Re: [CDNi] [E] Re: I-D Action: draft-ietf-cdni-https-delegation-subcerts-05.txt
"Mishra, Sanjay" <sanjay.mishra@verizon.com> Mon, 06 November 2023 16:11 UTC
From: "Mishra, Sanjay" <sanjay.mishra@verizon.com>
Date: Mon, 06 Nov 2023 17:11:02 +0100
Message-ID: <CA+EbDtBaL3AVCnMc2Z=yOSMU9FOjOZrqS0W8YDef72a5vzpKWg@mail.gmail.com>
To: Christoph Neumann <Christoph.Neumann@broadpeak.tv>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/oNfgLdLSVs-SMqlyWn0T9d0ZhWs>
Hi Christoph - Thank you for submitting an updated version 5. I have reviewed the document and I have the following comments:

1. Section 2 Terminology. Reference to RFC8174 is missing, i.e. something like "...in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here....". If needed, you can refer to BCP14 (https://www.rfc-editor.org/info/bcp14).

2. This document, when referring to RFC8008, refers to it as "CDNI Footprint and Capabilities interface"; however, RFC 8008 defines the document as "Footprint & Capabilities Advertisement interface (FCI)". Suggest making it consistent with the referenced document.

3. General: The document sometimes refers to "Delegated Credentials" and sometimes to "Delegated Credential"; suggest using the former throughout the document.

4. Also check what is the correct usage you want to use throughout the document for lower case "delegated credentials" and "delegated credential" (in Sec 7 both are used in the same context).

5. Sec 3: Use a hyperlink for the reference to RFC8008.

6. Sec 3: "as shown in below example" -> "as shown in the example below:"

7. For the following text "There is also a need to announce additional parameters related to the number of credentials supported by the dCDN. For that purpose we introduce the FCI object FCI.DelegationCredentials." would it be helpful to give some context, for example, say something like, "This document also defines an object that announces to the delegating entity how many delegated credentials the downstream supports such that the delegating entity can provide the corresponding number of delegated credentials".

8. Sec 3.1: Instead of using "linked with the number of servers in the dCDN", suggest something like, "corresponding to the number of servers designated by the dCDN to support delegated credentials".

9. Sec 3.1: "if ever such private keys are transmitted" -> "whenever the private keys are transmitted"

10. Sec 3.2: Typo in the header "Expected usage of the propert number of supported delegated credentials"

11. Sec 3.2: "The dCDN uses the FCI.DelegatedCredentials object to announce the number of endpoints as the number of supported delegated credentials" -> "The dCDN uses the FCI.DelegatedCredentials object to announce the number of servers that support delegated credentials".

12. Sec 3.2: "it can provide..." -> "it can issue...."

13. Sec 3.2: "of the dCDN" -> "to the dCDN"

14. Sec 3.2: The statement says "Once the uCDN has provided delegated credentials via the MI, uCDN SHOULD monitor the provided credentials and their expiry times. The uCDN SHOULD timely refresh dCDN credentials via the MI." - Since this is a SHOULD for the issuer of delegated credentials (DC), how would the dCDN handle the case where, while serving midstream, the DC expires because the uCDN did not follow through? - Also suggest using "MI object" rather than just MI.

15. Sec 4: Suggest maintaining uniformity in naming the "designator"; here the document for the first time refers to the designator, or the uCDN issuing delegated credentials, as "origin", and this term may be ambiguous as the "origin" can be other than the issuer of DC.

16. Sec 4: "cred"? Typo?

17. Sec 4: "follows." -> "follows:"

18. Sec 4: "find an example" -> "see an example" & " object." -> "Object:"

19. Sec 5: "in CDNI" is not required in the sentence.

20. Sec 5: Elsewhere this draft refers to "User Agent", but this section describes it as a "Client"; suggest using the same naming convention when identifying it.

21. Sec 5: "This document requests the registration" -> "This document requests IANA the registration..."

22. Sec 6.1: "MI objects" or "MI Objects"?

23. Sec 7: "in the present document" -> "in the document"

24. Sec 7: "enable" -> "enables"

25. Sec 7: Where is it established that "The delegated credentials and associated private keys are short-lived"?

26. Sec 7: "Still, it is NOT RECOMMENDED to send private keys through the MI as omitting the private key" Suggest adding a "." after MI and then starting a new sentence without "as".

Thanks
Sanjay

On Thu, Oct 5, 2023 at 9:57 AM Christoph Neumann <Christoph.Neumann@broadpeak.tv> wrote:

> Hi all,
>
> I submitted a new version of the internet draft related to delegated
> credentials.
> This update takes into account the secdir reviews of the previous draft.
> The draft now specifies that, if used, the private key must be encrypted
> using JWE, whereas the public key used for encryption can be announced in
> the FCI.DelegatedCredentials.
>
> Christoph
>
> -----Original Message-----
> From: CDNi <cdni-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
> Sent: Thursday, October 5, 2023 9:54 AM
> To: i-d-announce@ietf.org
> Cc: cdni@ietf.org
> Subject: [CDNi] I-D Action: draft-ietf-cdni-https-delegation-subcerts-05.txt
>
> Internet-Draft draft-ietf-cdni-https-delegation-subcerts-05.txt is now
> available. It is a work item of the Content Delivery Networks Interconnection
> (CDNI) WG of the IETF.
>
> Title: CDNI Metadata for Delegated Credentials
> Authors: Frederic Fieau
> Emile Stephan
> Guillaume Bichot
> Christoph Neumann
> Name: draft-ietf-cdni-https-delegation-subcerts-05.txt
> Pages: 12
> Dates: 2023-10-05
>
> Abstract:
>
> The delivery of content over HTTPS involving multiple CDNs raises
> credential management issues. This document defines metadata in the
> CDNI Control and Metadata interface to setup HTTPS delegation using
> Delegated Credentials from an Upstream CDN (uCDN) to a Downstream CDN
> (dCDN).
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-cdni-https-delegation-subcerts/
>
> There is also an HTMLized version available at:
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-https-delegation-subcerts-05
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-cdni-https-delegation-subcerts-05
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
>
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
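Comments 7, 14 and 25 above turn on two operational questions: how many delegated credentials the dCDN can take, and what happens when an issued credential expires before the uCDN refreshes it. The Python below is an added example, not code from the draft, from the thread or from its authors. It models a uCDN-side expiry monitor and the dCDN-side usability check over constructed sample data, using the RFC 9345 rule that a delegated credential is valid until the end-entity certificate's notBefore plus valid_time seconds, with valid_time at most 7 days. The JSON shape of FCI.DelegatedCredentials and the property name "supported-delegated-credentials" are hypothetical placeholders, not the draft's actual names.

```python
"""Added example (not from the draft or the thread): monitoring delegated
credential (DC) expiry on the uCDN side and refusing expired DCs on the
dCDN side, as raised in comments 7, 14 and 25 of the review above.

Assumptions, labelled as such:
- DC validity follows RFC 9345: it ends at the end-entity certificate's
  notBefore plus `valid_time` seconds, and `valid_time` is capped at
  7 days (604800 s).
- The FCI.DelegatedCredentials JSON shape and the property name
  "supported-delegated-credentials" are hypothetical placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

MAX_VALID_TIME = 7 * 24 * 3600  # RFC 9345 upper bound on valid_time, seconds


@dataclass(frozen=True)
class DelegatedCredential:
    """Minimal record of one issued DC, as the uCDN's MI tracker would keep it."""
    server_id: str             # dCDN server the DC was issued to (constructed id)
    cert_not_before: datetime  # notBefore of the uCDN end-entity certificate
    valid_time: int            # DC validity in seconds relative to cert_not_before

    def __post_init__(self):
        # Reject a valid_time the RFC 9345 structure would not allow.
        if not 0 < self.valid_time <= MAX_VALID_TIME:
            raise ValueError(f"valid_time {self.valid_time} outside (0, {MAX_VALID_TIME}]")

    @property
    def expires_at(self) -> datetime:
        return self.cert_not_before + timedelta(seconds=self.valid_time)

    def usable_at(self, now: datetime) -> bool:
        """dCDN-side guard: never present a DC outside its validity window."""
        return self.cert_not_before <= now < self.expires_at


def parse_supported_count(fci_object_json: str) -> int:
    """Read the dCDN's announced DC capacity (hypothetical property name)."""
    obj = json.loads(fci_object_json)
    count = obj["supported-delegated-credentials"]
    if not isinstance(count, int) or count < 0:
        raise ValueError("supported-delegated-credentials must be a non-negative integer")
    return count


def credentials_to_refresh(creds, now, lead_time=timedelta(hours=12)):
    """uCDN-side monitor: server_ids whose DC expires within lead_time (or has
    already expired), so a fresh DC can be pushed via the MI in time."""
    return sorted(c.server_id for c in creds if c.expires_at - now <= lead_time)


def within_announced_capacity(creds, fci_object_json) -> bool:
    """The uCDN must not issue DCs to more servers than the dCDN announced."""
    return len({c.server_id for c in creds}) <= parse_supported_count(fci_object_json)


# Constructed sample data: a dCDN announcing two servers, and two issued DCs.
SAMPLE_FCI = json.dumps({"supported-delegated-credentials": 2})
T0 = datetime(2023, 11, 1, 0, 0, tzinfo=timezone.utc)  # constructed notBefore
SAMPLE_CREDS = [
    DelegatedCredential("edge-1", T0, 7 * 24 * 3600),  # full 7-day lifetime
    DelegatedCredential("edge-2", T0, 3 * 24 * 3600),  # 3-day lifetime
]
NOW = T0 + timedelta(days=2, hours=18)  # edge-2 has 6 h left, edge-1 over 4 days

if __name__ == "__main__":
    print("refresh now:", credentials_to_refresh(SAMPLE_CREDS, NOW))
    print("within capacity:", within_announced_capacity(SAMPLE_CREDS, SAMPLE_FCI))
    for c in SAMPLE_CREDS:
        print(c.server_id, "usable at", NOW.isoformat(), "->", c.usable_at(NOW))
```

The refresh lead time is a policy knob for the issuer; `usable_at` is the dCDN's own guard, so an expired credential is not presented in a handshake even when the uCDN has not followed through on the SHOULD in Sec 3.2.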