Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-12.txt

Kevin Ma <kevin.j.ma.ietf@gmail.com> Thu, 01 December 2022 05:01 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/TzJSKCtPp7qLxOzPk6Psok4GfYg>

Hi Frederic,

  I think it is fine to use the Link object instead of a Source object.

  Object type names are bumpy-case, but properties (i.e., object members)
are lower-case with hyphens.  "TimeWindow" is an object that has two
properties: "start" and "end" (not "Start" and "End"), where both
properties are of object type "Time".
https://www.rfc-editor.org/rfc/rfc8006.html#section-4.2.3.2

thanx.

--  Kevin J. Ma
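As an added illustration (not code from the draft or from anyone in this thread) of the RFC 8006 conventions described above and in the section 3.2 comments quoted further down, a small Python checker that flags the draft-style shape (bare URL string, bumpy-case property names, ISO 8601 strings in the window) and accepts the corrected one; the property names `acme-delegation` and `time-window` are assumed for the example, not taken from the draft.

```python
import re
from datetime import datetime

# RFC 8006 conventions, as noted above: property names are lower-case with
# hyphens, a Link object carries an "href", and a TimeWindow's "start" and "end"
# are Time objects, i.e. integer seconds since the epoch (not ISO 8601 strings).
PROPERTY_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")
# Assumed property names for the delegation metadata; not taken from the draft.
LINK_PROPERTY = "acme-delegation"
WINDOW_PROPERTY = "time-window"


def iso_to_epoch(text):
    """Convert an ISO 8601 UTC timestamp (the draft's example style) to a Time value."""
    return int(datetime.fromisoformat(text.replace("Z", "+00:00")).timestamp())


def is_time(value):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, int) and not isinstance(value, bool) and value >= 0


def check_delegation(obj):
    """Return the list of convention violations found in a delegation metadata object."""
    problems = [f"property {k!r} is not lower-case with hyphens"
                for k in obj if not PROPERTY_RE.match(k)]
    link = obj.get(LINK_PROPERTY)
    if not (isinstance(link, dict) and isinstance(link.get("href"), str)):
        problems.append(f"{LINK_PROPERTY} must be a Link object with an \"href\" string")
    window = obj.get(WINDOW_PROPERTY)
    if not isinstance(window, dict):
        problems.append(f"{WINDOW_PROPERTY} must be a TimeWindow object")
    else:
        bad = [k for k in ("start", "end") if not is_time(window.get(k))]
        problems += [f"{WINDOW_PROPERTY}.{k} must be an integer epoch Time" for k in bad]
        if not bad and window["end"] <= window["start"]:
            problems.append(f"{WINDOW_PROPERTY} end must be after start")
    return problems


# Constructed sample in the shape the review objects to: a bare URL string,
# bumpy-case property names and ISO 8601 strings inside the window.
DRAFT_STYLE = {
    "ACMEDelegation": "https://acme.ucdn.example/delegation/wSi5",
    "TimeWindow": {"Start": "2022-10-23T00:00:00Z", "End": "2022-10-30T00:00:00Z"},
}

# The same data rewritten the way the review asks for it (Link object, epoch Times).
CORRECTED = {
    LINK_PROPERTY: {"href": DRAFT_STYLE["ACMEDelegation"]},
    WINDOW_PROPERTY: {k.lower(): iso_to_epoch(v) for k, v in DRAFT_STYLE["TimeWindow"].items()},
}
```

`check_delegation(DRAFT_STYLE)` reports four problems, while `check_delegation(CORRECTED)` returns an empty list.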

On Sun, Nov 13, 2022 at 11:13 AM <frederic.fieau@orange.com> wrote:

> Kevin,
>
> “- ACME-delegation is defined as a Source object, but this just shows a
> URL string?  A Source object requires "endpoints" and "protocol".”
>
> I suggest using the Link object, but following RFC8006, I’m not sure
> whether we should explicitly indicate “href” or put the link directly.
>
>   "ACMEDelegation": {
>     "href": "https://acme.ucdn.example/delegation/wSi5"
>   },
>
> or
>
>   "ACMEDelegation": "https://acme.ucdn.example/delegation/wSi5"
>
> “- "TimeWindow" property name should be "time-window"”
>
> Considering that the other properties all have uppercase, shouldn’t we put
> uppercase on this one too? -> “Time-Window”
>
> Regards,
>
> Frédéric
>
> *From:* CDNi <cdni-bounces@ietf.org> *On behalf of* Kevin Ma
> *Sent:* Friday, 11 November 2022 05:34
> *To:* cdni@ietf.org
> *Subject:* Re: [CDNi] I-D Action:
> draft-ietf-cdni-interfaces-https-delegation-12.txt
>
> Hi Frederic,
>
>   Thanks for updating the draft.  I've reviewed it and provided some
> comments below.  Most are nits, but please note the section 3.2 and section
> 5 comments.
>
> thanx!
>
> --  Kevin J. Ma
>
> Abstract:
> - "RFC 9115 allows delegating entity" -> "RFC9115 allows delegating
> entities"
>
> section 1:
> - "In such case" -> "In such cases,"
>
> section 3:
> - "uCDN delegates a dCDN" -> "uCDN delegates to a dCDN"
>
> section 3.1:
> - I suggest changing the object name to just "ACMEDelegation"
> - "STAR and non-STAR delegation objects" -> "STAR and non-STAR delegation"
> - "several properties as shown below" -> "the properties shown below"
> - the Source object reference could point to section 4.2.1.1 of RFC8006
> - "TimeWindow" property name should be "time-window"
> - the TimeWindow object reference could point to section 4.2.3.2 of RFC8006
> - "TimeWindow is defined by defining \"start\" time of the window, and
> \"end\" time of the window" -> "TimeWindow is defined by a window \"start\"
> time and a window \"end\" time"
> - "In case of" -> "In the case of the" (in both places)
> - the Time object reference could point to section 4.3.4 of RFC8006 (in
> both places)
> - remove "In the case that the delegation is STAR-based, the following
> properties are mandatory to specify:", this statement is redundant, it's
> already stated in the Mandatory-to-Specify text
>
> section 3.2:
> - I suggest changing this to be section 3.1.1 to keep it with the metadata
> object specification
> - ACME-delegation is defined as a Source object, but this just shows a URL
> string?  A Source object requires "endpoints" and "protocol".
> - TimeWindow is defined as a TimeWindow object, where the start and end
> are Time objects (i.e., integer epoch values), but this uses ISO8601 time
> strings?
> - The HostMatch/HostMetadata example is superfluous
>
> section 4.1:
> - "Interface: MI" -> "Interface: MI/FCI"
>
> section 5:
> - The security considerations could do a better job explaining the
> nature of the data held in the metadata object and what happens if it is
> compromised.  It currently just says the delegation objects are "critical",
> but I'm not sure what that means.  If an attacker gets the information, what
> can they do with it, if anything?  I would ultimately expect a reference to
> section 8.3 of RFC8006, as that is what actually protects CDNI Metadata.
> - "Section 3are" -> "Section 3 are"
>
> On Sun, Oct 23, 2022 at 9:46 AM <internet-drafts@ietf.org> wrote:
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Content Delivery Networks Interconnection
> WG of the IETF.
>
>         Title           : CDNI extensions for HTTPS delegation
>         Authors         : Frédéric Fieau
>                           Emile Stephan
>                           Sanjay Mishra
>         Filename        : draft-ietf-cdni-interfaces-https-delegation-12.txt
>         Pages           : 11
>         Date            : 2022-10-23
>
> Abstract:
>    This document defines metadata objects to support delegating the
>    delivery of HTTPS content between two or more interconnected CDNs.
>    Specifically, this document defines CDNI Metadata interface objects
>    to enable delegation of X.509 certificates leveraging delegation
>    schemes defined in RFC9115.  RFC 9115 allows delegating entity to
>    remain in full control of the delegation and be able to revoke it any
>    time and avoids the need to share private cryptographic key material
>    between the involved entities.
>
>
> The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-cdni-interfaces-https-delegation/
>
> There is also an HTML version available at:
>
> https://www.ietf.org/archive/id/draft-ietf-cdni-interfaces-https-delegation-12.html
>
> A diff from the previous version is available at:
>
> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-interfaces-https-delegation-12
>
>
> Internet-Drafts are also available by rsync at rsync.ietf.org:
> :internet-drafts
>