Internet DRAFT - draft-cdni-https-delegation-subcerts

draft-cdni-https-delegation-subcerts



 



CDNI Working Group                                              F. Fieau
Internet-Draft                                                E. Stephan
Intended status: Standards Track                                  Orange
Expires: 9 January 2023                                        G. Bichot
                                                              C. Neumann
                                                               Broadpeak
                                                             8 July 2022


                CDNI Metadata for Delegated Credentials
                draft-cdni-https-delegation-subcerts-00


Abstract

   The delivery of content over HTTPS involving multiple CDNs raises
   credential management issues.  This document defines metadata in CDNI
   Control and Metadata interface to setup HTTPS delegation using
   Delegated Credentials from an Upstream CDN (uCDN) to a Downstream CDN
   (dCDN).


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 July 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
 


<Author>                 Expires <Expiry Date>                  [Page 1]

INTERNET DRAFT              <Document Title>                <Issue Date>


   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.




Table of Contents

   1  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     2.1.  Change Log . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Known delegation methods . . . . . . . . . . . . . . . . . . .  4
   4.  CDNI Footprint and Capabilities Advertisement interface 
       (FCI) for delegated credentials  . . . . . . . . . . . . . . .  4
     4.1   FCI.DelegatedCredentials . . . . . . . . . . . . . . . . .  5
     4.2 Expected usage of FCI.DelegatedCredentials . . . . . . . . .  5
   5.  CDNI Metadata interface (MI) for delegated credentials . . . .  6
   6.  Delegated credentials call flows . . . . . . . . . . . . . . .  7
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  9
     7.1  CDNI MI DelegatedCredentials Payload Type . . . . . . . . .  9
     7.1  CDNI FCI DelegatedCredentials Payload Type  . . . . . . . .  9
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
   9.  Privacy Considerations . . . . . . . . . . . . . . . . . . . . 10
   10  References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     10.1  Normative References . . . . . . . . . . . . . . . . . . . 10
     10.2  Informative References . . . . . . . . . . . . . . . . . . 11
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 12



















 


<Author>                 Expires <Expiry Date>                  [Page 2]

INTERNET DRAFT              <Document Title>                <Issue Date>


1  Introduction

   Content delivery over HTTPS using one or more CDNs along the path
   requires credential management.  This specifically applies when an
   entity delegates to another trusted entity delivery of content via
   HTTPS.

   Several delegation methods are currently proposed within different
   IETF working groups.  They specify different methods for provisioning
   HTTPS delivery credentials.

   This document defines the CDNI Metadata interface to setup HTTPS
   delegation using Delegated Credentials between an upstream CDN (uCDN)
   and downstream CDN (dCDN).  Furthermore, it includes a proposal of
   IANA registry to enable adding of new methods.

   Section 2 is about terminology used in this document.  Section 3
   presents delegation methods specified at the IETF.  Section 4
   specifies the CDNI Footprint and Capabilities Advertisement interface
   (FCI) for delegated credentials. Section 5 specifies the CDNI
   Metadata interface (MI) for delegated credentials. Section 6 provides
   overall call-flows for delegated credentials. Section 7 addresses
   IANA registry for delegation methods. Section 8 discusses Security
   Considerations. Section 9 discusses Privacy Considerations.

2.  Terminology

   This document uses terminology from CDNI framework documents: CDNI
   framework document [RFC7336], CDNI requirements [RFC7337] and CDNI
   interface specifications documents: CDNI Metadata interface [RFC8006]
   and CDNI Control interface / Triggers [RFC8007].


2.1.  Change Log

   draft-cdni-https-delegation-subcerts-00

   * Added object FCI.DelegatedCredentials allowing to announce the
   number of credentials needed

   * Removed object MI.ConfDelegatedCredentials 

   * MI.DelegatedCredentials changed: private key is now optional,
   arrays used to embed multiple delegated credentials within the
   object.

