Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-07.txt

[Guillaume Bichot <Guillaume.Bichot@broadpeak.tv>]

Frederic, all

Section 3:
One read the following: " This document only considers the Short-term, Automatically-Renewed   (STAR) certificates in Automated Certificate Management  Environment(ACME) [RFC8739]"
However I think, it looks like the  draft proposal is mostly  assume  RFC 9115.

section 4: 
There is an inversion between uCDN and dCDN. One should read: 
" In order for CDNs to negotiate on which methods are supported, the Footprint and Capabilities interface as defined in RFC8008, allows a  dCDN to send a FCI capability type objects, named  FCI.SupportedDelegationMethods, to uCDN.
Regarding the name of the FCI object, I suggest a name that is less ambiguous (delegation method refers to request routing). For instance: FCI.HttpsDelegation.
This said, I am not sure whether that new  FCI object is required. If it is  planned to define one MI object per HTTPS delegation method then FCI already informs the uCDN about the generic MI objects supported by the dCDN.  A new FCI object would be required if you need to communicate about options supported within a said HTTPS delegation method that is not the case in your draft.

Section 5:
It refers to a ACME/STAR API  as part of RFC8739 which does not define such API. 
The MI.AcmeStarDelegationMethod contains the property "credentials-location-uri" for which there is no explanation about how to use that property, neither in this draft  nor in  RFC 9115.
Basically it is unclear how the dCDN should proceed. Why a CSR template? The CSR template should be known in advance on both sides. Who decides about the delegated name ? is it the IdO (the uCDN) or the dCDN? In other words who builds the delegation configuration? In RFC 9115, it is assumed that before all, the uCDN gathers a delegation configuration applying for that dCDN gathering the necessary domain name mapping (e.g. cp.uCDN.com:cp.uCDN.dCDN.com) . 

All this process must be synchronized with the CDNi delegation process. When a uCDN configures the dCDN for streaming delegation, it must first ensure the dCDN is ready (configured) for certificate delegation. How is it guarantied? 

I think there should be a paragraph about whether such mechanism about delegated certificate mechanism applies to CDNi delegation based on HTTP redirect. 

Guillaume

-----Original Message-----
From: Guillaume Bichot 
Sent: Monday, October 11, 2021 4:17 PM
To: frederic.fieau@orange.com; cdni@ietf.org
Subject: RE: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Frederic,
there is small mistake in your draft and may be missing registration tasks.

Section 5.1 Extension to HostMetadata object and section 5.2 Extension to PathMetadata object

Strictly speaking, you do not extend the HostMetadata or the PathMetadata object. Instead, you propose to create a new Generic Metadata object. Therefore, you do not need 5.1 or even 5.2 either. Both MI.HostMetatada and MI.PathMetadata objects have a property (metadata) that refers to a list (an array) of generic metadata objects (MI.GenericMetadata).

So instead you should just remove these subsections. I think they bring confusion as there is nothing specific regarding  5.1  versus 5.2.   As any other MI generic metadata object, the AcmeStarDelegationMethod configuration object can be attached to a host name or to host name + a path pattern. 

In you 5.1 example, you indicate "hostmetadata" as a property to the MI.HostMetadata object which does not exist indeed. The correct name is "metadata".

Your new object should be describe like this :

Following the example above, the MI.HostMetadata can be modeled 
           for ACMEStarDelegationMethod as:     

                   {    
               "metadata": [    
                       {        
                   "generic-metadata-type": "MI.AcmeStarDelegationMethod",      
                   "generic-metadata-value": {  
                      "star-proxy": "10.2.2.2", 
                      "acme-server" : "10.2.3.3",       
                      "credentials-location-uri": "https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ucdn.com_credentials&d=DwIFAw&c=udBTRvFvXC5Dhqg7UHpJlPps3mZ3LRxpb6__0PomBTQ&r=XniVbishGiO2Ao9hKqSc-hTVIWCi3T-x6GdHR4ZTgoM&m=c_x5S7bwh6JWaEEwARG0xZ8OLIYNYAEkb0z-xR_XbLI&s=KTnh0aLbZNxM3zWC4ydGNFUzGBoWs7J-NDNl89xI8As&e= ",  
                      "periodicity": 36000,     
                      "CSR-template": Json/Text of the CSR template (see 4.2)   
                       }}]      
                   }

Section 8
I think you must also register a new FCI payload type as well as a new CDNI Supported Delegation Methods. 

