Re: [CDNi] [E] review of draft-ietf-cdni-interfaces-https-delegation-11

"Mishra, Sanjay" <sanjay.mishra@verizon.com> Fri, 26 August 2022 16:49 UTC

From: "Mishra, Sanjay" <sanjay.mishra@verizon.com>
Date: Fri, 26 Aug 2022 12:49:06 -0400
Message-ID: <CA+EbDtAtGvDHMmnbS1Gn1LbgrqcQEp-z8gPrmhHHew1nj_fjjQ@mail.gmail.com>
To: Thomas Fossati <Thomas.Fossati@arm.com>
Cc: "draft-ietf-cdni-interfaces-https-delegation@ietf.org" <draft-ietf-cdni-interfaces-https-delegation@ietf.org>, "cdni@ietf.org" <cdni@ietf.org>, "yaronf.ietf@gmail.com" <yaronf.ietf@gmail.com>, "diego.r.lopez@telefonica.com" <diego.r.lopez@telefonica.com>, "antonio.pastorperales@telefonica.com" <antonio.pastorperales@telefonica.com>

Hi Thomas - Thank you for your detailed review. All your comments are
extremely helpful and help add content and clarity.

Fred can also move the document to GitHub so it may be easier to
collaborate, and yes, we certainly can use your help to make sure your points
are accurately captured.

Thank you
Sanjay

On Thu, Aug 25, 2022 at 5:05 PM Thomas Fossati <Thomas.Fossati@arm.com>
wrote:

> Hi Fred, Sanjay, Emil,
>
> I have reviewed draft-ietf-cdni-interfaces-https-delegation-11.  I think
> the document is on the right track although there are still a few things
> that need to be ironed out before it's fully usable.  I am happy to work
> with you on each of the points I've made below.
>
> BTW, I wanted to provide some of my comments as PRs but it doesn't look
> like the latest version is on GitHub [1]?
>
> [1] https://github.com/FredericFi/cdni-wg
>
> # Abstract
>
> Plural/singular mismatch:
>
> OLD
> a new Footprint and Capabilities metadata objects
>
> NEW
> new Footprint and Capabilities metadata objects
>
> ---
>
> You need to explain what you mean by "HTTPS delegation", e.g.:
>
> OLD
> to support HTTPS delegation between two or more interconnected CDNs.
>
> NEW
> to support delegating the delivery of HTTPS traffic between two or more
> interconnected CDNs.
>
> ---
>
> Maybe explain the advantages of using ACME Delegation over private key
> sharing, e.g.:
>
> OLD
> Specifically, this document outlines CDNI Metadata interface objects for
> delegation method as published in the ACME-STAR document [RFC9115].
>
> NEW
> Specifically, this document outlines CDNI Metadata interface objects for
> HTTPS delegation based on the interfaces for obtaining delegated
> certificates defined by RFC9115.  Using RFC9115-profiled ACME avoids the
> need to share private cryptographic key material between the involved
> entities, while also allowing the delegating CDN to remain in full
> control of the delegation and revoke it at any time.
>
> # §1. Introduction
>
> First para: You could be more explicit about the fact that the
> credential delegation is needed when DNS-based redirection is used.  In
> fact, HTTP-based redirection has no special requirements in terms of
> credential management -- though it has higher TTFB.
>
> Second, third and fourth para may be condensed taking RFC9115 by
> reference and using pointers to its §1, §2.4, §5.1.2, §5.1.2.1.
>
> # §2. Terminology
>
> I think it's also worth pointing to §1.1 of 9115 and §1.2 of 8739 for
> ACME Delegation / STAR specific lingo.
>
> # §3. Advertising delegation metadata for CDNI through FCI
>
> OLD
> The FCI.Metadata object shall allow a dCDN to advertise the
>
> NEW
> The FCI.Metadata object is used by the dCDN to advertise the
>
> One thing that it's not fully clear to me is whether you want to only
> use STAR or you also allow non-STAR delegation?  9115 defines both flows
> (see §2.3.2 and §2.3.3, and also §2.3.6.1 and §2.3.6.2), whilst you only
> define an AcmeStarDelegationMethod.  I think you need to be more explicit
> regarding which subset of 9115 you mean to leverage.
>
> (typo: AcmeStarDelegationDelegationMethod)
>
> # §4. ACME Delegation metadata for CDNI
>
> I am wondering what is the best way to reuse the material from §5.1.2.1
> of 9115 (esp. Figure 11).  Maybe you could just copy it over?  In case
> you can find the source for the pics here [2], [3].
>
> [2] https://raw.githubusercontent.com/yaronf/I-D/main/STAR-Delegation/art/cdni-dns-redirection.ascii-art
>
> [3] https://raw.githubusercontent.com/yaronf/I-D/main/STAR-Delegation/art/cdni-delegation.ascii-art
>
> I reckon Figure 1 provides a good overview of the overall process, but
> lacks a bit of detail to be really useful to an implementer / deployer.
>
> In general ISTM that there is some missing link-up to do with the
> relevant sections in 9115 here.  I'd be more than happy to help closing
> the gap.
>
> Cheers, t
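The protocol point raised in the quoted review (RFC 9115-style delegation avoids sharing private key material with the dCDN and leaves the uCDN able to revoke) as an added Python model; this is not code from the thread or from the draft. The csr-template field names, the token stand-ins for keys and certificates, and the "cancel means no further renewal" semantics are simplifying assumptions, not a transcription of RFC 9115.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Delegation policy the uCDN hands to the CA (simplified csr-template; field names assumed).
TEMPLATE = {"keyTypes": ["rsa", "ecdsa"], "dnsNames": ["video.example.com", "img.example.com"]}

def dcdn_make_csr(names, key_type="rsa"):
    """dCDN generates its own key pair; only the public half leaves the dCDN."""
    private_key = secrets.token_hex(16)            # stays on the dCDN (stand-in token)
    public_key = "pub-" + secrets.token_hex(8)     # stand-in for the public key
    csr = {"names": sorted(names), "keyType": key_type, "publicKey": public_key}
    return private_key, csr

def ucdn_check_csr(csr, template):
    """uCDN forwards a CSR to the CA only if it fits the csr-template it authorised."""
    return (csr["keyType"] in template["keyTypes"]
            and set(csr["names"]) <= set(template["dnsNames"]))

class StarOrder:
    """Short-term, automatically renewed certificate; revocation means 'stop renewing'."""
    def __init__(self, csr, lifetime_hours=24):
        self.csr, self.lifetime = csr, timedelta(hours=lifetime_hours)
        self.cancelled, self.cert = False, None
    def renew(self, now):
        if self.cancelled:                          # uCDN has withdrawn the delegation
            return None
        self.cert = {"publicKey": self.csr["publicKey"],
                     "names": self.csr["names"], "notAfter": now + self.lifetime}
        return self.cert
    def cancel(self):
        self.cancelled = True
    def valid_at(self, when):
        return self.cert is not None and when <= self.cert["notAfter"]

def run_delegation(now=None):
    """Grant, renew and revoke once; returns the facts a deployer would want checked."""
    now = now or datetime(2022, 8, 26, tzinfo=timezone.utc)   # constructed timestamp
    priv, csr = dcdn_make_csr(["video.example.com"])
    ok = ucdn_check_csr(csr, TEMPLATE)
    _, bad_csr = dcdn_make_csr(["video.example.com", "login.example.com"])
    bad_ok = ucdn_check_csr(bad_csr, TEMPLATE)     # login.example.com was never delegated
    order = StarOrder(csr)
    cert = order.renew(now)
    order.cancel()                                 # uCDN revokes: current cert simply ages out
    return {"accepted": ok, "rejected_extra_name": not bad_ok,
            "ucdn_saw_private_key": priv in str(csr) or priv in str(cert),
            "valid_same_day": order.valid_at(now + timedelta(hours=12)),
            "renewal_after_cancel": order.renew(now + timedelta(hours=24)),
            "valid_after_expiry": order.valid_at(now + timedelta(hours=25))}
```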