   * Added sections on privacy and security considerations

 


<Author>                 Expires <Expiry Date>                  [Page 3]

INTERNET DRAFT              <Document Title>                <Issue Date>


   draft-fieau-interfaces-https-delegation-subcerts-01

   * added section CDNI Footprint and Capabilities Advertisement
   interface (FCI) that describes how to announce support of delegated
   credentials

   * moved to two different MI objects: MI.ConfDelegatedCredentials and
   MI.DelegatedCredentials. The former provides an URI that allows to
   download a MI.DelegatedCredentials object that contains the delegated
   credential and a private key.

   * Added precision on the cryptographic material required by the dCDN
   in order to be able to use delegated credentials

   * Added precision on the expected behavior when fetching a delegated
   credential using credentials-location-uri

   * completed and simplified call-flow figure (figure 1) and moved it
   to a separate section and added descriptive text

   * Minor text improvements

3.  Known delegation methods

   The TLS and ACME working groups specified a set of RFCs and Internet
   drafts to handle delegation of HTTPS delivery between entities.
   [RFC8739] specifies the Support for Short-Term, Automatically Renewed
   (STAR) Certificates in the Automated Certificate Management
   Environment (ACME). [RFC9115] specifies the automatic generation of
   delegated certificates in ACME. Together these two RFCs allow
   managing short term delegated certificates with ACME. [I-D.ietf-cdni-
   interfaces-https-delegation] specifies the HTTPS delegation between
   the CDN entities using CDNI interfaces using the STAR/ACME delegation
   method.

   Instead of working with actual certificates, [I-D.ietf-tls-subcerts]
   proposes the use of delegated credentials. This Internet Draft (I-D)
   specifies the HTTPS delegation between the CDN entities using CDNI
   interfaces by relying on the use of delegated credentials as a
   delegation method as defined in [I-D.ietf-tls-subcerts].

4.  CDNI Footprint and Capabilities Advertisement interface (FCI) for
   delegated credentials

   A dCDN should advertise its supported delegation methods using the
   Footprint and Capabilities interface (FCI) as defined in RFC8008.
   With FCI, the dCDN informs the uCDN about its capabilities and the MI
   objects supported by the dCDN. Accordingly, to announce the support
 


<Author>                 Expires <Expiry Date>                  [Page 4]

INTERNET DRAFT              <Document Title>                <Issue Date>


   for delegated credentials, the dCDN should announce the support of
   MI.DelegatedCredentials . 

   There is also a need to announce parameters, i.e., the number of
   delegated credentials needed by the dCDN in order to work properly.
   For that purpose we introduce the FCI object
   FCI.DelegationCredentials.

4.1   FCI.DelegatedCredentials

   The FCI.DelegationCredentials object allows to announce support for
   delegated credentials and to announce the number of delegated
   credentials needed.

      Property: number-delegated-certs-needed

          Description: Number of delegated credentials needed by the 
          dCDN.

          Type: integer

          Mandatory-to-Specify: Yes.

   The following is an example of the FCI.DelegatedCredentials.

          {
            "capabilities": [
              {
               "capability-type": "FCI.DelegatedCredentials",
               "capability-value": {
                  "number-delegated-certs-needed": 10
                 }
               "footprints": [
                  <Footprint objects>
                 ]
              }
            ]
          }


4.2 Expected usage of FCI.DelegatedCredentials

   At the first announcement of FCI.DelegatedCredentials to an uCDN, the
   dCDN may announce the number of endpoints as the number of required
   delegated credentials. When configuring the dCDN, the uCDN may decide
   to provide only a subset of the requested delegated credentials. Note
   that, within a dCDN different deployment possibilities of the
   delegated credentials on the endpoints exist. The dCDN may use one
 


<Author>                 Expires <Expiry Date>                  [Page 5]

INTERNET DRAFT              <Document Title>                <Issue Date>


   single delegated credential and deploy it on multiple endpoints.
   Alternatively, the dCDN may deploy a different delegated credential
   for each endpoint. (provided that the uCDN delivers enough different
   delegated credentials). This choice depends of course on the number
   of delegated credentials provided by the uCDN.