Guillaume

Guillaume Bichot
Principal Engineer, Head of Exploration
broadpeak
m: +33 685 597 666    p: +33 222 740 350 guillaume.bichot@broadpeak.tv

Broadpeak, S.A.S.|Registered offices at 15 rue Claude Chappe, Zone des Champs Blancs, 35510 Cesson-Sévigné, France | Rennes Trade Register: 524 473 063 This e-mail and its attachments contain confidential information from Broadpeak S.A.S and/or its affiliates (Broadpeak),  which is intended only for the person to whom it is addressed. If you are not the intended recipient of this email, please notify immediately the sender by phone or email and delete it. Any use of the information contained herein in any way, including, but not limited to, total or partial disclosure, reproduction, or dissemination, by persons other than the intended recipient(s) is prohibited, unless expressly authorized by Broadpeak. Broadpeak, S.A.S. and its affiliates respect privacy laws, and is committed to the protection of personal data. Emails and/or attachments thereof exchanged between us may include your personal data which may be processed by Broadpeak and/or its affiliates according to applicable privacy laws & regulations. In compliance with Regulation (EU) 2016/679 (GDPR) and applicable implementation in local legislations, you can exercise at any time your rights of access, rectification or erasure of your personal data, as well as your rights to restriction, portability or object to the processing.
For such purpose, or to know more about how Broadpeak processes your personal data, you may contact Broadpeak by mail (Headquarters address listed here) or by email (privacy@broadpeak.tv).
Local authority :  Commission Nationale Informatique et Libertés (CNIL): 3 Place de Fontenoy - TSA 80715 - 75334 PARIS CEDEX 07 or www.cnil.fr



-----Original Message-----
From: CDNi <cdni-bounces@ietf.org> On Behalf Of frederic.fieau@orange.com
Sent: Wednesday, October 6, 2021 5:40 PM
To: FIEAU Frédéric INNOV/NET <frederic.fieau@orange.com>; cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi all,

A quick recap of the main changes:
- Removed sections related to the "Delegated Credentials" delegation method
- Added FCI meta data to sync CDNs on the delegation methods that are supported
- Added a HostMatch pattern to trigger a delegation method


Regards,
Frederic

-----Message d'origine-----
De : CDNi [mailto:cdni-bounces@ietf.org] De la part de frederic.fieau@orange.com Envoyé : mercredi 15 septembre 2021 16:08 À : cdni@ietf.org Objet : Re: [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt

Hi all,

I posted a new version of the draft-ietf-cdni-interfaces-https-delegation. 
This last version only includes support for the ACME-STAR method for now and adds FCI metadata for delegation methods negotiation between CDNs.

Please feel free to review and comments.

Regards,
Frederic



-----Message d'origine-----
De : CDNi [mailto:cdni-bounces@ietf.org] De la part de internet-drafts@ietf.org Envoyé : vendredi 10 septembre 2021 16:01 À : i-d-announce@ietf.org Cc : cdni@ietf.org Objet : [CDNi] I-D Action: draft-ietf-cdni-interfaces-https-delegation-06.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF.

        Title           : CDNI extensions for HTTPS delegation
        Authors         : Frederic Fieau
                          Emile Stephan
                          Sanjay Mishra
	Filename        : draft-ietf-cdni-interfaces-https-delegation-06.txt
	Pages           : 10
	Date            : 2021-09-10

Abstract:
   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document proposes extensions in
   CDNI Control and Metadata interfaces to setup HTTPS delegation from
   an Upstream CDN (uCDN) to a Downstream CDN (dCDN).


The IETF datatracker status page for this draft is:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-cdni-interfaces-https-delegation%2F&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=BHhqMqIpAXerqLsl%2B7LZXOrFdYUkpCcdmkuerx0RTdQ%3D&amp;reserved=0

There is also an HTML version available at:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Farchive%2Fid%2Fdraft-ietf-cdni-interfaces-https-delegation-06.html&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=zhCZArN81bLaL8K7Q226vnNTGCR8Q%2Fb0CAnM8rMEmpE%3D&amp;reserved=0

A diff from the previous version is available at:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Frfcdiff%3Furl2%3Ddraft-ietf-cdni-interfaces-https-delegation-06&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=4QAiMS2XZMJrM69hHR1mkmDv3UpcBoDlSRAGPl9CgFE%3D&amp;reserved=0


Internet-Drafts are also available by anonymous FTP at:
https://eur02.safelinks.protection.outlook.com/?url=ftp%3A%2F%2Fftp.ietf.org%2Finternet-drafts%2F&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=GcL79D%2BP86q%2F6HUya2HoF5o4AyUv7kBntEqr%2FpQ%2BNo0%3D&amp;reserved=0


_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcdni&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=UYyQ0zXCnhLnBNmUsjPooYwJKTLDH63%2FcmSGlDMW%2FtU%3D&amp;reserved=0

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcdni&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=UYyQ0zXCnhLnBNmUsjPooYwJKTLDH63%2FcmSGlDMW%2FtU%3D&amp;reserved=0

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fcdni&amp;data=04%7C01%7Cguillaume.bichot%40broadpeak.tv%7Ce4f35d52b7d94482923f08d988df8abc%7C0ebe44eac9c9438da0407e699f358ed4%7C0%7C0%7C637691315957921384%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=UYyQ0zXCnhLnBNmUsjPooYwJKTLDH63%2FcmSGlDMW%2FtU%3D&amp;reserved=0