draft-ietf-cdni-https-delegation-subcerts-01.txt | draft-ietf-cdni-https-delegation-subcerts-02.txt | |||
---|---|---|---|---|
CDNI Working Group F. Fieau | CDNI Working Group F. Fieau | |||
Internet-Draft E. Stephan | Internet-Draft E. Stephan | |||
Intended status: Standards Track Orange | Intended status: Standards Track Orange | |||
Expires: 10 June 2023 G. Bichot | Expires: 8 December 2023 G. Bichot | |||
C. Neumann | C. Neumann | |||
Broadpeak | Broadpeak | |||
7 December 2022 | 7 March 2023 | |||
CDNI Metadata for Delegated Credentials | CDNI Metadata for Delegated Credentials | |||
draft-ietf-cdni-https-delegation-subcerts-01 | draft-ietf-cdni-https-delegation-subcerts-02 | |||
Abstract | Abstract | |||
The delivery of content over HTTPS involving multiple CDNs raises | The delivery of content over HTTPS involving multiple CDNs raises | |||
credential management issues. This document defines metadata in CDNI | credential management issues. This document defines metadata in CDNI | |||
Control and Metadata interface to setup HTTPS delegation using | Control and Metadata interface to setup HTTPS delegation using | |||
Delegated Credentials from an Upstream CDN (uCDN) to a Downstream CDN | Delegated Credentials from an Upstream CDN (uCDN) to a Downstream CDN | |||
(dCDN). | (dCDN). | |||
Status of this Memo | Status of this Memo | |||
[unchanged text omitted] | [unchanged text omitted] | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on 30 July 2022. | This Internet-Draft will expire on 8 December 2023. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
[unchanged text omitted] | [unchanged text omitted] | |||
Table of Contents | Table of Contents | |||
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Change Log . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. Known delegation methods . . . . . . . . . . . . . . . . . . . 4 | 3. Known delegation methods . . . . . . . . . . . . . . . . . . . 4 | |||
4. CDNI Footprint and Capabilities Advertisement interface | 4. CDNI Footprint and Capabilities Advertisement interface | |||
(FCI) for delegated credentials . . . . . . . . . . . . . . . 5 | (FCI) for delegated credentials . . . . . . . . . . . . . . . 5 | |||
4.1 FCI.DelegatedCredentials . . . . . . . . . . . . . . . . . 5 | 4.1 FCI.DelegatedCredentials . . . . . . . . . . . . . . . . . 5 | |||
4.2 Expected usage of FCI.DelegatedCredentials . . . . . . . . . 5 | 4.2 Expected usage of FCI.DelegatedCredentials . . . . . . . . . 6 | |||
5. CDNI Metadata interface (MI) for delegated credentials . . . . 6 | 5. CDNI Metadata interface (MI) for delegated credentials . . . . 6 | |||
6. Delegated credentials call flows . . . . . . . . . . . . . . . 7 | 6. Delegated credentials call flows . . . . . . . . . . . . . . . 8 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | |||
7.1 CDNI MI DelegatedCredentials Payload Type . . . . . . . . . 9 | 7.1 CDNI MI DelegatedCredentials Payload Type . . . . . . . . . 9 | |||
7.2 CDNI FCI DelegatedCredentials Payload Type . . . . . . . . 9 | 7.2 CDNI FCI DelegatedCredentials Payload Type . . . . . . . . 9 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 10 | 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 10 | |||
10 References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 10 References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
10.1 Normative References . . . . . . . . . . . . . . . . . . . 10 | 10.1 Normative References . . . . . . . . . . . . . . . . . . . 10 | |||
10.2 Informative References . . . . . . . . . . . . . . . . . . 11 | 10.2 Informative References . . . . . . . . . . . . . . . . . . 11 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
INTERNET DRAFT <Document Title> <Issue Date> | INTERNET DRAFT <Document Title> <Issue Date> | |||
1 Introduction | 1 Introduction | |||
Content delivery over HTTPS using one or more CDNs along the path | Content delivery over HTTPS using one or more CDNs along the path | |||
requires credential management. This specifically applies when an | requires credential management. This specifically applies when an | |||
entity delegates to another trusted entity delivery of content via | entity delegates to another trusted entity delivery of content via | |||
HTTPS. | HTTPS. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
2. Terminology | 2. Terminology | |||
This document uses terminology from CDNI framework documents: CDNI | This document uses terminology from CDNI framework documents: CDNI | |||
framework document [RFC7336], CDNI requirements [RFC7337] and CDNI | framework document [RFC7336], CDNI requirements [RFC7337] and CDNI | |||
interface specifications documents: CDNI Metadata interface [RFC8006] | interface specifications documents: CDNI Metadata interface [RFC8006] | |||
and CDNI Control interface / Triggers [RFC8007]. | and CDNI Control interface / Triggers [RFC8007]. | |||
2.1. Change Log | 2.1. Change Log | |||
| draft-cdni-https-delegation-subcerts-02 | |||
| * minor typos and reformulation | |||
draft-cdni-https-delegation-subcerts-01 | draft-cdni-https-delegation-subcerts-01 | |||
* Changed the semantics behind FCI.DelegatedCredentials: FCI object | * Changed the semantics behind FCI.DelegatedCredentials: FCI object | |||
allows the dCDN to announce the maximum number of delegated | allows the dCDN to announce the maximum number of delegated | |||
credentials supported. FCI object is not used to cope with expiry and | credentials supported. FCI object is not used to cope with expiry and | |||
renewal of delegated credential. Updated section 4.2 and section 6. | renewal of delegated credential. Updated section 4.2 and section 6. | |||
accordingly. * Name change of property: from number-delegated-certs- | accordingly. * Name change of property: from number-delegated-certs- | |||
needed to number-delegated-certs-supported | needed to number-delegated-certs-supported | |||
draft-cdni-https-delegation-subcerts-00 | draft-cdni-https-delegation-subcerts-00 | |||
* Added object FCI.DelegatedCredentials allowing to announce the | * Added object FCI.DelegatedCredentials allowing to announce the | |||
number of credentials needed | number of credentials needed | |||
* Removed object MI.ConfDelegatedCredentials | * Removed object MI.ConfDelegatedCredentials | |||
* MI.DelegatedCredentials changed: private key is now optional, | * MI.DelegatedCredentials changed: private key is now optional, | |||
arrays used to embed multiple delegated credentials within the | arrays used to embed multiple delegated credentials within the | |||
object. | object. | |||
* Added sections on privacy and security considerations | * Added sections on privacy and security considerations | |||
draft-fieau-interfaces-https-delegation-subcerts-01 | draft-fieau-interfaces-https-delegation-subcerts-01 | |||
[unchanged text omitted] | [unchanged text omitted] | |||
drafts to handle delegation of HTTPS delivery between entities. | drafts to handle delegation of HTTPS delivery between entities. | |||
[RFC8739] specifies the Support for Short-Term, Automatically Renewed | [RFC8739] specifies the Support for Short-Term, Automatically Renewed | |||
(STAR) Certificates in the Automated Certificate Management | (STAR) Certificates in the Automated Certificate Management | |||
Environment (ACME). [RFC9115] specifies the automatic generation of | Environment (ACME). [RFC9115] specifies the automatic generation of | |||
delegated certificates in ACME. Together these two RFCs allow | delegated certificates in ACME. Together these two RFCs allow | |||
managing short term delegated certificates with ACME. [I-D.ietf-cdni- | managing short term delegated certificates with ACME. [I-D.ietf-cdni- | |||
interfaces-https-delegation] specifies the HTTPS delegation between | interfaces-https-delegation] specifies the HTTPS delegation between | |||
the CDN entities using CDNI interfaces using the STAR/ACME delegation | the CDN entities using CDNI interfaces using the STAR/ACME delegation | |||
method. | method. | |||
Instead of working with actual certificates, [I-D.ietf-tls-subcerts] | Instead of working with actual certificates, [I-D.ietf-tls-subcerts] | |||
proposes the use of delegated credentials. This Internet Draft (I-D) | proposes the use of delegated credentials. This Internet Draft (I-D) | |||
specifies the HTTPS delegation between the CDN entities using CDNI | specifies the HTTPS delegation between the CDN entities using CDNI | |||
interfaces by relying on the use of delegated credentials as a | interfaces by relying on the use of delegated credentials as a | |||
delegation method as defined in [I-D.ietf-tls-subcerts]. | delegation method as defined in [I-D.ietf-tls-subcerts]. | |||
4. CDNI Footprint and Capabilities Advertisement interface (FCI) for | 4. CDNI Footprint and Capabilities Advertisement interface (FCI) for | |||
delegated credentials | delegated credentials | |||
A dCDN should advertise its supported delegation methods using the | A dCDN should advertise its supported delegation methods using the | |||
Footprint and Capabilities interface (FCI) as defined in RFC8008. | Footprint and Capabilities interface (FCI) as defined in RFC8008. | |||
With FCI, the dCDN informs the uCDN about its capabilities and the MI | With FCI, the dCDN informs the uCDN about its capabilities and the MI | |||
objects supported by the dCDN. Accordingly, to announce the support | objects supported by the dCDN. Accordingly, to announce the support | |||
for delegated credentials, the dCDN should announce the support of | for delegated credentials, the dCDN should announce the support of | |||
MI.DelegatedCredentials. | MI.DelegatedCredentials. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
{ | { | |||
"capabilities": [ | "capabilities": [ | |||
{ | { | |||
"capability-type": "FCI.DelegatedCredentials", | "capability-type": "FCI.DelegatedCredentials", | |||
"capability-value": { | "capability-value": { | |||
"number-delegated-certs-supported": 10 | "number-delegated-certs-supported": 10 | |||
} | } | |||
"footprints": [ | "footprints": [ | |||
<Footprint objects> | <Footprint objects> | |||
] | ] | |||
} | } | |||
] | ] | |||
} | } | |||
4.2 Expected usage of FCI.DelegatedCredentials | 4.2 Expected usage of FCI.DelegatedCredentials | |||
The dCDN uses the FCI.DelegatedCredentials to announce the number of | The dCDN uses the FCI.DelegatedCredentials to announce the number of | |||
endpoints as the number of supported delegated credentials. | endpoints as the number of supported delegated credentials. | |||
When uCDN queries and retrieves the FCI object it can push the | When uCDN queries and retrieves the FCI object it can push the | |||
supported number of delegated credentials to the dCDN. When | supported number of delegated credentials to the dCDN. When | |||
configuring the dCDN, the uCDN may decide to provide less than the | configuring the dCDN, the uCDN may decide to provide less than the | |||
maximum supported delegated credentials of the dCDN. Note that, | maximum supported delegated credentials of the dCDN. Note that, | |||
within a dCDN different deployment possibilities of the delegated | within a dCDN different deployment possibilities of the delegated | |||
credentials on the endpoints exist. The dCDN may use one single | credentials on the endpoints exist. The dCDN may use one single | |||
delegated credential and deploy it on multiple endpoints. | delegated credential and deploy it on multiple endpoints. | |||
Alternatively, the dCDN may deploy a different delegated credential | Alternatively, the dCDN may deploy a different delegated credential | |||
for each endpoint (provided that the uCDN delivers enough different | for each endpoint (provided that the uCDN delivers enough different | |||
delegated credentials). This choice depends on the number of | delegated credentials). This choice depends on the number of | |||
delegated credentials provided by the uCDN. | delegated credentials provided by the uCDN. | |||
FCI.DelegatedCredentials is not used to cope with expiry and renewal | FCI.DelegatedCredentials is not used to cope with expiry and renewal | |||
of delegated credentials. Once the dCDN has provided delegated | of delegated credentials. Once the uCDN has provided delegated | |||
credentials via the MI interface, uCDN must remember and keep track | credentials via the MI interface, uCDN must remember and keep track | |||
of the provided credentials and their expiry times. The uCDN knowing | of the provided credentials and their expiry times. The uCDN knowing | |||
the expiry times, it is up to the uCDN to refresh and provision on | the expiry times, it is up to the uCDN to refresh and provision on | |||
time the dCDN with new credentials through MI interface according to | time the dCDN with new credentials through MI interface according to | |||
the dCDN capability. | the dCDN capability. | |||
5. CDNI Metadata interface (MI) for delegated credentials | 5. CDNI Metadata interface (MI) for delegated credentials | |||
As expressed in [I-D.ietf-tls-subcerts], when an origin has set a | As expressed in [I-D.ietf-tls-subcerts], when an origin has set a | |||
delegation to a downstream entity such as a downstream CDN (i.e. | delegation to a downstream entity such as a downstream CDN (i.e. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
DelegatedCredential.cred [I-D.ietf-tls-subcerts]. This allows the end | DelegatedCredential.cred [I-D.ietf-tls-subcerts]. This allows the end | |||
user client to verify the signature in CertificateVerify message sent | user client to verify the signature in CertificateVerify message sent | |||
and signed by the dCDN. | and signed by the dCDN. | |||
This section defines the object, MI.DelegatedCredentials containing | This section defines the object, MI.DelegatedCredentials containing | |||
an array of delegated credentials and optionally the corresponding | an array of delegated credentials and optionally the corresponding | |||
private keys. The CDNI Metadata Interface [RFC8006] describes the | private keys. The CDNI Metadata Interface [RFC8006] describes the | |||
CDNI metadata distribution mechanisms according to which a dCDN can | CDNI metadata distribution mechanisms according to which a dCDN can | |||
retrieve the MI.DelegatedCredentials object from the uCDN. | retrieve the MI.DelegatedCredentials object from the uCDN. | |||
The properties of the MI.DelegatedCredentials object are as follows. | The properties of the MI.DelegatedCredentials object are as follows. | |||
Property: delegated-credentials | Property: delegated-credentials | |||
Description: Array of delegated credentials | Description: Array of delegated credentials | |||
Type: array | Type: array | |||
Mandatory-to-Specify: Yes | Mandatory-to-Specify: Yes | |||
Each item of the array of the property delegated-credentials is | Each item of the array of the property delegated-credentials is | |||
composed of the following two properties: | composed of the following two properties: | |||
Property: delegated-credential | Property: delegated-credential | |||
Description: Hex-encoded delegated credential structure | Description: Hex-encoded delegated credential structure | |||
DelegatedCredential as defined in [I-D.ietf-tls-subcerts] | DelegatedCredential as defined in [I-D.ietf-tls-subcerts] | |||
[unchanged text omitted] | [unchanged text omitted] | |||
{"delegated-credential": | {"delegated-credential": | |||
"70105f9bc28aea93f3fed7602b279dc0... | "70105f9bc28aea93f3fed7602b279dc0... | |||
8970822009b330cd11f052c8dc16b451"}, | 8970822009b330cd11f052c8dc16b451"}, | |||
{"delegated-credential": | {"delegated-credential": | |||
"e29c881ad8c5772b35fbdcbfe2c4bf16... | "e29c881ad8c5772b35fbdcbfe2c4bf16... | |||
27e87d967458ff18268bae512c62a847"}, | 27e87d967458ff18268bae512c62a847"}, | |||
{"delegated-credential": | {"delegated-credential": | |||
"e8f5853b4836017bd46942d72ce6dc54... | "e8f5853b4836017bd46942d72ce6dc54... | |||
1d7a25753fea698082344c8273c24cd8"} | 1d7a25753fea698082344c8273c24cd8"} | |||
] | ] | |||
} | } | |||
} | } | |||
6. Delegated credentials call flows | 6. Delegated credentials call flows | |||
An example call-flow using delegated credentials in CDNI is depicted | An example call-flow using delegated credentials in CDNI is depicted | |||
in Figure 1. | in Figure 1. | |||
1. We suppose that the uCDN has been provisioned and configured with | 1. We suppose that the uCDN has been provisioned and configured with | |||
a certificate. Note that it is out of scope of CDNI and the present | a certificate. Note that it is out of scope of CDNI and the present | |||
document how and from where (e.g. CSP) the uCDN acquired its | document how and from where (e.g. CSP) the uCDN acquired its | |||
certificate. | certificate. | |||
2. The uCDN generates a set of delegated credentials (here we suppose | 2. The uCDN generates a set of delegated credentials (here we suppose | |||
that public keys of the dCDN are known). Note, that the uCDN may | that public keys of the dCDN are known). Note, that the uCDN may | |||
generate this material at different points in time, e.g. in advance | generate this material at different points in time, e.g. in advance | |||
to have a pool of delegated credentials or on-demand when dCDN | to have a pool of delegated credentials or on purpose when the dCDN | |||
requires new delegated credentials. | announces the maximum number of delegated credentials it supports. | |||
3. Using CDNI Footprint and Capabilities interface [RFC8008], the | 3. Using CDNI Footprint and Capabilities interface [RFC8008], the | |||
dCDN advertises MI.DelegatedCredentials capabilities to the uCDN. The | dCDN advertises MI.DelegatedCredentials capabilities to the uCDN. The | |||
dCDN further uses FCI.DelegatedCredentials to inform on the maximum | dCDN further uses FCI.DelegatedCredentials to inform on the maximum | |||
number of supported delegated credentials. | number of supported delegated credentials. | |||
4. Using the CDNI Metadata interface [RFC8006], the dCDN acquires the | 4. Using the CDNI Metadata interface [RFC8006], the dCDN acquires the | |||
MI.DelegatedCredentials, therefore retrieving an array of delegated | MI.DelegatedCredentials, therefore retrieving an array of delegated | |||
credentials. | credentials. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
| | | | | | | | |||
| | [1.uCDN acquires its certificate | | | [1.uCDN acquires its certificate | |||
| | out of scope of CDNI] | | | out of scope of CDNI] | |||
| | | | | | | | |||
| | [2.generation of | | | [2.generation of | |||
| | delegated credentials] | | | delegated credentials] | |||
| | | | | | | | |||
| 3. CDNI FCI interface used to | | 3. CDNI FCI interface used to | |||
| advertise support of MI.DelegatedCredentials | | advertise support of MI.DelegatedCredentials | |||
| and announce number of delegated credentials | | and announce number of delegated credentials | |||
| supported using FCI.DelegatedCredentials | | supported using FCI.DelegatedCredentials | |||
| |-------------------->+ | | |-------------------->+ | |||
| | | | | | | | |||
| 4. CDNI Metadata interface used to | | 4. CDNI Metadata interface used to | |||
| provide the MI.DelegatedCredential object | | provide the MI.DelegatedCredential object | |||
| |<--------------------+ | | |<--------------------+ | |||
| | | | | | | | |||
| | | | | | | | |||
[5. TLS handshake according | | [5. TLS handshake according | | |||
to [I-D.ietf-tls-subcerts]] | | to [I-D.ietf-tls-subcerts]] | | |||
|<------------------->| | | |<------------------->| | | |||
| | | | | | | | |||
| 6.Some delegated credentials about to expire. | | 6.Some delegated credentials about to expire. | |||
| CDNI Metadata interface used to | | CDNI Metadata interface used to | |||
| provide new MI.DelegatedCredential object | | provide new MI.DelegatedCredential object | |||
| |<--------------------+ | | |<--------------------+ | |||
| | | | | | | | |||
Figure 1: Example call-flow of Delegated credentials in CDNI | Figure 1: Example call-flow of Delegated credentials in CDNI | |||
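As an added example (not part of the draft and not code from any CDNI or TLS implementation), the following Python code shows the uCDN-side handling implied by sections 4.2, 5 and 6 of the draft: it reads number-delegated-certs-supported from an FCI.DelegatedCredentials capability and refuses to push more credentials than that (step 3), parses each hex-encoded DelegatedCredential structure carried in the MI.DelegatedCredentials object into its fields (step 4), checks the 7-day validity cap of draft-ietf-tls-subcerts, and flags entries that are about to expire so that the uCDN knows when to push a new object (step 6). The wire layout follows the TLS presentation-language definition in draft-ietf-tls-subcerts; the sample credentials, the placeholder SPKI, the all-zero signatures, the certificate notBefore value and the 24-hour renewal lead time are all constructed for this example. Verifying the signature over the credential against the uCDN certificate is done by the TLS client during the handshake and is not shown.

```python
"""uCDN-side handling of MI.DelegatedCredentials against an FCI capability (added example)."""
import json
import struct
from dataclasses import dataclass

# Wire format of a DelegatedCredential (draft-ietf-tls-subcerts, TLS presentation language):
#   struct {
#       uint32 valid_time;                               // seconds after the delegating
#                                                        // certificate's notBefore
#       SignatureScheme expected_cert_verify_algorithm;  // uint16
#       opaque ASN1_subjectPublicKeyInfo<1..2^24-1>;     // 3-byte length prefix
#   } Credential;
#   struct {
#       Credential cred;
#       SignatureScheme algorithm;                       // uint16
#       opaque signature<0..2^16-1>;                     // 2-byte length prefix
#   } DelegatedCredential;
MAX_VALIDITY_SECONDS = 7 * 24 * 3600   # the subcerts draft caps DC lifetime at 7 days

ECDSA_SECP256R1_SHA256 = 0x0403        # TLS SignatureScheme code points
RSA_PSS_RSAE_SHA256 = 0x0804


@dataclass
class DelegatedCredential:
    valid_time: int
    expected_cert_verify_algorithm: int
    spki: bytes
    algorithm: int
    signature: bytes


def encode_delegated_credential(dc: DelegatedCredential) -> str:
    """Serialise to the hex string carried in the MI object (used here to build sample input)."""
    if not 1 <= len(dc.spki) < 2**24 or len(dc.signature) >= 2**16:
        raise ValueError("field length out of range")
    body = struct.pack(">IH", dc.valid_time, dc.expected_cert_verify_algorithm)
    body += len(dc.spki).to_bytes(3, "big") + dc.spki
    body += struct.pack(">HH", dc.algorithm, len(dc.signature)) + dc.signature
    return body.hex()


def decode_delegated_credential(hex_dc: str) -> DelegatedCredential:
    """Parse the hex-encoded structure, rejecting truncated or over-long input."""
    raw = bytes.fromhex(hex_dc)
    if len(raw) < 9:
        raise ValueError("truncated Credential header")
    valid_time, expected_alg = struct.unpack(">IH", raw[:6])
    spki_len = int.from_bytes(raw[6:9], "big")
    if spki_len == 0:
        raise ValueError("empty subjectPublicKeyInfo")
    pos = 9
    spki = raw[pos:pos + spki_len]
    pos += spki_len
    if len(spki) != spki_len or len(raw) < pos + 4:
        raise ValueError("truncated subjectPublicKeyInfo or trailer")
    algorithm, sig_len = struct.unpack(">HH", raw[pos:pos + 4])
    pos += 4
    signature = raw[pos:pos + sig_len]
    if len(signature) != sig_len or pos + sig_len != len(raw):
        raise ValueError("signature length does not match payload")
    return DelegatedCredential(valid_time, expected_alg, spki, algorithm, signature)


def review_delegated_credentials(mi_obj, fci_obj, cert_not_before, now, renew_lead=24 * 3600):
    """Check the object holding the delegated-credentials array (section 5) against the
    dCDN's advertised capacity (section 4) and decide which entries the uCDN must replace.

    cert_not_before: notBefore of the uCDN certificate (epoch seconds), which anchors
    every valid_time.  Returns a dict of index lists: ok / renew / invalid.
    """
    supported = next(
        c["capability-value"]["number-delegated-certs-supported"]
        for c in fci_obj["capabilities"]
        if c["capability-type"] == "FCI.DelegatedCredentials")
    entries = mi_obj["delegated-credentials"]
    if len(entries) > supported:
        raise ValueError(f"{len(entries)} credentials pushed, dCDN supports {supported}")
    result = {"ok": [], "renew": [], "invalid": []}
    for i, entry in enumerate(entries):
        try:
            dc = decode_delegated_credential(entry["delegated-credential"])
        except ValueError:
            result["invalid"].append(i)
            continue
        expires = cert_not_before + dc.valid_time
        if dc.valid_time > MAX_VALIDITY_SECONDS or expires <= now:
            result["invalid"].append(i)      # over the 7-day cap, or already expired
        elif expires - now <= renew_lead:
            result["renew"].append(i)        # step 6 of the call flow: push a fresh one
        else:
            result["ok"].append(i)
    return result


# Constructed sample input (no real keys or signatures): a placeholder SPKI of the size
# of a P-256 key, all-zero signatures, and an assumed certificate notBefore.
SAMPLE_SPKI = b"\x30\x59" + b"\x00" * 89
CERT_NOT_BEFORE = 1_700_000_000
NOW = CERT_NOT_BEFORE + 3 * 24 * 3600


def sample_mi_object():
    def dc(valid_time):
        return {"delegated-credential": encode_delegated_credential(DelegatedCredential(
            valid_time, ECDSA_SECP256R1_SHA256, SAMPLE_SPKI, RSA_PSS_RSAE_SHA256, b"\x00" * 64))}
    return {"delegated-credentials": [
        dc(7 * 24 * 3600),                   # expires in 4 days: fine
        dc(3 * 24 * 3600 + 1800),            # expires in 30 minutes: renew now
        dc(8 * 24 * 3600),                   # 8-day validity: violates the 7-day cap
        {"delegated-credential": "70105f9b"},  # truncated: rejected by the parser
    ]}


SAMPLE_FCI = {"capabilities": [{
    "capability-type": "FCI.DelegatedCredentials",
    "capability-value": {"number-delegated-certs-supported": 10},
    "footprints": []}]}

if __name__ == "__main__":
    print(json.dumps(review_delegated_credentials(
        sample_mi_object(), SAMPLE_FCI, CERT_NOT_BEFORE, NOW), indent=2))
```

The capacity check deliberately raises rather than silently truncating the array: pushing more credentials than the dCDN advertised is a configuration error on the uCDN side, and silently dropping entries would leave the uCDN's expiry bookkeeping out of step with what the dCDN actually holds.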
[unchanged text omitted] | [unchanged text omitted] | |||
7.1 CDNI MI DelegatedCredentials Payload Type | 7.1 CDNI MI DelegatedCredentials Payload Type | |||
Purpose: The purpose of this Payload Type is to distinguish Delegated | Purpose: The purpose of this Payload Type is to distinguish Delegated | |||
Credentials MI objects (and any associated capability advertisement) | Credentials MI objects (and any associated capability advertisement) | |||
Interface: MI/FCI | Interface: MI/FCI | |||
Encoding: see corresponding section | Encoding: see corresponding section | |||
7.2 CDNI FCI DelegatedCredentials Payload Type | 7.2 CDNI FCI DelegatedCredentials Payload Type | |||
Purpose: The purpose of this Payload Type is to advertise the number | Purpose: The purpose of this Payload Type is to advertise the number | |||
of delegated credentials needed (and any associated capability | of delegated credentials needed (and any associated capability | |||
advertisement) | advertisement) | |||
Interface: FCI | Interface: FCI | |||
Encoding: see corresponding section | Encoding: see corresponding section | |||
8. Security Considerations | 8. Security Considerations | |||
The extensions defined in the present document allow to provide | The extensions defined in the present document allow to provide | |||
delegated credentials to dCDNs. The delegated credentials themselves | delegated credentials to dCDNs. The delegated credentials themselves | |||
are short-lived and as such a single leaked delegated credential | are short-lived and as such a single leaked delegated credential | |||
represents a limited security risk. However, it is important to | represents a limited security risk. However, it is important to | |||
ensure that an attacker is not able to systematically retrieve a | ensure that an attacker is not able to systematically retrieve a | |||
larger number of delegated credentials, since this would allow the | larger number of delegated credentials, since this would allow the | |||
attacker to impersonate dCDN nodes at scale. | attacker to impersonate dCDN nodes at scale. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
Progress, Internet-Draft, draft-ietf-tls-subcerts-15, 15 | Progress, Internet-Draft, draft-ietf-tls-subcerts-15, 15 | |||
June 2022, <https://datatracker.ietf.org/doc/html/draft- | June 2022, <https://datatracker.ietf.org/doc/html/draft- | |||
ietf-tls-subcerts-15>. | ietf-tls-subcerts-15>. | |||
[RFC9115] Sheffer, Y., Lopez, D., Pastor Perales, A., and T. Fossati, | [RFC9115] Sheffer, Y., Lopez, D., Pastor Perales, A., and T. Fossati, | |||
"An Automatic Certificate Management Environment (ACME) | "An Automatic Certificate Management Environment (ACME) | |||
Profile for Generating Delegated Certificates", RFC 9115, | Profile for Generating Delegated Certificates", RFC 9115, | |||
DOI 10.17487/RFC9115, September 2021, <https://www.rfc- | DOI 10.17487/RFC9115, September 2021, <https://www.rfc- | |||
editor.org/info/rfc9115>. | editor.org/info/rfc9115>. | |||
[RFC8739] Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor | [RFC8739] Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor | |||
Perales, A., and T. Fossati, "Support for Short-Term, | Perales, A., and T. Fossati, "Support for Short-Term, | |||
Automatically Renewed (STAR) Certificates in the Automated | Automatically Renewed (STAR) Certificates in the Automated | |||
Certificate Management Environment (ACME)", RFC 8739, DOI | Certificate Management Environment (ACME)", RFC 8739, DOI | |||
10.17487/RFC8739, March 2020, <https://www.rfc- | 10.17487/RFC8739, March 2020, <https://www.rfc- | |||
editor.org/info/rfc8739>. | editor.org/info/rfc8739>. | |||
[RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, | [RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, | |||
"Content Delivery Network Interconnection (CDNI) | "Content Delivery Network Interconnection (CDNI) | |||
Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016, | Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016, | |||
<https://www.rfc-editor.org/info/rfc8006>. | <https://www.rfc-editor.org/info/rfc8006>. | |||
[RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network | [RFC8007] Murray, R. and B. Niven-Jenkins, "Content Delivery Network | |||
Interconnection (CDNI) Control Interface / Triggers", RFC | Interconnection (CDNI) Control Interface / Triggers", RFC | |||
8007, DOI 10.17487/RFC8007, December 2016, | 8007, DOI 10.17487/RFC8007, December 2016, | |||
<https://www.rfc-editor.org/info/rfc8007>. | <https://www.rfc-editor.org/info/rfc8007>. | |||
[unchanged text omitted] | [unchanged text omitted] | |||
[RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution | [RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution | |||
Network Interconnection (CDNI) Requirements", RFC 7337, | Network Interconnection (CDNI) Requirements", RFC 7337, | |||
DOI 10.17487/RFC7337, August 2014, <https://www.rfc- | DOI 10.17487/RFC7337, August 2014, <https://www.rfc- | |||
editor.org/info/rfc7337>. | editor.org/info/rfc7337>. | |||
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
<https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
Authors' Addresses | Authors' Addresses | |||
Frederic Fieau | Frederic Fieau | |||
Orange | Orange | |||
40-48, avenue de la Republique | 40-48, avenue de la Republique | |||
92320 Chatillon | 92320 Chatillon | |||
France | France | |||
Email: frederic.fieau@orange.com | Email: frederic.fieau@orange.com | |||
Emile Stephan | Emile Stephan | |||
Orange | Orange | |||
End of changes. 28 change blocks. | ||||
27 lines changed or deleted | 34 lines changed or added | |||