   Once the dCDN has been configured with delegated credentials and a
   set of delegated credentials have been deployed on endpoints, the
   dCDN monitors the number of credentials that are about to expires
   (e.g. within one day), and ask for new ones by announcing this number
   of required delegated credentials via the FCI.DelegatedCredentials
   object.

   When uCDN queries and retrieves the FCI object it can push the
   required number of delegated credentials to the dCDN.

5.  CDNI Metadata interface (MI) for delegated credentials

   As expressed in [I-D.ietf-tls-subcerts], when an origin has set a
   delegation to a downstream entity such as a downstream CDN (i.e.
   dCDN), the dCDN should present the "delegated_credential" during the
   TLS handshake [RFC8446] to the end-user client application, instead
   of its own certificate. The dCDN must further be in the possession of
   the private key corresponding to the public key in
   DelegatedCredential.cred [I-D.ietf-tls-subcerts]. This allows the end
   user client to verify the signature in CertificateVerify message sent
   and signed by the dCDN.

   This section defines the object, MI.DelegatedCredentials containing
   an array of delegated credentials and optionally the corresponding
   private keys. The CDNI Metadata Interface [RFC8006] describes the
   CDNI metadata distribution mechanisms according to which a dCDN can
   retrieve the MI.DelegatedCredentials object from the uCDN.

   The properties of the MI.DelegatedCredentials object are as follows.

      Property: delegated-credentials

         Description: Array of delegated credentials.

         Type: array

         Mandatory-to-Specify: Yes

   Each item of the array of the property delegated-credentials is
   composed of the following two properties:

      Property: delegated-credential
 


<Author>                 Expires <Expiry Date>                  [Page 6]

INTERNET DRAFT              <Document Title>                <Issue Date>


         Description: Hex-encoded delegated credential structure
         DelegatedCredential as defined in [I-D.ietf-tls-subcerts].

         Mandatory-to-Specify: Yes

      Property: private-key

         Description: private key corresponding to the public key 
         contained in the DelegatedCredential. 

         Mandatory-to-Specify: No

   The private-key property is not mandatory. If not used we suppose
   that the dCDN generated the public-private key pair for the delegated
   credential itself and provided the public key information with a
   mechanism outside of this specification to the uCDN.

   Find below an example MI.DelegatedCredential object.

      {
        "generic-metadata-type": "MI.DelegatedCredentials",
        "generic-metadata-value": {
          "delegated-credentials": [
               {"delegated-credential": 	
                   "70105f9bc28aea93f3fed7602b279dc0...
                    8970822009b330cd11f052c8dc16b451"},
               {"delegated-credential": 	
                   "e29c881ad8c5772b35fbdcbfe2c4bf16...
                    27e87d967458ff18268bae512c62a847"},
               {"delegated-credential": 	
                   "e8f5853b4836017bd46942d72ce6dc54...
                    1d7a25753fea698082344c8273c24cd8"}
           ]
         }
      }

6.  Delegated credentials call flows

   An example call-flow using delegated credentials in CDNI is depicted
   in Figure 1.

   1. We suppose that the uCDN has been provisioned and configured with
   a certificate. Note that it is out of scope of CDNI and the present
   document how and from where (e.g. CSP) the uCDN acquired its
   certificate.

   2. The uCDN generates a set of delegated credentials (here we suppose
   that public keys of the dCDN are known). Note, that the uCDN may
 


<Author>                 Expires <Expiry Date>                  [Page 7]

INTERNET DRAFT              <Document Title>                <Issue Date>


   generate this material at different points in time, e.g. in advance
   to have a pool of delegated credentials or on-demand when dCDN
   request new delegated credentials.

   3. Using CDNI Footprint and Capabilities interface [RFC8008], the
   dCDN advertises MI.DelegatedCredentials capabilities to the uCDN. The
   dCDN further uses FCI.DelegatedCredentials to ask for a certain
   number of delegated credentials.

