Re: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

Thomas Fossati <Thomas.Fossati@arm.com> Mon, 13 February 2023 18:31 UTC

From: Thomas Fossati <Thomas.Fossati@arm.com>
To: "frederic.fieau@orange.com" <frederic.fieau@orange.com>, "cdni@ietf.org" <cdni@ietf.org>
Thread-Topic: Review of draft-ietf-cdni-delegation-acme-00
Thread-Index: AQHZL9sihHzh/6lPL0CR8yx6Kxf1l66xIPkxgBeAvIOABK9rEg==
Date: Mon, 13 Feb 2023 18:30:31 +0000
Message-ID: <DB9PR08MB65244533DCB1DEF568D202139CDD9@DB9PR08MB6524.eurprd08.prod.outlook.com>
References: <DB9PR08MB65241A19DCF2D10FF4FAF7609CC99@DB9PR08MB6524.eurprd08.prod.outlook.com>, <DB9PR08MB6524DB623478E0F8640EECFB9CCF9@DB9PR08MB6524.eurprd08.prod.outlook.com> <30583_1676055350_63E69336_30583_99_1_dff74c34c2c847c3b769e75d0f4999e8@orange.com>
In-Reply-To: <30583_1676055350_63E69336_30583_99_1_dff74c34c2c847c3b769e75d0f4999e8@orange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/c_jHxfB9ZaC0F6xTxRp9FQgvOJw>
Subject: Re: [CDNi] Review of draft-ietf-cdni-delegation-acme-00

Hi Fred,

Thanks very much for addressing my comments.

The last suggestion I have is to change the “lifetime” and “lifetime-adjust” attributes to “star-lifetime” and “star-lifetime-adjust”.
This makes it visually evident when a delegation is STAR vs non-STAR.
(Of course this is a non-blocking & completely debatable piece of advice 😊)

Cheers, t

PS: I’ve left a PR on your repo with a couple of typographic fixes.



On 10/02/2023, 18:56, "frederic.fieau@orange.com" <frederic.fieau@orange.com> wrote:

Hi Thomas,

Thank you for your review and comments.

I made the following changes on GitHub: https://github.com/FredericFi/cdni-wg/blob/main/draft-ietf-cdni-delegation-acme.md

If there are no further remarks, I will post the draft in the next few days.

Thanks!

Frederic


> I just realised I had another comment that got lost in the translation
> between my notes and the email... which is: the lifetime-adjust property
> should be optional rather than mandatory, to mirror the STAR definitions
> in Section 3.1.1 [1].

Done

> ## abstract
>
> * why plural "metadata objects"?  Suggestion:
>
> OLD
>
> Specifically, this document defines CDNI Metadata interface objects to
> enable delegation of X.509 certificates leveraging delegation schemes
> defined in RFC9115.
>
> NEW
>
> Specifically, this document defines a CDNI Metadata interface object
> to enable delegation of X.509 certificates leveraging delegation
> schemes defined in RFC9115.
>

Done

> * expand FCI on first use:
>
>  Section 2 presents delegation metadata for the FCI interface.

Done

> * typo (extra “to”)
>
>   When a uCDN delegates to a dCDN to deliver HTTPS traffic using DNS
>   Redirection [RFC7975],
>
>   When a uCDN delegates a dCDN to delivery of HTTPS traffic using DNS
>   Redirection [RFC7975],
>

Done

> * typo (missing parentheses):
>
> OLD
>
>    The ACMEDelegationMethod applies to both ACME STAR delegation,
>    which provides a delegation model based on short-term certificates
>    with automatic renewal Section 2.3.2 of [RFC9115], and non-STAR
>    delegation, which allows delegation between CDNs using long-term
>    certificates Section 2.3.3 of [RFC9115].
>
> NEW
>
>    The ACMEDelegationMethod applies to both ACME STAR delegation,
>    which provides a delegation model based on short-term certificates
>    with automatic renewal (Section 2.3.2 of [RFC9115]), and non-STAR
>    delegation, which allows delegation between CDNs using long-term
>    certificates (Section 2.3.3 of [RFC9115]).
>

Done

> ## §3.1
>
> * this seems to suggest that the consumer can tell STAR and non-STAR
>   based on "delegation certificate validity", but it's not clear to me
>   what that means.
>
>    The ACMEDelegationMethod object allows a uCDN to both define STAR
>    and non-STAR delegation depending on the delegation certificate
>    validity.
>
>   From the following examples (§3.1.1) I gather there's an implicit
>   way to distinguish based on the presence/absence of the lifetime*
>   properties.  Is that what was intended?  If so, it should be
>   clarified.

Done





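The thread above settles on an implicit rule: a consumer of an ACMEDelegationMethod object tells STAR from non-STAR delegation by whether the lifetime* properties are present, with lifetime-adjust optional (mirroring RFC 9115 §3.1.1). The following is an added example, written for this thread and not code from the draft, the GitHub repository or RFC 9115, of how a dCDN-side consumer could apply that rule and reject inconsistent objects. It assumes the property names "lifetime" and "lifetime-adjust" as discussed in the thread, treats the proposed "star-lifetime"/"star-lifetime-adjust" spellings as aliases, and assumes both values are positive integers expressed in seconds; the "acme-delegation" key in the sample object is a placeholder for whatever other properties the object carries.

```python
"""Classify an ACMEDelegationMethod metadata object as STAR or non-STAR.

Added example for the CDNI thread; not code from the draft or RFC 9115.
Assumed (hypothetical) property names: "lifetime" (seconds, required for
STAR) and "lifetime-adjust" (seconds, optional), plus the proposed
"star-lifetime" / "star-lifetime-adjust" renames accepted as aliases.
"""
import json

LIFETIME_KEYS = ("lifetime", "star-lifetime")
ADJUST_KEYS = ("lifetime-adjust", "star-lifetime-adjust")


def _pick(obj, keys):
    """Return (key, value) for whichever alias is present, or (None, None).

    An object carrying both spellings of the same property is ambiguous
    and is rejected rather than silently preferring one of them.
    """
    present = [k for k in keys if k in obj]
    if len(present) > 1:
        raise ValueError(f"conflicting properties: {present}")
    if not present:
        return None, None
    return present[0], obj[present[0]]


def _positive_int(name, value):
    """Validate a seconds value: a positive int, and not a bool
    (bool is a subclass of int in Python, so check it explicitly)."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError(f"{name} must be a positive integer number of seconds")
    return value


def classify_delegation(obj):
    """Return 'STAR' or 'non-STAR' based on presence/absence of lifetime*.

    Rules applied:
      - no lifetime property      -> non-STAR
      - lifetime present          -> STAR; lifetime-adjust may be present
      - lifetime-adjust alone     -> error (it only has meaning for STAR)
      - non-positive / non-int    -> error
    """
    if not isinstance(obj, dict):
        raise ValueError("delegation object must be a JSON object")
    lt_key, lifetime = _pick(obj, LIFETIME_KEYS)
    adj_key, adjust = _pick(obj, ADJUST_KEYS)
    if lt_key is None:
        if adj_key is not None:
            raise ValueError(f"{adj_key} present without a lifetime property")
        return "non-STAR"
    _positive_int(lt_key, lifetime)
    if adj_key is not None:
        _positive_int(adj_key, adjust)
    return "STAR"


def classify_json(text):
    """Parse a JSON-encoded delegation object and classify it."""
    return classify_delegation(json.loads(text))


# Constructed sample objects (not taken from the draft).
STAR_SAMPLE = '{"lifetime": 2592000, "lifetime-adjust": 86400}'
NONSTAR_SAMPLE = '{"acme-delegation": "https://acme.example/delegation/abc"}'

if __name__ == "__main__":
    print(classify_json(STAR_SAMPLE))
    print(classify_json(NONSTAR_SAMPLE))
```

The point of the strict branches is that a consumer which only checks "is lifetime present?" would happily treat an object carrying lifetime-adjust on its own, or a negative lifetime, as a valid non-STAR or STAR delegation; rejecting those cases keeps the implicit STAR/non-STAR distinction from being misread.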