2.3.2 of [RFC9115]), and non-STAR
>    delegation, which allows delegation between CDNs using long-term
>    certificates (Section 2.3.3 of [RFC9115]).
>
> ## §3.1
>
> * this seems to suggest that the consumer can tell STAR and non-STAR
>   based on "delegation certificate validity", but it's not clear to me
>   what that means.
>
>    The ACMEDelegationMethod object allows a uCDN to both define STAR
>    and non-STAR delegation depending on the delegation certificate
>    validity.
>
>   From the following examples (§3.1.1) I gather there's an implicit
>   way to distinguish based on the presence/absence of the lifetime*
>   properties.  Is that what was intended?  If so, it should be
>   clarified.
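The review raises two points that a consumer of the metadata object has to turn into concrete logic: STAR versus non-STAR delegation is (implicitly) told apart by the presence or absence of the lifetime properties, and lifetime-adjust should be optional, as it is in RFC 8739 Section 3.1.1. The following classifier is an added example written for this page; it is not code from the draft, from RFC 8739 or from the CDNi working group. It assumes the object is delivered as a JSON object whose STAR-related members are named `lifetime` and `lifetime-adjust` (both in seconds), that any other members (the `delegation-id` placeholder in the samples) can be ignored for classification, and, as a rule chosen for this example only, that a `lifetime-adjust` larger than `lifetime` is rejected as incoherent.

```python
"""Illustrative classifier for an ACMEDelegationMethod-style metadata object.

Added example, not code from the draft, RFC 8739 or the CDNi working group.
Assumes the object is a JSON object with STAR-related members "lifetime"
(seconds) and "lifetime-adjust" (seconds), mirroring the STAR attributes of
RFC 8739 Section 3.1.1; every other member is assumed and ignored here.
"""
import json

STAR = "star"
NON_STAR = "non-star"


def classify_delegation(obj):
    """Return (mode, lifetime, lifetime_adjust) for a delegation object.

    Rule implemented (the implicit convention the review points at):
      - "lifetime" present -> STAR delegation (short-term, auto-renewed)
      - "lifetime" absent  -> non-STAR delegation (long-term certificate)
    "lifetime-adjust" is optional: under STAR it is reported as None when
    absent so the consumer can apply its own default. A "lifetime-adjust"
    without a "lifetime" is rejected, since there is nothing to adjust.
    """
    if not isinstance(obj, dict):
        raise ValueError("delegation object must be a JSON object")
    lifetime = obj.get("lifetime")
    adjust = obj.get("lifetime-adjust")

    if lifetime is None:
        if adjust is not None:
            raise ValueError("lifetime-adjust present without lifetime")
        return NON_STAR, None, None

    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(lifetime, bool) or not isinstance(lifetime, int) or lifetime <= 0:
        raise ValueError("lifetime must be a positive integer (seconds)")
    if adjust is not None:
        if isinstance(adjust, bool) or not isinstance(adjust, int) or adjust < 0:
            raise ValueError("lifetime-adjust must be a non-negative integer (seconds)")
        # Assumption made for this example only: pre-dating a certificate by
        # more than its own lifetime is incoherent, so the object is rejected.
        if adjust > lifetime:
            raise ValueError("lifetime-adjust exceeds lifetime")
    return STAR, lifetime, adjust


def classify_json(text):
    """Parse a JSON document and classify it; parse errors become ValueError."""
    try:
        return classify_delegation(json.loads(text))
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}") from exc


# Constructed sample objects (not taken from the draft); "delegation-id" is a
# placeholder member that the classifier ignores.
SAMPLES = {
    "star-full": '{"delegation-id": "placeholder", "lifetime": 86400, "lifetime-adjust": 3600}',
    "star-no-adjust": '{"delegation-id": "placeholder", "lifetime": 86400}',
    "non-star": '{"delegation-id": "placeholder"}',
    "incoherent": '{"delegation-id": "placeholder", "lifetime-adjust": 3600}',
}


def run_samples():
    """Classify each sample; returns {name: mode or "error: ..."}."""
    results = {}
    for name, text in SAMPLES.items():
        try:
            mode, _, _ = classify_json(text)
            results[name] = mode
        except ValueError as exc:
            results[name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:15s} -> {outcome}")
```

The point of the "incoherent" sample is the one the review makes: if the mode is inferred from which lifetime properties are present, the consumer needs an explicit rule for every combination, including the one the draft does not describe, and the spec is clearer if it states that rule rather than leaving it to the examples.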