   4. Using CDNI the Metadata interface [RFC8006], the dCDN acquires the
   MI.DelegatedCredentials, therefore retrieving an array of delegated
   credentials.

   5. The client establishes a TLS connection with an endpoint of the
   dCDN according to [I-D.ietf-tls-subcerts] using the delegated
   credentials retrieved in step 4.

   6. Some delegated credentials are about to expire. The dCDN uses
   FCI.DelegatedCredentials to announce the number of delegated
   credentials needed.

   7. Using CDNI the Metadata interface [RFC8006], the dCDN acquires the
   MI.DelegatedCredentials, therefore retrieving an new array of
   delegated credentials.


      Client                  dCDN                 uCDN                 
         |                     |                     |                  
         |                     |      [1.uCDN acquires its certificate
         |                     |            out of scope of CDNI]
         |                     |                     |    
         |                     |             [2.generation of 
         |                     |          delegated credentials]
         |                     |                     |
         |                  3. CDNI FCI interface used to
         |              advertise support of MI.DelegatedCredentials
         |              and announce number of delegated credentials
         |                 needed using FCI.DelegatedCredentials
         |                     |-------------------->+          
         |                     |                     |                    
         |                 4. CDNI Metadata interface used to
         |             provide the MI.DelegatedCredential object  
         |                     |<--------------------+      
         |                     |                     |    
         |                     |                     |    
        [5. TLS handshake according                  |
         to [I-D.ietf-tls-subcerts]]                 | 
         |<------------------->|                     |
 


<Author>                 Expires <Expiry Date>                  [Page 8]

INTERNET DRAFT              <Document Title>                <Issue Date>


         |                     |                     |
         |              6.Some delegated credentials about to expire.
         |               CDNI FCI interface used to announce number 
         |                  of delegated credentials needed
         |                    using FCI.DelegatedCredentials
         |                     +-------------------->| 
         |                     |                     |                    
         |                 7. CDNI Metadata interface used to
         |             provide the MI.DelegatedCredential object  
         |                     |<--------------------+    
         |                     |                     |  
        Figure 1: Example call-flow of Delegated credentials in CDNI

7.  IANA Considerations

   This document requests the registration of the following entries
   under the "CDNI Payload Types" registry hosted by IANA regarding
   "CDNI delegation":

      +-------------------------------+---------------+
      | Payload Type                  | Specification |
      +-------------------------------+---------------+
      | FCI.DelegatedCredentials      | RFCthis       |
      | MI.DelegatedCredentials       | RFCthis       |
      +-------------------------------+---------------+

   [RFC Editor: Please replace RFCthis with the published RFC number for
     this document.]

7.1  CDNI MI DelegatedCredentials Payload Type


   Purpose: The purpose of this Payload Type is to distinguish Delegated
   Credentials MI objects (and any associated capability advertisement)

   Interface: MI/FCI

   Encoding: see corresponding section


7.1  CDNI FCI DelegatedCredentials Payload Type

   Purpose: The purpose of this Payload Type is to advertise the number
   of delegated credentials needed (and any associated capability
   advertisement)

   Interface: FCI

 


<Author>                 Expires <Expiry Date>                  [Page 9]

INTERNET DRAFT              <Document Title>                <Issue Date>


   Encoding: see corresponding section

8.  Security Considerations

   The extensions defined in the present document allow to provide
   delegated credentials to dCDNs. The delegated credentials themselves
   are short-lived and as such a single leaked delegated credential
   represents a limited security risk. However, it is important to
   ensure that an attacker is not able to systematically retrieve a more
   important number of delegated credentials. Such an attack would allow
   the attacker to systematically impersonate dCDN nodes.

   The FCI and MI objects defined in the present document are
   transferred via the interfaces defined in CDNI [RFC8006]. [RFC8006]
   describes how to secure these interfaces, protecting the integrity,
   confidentiality and ensuring the authenticity of the dCDN and uCDN.
   The security provide by [RFC8006] should therefore address the above
   security concerns.

9.  Privacy Considerations

   The information, FCI and MI objects defined in the present document
   do not contain any personally identifiable information (PII). As such
   this document does not change or alter the Confidentiality and
   Privacy Consideration outlined in the CDNI Metadata and Footprint and
   Capabilities RFCs [RFC8006].

10  References

10.1  Normative References

   [I-D.ietf-tls-subcerts] Barnes, R., Iyengar, S., Sullivan, N., and E.
              Rescorla, "Delegated Credentials for TLS", Work in
              Progress, Internet-Draft, draft-ietf-tls-subcerts-15, 15
              June 2022, <https://datatracker.ietf.org/doc/html/draft-
              ietf-tls-subcerts-15>.

   [RFC9115] Sheffer, Y., Lopez, D., Pastor Perales, A., and T. Fossati,
              "An Automatic Certificate Management Environment (ACME)
              Profile for Generating Delegated Certificates", RFC 9115,
              DOI 10.17487/RFC9115, September 2021, <https://www.rfc-
              editor.org/info/rfc9115>.

   [RFC8739] Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor
              Perales, A., and T. Fossati, "Support for Short-Term,
              Automatically Renewed (STAR) Certificates in the Automated
              Certificate Management Environment (ACME)", RFC 8739, DOI
              10.17487/RFC8739, March 2020, <https://www.rfc-
 


<Author>                 Expires <Expiry Date>                 [Page 10]

INTERNET DRAFT              <Document Title>                <Issue Date>


              editor.org/info/rfc9115>.

   [RFC8006]  Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
              "Content Delivery Network Interconnection (CDNI)
              Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
              <https://www.rfc-editor.org/info/rfc8006>.

   [RFC8007]  Murray, R. and B. Niven-Jenkins, "Content Delivery Network
              Interconnection (CDNI) Control Interface / Triggers", RFC
              8007, DOI 10.17487/RFC8007, December 2016,
              <https://www.rfc-editor.org/info/rfc8739>.

   [RFC8008]  Seedorf, J., Peterson, J., Previdi, S., van Brandenburg,
              R., and K. Ma, "Content Delivery Network Interconnection
              (CDNI) Request Routing: Footprint and Capabilities
              Semantics", RFC 8008, DOI 10.17487/RFC8008, December 2016,
              <https://www.rfc-editor.org/info/rfc8008>.

   [I-D.ietf-cdni-interfaces-https-delegation] Fieau, F., Stephan, E.,
              and S. Mishra, "CDNI extensions for HTTPS delegation",
              Work in Progress, Internet-Draft, draft-ietf-cdni-
              interfaces-https-delegation-08, 7 March 2022,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cdni-
              interfaces-https-delegation-08>.

10.2  Informative References

   [RFC7336]  Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
              "Framework for Content Distribution Network
              Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
              August 2014, <https://www.rfc-editor.org/info/rfc7336>.

   [RFC7337]  Leung, K., Ed. and Y. Lee, Ed., "Content Distribution
              Network Interconnection (CDNI) Requirements", RFC 7337,
              DOI 10.17487/RFC7337, August 2014, <https://www.rfc-
              editor.org/info/rfc7337>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.








 


<Author>                 Expires <Expiry Date>                 [Page 11]

INTERNET DRAFT              <Document Title>                <Issue Date>


Authors' Addresses


                 Frederic Fieau
                 Orange
                 40-48, avenue de la Republique
                 92320 Chatillon
                 France

                 Email: frederic.fieau@orange.com


                 Emile Stephan
                 Orange
                 2, avenue Pierre Marzin
                 22300 Lannion
                 France

                 Email: emile.stephan@orange.com


                 Guillaume Bichot
                 Broadpeak
                 15, rue Claude Chappe
                 35510 Cesson-Sevigne
                 France

                 Email: guillaume.bichot@broadpeak.tv


                 Christoph Neumann
                 Broadpeak
                 15, rue Claude Chappe
                 35510 Cesson-Sevigne
                 France

                 Email: christoph.neumann@broadpeak.tv














<Author>                 Expires <Expiry Date>                 [Page 12]