<?xml version="1.0" encoding="UTF-8"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std" consensus="true" docName="draft-ietf-acme-star-delegation-09" indexInclude="true" ipr="trust200902" number="9115" prepTime="2021-06-11T11:25:00" scripts="Common,Latin" sortRefs="true" submissionType="IETF" updates="" obsoletes="" symRefs="true" tocDepth="3" tocInclude="true" xml:lang="en">
<!-- xml2rfc v2v3 conversion 3.4.0 -->
<front>
<title abbrev="ACME Delegation">An Automatic Certificate Management Environment (ACME) Profile for Generating Delegated Certificates</title>
<seriesInfo name="RFC" value="9115" stream="IETF"/>
<author initials="Y." surname="Sheffer" fullname="Yaron Sheffer">
<organization showOnFrontPage="true">Intuit</organization>
<address> <email>yaronf.ietf@gmail.com</email> </address>
</author>
<author initials="D." surname="López" fullname="Diego López">
<organization showOnFrontPage="true">Telefonica I+D</organization>
<address> <email>diego.r.lopez@telefonica.com</email> </address>
</author>
<author initials="A." surname="Pastor Perales" fullname="Antonio Agustín Pastor Perales">
<organization showOnFrontPage="true">Telefonica I+D</organization>
<address> <email>antonio.pastorperales@telefonica.com</email> </address>
</author>
<author initials="T." surname="Fossati" fullname="Thomas Fossati">
<organization showOnFrontPage="true">ARM</organization>
<address> <email>thomas.fossati@arm.com</email> </address>
</author>
<date month="September" year="2021"/>
<area>Security</area>
<workgroup>ACME</workgroup>
<keyword>Content Delivery Network</keyword>
<keyword>CDN</keyword>
<abstract pn="section-abstract">
<t indent="0" pn="section-abstract-1">This document defines a profile of the Automatic Certificate Management Environment (ACME) protocol by which the holder of an identifier (e.g., a domain name) can allow a third party to obtain an X.509 certificate such that the certificate subject is the delegated identifier while the certified public key corresponds to a private key controlled by the third party. A primary use case is that of a Content Delivery Network (CDN), the third party, terminating TLS sessions on behalf of a content provider (the holder of a domain name). The presented mechanism allows the holder of the identifier to retain control over the delegation and revoke it at any time. Importantly, this mechanism does not require any modification to the deployed TLS clients and servers.</t>
</abstract>
<boilerplate>
<section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1">
<name slugifiedName="name-status-of-this-memo">Status of This Memo</name>
<t indent="0" pn="section-boilerplate.1-1"> This is an Internet Standards Track document. </t>
<t indent="0" pn="section-boilerplate.1-2"> This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. </t>
<t indent="0" pn="section-boilerplate.1-3"> Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at <eref target="http://www.rfc-editor.org/info/rfc9115" brackets="none"/>. </t>
</section>
<section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2">
<name slugifiedName="name-copyright-notice">Copyright Notice</name>
<t indent="0" pn="section-boilerplate.2-1"> Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. </t>
<t indent="0" pn="section-boilerplate.2-2"> This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
</t>
</section>
</boilerplate>
</front>
<middle>
<section anchor="introduction" numbered="true" toc="include" removeInRFC="false" pn="section-1">
<name slugifiedName="name-introduction">Introduction</name>
<t indent="0" pn="section-1-1">This document is related to <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/>, in that some important use cases require both documents to be implemented. To avoid duplication, we give here a bare-bones description of the motivation for this solution. For more details, please refer to the introductory sections of <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/>.</t>
<t indent="0" pn="section-1-2">An Identifier Owner (IdO) has agreements in place with one or more Name Delegation Consumers (NDCs) to use and attest its identity.</t>
<t indent="0" pn="section-1-3">In the primary use case, the IdO is a content provider, and we consider a Content Delivery Network (CDN) provider contracted to serve the content over HTTPS.
The CDN terminates the HTTPS connection at one of its edge cache servers and needs to present its clients (browsers, mobile apps,set-top-boxes)set-top boxes) a certificate whose name matches the domain name of the URL that is requested, i.e., that of the IdO. Understandably, some IdOs may balk at sharing their long-term private keys with anotherorganization and,organization; equally, delegates would rather not have to handle other parties' long-term secrets. Other relevant use cases are discussed in <xref target="further-use-cases" format="default" sectionFormat="of" derivedContent="Section 5"/>.</t> <t indent="0" pn="section-1-4">This document describes a profile of the ACME protocol <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555"/> that allows the NDC to request from the IdO, acting as a profiled ACME server, a certificate for a delegated identity--- i.e., one belonging to the IdO. The IdO then uses the ACME protocol (with the extensions described in <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/>) to request issuance of a Short-Term, Automatically Renewed (STAR) certificate for the same delegated identity. The generated short-term certificate is automatically renewed by the ACME Certification Authority (CA), is periodically fetched by theNDCNDC, and is used to terminate HTTPS connections in lieu of the IdO. The IdO can end the delegation at any time by simply instructing the CA to stop the automatic renewal and letting the certificate expire shortly thereafter.</t> <t indent="0" pn="section-1-5">While the primary use case we address is a delegation of STAR certificates, the mechanism proposed hereaccommodatesalso accommodates long-lived certificates managed with the ACME protocol. The most noticeable difference between long-lived and STAR certificates is the way the termination of the delegation is managed. 
In the case of long-lived certificates, the IdO uses therevokeCert<tt>revokeCert</tt> URL exposed by the CA and waits for the explicit revocation based on the Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) to propagate to the relying parties.</t> <t indent="0" pn="section-1-6">In case the delegated identity is a domain name, this document also provides a way for the NDC to inform the IdO about the CNAME mappings that need to be installed in the IdO's DNS zone to enable the aliasing of the delegated name, thus allowing the complete name delegation workflow to be handled using a single interface.</t> <t indent="0" pn="section-1-7">We note that other standardization efforts address the problem of certificate delegation for TLS connections, specifically <xref target="I-D.ietf-tls-subcerts" format="default" sectionFormat="of" derivedContent="I-D.ietf-tls-subcerts"/> and <xref target="I-D.mglt-lurk-tls13" format="default" sectionFormat="of" derivedContent="I-D.mglt-lurk-tls13"/>. The former extends the TLS certificate chain with a customer-owned signing certificate; the latter separates the server's private key into a dedicated,more securemore-secure component. Compared to these other approaches, the current document does not require changes to the TLS network stack of the client or the server, nor does it introduce additional latency to the TLS connection.</t> <section anchor="terminology" numbered="true" toc="include" removeInRFC="false" pn="section-1.1"> <name slugifiedName="name-terminology">Terminology</name> <dlindent="3"indent="8" newline="false" spacing="normal" pn="section-1.1-1"> <dtpn="section-1.1-1.1"> IdO </dt>pn="section-1.1-1.1">IdO</dt> <dd pn="section-1.1-1.2"> <t indent="0" pn="section-1.1-1.2.1">Identifier Owner, the holder (current owner) of an identifier (e.g., a domain name) that needs to be delegated. 
Depending on the context, the term IdO may also be used to designate the (profiled) ACME server deployed by the Identifier Owner or the ACME client used by the Identifier Owner to interact with the CA.</t> </dd> <dtpn="section-1.1-1.3"> NDC </dt>pn="section-1.1-1.3">NDC</dt> <dd pn="section-1.1-1.4"> <t indent="0" pn="section-1.1-1.4.1">Name Delegation Consumer, the entity to which the domain name is delegated for a limited time. This is a CDN in the primary use case (in fact, readers may note the similarity of the twoacronyms).abbreviations). Depending on the context, the term NDC may also be used to designate the (profiled) ACME client used by the Name Delegation Consumer.</t> </dd> <dtpn="section-1.1-1.5"> CDN </dt>pn="section-1.1-1.5">CDN</dt> <dd pn="section-1.1-1.6"> <t indent="0" pn="section-1.1-1.6.1">Content Delivery Network, a widely distributed network that serves the domain's web content to a wide audience at high performance.</t> </dd> <dtpn="section-1.1-1.7"> STAR </dt>pn="section-1.1-1.7">STAR</dt> <dd pn="section-1.1-1.8"> <t indent="0" pn="section-1.1-1.8.1">Short-Term, AutomaticallyRenewedRenewed, as applied to X.509 certificates.</t> </dd> <dtpn="section-1.1-1.9"> ACME </dt>pn="section-1.1-1.9">ACME</dt> <dd pn="section-1.1-1.10"> <t indent="0" pn="section-1.1-1.10.1">Automated Certificate Management Environment, a certificate management protocol <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555"/>.</t> </dd> <dtpn="section-1.1-1.11"> CA </dt>pn="section-1.1-1.11">CA</dt> <dd pn="section-1.1-1.12"> <t indent="0"pn="section-1.1-1.12.1">A Certification Authoritypn="section-1.1-1.12.1">Certification Authority, specifically one that implements the ACME protocol. 
In this document, the term is synonymous with "ACME server deployed by the Certification Authority".</t> </dd> <dtpn="section-1.1-1.13"> CSR </dt>pn="section-1.1-1.13">CSR</dt> <dd pn="section-1.1-1.14"> <t indent="0"pn="section-1.1-1.14.1">Apn="section-1.1-1.14.1">Certificate Signing Request, specifically a PKCS#10 <xref target="RFC2986" format="default" sectionFormat="of" derivedContent="RFC2986"/> Certificate Signing Request, as supported by ACME.</t> </dd> <dtpn="section-1.1-1.15"> FQDN </dt>pn="section-1.1-1.15">FQDN</dt> <dd pn="section-1.1-1.16"> <t indent="0" pn="section-1.1-1.16.1">Fully Qualified Domain Name.</t> </dd> </dl> </section> <section anchor="conventions-used-in-this-document" numbered="true" toc="include" removeInRFC="false" pn="section-1.2"> <name slugifiedName="name-conventions-used-in-this-do">ConventionsusedUsed inthis document</name>This Document</name> <t indent="0"pn="section-1.2-1">Thepn="section-1.2-1"> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> </section> </section> <section anchor="sec-protocol-flow" numbered="true" toc="include" removeInRFC="false" pn="section-2"> <name slugifiedName="name-protocol-flow">Protocol Flow</name> <t indent="0" pn="section-2-1">This section presents the protocol flow. 
For completeness, we include the ACME profile proposed in this document as well as the ACME STAR protocol described in <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/>.</t> <section anchor="proto-preconditions" numbered="true" toc="include" removeInRFC="false" pn="section-2.1"> <name slugifiedName="name-preconditions">Preconditions</name> <t indent="0" pn="section-2.1-1">The protocol assumes the following preconditions are met:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.1-2"> <li pn="section-2.1-2.1">The IdO exposes an ACME server interface to the NDC(s) comprising the account management interface.</li> <li pn="section-2.1-2.2">The NDC has registered an ACME account with the IdO.</li> <li pn="section-2.1-2.3">The NDC and IdO have agreed on a "CSR template" to use, including at a minimum: subject name (e.g., <tt>abc.ido.example</tt>), requested algorithms and key length, key usage, and extensions. The NDC will use this template for every CSR created under the same delegation.</li> <li pn="section-2.1-2.4">The IdO has registered an ACME account with the Certification Authority (CA).</li> </ul> <t indent="0" pn="section-2.1-3">Note that even if the IdO implements the ACME server role, it is not acting as a CA; in fact, from the point of view of the certificate issuance process, the IdO only works as a "policing" forwarder of the NDC's key pair and is responsible for completing the identity verification process towards the CA.</t> </section> <section anchor="overview" numbered="true" toc="include" removeInRFC="false" pn="section-2.2"> <name slugifiedName="name-overview">Overview</name> <t indent="0" pn="section-2.2-1">For clarity, the protocol overview presented here covers the main use case of this protocol, namely delegation of STAR certificates.
Protocol behavior for non-STAR certificates is similar, and the detailed differences are listed in the following sections.</t> <t indent="0" pn="section-2.2-2">The interaction between the NDC and the IdO is governed by the profiled ACME workflow detailed in <xref target="sec-profile" format="default" sectionFormat="of" derivedContent="Section 2.3"/>. The interaction between the IdO and the CA is ruled by ACME <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555"/>, ACME STAR <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/>, and any other ACME extension that applies (e.g., <xref target="I-D.ietf-acme-authority-token-tnauthlist" format="default" sectionFormat="of" derivedContent="I-D.ietf-acme-authority-token-tnauthlist"/> for Secure Telephone Identity Revisited (STIR)).</t> <t indent="0" pn="section-2.2-3">The outline of the combined protocol for STAR certificates is as follows (<xref target="fig-endtoend" format="default" sectionFormat="of" derivedContent="Figure 1"/>):</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.2-4"> <li pn="section-2.2-4.1">NDC sends an Order1 for the delegated identifier to IdO.</li> <li pn="section-2.2-4.2">IdO creates an Order1 resource in state <tt>ready</tt> with a <tt>finalize</tt> URL.</li> <li pn="section-2.2-4.3">NDC immediately sends a <tt>finalize</tt> request (which includes the CSR) to the IdO.</li> <li pn="section-2.2-4.4">IdO verifies the CSR according to the agreed upon CSR template.</li> <li pn="section-2.2-4.5">If the CSR verification fails, Order1 is moved to an <tt>invalid</tt> state and everything stops.</li> <li pn="section-2.2-4.6">If the CSR verification is successful, IdO moves Order1 to state <tt>processing</tt> and sends a new Order2 (using its own account) for the delegated
identifier to the CA.</li> <li pn="section-2.2-4.7">If the ACME STAR protocol fails, Order2 moves to <tt>invalid</tt>, and the same state is reflected in Order1 (i.e., the NDC Order).</li> <li pn="section-2.2-4.8">If the ACME STAR run is successful (i.e., Order2 is <tt>valid</tt>), IdO copies the <tt>star-certificate</tt> URL from Order2 to Order1 and updates the Order1 state to <tt>valid</tt>.</li> </ul> <t indent="0" pn="section-2.2-5">The NDC can now download, install, and use the short-term certificate bearing the name delegated by the IdO. The STAR certificate can be used until it expires, at which time the NDC is guaranteed to find a new certificate it can download, install, and use. This continues with subsequent certificates until either Order1 expires or the IdO decides to cancel the automatic renewal process with the CA.</t> <t indent="0" pn="section-2.2-6">Note that the interactive identifier authorization phase described in <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555" section="7.5"/> is suppressed on the NDC-IdO side because the delegated identity contained in the CSR presented to the IdO is validated against the configured CSR template (<xref target="sec-csr-template-syntax" format="default" sectionFormat="of" derivedContent="Section 4.1"/>). Therefore, the NDC sends the <tt>finalize</tt> request, including the CSR, to the IdO immediately after Order1 has been acknowledged.
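The outline above, the suppressed authorization step, and the note on unauthenticated GET that follows describe a small state machine on the IdO side. The Python simulation below is an added example, not code from RFC 9115 or from any ACME implementation: it models the IdO as the "policing forwarder" of the preconditions (CSR checked against the agreed template, Order1 moved to invalid and the CA never contacted on mismatch, Order2 placed under the IdO's own CA account, Order2's outcome and star-certificate URL mirrored back to Order1) and the CA's behaviour on the NDC's unauthenticated GET. The flat template dict, the in-memory CA, the account name ido@ca.example and the ca.example URLs are constructed for the simulation; the template shape is a hypothetical simplification and is not the JSON template syntax the document defines in its Section 4.1.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed CSR template, standing in for the one the NDC and IdO agree on
# out of band. Hypothetical flat shape for the simulation only; NOT the JSON
# template syntax RFC 9115 defines in its Section 4.1.
TEMPLATE = {
    "subject": "abc.ido.example",
    "key_alg": "EC",
    "key_size": 256,
    "key_usage": frozenset({"digitalSignature"}),
    "extensions": {"subjectAltName": ("abc.ido.example",)},
}


@dataclass
class Order:
    """Minimal ACME order: only the fields the delegation flow touches."""
    identifier: str
    state: str = "ready"            # ready -> processing -> valid | invalid
    csr: Optional[dict] = None      # buffered by the IdO while Order2 is in flight
    star_certificate: Optional[str] = None
    error: Optional[str] = None


def check_csr(csr: dict, template: dict) -> Optional[str]:
    """Return None if the CSR matches the template exactly, else the reason.

    Exact match is deliberate: the template is policy, so a CSR asking for a
    different algorithm, size, key usage or extension set is a violation."""
    for key in ("subject", "key_alg", "key_size", "key_usage", "extensions"):
        if csr.get(key) != template[key]:
            return f"{key} does not match template: {csr.get(key)!r}"
    return None


class SimulatedCA:
    """Stand-in for the CA's ACME STAR server (hypothetical, in-memory)."""

    def __init__(self, fail: bool = False, unauthenticated_get: bool = True):
        self.fail = fail                                # force Order2 -> invalid
        self.unauthenticated_get = unauthenticated_get  # RFC 8739 Section 3.4 negotiated?
        self.orders = []
        self._certs = {}

    def star_order(self, ido_account: str, identifier: str, csr: dict) -> Order:
        """Order2: placed by the IdO under its own CA account."""
        order2 = Order(identifier=identifier, csr=csr)
        self.orders.append(order2)
        if self.fail:
            order2.state, order2.error = "invalid", "STAR issuance failed"
            return order2
        url = f"https://ca.example/star-cert/{len(self.orders)}"  # hypothetical URL
        self._certs[url] = f"CERT({identifier}, {csr['key_alg']}-{csr['key_size']})"
        order2.state, order2.star_certificate = "valid", url
        return order2

    def fetch(self, url: str, account: Optional[str] = None) -> Optional[str]:
        """GET on the star-certificate URL. The NDC holds no CA account, so its
        fetch only succeeds if unauthenticated GET was negotiated."""
        if account is None and not self.unauthenticated_get:
            return None
        return self._certs.get(url)


class IdO:
    """The IdO's profiled ACME server: a policing forwarder of the NDC's key pair."""

    def __init__(self, template: dict, ca: SimulatedCA, ca_account: str = "ido@ca.example"):
        self.template, self.ca, self.ca_account = template, ca, ca_account

    def new_order(self, identifier: str) -> Order:
        # Identifier authorization is suppressed on the NDC-IdO side, so Order1
        # starts directly in 'ready' (the finalize URL is implicit here).
        return Order(identifier=identifier)

    def finalize(self, order1: Order, csr: dict) -> Order:
        if order1.state != "ready":
            raise ValueError(f"finalize not allowed from state {order1.state!r}")
        reason = check_csr(csr, self.template)
        if reason is None and csr["subject"] != order1.identifier:
            reason = "CSR subject differs from the order identifier"
        if reason is not None:
            order1.state, order1.error = "invalid", reason
            return order1                        # everything stops; CA never contacted
        order1.state, order1.csr = "processing", csr   # buffer the valid CSR
        order2 = self.ca.star_order(self.ca_account, order1.identifier, csr)
        order1.state, order1.error = order2.state, order2.error  # mirror Order2's outcome
        order1.star_certificate = order2.star_certificate        # copied on success
        return order1


GOOD_CSR = dict(TEMPLATE)   # constructed: a CSR that matches the template exactly


def run_delegation(identifier: str, csr: dict, ca: SimulatedCA) -> Order:
    """One NDC -> IdO -> CA round; returns Order1 as the NDC would see it."""
    ido = IdO(TEMPLATE, ca)
    return ido.finalize(ido.new_order(identifier), csr)


if __name__ == "__main__":
    ca = SimulatedCA()
    o = run_delegation("abc.ido.example", GOOD_CSR, ca)
    print(o.state, o.star_certificate, ca.fetch(o.star_certificate))
```

The point a practitioner should take from the simulation is that the IdO never sees a private key and never signs anything: its only security-relevant decision is the template comparison in check_csr, which is why that comparison is an exact match rather than a "strong enough" check, and why a CSR that fails it must leave Order1 invalid without ever reaching the CA.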
The IdO <bcp14>SHALL</bcp14> buffer a (valid) CSR until the Validation phase completes successfully.</t> <t indent="0" pn="section-2.2-7">Also note that the successful negotiation of the unauthenticated GET (<xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739" section="3.4"/>) is required in order to allow the NDC to access the <tt>star-certificate</tt> URL on the CA.</t> <figure anchor="fig-endtoend" align="left" suppress-title="false" pn="figure-1"> <name slugifiedName="name-end-to-end-star-delegation-">End-to-End STAR Delegation Flow</name> <artset pn="section-2.2-8.1"> <artwork type="svg" name="" align="left" alt="" pn="section-2.2-8.1.1"><svg xmlns="http://www.w3.org/2000/svg" class="diagram" version="1.1" height="841" width="480" viewBox="0 0 480.0 841.0"> <g transform="translate(8,16)"> <path d="M 16,16 L 56,16" fill="none" stroke="black"/> <path d="M 176,16 L 288,16" fill="none" stroke="black"/> <path d="M 408,16 L 448,16" fill="none" stroke="black"/> <path d="M 0,48 L 72,48" fill="none" stroke="black"/> <path d="M 160,48 L 232,48" fill="none" stroke="black"/> <path d="M 232,48 L 304,48" fill="none" stroke="black"/> <path d="M 392,48 L 464,48" fill="none" stroke="black"/> <path d="M 0,80 L 32,80" fill="none" stroke="black"/> <path d="M 32,80 L 72,80" fill="none" stroke="black"/> <path d="M 160,80 L 200,80" fill="none" stroke="black"/> <path d="M 200,80 L 232,80" fill="none" stroke="black"/> <path d="M 232,80 L 264,80" fill="none" stroke="black"/> <path d="M 264,80 L 304,80" fill="none" stroke="black"/> <path d="M 392,80 L 432,80" fill="none" stroke="black"/> <path d="M 432,80 L 464,80" fill="none" stroke="black"/> <path d="M 32,144 L 192,144" fill="none" stroke="black"/> <path d="M 32,272 L 192,272" fill="none" stroke="black"/> <path d="M 40,304 L 200,304" fill="none"
stroke="black"/> <path d="M 264,320 L 424,320" fill="none" stroke="black"/> <path d="M 272,368 L 432,368" fill="none" stroke="black"/> <path d="M 264,416 L 424,416" fill="none" stroke="black"/> <path d="M 264,512 L 424,512" fill="none" stroke="black"/> <path d="M 272,544 L 432,544" fill="none" stroke="black"/> <path d="M 32,624 L 424,624" fill="none" stroke="black"/> <path d="M 40,656 L 432,656" fill="none" stroke="black"/> <path d="M 32,688 L 424,688" fill="none" stroke="black"/> <path d="M 40,720 L 432,720" fill="none" stroke="black"/> <path d="M 32,768 L 424,768" fill="none" stroke="black"/> <path d="M 40,800 L 432,800" fill="none" stroke="black"/> <path d="M 0,32 L 0,48" fill="none" stroke="black"/> <path d="M 0,48 L 0,80" fill="none" stroke="black"/> <path d="M 32,80 L 32,144" fill="none" stroke="black"/> <path d="M 32,144 L 32,272" fill="none" stroke="black"/> <path d="M 32,272 L 32,624" fill="none" stroke="black"/> <path d="M 32,624 L 32,688" fill="none" stroke="black"/> <path d="M 32,688 L 32,768" fill="none" stroke="black"/> <path d="M 32,768 L 32,800" fill="none" stroke="black"/> <path d="M 72,32 L 72,48" fill="none" stroke="black"/> <path d="M 72,48 L 72,80" fill="none" stroke="black"/> <path d="M 160,32 L 160,48" fill="none" stroke="black"/> <path d="M 160,48 L 160,80" fill="none" stroke="black"/> <path d="M 200,80 L 200,304" fill="none" stroke="black"/> <path d="M 200,304 L 200,576" fill="none" stroke="black"/> <path d="M 232,48 L 232,80" fill="none" stroke="black"/> <path d="M 264,80 L 264,320" fill="none" stroke="black"/> <path d="M 264,320 L 264,416" fill="none" stroke="black"/> <path d="M 264,416 L 264,512" fill="none" stroke="black"/> <path d="M 264,512 L 264,576" fill="none" stroke="black"/> <path d="M 304,32 L 304,48" fill="none" stroke="black"/> <path d="M 304,48 L 304,80" fill="none" stroke="black"/> <path d="M 392,32 L 392,48" fill="none" stroke="black"/> <path d="M 392,48 L 392,80" fill="none" stroke="black"/> <path d="M 432,80 L 432,368" 
fill="none" stroke="black"/> <path d="M 432,368 L 432,544" fill="none" stroke="black"/> <path d="M 432,544 L 432,656" fill="none" stroke="black"/> <path d="M 432,656 L 432,720" fill="none" stroke="black"/> <path d="M 432,720 L 432,800" fill="none" stroke="black"/> <path d="M 464,32 L 464,48" fill="none" stroke="black"/> <path d="M 464,48 L 464,80" fill="none" stroke="black"/> <polygon points="48.000000,304.000000 36.000000,298.399994 36.000000,309.600006" transform="rotate(180.000000, 40.000000, 304.000000)" fill="black"/> <polygon points="48.000000,656.000000 36.000000,650.400024 36.000000,661.599976" transform="rotate(180.000000, 40.000000, 656.000000)" fill="black"/> <polygon points="48.000000,720.000000 36.000000,714.400024 36.000000,725.599976" transform="rotate(180.000000, 40.000000, 720.000000)" fill="black"/> <polygon points="48.000000,800.000000 36.000000,794.400024 36.000000,805.599976" transform="rotate(180.000000, 40.000000, 800.000000)" fill="black"/> <polygon points="200.000000,144.000000 188.000000,138.399994 188.000000,149.600006" transform="rotate(0.000000, 192.000000, 144.000000)" fill="black"/> <polygon points="200.000000,272.000000 188.000000,266.399994 188.000000,277.600006" transform="rotate(0.000000, 192.000000, 272.000000)" fill="black"/> <polygon points="280.000000,368.000000 268.000000,362.399994 268.000000,373.600006" transform="rotate(180.000000, 272.000000, 368.000000)" fill="black"/> <polygon points="280.000000,544.000000 268.000000,538.400024 268.000000,549.599976" transform="rotate(180.000000, 272.000000, 544.000000)" fill="black"/> <polygon points="432.000000,320.000000 420.000000,314.399994 420.000000,325.600006" transform="rotate(0.000000, 424.000000, 320.000000)" fill="black"/> <polygon points="432.000000,416.000000 420.000000,410.399994 420.000000,421.600006" transform="rotate(0.000000, 424.000000, 416.000000)" fill="black"/> <polygon points="432.000000,512.000000 420.000000,506.399994 420.000000,517.599976" 
transform="rotate(0.000000, 424.000000, 512.000000)" fill="black"/> <polygon points="432.000000,624.000000 420.000000,618.400024 420.000000,629.599976" transform="rotate(0.000000, 424.000000, 624.000000)" fill="black"/> <polygon points="432.000000,688.000000 420.000000,682.400024 420.000000,693.599976" transform="rotate(0.000000, 424.000000, 688.000000)" fill="black"/> <polygon points="432.000000,768.000000 420.000000,762.400024 420.000000,773.599976" transform="rotate(0.000000, 424.000000, 768.000000)" fill="black"/> <path d="M 16,16 A 16,16 0 0,0 0,32" fill="none" stroke="black"/> <path d="M 56,16 A 16,16 0 0,1 72,32" fill="none" stroke="black"/> <path d="M 176,16 A 16,16 0 0,0 160,32" fill="none" stroke="black"/> <path d="M 288,16 A 16,16 0 0,1 304,32" fill="none" stroke="black"/> <path d="M 408,16 A 16,16 0 0,0 392,32" fill="none" stroke="black"/> <path d="M 448,16 A 16,16 0 0,1 464,32" fill="none" stroke="black"/> <circle cx="32" cy="144" r="6" fill="white" stroke="black"/> <circle cx="32" cy="272" r="6" fill="white" stroke="black"/> <circle cx="32" cy="624" r="6" fill="white" stroke="black"/> <circle cx="32" cy="688" r="6" fill="white" stroke="black"/> <circle cx="32" cy="768" r="6" fill="white" stroke="black"/> <circle cx="200" cy="304" r="6" fill="white" stroke="black"/> <circle cx="264" cy="320" r="6" fill="white" stroke="black"/> <circle cx="264" cy="416" r="6" fill="white" stroke="black"/> <circle cx="264" cy="512" r="6" fill="white" stroke="black"/> <circle cx="432" cy="368" r="6" fill="white" stroke="black"/> <circle cx="432" cy="544" r="6" fill="white" stroke="black"/> <circle cx="432" cy="656" r="6" fill="white" stroke="black"/> <circle cx="432" cy="720" r="6" fill="white" stroke="black"/> <circle cx="432" cy="800" r="6" fill="white" stroke="black"/> <text text-anchor="middle" font-family="monospace" x="184" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="136" y="212" fill="black" 
font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="328" y="404" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="320" y="532" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="280" y="788" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="224" y="36" fill="black" font-size="1em">I</text> <text text-anchor="middle" font-family="monospace" x="248" y="68" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="104" y="212" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="160" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="304" y="484" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="80" y="580" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="176" y="580" fill="black" font-size="1em">~</text> <text text-anchor="middle" font-family="monospace" x="280" y="580" fill="black" font-size="1em">~</text> <text text-anchor="middle" font-family="monospace" x="40" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="312" y="676" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="192" y="644" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="304" y="308" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="336" y="356" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="328" y="532" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="88" y="580" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="120" y="612" fill="black" 
font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="112" y="756" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="176" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="64" y="132" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="144" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="240" y="612" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="208" y="676" fill="black" font-size="1em">)</text> <text text-anchor="middle" font-family="monospace" x="248" y="708" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="24" y="36" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="256" y="68" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="440" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="96" y="292" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="304" y="500" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="392" y="532" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="320" y="676" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="152" y="756" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="56" y="68" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="104" y="180" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="72" y="212" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="312" y="356" fill="black" 
font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="328" y="452" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="160" y="612" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="200" y="676" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="416" y="36" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="304" y="676" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="104" y="756" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="296" y="532" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="104" y="292" fill="black" font-size="1em">w</text> <text text-anchor="middle" font-family="monospace" x="344" y="340" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="304" y="532" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="376" y="532" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="88" y="260" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="320" y="404" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="344" y="500" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="136" y="612" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="200" y="756" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="224" y="756" fill="black" font-size="1em">G</text> <text text-anchor="middle" font-family="monospace" x="168" y="292" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="416" y="580" fill="black" 
font-size="1em">~</text> <text text-anchor="middle" font-family="monospace" x="224" y="676" fill="black" font-size="1em">G</text> <text text-anchor="middle" font-family="monospace" x="80" y="756" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="184" y="212" fill="black" font-size="1em">]</text> <text text-anchor="middle" font-family="monospace" x="128" y="612" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="216" y="644" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="80" y="676" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="112" y="676" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="320" y="756" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="184" y="180" fill="black" font-size="1em">]</text> <text text-anchor="middle" font-family="monospace" x="328" y="356" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="344" y="388" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="312" y="500" fill="black" font-size="1em">g</text> <text text-anchor="middle" font-family="monospace" x="232" y="612" fill="black" font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="264" y="612" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="328" y="676" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="64" y="292" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="408" y="532" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="352" y="676" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="296" y="756" fill="black" 
font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="48" y="212" fill="black" font-size="1em">[</text> <text text-anchor="middle" font-family="monospace" x="144" y="180" fill="black" font-size="1em">y</text> <text text-anchor="middle" font-family="monospace" x="48" y="196" fill="black" font-size="1em">[</text> <text text-anchor="middle" font-family="monospace" x="120" y="260" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="72" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="320" y="452" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="192" y="580" fill="black" font-size="1em">></text> <text text-anchor="middle" font-family="monospace" x="112" y="180" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="352" y="356" fill="black" font-size="1em">z</text> <text text-anchor="middle" font-family="monospace" x="384" y="580" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="272" y="676" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="160" y="756" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="224" y="788" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="448" y="68" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="160" y="212" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="304" y="388" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="104" y="676" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="144" y="676" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="232" y="676" fill="black" 
font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="264" y="68" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="168" y="212" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="80" y="292" fill="black" font-size="1em">k</text> <text text-anchor="middle" font-family="monospace" x="312" y="388" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="360" y="404" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="200" y="644" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="256" y="708" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="352" y="756" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="72" y="116" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="328" y="308" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="360" y="340" fill="black" font-size="1em">q</text> <text text-anchor="middle" font-family="monospace" x="352" y="500" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="128" y="580" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="144" y="612" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="32" y="36" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="144" y="212" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="64" y="260" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="80" y="260" fill="black" font-size="1em">g</text> <text text-anchor="middle" font-family="monospace" x="384" y="356" fill="black" 
font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="344" y="580" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="272" y="644" fill="black" font-size="1em">#</text> <text text-anchor="middle" font-family="monospace" x="240" y="756" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="184" y="196" fill="black" font-size="1em">]</text> <text text-anchor="middle" font-family="monospace" x="248" y="788" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="296" y="484" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="192" y="676" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="216" y="740" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="280" y="756" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="72" y="196" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="64" y="212" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="400" y="452" fill="black" font-size="1em">~</text> <text text-anchor="middle" font-family="monospace" x="104" y="612" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="256" y="676" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="240" y="788" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="136" y="180" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="104" y="196" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="120" y="212" fill="black" font-size="1em">z</text> <text text-anchor="middle" font-family="monospace" x="368" y="580" fill="black" 
font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="328" y="756" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="208" y="788" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="80" y="116" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="72" y="180" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="136" y="292" fill="black" font-size="1em">g</text> <text text-anchor="middle" font-family="monospace" x="272" y="452" fill="black" font-size="1em"><</text> <text text-anchor="middle" font-family="monospace" x="80" y="612" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="320" y="612" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="376" y="756" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="40" y="36" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="352" y="388" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="296" y="500" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="336" y="676" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="72" y="260" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="304" y="404" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="336" y="532" fill="black" font-size="1em">w</text> <text text-anchor="middle" font-family="monospace" x="352" y="532" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="280" y="612" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="216" y="788" fill="black" 
font-size="1em">f</text> </g> </svg> </artwork> <artwork type="ascii-art" name="" align="left" alt="" pn="section-2.2-8.1.2"><![CDATA[
 .------.            .---------------.            .------.
 | NDC  |            |      IdO      |            | ACME |
+--------+          +--------+--------+          +--------+
| Client |          | Server | Client |          | Server |
'---+----'          '----+---+---+----'          '----+---'
    |                    |       |                    |
    | Order1             |       |                    |
    | Signature          |       |                    |
    o------------------->|       |                    |
    |                    |       |                    |
    | [ No identity ]    |       |                    |
    | [ validation via ] |       |                    |
    | [ authorizations ] |       |                    |
    |                    |       |                    |
    | CSR                |       |                    |
    | Signature          |       |                    |
    o------------------->|       |                    |
    | Acknowledgement    |       | Order2             |
    |<-------------------o       | Signature          |
    |                    |       o------------------->|
    |                    |       | Required           |
    |                    |       | Authorizations     |
    |                    |       |<-------------------o
    |                    |       | Responses          |
    |                    |       | Signature          |
    |                    |       o------------------->|
    |                    |       |                    |
    |                    |       |<~~~~Validation~~~~>|
    |                    |       |                    |
    |                    |       | CSR                |
    |                    |       | Signature          |
    |                    |       o------------------->|
    |                    |       | Acknowledgement    |
    |                    |       |<-------------------o
    |                    |       |                    |
    |<~~Await issuance~->|       |<~~Await issuance~~>|
    |                    |       |                    |
    |     (unauthenticated) GET STAR certificate      |
    o------------------------------------------------>|
    |                 Certificate #1                  |
    |<------------------------------------------------o
    |     (unauthenticated) GET STAR certificate      |
    o------------------------------------------------>|
    |                 Certificate #2                  |
    |<------------------------------------------------o
    |                     [...]                       |
    |     (unauthenticated) GET STAR certificate      |
    o------------------------------------------------>|
    |                 Certificate #n                  |
    |<------------------------------------------------o
]]></artwork> </artset> </figure> </section> <section anchor="sec-profile" numbered="true" toc="include" removeInRFC="false" pn="section-2.3"> <name slugifiedName="name-delegated-identity-profile">Delegated Identity Profile</name> <t indent="0" pn="section-2.3-1">This section defines a profile of the ACME protocol to be used between the NDC and IdO.</t> <section anchor="sec-profile-dele-config" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.1"> <name slugifiedName="name-delegation-configuration">Delegation Configuration</name> <t indent="0" pn="section-2.3.1-1">The IdO must be preconfigured to recognize one or more NDCs and present them with details about certificate delegations that apply to each one.</t> <section anchor="account-object-extensions" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.1.1"> <name slugifiedName="name-account-object-extensions">Account Object Extensions</name> <t indent="0" pn="section-2.3.1.1-1">An NDC identifies itself to the IdO as an ACME account. 
The IdO can delegate multiple names to an NDC, and these configurations are described through <tt>delegation</tt> objects associated with the NDC's account object on the IdO.</t> <t indent="0" pn="section-2.3.1.1-2">As shown in <xref target="fig-account-object" format="default" sectionFormat="of" derivedContent="Figure 2"/>, the ACME account resource on the IdO is extended with a new <tt>delegations</tt> attribute:</t> <dl newline="false" spacing="normal" indent="3" pn="section-2.3.1.1-3"> <dt pn="section-2.3.1.1-3.1">delegations (required, string):</dt> <dd>A URL from which a list of delegations configured for this account (<xref target="sec-delegation-objects" format="default" sectionFormat="of" derivedContent="Section 2.3.1.3"/>) can be fetched via a POST-as-GET request.</dd> </dl> <figure anchor="fig-account-object" align="left" suppress-title="false" pn="figure-2"> <name slugifiedName="name-example-account-object-with">Example Account Object with Delegations</name> <artwork name="" type="" align="left" alt="" pn="section-2.3.1.1-4.1"><![CDATA[
{
  "status": "valid",
  "contact": [
    "mailto:delegation-admin@ido.example"
  ],
  "termsOfServiceAgreed": true,
  "orders": "https://example.com/acme/orders/saHpfB",
  "delegations": "https://acme.ido.example/acme/delegations/adFqoz"
}
]]></artwork> </figure> </section> <section anchor="delegation-lists" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.1.2"> <name slugifiedName="name-delegation-lists">Delegation Lists</name> <t indent="0" pn="section-2.3.1.2-1">Each account object includes a <tt>delegations</tt> URL from which a list of delegation configurations created by the IdO can be fetched via a POST-as-GET request. 
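</t> <t indent="0">The following Python module is an added example; it is not code from RFC 9115 or from any ACME implementation. It models both ends of this profile: the NDC client's walk of the <tt>delegations</tt> list by following the <tt>Link</tt> header's <tt>next</tt> relation (Section 2.3.1.2), the FQDN rule for <tt>cname-map</tt> entries in a <tt>delegation</tt> object (Section 2.3.1.3), and the checks the IdO applies to a STAR new-order from an NDC (Section 2.3.2): a <tt>delegation</tt> URL that is not configured for the requesting account is answered with 403 and <tt>urn:ietf:params:acme:error:unknownDelegation</tt>; <tt>notBefore</tt> and <tt>notAfter</tt> must be absent; <tt>auto-renewal</tt> must be present with <tt>allow-certificate-get</tt> set to true; and the <tt>identifiers</tt> must be the delegated names from the CSR template. The URLs, the two-page delegations list and the sample order are constructed for the example. Rejecting identifiers outside the configured names, and answering the non-delegation failures with 400 and the RFC 8555 types <tt>malformed</tt> and <tt>rejectedIdentifier</tt>, are this example's choices rather than requirements stated in this section.</t> <sourcecode name="" type="python"><![CDATA[
```python
"""IdO-side handling of the ACME STAR delegation profile (RFC 9115, Section 2.3).
Added example, not code from RFC 9115 or from any ACME implementation. The URLs, the
two-page delegations list and the sample order are constructed so it runs offline."""
from __future__ import annotations
import re
from typing import Callable

UNKNOWN_DELEGATION = "urn:ietf:params:acme:error:unknownDelegation"   # RFC 9115
MALFORMED = "urn:ietf:params:acme:error:malformed"                     # RFC 8555
REJECTED_IDENTIFIER = "urn:ietf:params:acme:error:rejectedIdentifier"  # RFC 8555

# One link-value of an RFC 8288 Link header field: <URI>; rel="..."
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="?([^";,]+)"?')

def next_link(link_headers: list[str]) -> str | None:
    """Target of the rel="next" link, or None when the list is complete."""
    for header in link_headers:
        for url, rel in _LINK_RE.findall(header):
            if rel == "next":
                return url
    return None

def fetch_all_delegations(post_as_get: Callable[[str], tuple[dict, list[str]]],
                          delegations_url: str, max_pages: int = 100) -> list[str]:
    """NDC side: walk the delegations list (Section 2.3.1.2), following rel="next".
    post_as_get(url) models an authenticated POST-as-GET and returns (json, link_values);
    the visited set and page cap keep a looping or hostile server from spinning the client."""
    urls, seen, url = [], set(), delegations_url
    while url and url not in seen and len(seen) < max_pages:
        seen.add(url)
        body, links = post_as_get(url)
        urls.extend(body["delegations"])
        url = next_link(links)
    return urls

def validate_delegation_object(delegation: dict) -> list[str]:
    """Problems with a delegation object (Section 2.3.1.3); empty when it is well formed.
    csr-template is required; cname-map names and values must be FQDNs ending in '.'."""
    errors = [] if "csr-template" in delegation else ["csr-template is required"]
    for name, target in delegation.get("cname-map", {}).items():
        errors += [f"cname-map entry {f!r} lacks the terminating '.'"
                   for f in (name, target) if not f.endswith(".")]
    return errors

def _problem(status: int, type_: str, detail: str) -> tuple[int, dict]:
    return status, {"type": type_, "detail": detail}

def check_star_new_order(account_delegations: dict[str, dict], payload: dict) -> tuple[int, dict]:
    """IdO side: apply the Section 2.3.2 rules to a STAR new-order payload from an NDC.
    account_delegations holds only the requesting account's delegations (URL -> object),
    so a URL configured for some other account is unknown here. Returns (status, body)."""
    url = payload.get("delegation")
    if url not in account_delegations:            # RFC 9115: 403 + unknownDelegation
        return _problem(403, UNKNOWN_DELEGATION, "no such delegation for this account")
    if "notBefore" in payload or "notAfter" in payload:
        return _problem(400, MALFORMED, "notBefore/notAfter are not allowed in a delegated STAR order")
    ar = payload.get("auto-renewal")
    if not isinstance(ar, dict) or ar.get("allow-certificate-get") is not True:
        return _problem(400, MALFORMED, "auto-renewal with allow-certificate-get=true is required")
    # The names this delegation permits are the template's subjectAltName DNS entries.
    template = account_delegations[url].get("csr-template", {})
    san = template.get("extensions", {}).get("subjectAltName", {})
    wanted = {("dns", n) for n in san.get("DNS", [])}
    got = {(i.get("type"), i.get("value")) for i in payload.get("identifiers", [])}
    if got != wanted:                              # every delegated name, and nothing else
        return _problem(400, REJECTED_IDENTIFIER, "identifiers must be exactly: "
                        + ", ".join(sorted(v for _, v in wanted)))
    return 201, {"status": "ready", "authorizations": [],    # order object per Section 2.3.2
                 "identifiers": payload.get("identifiers", []), "auto-renewal": ar,
                 "delegation": url}

# Constructed sample data, reusing the names from the RFC's figures.
DELEGATIONS_URL = "https://acme.ido.example/acme/delegations/adFqoz"
DELEGATION_URL = "https://acme.ido.example/acme/delegation/gm0wfLYHBen"
INDEX_LINK = '<https://acme.ido.example/acme/directory>;rel="index"'
EXAMPLE_DELEGATION = {
    "csr-template": {"extensions": {"subjectAltName": {"DNS": ["abc.ido.example"]},
                                    "keyUsage": ["digitalSignature"], "extendedKeyUsage": ["serverAuth"]}},
    "cname-map": {"abc.ido.example.": "abc.ndc.example."}}
ACCOUNT_DELEGATIONS = {DELEGATION_URL: EXAMPLE_DELEGATION}
_PAGES = {  # the simulated IdO serves the delegations list in two pages
    DELEGATIONS_URL: ({"delegations": ["https://acme.ido.example/acme/delegation/ogfr8EcolOT",
                                       "https://acme.ido.example/acme/delegation/wSi5Lbb61E4"]},
                      [INDEX_LINK, f'<{DELEGATIONS_URL}?cursor=2>;rel="next"']),
    DELEGATIONS_URL + "?cursor=2": ({"delegations": [DELEGATION_URL]}, [INDEX_LINK])}
GOOD_ORDER = {  # the payload of Figure 4
    "identifiers": [{"type": "dns", "value": "abc.ido.example"}],
    "auto-renewal": {"end-date": "2021-04-20T00:00:00Z", "lifetime": 345600,
                     "allow-certificate-get": True},
    "delegation": DELEGATION_URL}

def fake_post_as_get(url: str) -> tuple[dict, list[str]]:
    """Stand-in for the NDC's authenticated POST-as-GET against the simulated IdO."""
    return _PAGES[url]
```
]]></sourcecode> <t indent="0">Keying the lookup by the requesting account's own delegations, rather than by a global table of delegation URLs, is what gives the 403 check its meaning: a URL that is valid for some other NDC account is still unknown to this one, so an NDC cannot order under a delegation it merely knows the address of.</t> <t indent="0">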
The result of the request <bcp14>MUST</bcp14> be a JSON object whose <tt>delegations</tt> field is an array of URLs, each identifying a delegation configuration made available to the NDC account (<xref target="sec-delegation-objects" format="default" sectionFormat="of" derivedContent="Section 2.3.1.3"/>). The server <bcp14>MAY</bcp14> return an incomplete list, along with a <tt>Link</tt> header field with a <tt>next</tt> link relation indicating where further entries can be acquired.</t> <sourcecode name="" type="json" pn="section-2.3.1.2-2"><![CDATA[
HTTP/1.1 200 OK
Content-Type: application/json
Link: <https://acme.ido.example/acme/directory>;rel="index"
Link: <https://acme.ido.example/acme/delegations/adFqoz?cursor=2>;rel="next"

{
  "delegations": [
    "https://acme.ido.example/acme/delegation/ogfr8EcolOT",
    "https://acme.ido.example/acme/delegation/wSi5Lbb61E4",
    /* more URLs not shown for example brevity */
    "https://acme.ido.example/acme/delegation/gm0wfLYHBen"
  ]
}
]]></sourcecode> </section> <section anchor="sec-delegation-objects" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.1.3"> <name slugifiedName="name-delegation-objects">Delegation Objects</name> <t indent="0" pn="section-2.3.1.3-1">This profile extends the ACME resource model with a new read-only <tt>delegation</tt> object that represents a delegation configuration that applies to a given NDC.</t> <t indent="0" pn="section-2.3.1.3-2">A <tt>delegation</tt> object contains the CSR template (see <xref target="sec-csr-template" format="default" sectionFormat="of" derivedContent="Section 4"/>) that applies to that delegation and, optionally, any related CNAME mapping for the delegated 
identifiers. Its structure is as follows:</t> <dl spacing="normal" newline="false" indent="3" pn="section-2.3.1.3-3"> <dt pn="section-2.3.1.3-3.1">csr-template (required, object):</dt> <dd>CSR template, as defined in <xref target="sec-csr-template" format="default" sectionFormat="of" derivedContent="Section 4"/>.</dd> <dt pn="section-2.3.1.3-3.2">cname-map (optional, object):</dt> <dd>A map of FQDN pairs. In each pair, the name is the delegated identifier; the value is the corresponding NDC name that is aliased in the IdO's zone file to redirect the resolvers to the delegated entity. Both names and values <bcp14>MUST</bcp14> be FQDNs with a terminating '.'. This field is only meaningful for identifiers of type <tt>dns</tt>.</dd> </dl> <t indent="0" pn="section-2.3.1.3-4">An example <tt>delegation</tt> object in JSON format is shown in <xref target="fig-configuration-object" format="default" sectionFormat="of" derivedContent="Figure 3"/>.</t> <figure anchor="fig-configuration-object" align="left" suppress-title="false" pn="figure-3"> <name slugifiedName="name-example-delegation-configur">Example Delegation Configuration Object</name> <sourcecode name="" type="json" pn="section-2.3.1.3-5.1"><![CDATA[
{
  "csr-template": {
    "keyTypes": [
      {
        "PublicKeyType": "id-ecPublicKey",
        "namedCurve": "secp256r1",
        "SignatureType": "ecdsa-with-SHA256"
      }
    ],
    "subject": {
      "country": "CA",
      "stateOrProvince": "**",
      "locality": "**"
    },
    "extensions": {
      "subjectAltName": {
        "DNS": [
          "abc.ido.example"
        ]
      },
      "keyUsage": [
        "digitalSignature"
      ],
      "extendedKeyUsage": [
        "serverAuth"
      ]
    }
  },
  "cname-map": {
    "abc.ido.example.": "abc.ndc.example."
  }
}
]]></sourcecode> </figure> <t indent="0" pn="section-2.3.1.3-6">In order to indicate which specific delegation applies to the requested certificate, a new <tt>delegation</tt> attribute is added to the order object on the NDC-IdO side (see Figures <xref target="fig-star-ndc-neworder" format="counter" sectionFormat="of" derivedContent="Figure 4"/> and <xref target="fig-non-star-ndc-neworder" format="counter" sectionFormat="of" derivedContent="Figure 7"/>). The value of this attribute is the URL pointing to the delegation configuration object that is to be used for this certificate request. If the <tt>delegation</tt> attribute in the order object contains a URL that does not correspond to a configuration available to the requesting ACME account, the IdO <bcp14>MUST</bcp14> return an error response with status code 403 (Forbidden), providing a problem document <xref target="RFC7807" format="default" sectionFormat="of" derivedContent="RFC7807"/> with type <tt>urn:ietf:params:acme:error:unknownDelegation</tt>.</t> </section> </section> <section anchor="sec-profile-star-order-journey" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.2"> <name slugifiedName="name-order-object-transmitted-fr">Order Object Transmitted from NDC to IdO and to ACME Server (STAR)</name> <t indent="0" pn="section-2.3.2-1">If the delegation is for a STAR certificate, the request object created by the NDC:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.2-2"> <li pn="section-2.3.2-2.1"><bcp14>MUST</bcp14> have a <tt>delegation</tt> attribute indicating the preconfigured delegation that applies to this order;</li> <li pn="section-2.3.2-2.2"><bcp14>MUST</bcp14> have entries in the <tt>identifiers</tt> field for each delegated name present in the configuration;</li> <li pn="section-2.3.2-2.3"><bcp14>MUST NOT</bcp14> contain the <tt>notBefore</tt> and <tt>notAfter</tt> fields; and</li> <li pn="section-2.3.2-2.4"><bcp14>MUST</bcp14> contain an <tt>auto-renewal</tt> object and, inside it, the fields listed in <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739" section="3.1.1"/>. In particular, the <tt>allow-certificate-get</tt> attribute <bcp14>MUST</bcp14> be present and set to true.</li> </ul> <figure anchor="fig-star-ndc-neworder" align="left" suppress-title="false" pn="figure-4"> <name slugifiedName="name-new-star-order-from-ndc">New STAR Order from NDC</name> <sourcecode name="" type="json" pn="section-2.3.2-3.1"><![CDATA[
POST /acme/new-order HTTP/1.1
Host: acme.ido.example
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg",
    "nonce": "Alc00Ap6Rt7GMkEl3L1JX5",
    "url": "https://acme.ido.example/acme/new-order"
  }),
  "payload": base64url({
    "identifiers": [
      {
        "type": "dns",
        "value": "abc.ido.example"
      }
    ],
    "auto-renewal": {
      "end-date": "2021-04-20T00:00:00Z",
      "lifetime": 345600,            // 4 days
      "allow-certificate-get": true
    },
    "delegation":
      "https://acme.ido.example/acme/delegation/gm0wfLYHBen"
  }),
  "signature": "g454e3hdBlkT4AEw...nKePnUyZTjGtXZ6H"
}
]]></sourcecode> </figure> <t indent="0" pn="section-2.3.2-4">The order object that is created on the IdO:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.2-5"> <li pn="section-2.3.2-5.1"><bcp14>MUST</bcp14> start in the <tt>ready</tt> state;</li> <li pn="section-2.3.2-5.2"><bcp14>MUST</bcp14> contain an <tt>authorizations</tt> array with zero elements;</li> <li pn="section-2.3.2-5.3"><bcp14>MUST</bcp14> contain the indicated 
<tt>delegation</tt> configuration;</li> <lipn="section-2.3.2-5.4">MUSTpn="section-2.3.2-5.4"><bcp14>MUST</bcp14> contain the indicated <tt>auto-renewal</tt>settings;</li>settings; and</li> <lipn="section-2.3.2-5.5">MUST NOTpn="section-2.3.2-5.5"><bcp14>MUST NOT</bcp14> contain the <tt>notBefore</tt> and <tt>notAfter</tt> fields.</li> </ul> <figure anchor="fig-star-ido-order-resource-created" align="left" suppress-title="false" pn="figure-5"> <name slugifiedName="name-star-order-resource-created">STAR Order Resource Created on IdO</name><artwork<sourcecode name=""type="" align="left" alt=""type="json" pn="section-2.3.2-6.1"><![CDATA[ { "status": "ready", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "auto-renewal": { "end-date": "2021-04-20T00:00:00Z", "lifetime": 345600, "allow-certificate-get": true }, "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "authorizations": [], "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize" }]]></artwork>]]></sourcecode> </figure> <t indent="0" pn="section-2.3.2-7">The Order is then finalized by the NDC supplying the CSR containing the delegated identifiers. The IdO checks the provided CSR against the template contained in thedelegation<tt>delegation</tt> object that applies to this request, as described in <xref target="sec-csr-template-syntax" format="default" sectionFormat="of" derivedContent="Section 4.1"/>. If the CSR fails validation for any of the identifiers, the IdOMUST<bcp14>MUST</bcp14> return an error response with status code 403 (Forbidden) and an appropriate type, e.g., <tt>rejectedIdentifier</tt> or <tt>badCSR</tt>. The error responseSHOULD<bcp14>SHOULD</bcp14> contain subproblems(Section 6.7.1 of <xref(<xref target="RFC8555" format="default" sectionFormat="of"derivedContent="RFC8555"/>)derivedContent="RFC8555" section="6.7.1"/>) for each failed identifier. 
If the CSR is successfully validated, theOrderorder object status moves to <tt>processing</tt> and the twin ACME protocol instance is initiated on the IdO-CA side.</t> <t indent="0" pn="section-2.3.2-8">The request object created by the IdO:</t> <ulspacing="compact"spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.2-9"> <lipn="section-2.3.2-9.1">MUSTpn="section-2.3.2-9.1"><bcp14>MUST</bcp14> copy the identifiers sent by the NDC;</li> <lipn="section-2.3.2-9.2">MUSTpn="section-2.3.2-9.2"><bcp14>MUST</bcp14> strip the <tt>delegation</tt>attribute;</li>attribute; and</li> <lipn="section-2.3.2-9.3">MUSTpn="section-2.3.2-9.3"><bcp14>MUST</bcp14> carry a copy of the <tt>auto-renewal</tt> object sent by the NDC.</li> </ul> <t indent="0" pn="section-2.3.2-10">When the identifiers' authorization has been successfully completed and the certificate has been issued by the CA, the IdO:</t> <ulspacing="compact"spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.2-11"> <lipn="section-2.3.2-11.1">MUSTpn="section-2.3.2-11.1"><bcp14>MUST</bcp14> move its Order resource status to<tt>valid</tt>;</li><tt>valid</tt> and</li> <lipn="section-2.3.2-11.2">MUSTpn="section-2.3.2-11.2"><bcp14>MUST</bcp14> copy the <tt>star-certificate</tt> field from the STAR Order returned by the CA into its Order resource. 
When dereferenced, the <tt>star-certificate</tt> URL includes (via theCert-Not-Before<tt>Cert-Not-Before</tt> andCert-Not-After<tt>Cert-Not-After</tt> HTTP header fields) the renewal timers needed by the NDC to inform its certificate reload logic.</li> </ul> <figure anchor="fig-star-ido-order-resource-updated" align="left" suppress-title="false" pn="figure-6"> <name slugifiedName="name-star-order-resource-updated">STAR Order Resource Updated on IdO</name><artwork<sourcecode name=""type="" align="left" alt=""type="json" pn="section-2.3.2-12.1"><![CDATA[ { "status": "valid", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "auto-renewal": { "end-date": "2021-04-20T00:00:00Z", "lifetime": 345600, "allow-certificate-get": true }, "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "authorizations": [], "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize", "star-certificate": "https://acme.ca.example/acme/order/yTr23sSDg9" }]]></artwork>]]></sourcecode> </figure> <t indent="0" pn="section-2.3.2-13">This delegation protocol is predicated on the NDC being able to fetch certificates periodically using an unauthenticated HTTP GET,sincesince, ingeneralgeneral, the NDC does not possess an account on theCA and thereforeCA; as a consequence, it cannot issue the standard POST-as-GET ACME request. Therefore, before forwarding the Order request to the CA, the IdOSHOULD<bcp14>SHOULD</bcp14> ensure that the selected CA supports"unauthenticated GET"unauthenticated GET by inspecting the relevant settings in the CA's<tt>directory</tt>directory object, as perSection 3.4 of<xref target="RFC8739" format="default" sectionFormat="of"derivedContent="RFC8739"/>.derivedContent="RFC8739" section="3.4"/>. If the CA does not support"unauthenticated GET"unauthenticated GET of STAR certificates, the IdOMUST NOT<bcp14>MUST NOT</bcp14> forward the Order request. 
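The IdO-side handling of a delegated new-order, for the STAR case described in this section and the non-STAR case described in the next, as an added Python example that is not code from RFC 9115 or any implementation: it enforces the requirements on the NDC's request, builds the order resource the IdO exposes, checks the CA's directory for unauthenticated GET support and otherwise marks the order invalid. The delegation table, the account and finalize URLs, the CA directory objects and the error types the text does not fix are constructed assumptions.

```python
"""IdO-side handling of a delegated new-order (RFC 9115, Sections 2.3.2 and 2.3.3).

Added example, not code from RFC 9115 or any implementation. The del

egation
table, account and finalize URLs, and the CA directory objects are constructed
sample data; error types the text does not fix are this example's choice.
"""
ERR = "urn:ietf:params:acme:error:"
NDC_ACCOUNT = "https://acme.ido.example/acme/acct/evOfKhNU60wg"
DELEGATION_URL = "https://acme.ido.example/acme/delegation/gm0wfLYHBen"

# Delegation configurations held by the IdO, each bound to the account allowed to
# use it. cname-map keys are the delegated names (FQDNs with a terminating '.');
# the csr-template is left out because it is only checked at finalize time.
DELEGATIONS = {DELEGATION_URL: {"account": NDC_ACCOUNT,
                                "cname-map": {"abc.ido.example.": "abc.ndc.example."}}}

# NDC payloads shaped like Figures 4 and 7, and two CA directory objects: one
# advertising unauthenticated GET for STAR (RFC 8739, Section 3.4) and non-STAR
# certificates, one advertising neither.
STAR_PAYLOAD = {"identifiers": [{"type": "dns", "value": "abc.ido.example"}],
                "auto-renewal": {"end-date": "2021-04-20T00:00:00Z", "lifetime": 345600,
                                 "allow-certificate-get": True},
                "delegation": DELEGATION_URL}
NON_STAR_PAYLOAD = {"identifiers": [{"type": "dns", "value": "abc.ido.example"}],
                    "delegation": DELEGATION_URL, "allow-certificate-get": True}
CA_WITH_GET = {"meta": {"allow-certificate-get": True,
                        "auto-renewal": {"allow-certificate-get": True}}}
CA_WITHOUT_GET = {"meta": {}}


class AcmeError(Exception):
    """Problem document (status, type) the IdO returns instead of an order."""
    def __init__(self, status, err_type, detail):
        super().__init__(detail)
        self.status, self.type = status, ERR + err_type


def validate_ndc_order(payload, account, star):
    """Enforce the MUSTs on the NDC's request; return the delegation it names."""
    config = DELEGATIONS.get(payload.get("delegation"))
    if config is None or config["account"] != account:
        raise AcmeError(403, "unknownDelegation", "delegation not available to this account")
    expected = {("dns", name.rstrip(".")) for name in config["cname-map"]}
    got = {(i.get("type"), i.get("value")) for i in payload.get("identifiers", [])}
    if got != expected:  # every delegated name, and nothing else
        raise AcmeError(403, "rejectedIdentifier", "identifiers do not match the delegation")
    if star:
        if "notBefore" in payload or "notAfter" in payload:
            raise AcmeError(400, "malformed", "STAR orders must not set notBefore/notAfter")
        renewal = payload.get("auto-renewal", {})
        if not isinstance(renewal.get("lifetime"), int):  # required by RFC 8739
            raise AcmeError(400, "malformed", "auto-renewal.lifetime is required")
        if renewal.get("allow-certificate-get") is not True:
            raise AcmeError(400, "malformed", "auto-renewal.allow-certificate-get must be true")
    elif payload.get("allow-certificate-get") is not True:
        raise AcmeError(400, "malformed", "allow-certificate-get must be true")
    return config


def problem_for(payload, account, star):
    """The ACME error type the IdO would return for this payload, or None."""
    try:
        validate_ndc_order(payload, account, star)
    except AcmeError as e:
        return e.type
    return None


def create_ido_order(payload, account, order_id, star):
    """The order resource the IdO exposes to the NDC (Figures 5 and 8)."""
    validate_ndc_order(payload, account, star)
    order = {"status": "ready",  # no authorizations: the delegation replaces them
             "identifiers": [dict(i) for i in payload["identifiers"]],
             "delegation": payload["delegation"], "authorizations": [],
             "finalize": "https://acme.ido.example/acme/order/%s/finalize" % order_id}
    if star:
        order["auto-renewal"] = dict(payload["auto-renewal"])
    else:
        order["allow-certificate-get"] = True
    return order


def forward_to_ca(order, ca_directory, star):
    """Request for the CA with delegation stripped, or None after marking the order invalid."""
    meta = ca_directory.get("meta", {})  # STAR: RFC 8739, Section 3.4; non-STAR: Section 2.3.5
    if (meta.get("auto-renewal", {}) if star else meta).get("allow-certificate-get") is not True:
        order["status"] = "invalid"
        holder = order["auto-renewal"] if star else order
        holder["allow-certificate-get"] = False  # the unambiguous failure signal
        return None
    request = {"identifiers": [dict(i) for i in order["identifiers"]]}
    if star:
        request["auto-renewal"] = dict(order["auto-renewal"])
    else:
        request["allow-certificate-get"] = order["allow-certificate-get"]
    return request


def handle_ndc_order(payload, account, order_id, ca_directory, star):
    """Whole IdO-side flow up to forwarding: (order as seen by the NDC, CA request)."""
    order = create_ido_order(payload, account, order_id, star)
    return order, forward_to_ca(order, ca_directory, star)
```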
Instead, it <bcp14>MUST</bcp14> move the Order status to <tt>invalid</tt> and set the <tt>allow-certificate-get</tt> in the <tt>auto-renewal</tt> object to <tt>false</tt>. The same occurs in case the Order request is forwarded and the CA does not reflect the <tt>allow-certificate-get</tt> setting in its Order resource. The combination of <tt>invalid</tt> status and denied <tt>allow-certificate-get</tt> in the Order resource at the IdO provides an unambiguous (asynchronous) signal to the NDC about the failure reason.</t>
<section anchor="sec-cname-installation" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.2.1">
<name slugifiedName="name-cname-installation">CNAME Installation</name>
<t indent="0" pn="section-2.3.2.1-1">If one of the objects in the <tt>identifiers</tt> list is of type <tt>dns</tt>, the IdO can add the CNAME records specified in the <tt>delegation</tt> object to its zone, for example:</t>
<artwork name="" type="" align="left" alt="" pn="section-2.3.2.1-2"><![CDATA[
abc.ido.example. CNAME abc.ndc.example.
]]></artwork>
</section>
</section>
<section anchor="sec-profile-non-star-order-journey" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.3">
<name slugifiedName="name-order-object-transmitted-fro">Order Object Transmitted from NDC to IdO and to ACME Server (Non-STAR)</name>
<t indent="0" pn="section-2.3.3-1">If the delegation is for a non-STAR certificate, the request object created by the NDC:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.3-2">
<li pn="section-2.3.3-2.1"><bcp14>MUST</bcp14> have a <tt>delegation</tt> attribute indicating the preconfigured delegation that applies to this Order;</li>
<li pn="section-2.3.3-2.2"><bcp14>MUST</bcp14> have entries in the <tt>identifiers</tt> field for each delegated name present in the configuration; and</li>
<li pn="section-2.3.3-2.3"><bcp14>MUST</bcp14> have the <tt>allow-certificate-get</tt> attribute set to true.</li>
</ul>
<figure anchor="fig-non-star-ndc-neworder" align="left" suppress-title="false" pn="figure-7">
<name slugifiedName="name-new-non-star-order-from-ndc">New Non-STAR Order from NDC</name>
<sourcecode name="" type="json" pn="section-2.3.3-3.1"><![CDATA[
POST /acme/new-order HTTP/1.1
Host: acme.ido.example
Content-Type: application/jose+json

{
  "protected": base64url({
    "alg": "ES256",
    "kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg",
    "nonce": "IYBkoQfaCS80UcCn9qH8Gt",
    "url": "https://acme.ido.example/acme/new-order"
  }),
  "payload": base64url({
    "identifiers": [
      {
        "type": "dns",
        "value": "abc.ido.example"
      }
    ],
    "delegation":
      "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
    "allow-certificate-get": true
  }),
  "signature": "j9JBUvMigi4zodud...acYkEKaa8gqWyZ6H"
}
]]></sourcecode>
</figure>
<t indent="0" pn="section-2.3.3-4">The order object that is created on the IdO:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.3-5">
<li pn="section-2.3.3-5.1"><bcp14>MUST</bcp14> start in the <tt>ready</tt> state;</li>
<li pn="section-2.3.3-5.2"><bcp14>MUST</bcp14> contain an <tt>authorizations</tt> array with zero elements;</li>
<li pn="section-2.3.3-5.3"><bcp14>MUST</bcp14> contain the indicated <tt>delegation</tt> configuration; and</li>
<li pn="section-2.3.3-5.4"><bcp14>MUST</bcp14> contain the indicated <tt>allow-certificate-get</tt> setting.</li>
</ul>
<figure anchor="fig-non-star-ido-order-resource-created" align="left" suppress-title="false" pn="figure-8">
<name slugifiedName="name-non-star-order-resource-cre">Non-STAR Order Resource Created on IdO</name>
<sourcecode name="" type="json" pn="section-2.3.3-6.1"><![CDATA[
{
  "status": "ready",
  "expires": "2021-05-01T00:00:00Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "abc.ido.example"
    }
  ],
  "delegation":
    "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
  "allow-certificate-get": true,
  "authorizations": [],
  "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize"
}
]]></sourcecode>
</figure>
<t indent="0" pn="section-2.3.3-7">The Order finalization by the NDC and the subsequent validation of the CSR by the IdO proceed in the same way as for the STAR case. If the CSR is successfully validated, the order object status moves to <tt>processing</tt> and the twin ACME protocol instance is initiated on the IdO-CA side.</t>
<t indent="0" pn="section-2.3.3-8">The request object created by the IdO:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.3-9">
<li pn="section-2.3.3-9.1"><bcp14>MUST</bcp14> copy the identifiers sent by the NDC;</li>
<li pn="section-2.3.3-9.2"><bcp14>MUST</bcp14> strip the <tt>delegation</tt> attribute; and</li>
<li pn="section-2.3.3-9.3"><bcp14>MUST</bcp14> copy the <tt>allow-certificate-get</tt> attribute.</li>
</ul>
<t indent="0" pn="section-2.3.3-10">When the identifiers' authorization has been successfully completed and the certificate has been issued by the CA, the IdO:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.3.3-11">
<li pn="section-2.3.3-11.1"><bcp14>MUST</bcp14> move its Order resource status to <tt>valid</tt> and</li>
<li pn="section-2.3.3-11.2"><bcp14>MUST</bcp14> copy the <tt>certificate</tt> field from the Order returned by the CA into its Order resource, as well as <tt>notBefore</tt> and <tt>notAfter</tt> if these fields exist.</li>
</ul>
<figure anchor="fig-non-star-ido-order-resource-updated" align="left" suppress-title="false" pn="figure-9">
<name slugifiedName="name-non-star-order-resource-upd">Non-STAR Order Resource Updated on IdO</name>
<sourcecode name="" type="json" pn="section-2.3.3-12.1"><![CDATA[
{
  "status": "valid",
  "expires": "2021-05-01T00:00:00Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "abc.ido.example"
    }
  ],
  "delegation":
    "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
  "allow-certificate-get": true,
  "authorizations": [],
  "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize",
  "certificate": "https://acme.ca.example/acme/order/YtR23SsdG9"
}
]]></sourcecode>
</figure>
<t indent="0" pn="section-2.3.3-13">At this point of the protocol flow, the same considerations as in <xref target="sec-cname-installation" format="default" sectionFormat="of" derivedContent="Section 2.3.2.1"/> apply.</t>
<t indent="0" pn="section-2.3.3-14">Before forwarding the Order request to the CA, the IdO <bcp14>SHOULD</bcp14> ensure that the selected CA supports unauthenticated GET by inspecting the relevant settings in the CA's directory object, as per <xref target="sec-nego-allow-cert-get" format="default" sectionFormat="of" derivedContent="Section 2.3.5"/>. If the CA does not support unauthenticated GET of certificate resources, the IdO <bcp14>MUST NOT</bcp14> forward the Order request. Instead, it <bcp14>MUST</bcp14> move the Order status to <tt>invalid</tt> and set the <tt>allow-certificate-get</tt> attribute to <tt>false</tt>. The same occurs in case the Order request is forwarded and the CA does not reflect the <tt>allow-certificate-get</tt> setting in its Order resource.
The combination of <tt>invalid</tt> status and denied <tt>allow-certificate-get</tt> in the Order resource at the IdO provides an unambiguous (asynchronous) signal to the NDC about the failure reason.</t>
</section>
<section anchor="capability-discovery" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.4">
<name slugifiedName="name-capability-discovery">Capability Discovery</name>
<t indent="0" pn="section-2.3.4-1">In order to help a client discover support for this profile, the directory object of an ACME server (typically, one deployed by the IdO) contains the following attribute in the <tt>meta</tt> field:</t>
<dl spacing="compact" newline="false" indent="3" pn="section-2.3.4-2">
<dt pn="section-2.3.4-2.1">delegation-enabled (optional, boolean):</dt>
<dd>Boolean flag indicating support for the profile specified in this memo. An ACME server that supports this delegation profile <bcp14>MUST</bcp14> include this key and <bcp14>MUST</bcp14> set it to true.</dd>
</dl>
<t indent="0" pn="section-2.3.4-3">The IdO <bcp14>MUST</bcp14> declare its support for delegation using <tt>delegation-enabled</tt> regardless of whether it supports delegation of STAR certificates, non-STAR certificates, or both.</t>
<t indent="0" pn="section-2.3.4-4">In order to help a client discover support for certificate fetching using unauthenticated HTTP GET, the directory object of an ACME server (typically, one deployed by the CA) contains the following attribute in the <tt>meta</tt> field:</t>
<dl spacing="compact" newline="false" indent="3" pn="section-2.3.4-5">
<dt pn="section-2.3.4-5.1">allow-certificate-get (optional, boolean):</dt>
<dd>See <xref target="sec-nego-allow-cert-get" format="default" sectionFormat="of" derivedContent="Section 2.3.5"/>.</dd>
</dl>
</section>
<section anchor="sec-nego-allow-cert-get" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.5">
<name slugifiedName="name-negotiating-an-unauthentica">Negotiating an Unauthenticated GET</name>
<t indent="0" pn="section-2.3.5-1">In order to enable the name delegation of non-STAR certificates, this document defines a mechanism that allows a server to advertise support for accessing certificate resources via unauthenticated GET (in addition to POST-as-GET) and a client to enable this service with per-Order granularity.</t>
<t indent="0" pn="section-2.3.5-2">It is worth pointing out that the protocol elements described in this section have the same names and semantics as those introduced in <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739" section="3.4"/> for the STAR use case (except, of course, they apply to the certificate resource rather than the star-certificate resource). However, they differ in terms of their position in the directory meta and order objects; rather than being wrapped in an <tt>auto-renewal</tt> subobject, they are located at the top level.</t>
<t anchor="capability-metadata" indent="0" pn="section-2.3.5-3">A server states its availability to grant unauthenticated access to a client's Order certificate by setting the <tt>allow-certificate-get</tt> attribute to <tt>true</tt> in the <tt>meta</tt> field inside the directory object:</t>
<dl spacing="compact" newline="false" indent="3" pn="section-2.3.5-4">
<dt pn="section-2.3.5-4.1">allow-certificate-get (optional, boolean):</dt>
<dd>If this field is present and set to <tt>true</tt>, the server allows GET (and HEAD) requests to certificate URLs.</dd>
</dl>
<t indent="0" pn="section-2.3.5-5">A client states its desire to access the issued certificate via unauthenticated GET by adding an <tt>allow-certificate-get</tt> attribute to the payload of its newOrder request and setting it to <tt>true</tt>.</t>
<dl spacing="compact" newline="false" indent="3" pn="section-2.3.5-6">
<dt pn="section-2.3.5-6.1">allow-certificate-get (optional, boolean):</dt>
<dd>If this field is present and set to <tt>true</tt>, the client requests the server to allow unauthenticated GET (and HEAD) to the certificate associated with this Order.</dd>
</dl>
<t indent="0" pn="section-2.3.5-7">If the server accepts the request, it <bcp14>MUST</bcp14> reflect the attribute setting in the resulting order object.</t>
<t indent="0" pn="section-2.3.5-8">Note that even when the use of unauthenticated GET has been agreed upon, the server <bcp14>MUST</bcp14> also allow POST-as-GET requests to the certificate resource.</t>
</section>
<section anchor="terminating-the-delegation" numbered="true" toc="include" removeInRFC="false" pn="section-2.3.6">
<name slugifiedName="name-terminating-the-delegation">Terminating the Delegation</name>
<t indent="0" pn="section-2.3.6-1">Identity delegation is terminated differently depending on whether or not this is a STAR certificate.</t>
<section anchor="by-cancellation-star" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.6.1">
<name slugifiedName="name-by-cancellation-star">By Cancellation (STAR)</name>
<t indent="0" pn="section-2.3.6.1-1">The IdO can terminate the delegation of a STAR certificate by requesting its cancellation (see <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739" section="3.1.2"/>).</t>
<t indent="0" pn="section-2.3.6.1-2">Cancellation of the ACME STAR certificate is a prerogative of the IdO. The NDC does not own the relevant account key on the CA; therefore, it can't issue a cancellation request for the STAR certificate. Potentially, since it holds the STAR certificate's private key, it could request the revocation of a single STAR certificate. However, STAR explicitly disables the revokeCert interface.</t>
<t indent="0" pn="section-2.3.6.1-3">Shortly after the automatic renewal process is stopped by the IdO, the last issued STAR certificate expires and the delegation terminates.</t>
</section>
<section anchor="by-revocation-non-star" numbered="true" toc="exclude" removeInRFC="false" pn="section-2.3.6.2">
<name slugifiedName="name-by-revocation-non-star">By Revocation (Non-STAR)</name>
<t indent="0" pn="section-2.3.6.2-1">The IdO can terminate the delegation of a non-STAR certificate by requesting it to be revoked using the <tt>revokeCert</tt> URL exposed by the CA.</t>
<t indent="0" pn="section-2.3.6.2-2">According to <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555" section="7.6"/>, the revocation endpoint can be used with either the account key pair or the certificate key pair. In other words, an NDC that learns the <tt>revokeCert</tt> URL of the CA (which is publicly available via the CA's directory object) would be able to revoke the certificate using the associated private key. However, given the trust relationship between the NDC and IdO expected by the delegation trust model (<xref target="sec-trust-model" format="default" sectionFormat="of" derivedContent="Section 7.1"/>), as well as the lack of incentives for the NDC to prematurely terminate the delegation, this does not represent a significant security risk.</t>
</section>
</section>
</section>
<section anchor="proxy-behavior" numbered="true" toc="include" removeInRFC="false" pn="section-2.4">
<name slugifiedName="name-proxy-behavior">Proxy Behavior</name>
<t indent="0" pn="section-2.4-1">There are cases where the ACME Delegation flow should be proxied, such as the use case described in <xref target="sec-cdni-dele" format="default" sectionFormat="of" derivedContent="Section 5.1.2"/>. This section describes the behavior of such proxies.</t>
<t indent="0" pn="section-2.4-2">An entity implementing the IdO server role (an "ACME Delegation server") may behave, on a per-identity case, either as a proxy into another ACME Delegation server or as an IdO and obtain a certificate directly.
The determining factor is whether it can successfully be authorized by the next-hop ACME server for the identity associated with the certificate request.</t>
<t indent="0" pn="section-2.4-3">The identities supported by each server and the disposition for each of them are preconfigured.</t>
<t indent="0" pn="section-2.4-4">Following is the proxy's behavior for each of the messages exchanged in the ACME Delegation process:</t>
<dl spacing="compact" newline="true" indent="3" pn="section-2.4-5">
<dt pn="section-2.4-5.1">New-order request:</dt>
<dd>
<ul spacing="compact" bare="false" empty="false" indent="3" pn="section-2.4-5.1.2">
<li pn="section-2.4-5.1.2.1">The complete <tt>identifiers</tt> attribute <bcp14>MUST</bcp14> be copied as is.</li>
<li pn="section-2.4-5.1.2.2">Similarly, the <tt>auto-renewal</tt> object <bcp14>MUST</bcp14> be copied as is.</li>
</ul>
</dd>
<dt pn="section-2.4-5.2">New-order response:</dt>
<dd>
<ul spacing="compact" bare="false" empty="false" indent="3" pn="section-2.4-5.2.2">
<li pn="section-2.4-5.2.2.1">The <tt>status</tt>, <tt>expires</tt>, <tt>authorizations</tt>, <tt>identifiers</tt>, and <tt>auto-renewal</tt> attributes/objects <bcp14>MUST</bcp14> be copied as is.</li>
<li pn="section-2.4-5.2.2.2">The <tt>finalize</tt> URL is rewritten so that the <tt>finalize</tt> request will be made to the proxy.</li>
<li pn="section-2.4-5.2.2.3">Similarly, the <tt>Location</tt> header <bcp14>MUST</bcp14> be rewritten to point to an order object on the proxy.</li>
<li pn="section-2.4-5.2.2.4">Any <tt>Link</tt> relations <bcp14>MUST</bcp14> be rewritten to point to the proxy.</li>
</ul>
</dd>
<dt pn="section-2.4-5.3">Get Order response:</dt>
<dd>
<ul spacing="compact" bare="false" empty="false" indent="3" pn="section-2.4-5.3.2">
<li pn="section-2.4-5.3.2.1">The <tt>status</tt>, <tt>expires</tt>, <tt>authorizations</tt>, <tt>identifiers</tt>, and <tt>auto-renewal</tt> attributes/objects <bcp14>MUST</bcp14> be copied as is.</li>
<li pn="section-2.4-5.3.2.2">Similarly, the <tt>star-certificate</tt> URL (or the <tt>certificate</tt> URL in case of non-STAR requests) <bcp14>MUST</bcp14> be copied as is.</li>
<li pn="section-2.4-5.3.2.3">The <tt>finalize</tt> URL is rewritten so that the <tt>finalize</tt> request will be made to the proxy.</li>
<li pn="section-2.4-5.3.2.4">The <tt>Location</tt> header <bcp14>MUST</bcp14> be rewritten to point to an order object on the proxy.</li>
<li pn="section-2.4-5.3.2.5">Any <tt>Link</tt> relations <bcp14>MUST</bcp14> be rewritten to point to the proxy.</li>
</ul>
</dd>
<dt pn="section-2.4-5.4"><tt>finalize</tt> request:</dt>
<dd>
<ul spacing="compact" bare="false" empty="false" indent="3" pn="section-2.4-5.4.2">
<li pn="section-2.4-5.4.2.1">The CSR <bcp14>MUST</bcp14> be copied as is.</li>
</ul>
</dd>
<dt pn="section-2.4-5.5"><tt>finalize</tt> response:</dt>
<dd>
<ul spacing="compact" bare="false" empty="false" indent="3" pn="section-2.4-5.5.2">
<li pn="section-2.4-5.5.2.1">The <tt>Location</tt> header, <tt>Link</tt> relations, and the <tt>finalize</tt> URLs are rewritten as for Get Order.</li>
</ul>
</dd>
</dl>
<t indent="0" pn="section-2.4-6">We note that all the above messages are authenticated; therefore, each proxy must be able to authenticate any subordinate server.</t>
</section>
</section>
<section anchor="sec-ca-behavior" numbered="true" toc="include" removeInRFC="false" pn="section-3">
<name slugifiedName="name-ca-behavior">CA Behavior</name>
<t indent="0" pn="section-3-1">Although most of this document, and in particular <xref target="sec-protocol-flow" format="default" sectionFormat="of" derivedContent="Section 2"/>, is focused on the protocol between the NDC and IdO, the protocol does affect the ACME server running in the CA. A CA that wishes to support certificate delegation <bcp14>MUST</bcp14> also support unauthenticated certificate fetching, which it declares using <tt>allow-certificate-get</tt> (<xref target="capability-metadata" format="default" sectionFormat="of" derivedContent="Section 2.3.5, Paragraph 3"/>).</t>
</section>
<section anchor="sec-csr-template" numbered="true" toc="include" removeInRFC="false" pn="section-4">
<name slugifiedName="name-csr-template">CSR Template</name>
<t indent="0" pn="section-4-1">The CSR template is used to express and constrain the shape of the CSR that the NDC uses to request the certificate. The CSR is used for every certificate created under the same delegation. Its validation by the IdO is a critical element in the security of the whole delegation mechanism.</t>
<t indent="0" pn="section-4-2">Instead of defining every possible CSR attribute, this document takes a minimalist approach by declaring only the minimum attribute set and deferring the registration of further, more-specific attributes to future documents.</t>
<section anchor="sec-csr-template-syntax" numbered="true" toc="include" removeInRFC="false" pn="section-4.1">
<name slugifiedName="name-template-syntax">Template Syntax</name>
<t indent="0" pn="section-4.1-1">The template is a JSON document. Each field (with the exception of <tt>keyTypes</tt>, see below) denotes one of the following:</t>
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-4.1-2">
<li pn="section-4.1-2.1">A mandatory field where the template specifies the literal value of that field. This is denoted by a literal string, such as <tt>abc.ido.example</tt>.</li>
<li pn="section-4.1-2.2">A mandatory field where the content of the field is defined by the client. This is denoted by <tt>**</tt>.</li>
<li pn="section-4.1-2.3">An optional field where the client decides whether the field is included in the CSR and, if so, what its value is. This is denoted by <tt>*</tt>.</li>
</ul>
<t indent="0" pn="section-4.1-3">The NDC <bcp14>MUST NOT</bcp14> include any fields in the CSR, including any extensions, unless they are specified in the template.</t>
<t indent="0" pn="section-4.1-4">The structure of the template object is defined by the Concise Data Definition Language (CDDL) <xref target="RFC8610" format="default" sectionFormat="of" derivedContent="RFC8610"/> document in <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/>. An alternative, nonnormative JSON Schema syntax is given in <xref target="csr-template-schema" format="default" sectionFormat="of" derivedContent="Appendix C"/>. While the CSR template must follow the syntax defined here, neither the IdO nor the NDC are expected to validate it at runtime.</t>
<t indent="0" pn="section-4.1-5">The <tt>subject</tt> field and its subfields are mapped into the <tt>subject</tt> field of the CSR, as per <xref target="RFC5280" format="default" sectionFormat="of" derivedContent="RFC5280" section="4.1.2.6"/>. Other extension fields of the CSR template are mapped into the CSR according to the table in <xref target="csr-template-registry" format="default" sectionFormat="of" derivedContent="Section 6.5"/>.</t>
<t indent="0" pn="section-4.1-6">The <tt>subjectAltName</tt> field is currently defined for the following identifiers: DNS names, email addresses, and URIs. New identifier types may be added in the future by documents that extend this specification. Each new identifier type <bcp14>SHALL</bcp14> have an associated identifier validation challenge that the CA can use to obtain proof of the requester's control over it.</t>
<t indent="0" pn="section-4.1-7">The <tt>keyTypes</tt> property is not copied into the CSR. Instead, this property constrains the <tt>SubjectPublicKeyInfo</tt> field of the CSR, which <bcp14>MUST</bcp14> have the type/size defined by one of the array members of the <tt>keyTypes</tt> property.</t>
<t indent="0" pn="section-4.1-8">When the IdO receives the CSR, it <bcp14>MUST</bcp14> verify that the CSR is consistent with the template contained in the <tt>delegation</tt> object referenced in the Order. The IdO <bcp14>MAY</bcp14> enforce additional constraints, e.g., by restricting field lengths. In this regard, note that a <tt>subjectAltName</tt> of type <tt>DNS</tt> can be specified using the wildcard notation, meaning that the NDC can be required (<tt>**</tt>) or offered the possibility (<tt>*</tt>) to define the delegated domain name by itself.
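A check of a parsed CSR against a CSR template following the rules of this section (literal value, required client-defined value, optional value, the keyTypes constraint and the ban on fields outside the template), with the local-policy hook for DNS names the NDC chooses itself, as an added Python example that is not code from RFC 9115 or any implementation. It assumes the CSR has already been parsed into a plain structure (subject, extensions, public key and signature algorithm); the template, the CSR and the policy function are constructed.

```python
"""Checking a CSR against an RFC 9115 CSR template (Section 4.1).

Added example, not code from RFC 9115 or any implementation. The CSR is taken
as an already parsed structure (a real IdO would extract these fields from the
PKCS#10 object); the template, CSR and local-policy check are constructed.
"""
REQUIRED, OPTIONAL = "**", "*"

# Constructed template: the Figure 10 example plus one optional NDC-chosen name.
TEMPLATE = {
    "keyTypes": [
        {"PublicKeyType": "rsaEncryption", "PublicKeyLength": 2048,
         "SignatureType": "sha256WithRSAEncryption"},
        {"PublicKeyType": "id-ecPublicKey", "namedCurve": "secp256r1",
         "SignatureType": "ecdsa-with-SHA256"},
    ],
    "subject": {"country": "CA", "stateOrProvince": "**", "locality": "**"},
    "extensions": {
        "subjectAltName": {"DNS": ["abc.ido.example", "*"]},
        "keyUsage": ["digitalSignature"],
        "extendedKeyUsage": ["serverAuth", "clientAuth"],
    },
}

# Constructed parsed CSR that satisfies the template above.
CSR_OK = {
    "subject": {"country": "CA", "stateOrProvince": "Ontario", "locality": "Toronto"},
    "extensions": {
        "subjectAltName": {"DNS": ["abc.ido.example", "img.ido.example"]},
        "keyUsage": ["digitalSignature"],
        "extendedKeyUsage": ["serverAuth", "clientAuth"],
    },
    "publicKey": {"PublicKeyType": "id-ecPublicKey", "namedCurve": "secp256r1"},
    "signatureAlgorithm": "ecdsa-with-SHA256",
}


def ido_policy(name):
    """Constructed local policy: NDC-chosen names must sit inside the IdO's zone."""
    return name.endswith(".ido.example") and "*" not in name


def check_fields(template, actual, where):
    """Apply the literal / ** / * rules to one flat name-to-value mapping."""
    problems = []
    for field, rule in template.items():
        value = actual.get(field)
        if rule == OPTIONAL:
            continue  # the client decides whether to include it
        if value is None:
            problems.append("%s.%s missing" % (where, field))
        elif rule != REQUIRED and value != rule:
            problems.append("%s.%s must be %r" % (where, field, rule))
    problems += ["%s.%s not in template" % (where, f) for f in actual if f not in template]
    return problems


def check_san_names(rule_list, names, policy, where):
    """Match a SAN list: literals must appear; ** and * slots take NDC-chosen names."""
    literals = [r for r in rule_list if r not in (REQUIRED, OPTIONAL)]
    chosen = [n for n in names if n not in literals]
    problems = ["%s %s missing" % (where, lit) for lit in literals if lit not in names]
    required = rule_list.count(REQUIRED)
    allowed = required + rule_list.count(OPTIONAL)
    if len(chosen) not in range(required, allowed + 1):
        problems.append("%s: %d NDC-chosen names, template allows %d..%d"
                        % (where, len(chosen), required, allowed))
    # Names the NDC picked itself must also pass the IdO's application-specific checks.
    problems += ["%s %s rejected by local policy" % (where, n) for n in chosen if not policy(n)]
    return problems


def check_key_type(key_types, csr):
    """SubjectPublicKeyInfo and signature must match one keyTypes member."""
    for kt in key_types:
        params = {k: v for k, v in kt.items() if k != "SignatureType"}
        if csr["publicKey"] == params and csr["signatureAlgorithm"] == kt["SignatureType"]:
            return []
    return ["public key / signature type not allowed by keyTypes"]


def check_csr(template, csr, policy=ido_policy):
    """Return the template violations; an empty list means the CSR is acceptable."""
    problems = check_key_type(template["keyTypes"], csr)
    problems += check_fields(template.get("subject", {}), csr.get("subject", {}), "subject")
    t_ext, c_ext = template.get("extensions", {}), csr.get("extensions", {})
    problems += ["extension %s not in template" % e for e in c_ext if e not in t_ext]
    for ext, rule in t_ext.items():
        actual = c_ext.get(ext) or ({} if ext == "subjectAltName" else [])
        if ext == "subjectAltName":
            for san_type, rule_list in rule.items():
                problems += check_san_names(rule_list, actual.get(san_type, []), policy,
                                            "subjectAltName.%s" % san_type)
            problems += ["subjectAltName.%s not in template" % t for t in actual if t not in rule]
        elif sorted(actual) != sorted(rule):  # a literal list must match exactly
            problems.append("%s must be %s" % (ext, rule))
    return problems
```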
When the template leaves the domain name to the NDC, the IdO <bcp14>MUST</bcp14> apply application-specific checks on top of the control rules already provided by the CSR template to ensure the requested domain name is legitimate according to its local policy.</t> </section> <section anchor="example" numbered="true" toc="include" removeInRFC="false" pn="section-4.2"> <name slugifiedName="name-example">Example</name> <t indent="0" pn="section-4.2-1">The CSR template in <xref target="fig-csr-template" format="default" sectionFormat="of" derivedContent="Figure 10"/> represents one possible CSR template governing the delegation exchanges provided in the rest of this document.</t> <figure anchor="fig-csr-template" align="left" suppress-title="false" pn="figure-10"> <name slugifiedName="name-example-csr-template">Example CSR Template</name> <sourcecode name="" type="json" pn="section-4.2-2.1"><![CDATA[
{
  "keyTypes": [
    {
      "PublicKeyType": "rsaEncryption",
      "PublicKeyLength": 2048,
      "SignatureType": "sha256WithRSAEncryption"
    },
    {
      "PublicKeyType": "id-ecPublicKey",
      "namedCurve": "secp256r1",
      "SignatureType": "ecdsa-with-SHA256"
    }
  ],
  "subject": {
    "country": "CA",
    "stateOrProvince": "**",
    "locality": "**"
  },
  "extensions": {
    "subjectAltName": {
      "DNS": [
        "abc.ido.example"
      ]
    },
    "keyUsage": [
      "digitalSignature"
    ],
    "extendedKeyUsage": [
      "serverAuth",
      "clientAuth"
    ]
  }
}
]]></sourcecode> </figure> </section> </section> <section anchor="further-use-cases" numbered="true" toc="include" removeInRFC="false" pn="section-5"> <name slugifiedName="name-further-use-cases">Further Use Cases</name> <t indent="0" pn="section-5-1">This nonnormative section describes additional use cases implementing the STAR certificate delegation in nontrivial ways.</t> <section anchor="cdn-interconnection-cdni" numbered="true" toc="include" removeInRFC="false" pn="section-5.1"> <name slugifiedName="name-cdn-interconnection-cdni">CDN Interconnection
(CDNI)</name> <t indent="0" pn="section-5.1-1"><xref target="I-D.ietf-cdni-interfaces-https-delegation" format="default" sectionFormat="of" derivedContent="I-D.ietf-cdni-interfaces-https-delegation"/> discusses several solutions addressing different delegation requirements for the CDN Interconnection (CDNI) environment. This section discusses two of the stated requirements in the context of the STAR delegation workflow.</t> <t indent="0" pn="section-5.1-2">This section uses specific CDNI terminology, e.g., Upstream CDN (uCDN) and Downstream CDN (dCDN), as defined in <xref target="RFC7336" format="default" sectionFormat="of" derivedContent="RFC7336"/>.</t> <section anchor="multiple-parallel-delegates" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.1"> <name slugifiedName="name-multiple-parallel-delegates">Multiple Parallel Delegates</name> <t indent="0" pn="section-5.1.1-1">In some cases, the content owner (IdO) would like to delegate authority over a website to multiple NDCs (CDNs). This could happen if the IdO has agreements in place with different regional CDNs for different geographical regions or if a "backup" CDN is used to handle overflow traffic by temporarily altering some of the CNAME mappings in place. The STAR delegation flow enables this use case naturally, since each CDN can authenticate separately to the IdO (via its own separate account) specifying its CSR, and the IdO is free to allow or deny each certificate request according to its own policy.</t> </section> <section anchor="sec-cdni-dele" numbered="true" toc="include" removeInRFC="false" pn="section-5.1.2"> <name slugifiedName="name-chained-delegation">Chained Delegation</name> <t indent="0" pn="section-5.1.2-1">In other cases, a content owner (IdO) delegates some domains to a large CDN (uCDN), which in turn delegates to a smaller regional CDN (dCDN).
The IdO has a contractual relationship with uCDN, and uCDN has a similar relationship with dCDN. However, IdO may not even know about dCDN.</t> <t indent="0" pn="section-5.1.2-2">If needed, the STAR protocol can be chained to support this use case: uCDN could forward requests from dCDN to IdO and forward responses back to dCDN. Whether such proxying is allowed is governed by policy and contracts between the parties.</t> <t indent="0" pn="section-5.1.2-3">A mechanism is necessary at the interface between uCDN and dCDN, by which the uCDN can advertise:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-5.1.2-4"> <li pn="section-5.1.2-4.1">the names that the dCDN is allowed to use and</li> <li pn="section-5.1.2-4.2">the policy for creating the key material (allowed algorithms, minimum key lengths, key usage, etc.) that the dCDN needs to satisfy.</li> </ul> <t indent="0" pn="section-5.1.2-5">Note that such a mechanism is provided by the CSR template.</t> <section anchor="two-level-delegation-in-cdni" numbered="true" toc="exclude" removeInRFC="false" pn="section-5.1.2.1"> <name slugifiedName="name-two-level-delegation-in-cdn">Two-Level Delegation in CDNI</name> <t indent="0" pn="section-5.1.2.1-1">A User Agent (UA), e.g., a browser or set-top box, wants to fetch the video resource at the following URI: <tt>https://video.cp.example/movie</tt>.
Redirection between the content provider (CP) and the upstream and downstream CDNs is arranged as a CNAME-based aliasing chain, as illustrated in <xref target="fig-cdni-dns-redirection" format="default" sectionFormat="of" derivedContent="Figure 11"/>.</t> <figure anchor="fig-cdni-dns-redirection" align="left" suppress-title="false" pn="figure-11"> <name slugifiedName="name-dns-redirection">DNS Redirection</name> <artset pn="section-5.1.2.1-2.1"> <artwork type="svg" name="" align="left" alt="" pn="section-5.1.2.1-2.1.1"><svg xmlns="http://www.w3.org/2000/svg" class="diagram" version="1.1" height="489" width="520" viewBox="0 0 780.0 489.0"> <g transform="translate(8,16)"> <path d="M 400,16 L 488,16" fill="none" stroke="black"/> <path d="M 400,32 L 448,32" fill="none" stroke="black"/> <path d="M 120,48 L 392,48" fill="none" stroke="black"/> <path d="M 152,80 L 400,80" fill="none" stroke="black"/> <path d="M 400,96 L 448,96" fill="none" stroke="black"/> <path d="M 400,112 L 488,112" fill="none" stroke="black"/> <path d="M 16,160 L 96,160" fill="none" stroke="black"/> <path d="M 112,160 L 128,160" fill="none" stroke="black"/> <path d="M 144,160 L 152,160" fill="none" stroke="black"/> <path d="M 400,160 L 488,160" fill="none" stroke="black"/> <path d="M 40,176 L 88,176" fill="none" stroke="black"/> <path d="M 88,176 L 104,176" fill="none" stroke="black"/> <path d="M 104,176 L 152,176" fill="none" stroke="black"/> <path d="M 400,176 L 448,176" fill="none" stroke="black"/> <path d="M 152,192 L 392,192" fill="none" stroke="black"/> <path d="M 160,224 L 400,224" fill="none" stroke="black"/> <path d="M 40,240 L 64,240" fill="none" stroke="black"/> <path d="M 64,240 L 88,240" fill="none" stroke="black"/> <path d="M 88,240 L 136,240" fill="none" stroke="black"/> <path d="M 136,240 L 152,240" fill="none" stroke="black"/> <path d="M 400,240 L 448,240" fill="none" stroke="black"/> <path d="M 16,256 L 56,256" fill="none" stroke="black"/> <path d="M 
72,256 L 96,256" fill="none" stroke="black"/> <path d="M 112,256 L 128,256" fill="none" stroke="black"/> <path d="M 144,256 L 152,256" fill="none" stroke="black"/> <path d="M 400,256 L 488,256" fill="none" stroke="black"/> <path d="M 400,304 L 488,304" fill="none" stroke="black"/> <path d="M 400,320 L 448,320" fill="none" stroke="black"/> <path d="M 152,336 L 392,336" fill="none" stroke="black"/> <path d="M 120,368 L 400,368" fill="none" stroke="black"/> <path d="M 400,384 L 448,384" fill="none" stroke="black"/> <path d="M 80,416 L 392,416" fill="none" stroke="black"/> <path d="M 400,448 L 448,448" fill="none" stroke="black"/> <path d="M 400,464 L 488,464" fill="none" stroke="black"/> <path d="M 0,176 L 0,240" fill="none" stroke="black"/> <path d="M 40,176 L 40,240" fill="none" stroke="black"/> <path d="M 64,240 L 64,400" fill="none" stroke="black"/> <path d="M 88,176 L 88,240" fill="none" stroke="black"/> <path d="M 104,64 L 104,176" fill="none" stroke="black"/> <path d="M 104,256 L 104,352" fill="none" stroke="black"/> <path d="M 136,96 L 136,160" fill="none" stroke="black"/> <path d="M 136,240 L 136,320" fill="none" stroke="black"/> <path d="M 152,176 L 152,192" fill="none" stroke="black"/> <path d="M 152,192 L 152,240" fill="none" stroke="black"/> <path d="M 168,200 L 168,216" fill="none" stroke="black"/> <path d="M 384,56 L 384,72" fill="none" stroke="black"/> <path d="M 384,200 L 384,216" fill="none" stroke="black"/> <path d="M 384,344 L 384,360" fill="none" stroke="black"/> <path d="M 384,384 L 384,400" fill="none" stroke="black"/> <path d="M 384,432 L 384,448" fill="none" stroke="black"/> <path d="M 400,32 L 400,80" fill="none" stroke="black"/> <path d="M 400,80 L 400,96" fill="none" stroke="black"/> <path d="M 400,176 L 400,224" fill="none" stroke="black"/> <path d="M 400,224 L 400,240" fill="none" stroke="black"/> <path d="M 400,320 L 400,368" fill="none" stroke="black"/> <path d="M 400,368 L 400,384" fill="none" stroke="black"/> <path d="M 400,384 L 
400,448" fill="none" stroke="black"/> <path d="M 448,32 L 448,96" fill="none" stroke="black"/> <path d="M 448,176 L 448,240" fill="none" stroke="black"/> <path d="M 448,320 L 448,384" fill="none" stroke="black"/> <path d="M 448,384 L 448,448" fill="none" stroke="black"/> <path d="M 504,32 L 504,96" fill="none" stroke="black"/> <path d="M 504,176 L 504,240" fill="none" stroke="black"/> <path d="M 504,320 L 504,448" fill="none" stroke="black"/> <path d="M 168,176 L 168,184" fill="none" stroke="black"/> <path d="M 168,200 L 168,208" fill="none" stroke="black"/> <path d="M 168,232 L 168,240" fill="none" stroke="black"/> <path d="M 384,32 L 384,40" fill="none" stroke="black"/> <path d="M 384,56 L 384,64" fill="none" stroke="black"/> <path d="M 384,88 L 384,96" fill="none" stroke="black"/> <path d="M 384,176 L 384,184" fill="none" stroke="black"/> <path d="M 384,200 L 384,208" fill="none" stroke="black"/> <path d="M 384,232 L 384,240" fill="none" stroke="black"/> <path d="M 384,320 L 384,328" fill="none" stroke="black"/> <path d="M 384,344 L 384,352" fill="none" stroke="black"/> <path d="M 384,376 L 384,384" fill="none" stroke="black"/> <path d="M 384,400 L 384,408" fill="none" stroke="black"/> <path d="M 384,424 L 384,432" fill="none" stroke="black"/> <path d="M 104,248 L 104,256" fill="none" stroke="black"/> <polygon points="120.000000,256.000000 108.000000,250.399994 108.000000,261.600006" transform="rotate(270.000000, 104.000000, 256.000000)" fill="black"/> <path d="M 136,160 L 136,168" fill="none" stroke="black"/> <polygon points="152.000000,160.000000 140.000000,154.399994 140.000000,165.600006" transform="rotate(90.000000, 136.000000, 160.000000)" fill="black"/> <polygon points="168.000000,224.000000 156.000000,218.399994 156.000000,229.600006" transform="rotate(180.000000, 160.000000, 224.000000)" fill="black"/> <polygon points="400.000000,48.000000 388.000000,42.400002 388.000000,53.599998" transform="rotate(0.000000, 392.000000, 48.000000)" fill="black"/> 
<polygon points="400.000000,192.000000 388.000000,186.399994 388.000000,197.600006" transform="rotate(0.000000, 392.000000, 192.000000)" fill="black"/> <polygon points="400.000000,336.000000 388.000000,330.399994 388.000000,341.600006" transform="rotate(0.000000, 392.000000, 336.000000)" fill="black"/> <polygon points="400.000000,416.000000 388.000000,410.399994 388.000000,421.600006" transform="rotate(0.000000, 392.000000, 416.000000)" fill="black"/> <path d="M 400,16 A 16,16 0 0,0 384,32" fill="none" stroke="black"/> <path d="M 488,16 A 16,16 0 0,1 504,32" fill="none" stroke="black"/> <path d="M 120,48 A 16,16 0 0,0 104,64" fill="none" stroke="black"/> <path d="M 152,80 A 16,16 0 0,0 136,96" fill="none" stroke="black"/> <path d="M 384,96 A 16,16 0 0,0 400,112" fill="none" stroke="black"/> <path d="M 504,96 A 16,16 0 0,1 488,112" fill="none" stroke="black"/> <path d="M 16,160 A 16,16 0 0,0 0,176" fill="none" stroke="black"/> <path d="M 152,160 A 16,16 0 0,1 168,176" fill="none" stroke="black"/> <path d="M 400,160 A 16,16 0 0,0 384,176" fill="none" stroke="black"/> <path d="M 488,160 A 16,16 0 0,1 504,176" fill="none" stroke="black"/> <path d="M 0,240 A 16,16 0 0,0 16,256" fill="none" stroke="black"/> <path d="M 168,240 A 16,16 0 0,1 152,256" fill="none" stroke="black"/> <path d="M 384,240 A 16,16 0 0,0 400,256" fill="none" stroke="black"/> <path d="M 504,240 A 16,16 0 0,1 488,256" fill="none" stroke="black"/> <path d="M 400,304 A 16,16 0 0,0 384,320" fill="none" stroke="black"/> <path d="M 488,304 A 16,16 0 0,1 504,320" fill="none" stroke="black"/> <path d="M 136,320 A 16,16 0 0,0 152,336" fill="none" stroke="black"/> <path d="M 104,352 A 16,16 0 0,0 120,368" fill="none" stroke="black"/> <path d="M 64,400 A 16,16 0 0,0 80,416" fill="none" stroke="black"/> <path d="M 384,448 A 16,16 0 0,0 400,464" fill="none" stroke="black"/> <path d="M 504,448 A 16,16 0 0,1 488,464" fill="none" stroke="black"/> <text text-anchor="middle" font-family="monospace" x="264" y="36" 
fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="192" y="100" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="288" y="180" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="304" y="180" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="312" y="244" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="232" y="436" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="240" y="244" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="256" y="36" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="272" y="36" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="256" y="68" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="424" y="68" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="352" y="100" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="16" y="212" fill="black" font-size="1em">U</text> <text text-anchor="middle" font-family="monospace" x="424" y="212" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="232" y="324" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="304" y="36" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="168" y="100" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="72" y="212" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="216" y="436" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="336" y="100" 
fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="24" y="212" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="304" y="244" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="256" y="356" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="240" y="36" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="352" y="180" fill="black" font-size="1em">?</text> <text text-anchor="middle" font-family="monospace" x="248" y="244" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="488" y="388" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="328" y="436" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="312" y="180" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="464" y="212" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="304" y="324" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="168" y="436" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="416" y="68" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="328" y="180" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="264" y="324" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="264" y="388" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="256" y="436" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="320" y="436" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="312" y="36" 
fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="184" y="100" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="248" y="100" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="320" y="100" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="208" y="180" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="208" y="244" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="304" y="100" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="256" y="180" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="288" y="324" fill="black" font-size="1em">x</text> <text text-anchor="middle" font-family="monospace" x="176" y="436" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="264" y="68" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="296" y="100" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="200" y="180" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="224" y="388" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="472" y="212" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="232" y="244" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="264" y="244" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="272" y="388" fill="black" font-size="1em">0</text> <text text-anchor="middle" font-family="monospace" x="296" y="436" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="200" y="36" 
fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="320" y="180" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="312" y="324" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="264" y="436" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="256" y="212" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="480" y="388" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="432" y="420" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="192" y="436" fill="black" font-size="1em">:</text> <text text-anchor="middle" font-family="monospace" x="224" y="36" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="112" y="212" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="264" y="356" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="416" y="420" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="232" y="180" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="264" y="180" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="272" y="180" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="296" y="244" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="200" y="324" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="216" y="324" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="280" y="388" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="416" y="356" 
fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="288" y="36" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="312" y="100" fill="black" font-size="1em">x</text> <text text-anchor="middle" font-family="monospace" x="328" y="100" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="336" y="180" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="120" y="212" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="280" y="244" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="344" y="244" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="208" y="436" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="248" y="36" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="288" y="436" fill="black" font-size="1em">x</text> <text text-anchor="middle" font-family="monospace" x="432" y="356" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="296" y="388" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="272" y="436" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="272" y="100" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="192" y="324" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="256" y="388" fill="black" font-size="1em">2</text> <text text-anchor="middle" font-family="monospace" x="320" y="36" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="480" y="68" fill="black" font-size="1em">P</text> <text text-anchor="middle" font-family="monospace" x="280" y="100" 
fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="480" y="212" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="488" y="212" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="200" y="244" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="424" y="356" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="424" y="420" fill="black" font-size="1em">L</text> <text text-anchor="middle" font-family="monospace" x="232" y="100" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="256" y="244" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="288" y="244" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="248" y="324" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="320" y="324" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="272" y="356" fill="black" font-size="1em">)</text> <text text-anchor="middle" font-family="monospace" x="216" y="36" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="224" y="100" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="56" y="212" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="320" y="244" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="368" y="244" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="248" y="436" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="432" y="68" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="432" y="212" 
fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="352" y="244" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="280" y="324" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="288" y="388" fill="black" font-size="1em">2</text> <text text-anchor="middle" font-family="monospace" x="312" y="436" fill="black" font-size="1em">p</text> <text text-anchor="middle" font-family="monospace" x="328" y="324" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="176" y="100" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="240" y="100" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="256" y="100" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="280" y="180" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="336" y="244" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="272" y="324" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="296" y="324" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="464" y="388" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="200" y="100" fill="black" font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="216" y="100" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="128" y="212" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="224" y="324" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="248" y="388" fill="black" font-size="1em">9</text> <text text-anchor="middle" font-family="monospace" x="472" y="388" 
fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="224" y="436" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="336" y="36" fill="black" font-size="1em">?</text> <text text-anchor="middle" font-family="monospace" x="248" y="180" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="264" y="212" fill="black" font-size="1em">b</text> <text text-anchor="middle" font-family="monospace" x="184" y="244" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="240" y="324" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="280" y="436" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="304" y="436" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="208" y="36" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="344" y="100" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="216" y="180" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="416" y="212" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="240" y="436" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="296" y="36" fill="black" font-size="1em">m</text> <text text-anchor="middle" font-family="monospace" x="264" y="100" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="240" y="388" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="280" y="36" fill="black" font-size="1em">x</text> <text text-anchor="middle" font-family="monospace" x="288" y="100" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="224" y="180" 
fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="272" y="212" fill="black" font-size="1em">)</text> <text text-anchor="middle" font-family="monospace" x="344" y="324" fill="black" font-size="1em">?</text> <text text-anchor="middle" font-family="monospace" x="304" y="388" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="184" y="436" fill="black" font-size="1em">I</text> <text text-anchor="middle" font-family="monospace" x="232" y="36" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="360" y="244" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="208" y="324" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="256" y="324" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="272" y="68" fill="black" font-size="1em">)</text> <text text-anchor="middle" font-family="monospace" x="472" y="68" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="64" y="212" fill="black" font-size="1em">L</text> <text text-anchor="middle" font-family="monospace" x="192" y="244" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="216" y="244" fill="black" font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="272" y="244" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="328" y="244" fill="black" font-size="1em">x</text> <text text-anchor="middle" font-family="monospace" x="240" y="180" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="296" y="180" fill="black" font-size="1em">x</text> </g> </svg> </artwork> <artwork type="ascii-art" name="" align="left" alt="" pn="section-5.1.2.1-2.1.2"><![CDATA[
                                                 .------------.
                         video.cp.example ?     | .-----.      |
              .---------------------------------->|     |      |
             |                  (a)             | | DNS |  CP  |
             |    .-------------------------------+     |      |
             |   |   CNAME video.ucdn.example   | '-----'      |
             |   |                               '------------'
             |   |
             |   |
 .-----------|---v--.                            .------------.
|    .-----.-+-----. |   video.ucdn.example ?   | .-----.      |
|    |     |       +----------------------------->|     |      |
| UA | TLS |  DNS  | |          (b)             | | DNS | uCDN |
|    |     |       |<-----------------------------+     |      |
|    '--+--'-----+-' |  CNAME video.dcdn.example | '-----'      |
 '------|----^---|--'                            '------------'
        |    |   |
        |    |   |
        |    |   |                               .------------.
        |    |   |      video.dcdn.example ?    | .-----.      |
        |    |    '------------------------------>|     |      |
        |    |                  (c)             | | DNS |      |
        |     '-----------------------------------+     |      |
        |                   A 192.0.2.1         | +-----+ dCDN |
        |                                       | |     |      |
         '--------------------------------------->| TLS |      |
                     SNI: video.cp.example      | |     |      |
                                                | '-----'      |
                                                 '------------'
]]></artwork> </artset> </figure> <t indent="0" pn="section-5.1.2.1-3">Unlike HTTP-based redirection, where the original URL is supplanted by the one found in the <tt>Location</tt> header of the 302 response, DNS redirection is completely transparent to the User Agent. As a result, the TLS connection to the dCDN edge is done with a Server Name Indication (SNI) equal to the <tt>host</tt> in the original URI (in the example, <tt>video.cp.example</tt>).
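The redirection chain of Figure 11 made runnable, as an added Python example that is not code from this document. The zone data is constructed to reproduce the three DNS answers (a), (b) and (c); a certificate is modelled only by its subjectAltName DNS entries; and the name-matching rule (exact label match, or a single leftmost wildcard label) is this example's simplification of RFC 6125. It shows that the UA resolves transparently to 192.0.2.1 yet still sends video.cp.example in SNI, so an edge certificate carrying only the dCDN's own name fails the UA's hostname check.

```python
"""DNS redirection of Figure 11 and the name the dCDN edge must certify.

Added example for this section, not code from RFC 9115. The zone data is
constructed to reproduce answers (a), (b) and (c) of the figure; a certificate
is modelled only by its subjectAltName DNS entries; the matching rule is a
simplification of RFC 6125 (exact match or one leftmost wildcard label).
"""

# Constructed records: name -> (type, rdata).
ZONE = {
    "video.cp.example": ("CNAME", "video.ucdn.example"),    # (a) CP's DNS
    "video.ucdn.example": ("CNAME", "video.dcdn.example"),  # (b) uCDN's DNS
    "video.dcdn.example": ("A", "192.0.2.1"),               # (c) dCDN's DNS
}
MAX_CNAME_HOPS = 8  # bound on aliasing chains, as resolvers impose (assumed value)


def resolve(name, zone=ZONE):
    """Follow CNAMEs from name to an address; return (address, aliases walked)."""
    aliases = []
    for _ in range(MAX_CNAME_HOPS):
        if name not in zone:
            raise LookupError(f"no record for {name}")
        rtype, rdata = zone[name]
        if rtype == "A":
            return rdata, aliases
        aliases.append(name)
        name = rdata
    raise LookupError("CNAME chain too long")


def plan_tls(url_host, zone=ZONE):
    """What the UA does: connect to the resolved address but, because DNS
    redirection never rewrites the URL, keep the original host in SNI."""
    address, aliases = resolve(url_host, zone)
    return {"connect_to": address, "sni": url_host, "via": aliases}


def san_matches(san_dns, hostname):
    """True if one subjectAltName DNS entry covers hostname."""
    host = hostname.lower().split(".")
    for entry in san_dns:
        labels = entry.lower().split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        # one wildcard as the leftmost label, with at least two labels after it
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def edge_handshake_ok(edge_cert_san, url_host, zone=ZONE):
    """Would the landing dCDN node's certificate pass the UA's hostname check?"""
    return san_matches(edge_cert_san, plan_tls(url_host, zone)["sni"])
```

Calling plan_tls("video.cp.example") returns the dCDN address together with the two aliases walked, while the SNI stays the CP's name; edge_handshake_ok then answers whether a given edge certificate would satisfy the UA, which is the check the delegated STAR certificate of the next figure exists to pass.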
So, in order to successfully complete the handshake, the landing dCDN node has to be configured with a certificate whose <tt>subjectAltName</tt> field matches <tt>video.cp.example</tt>, i.e., a content provider's name.</t> <t indent="0" pn="section-5.1.2.1-4"><xref target="fig-cdni-flow" format="default" sectionFormat="of" derivedContent="Figure 12"/> illustrates the cascaded delegation flow that allows dCDN to obtain a STAR certificate that bears a name belonging to the content provider with a private key that is only known to the dCDN.</t> <figure anchor="fig-cdni-flow" align="left" suppress-title="false" pn="figure-12"> <name slugifiedName="name-two-levels-delegation-in-cd">Two-Level Delegation in CDNI</name> <artset pn="section-5.1.2.1-5.1"> <artwork type="ascii-art" name="" align="left" alt="" pn="section-5.1.2.1-5.1.2"><![CDATA[ .--------------------. | .------.------. | | | STAR | ACME |<-------------. | CP | dele | STAR | | | | | srv | cli +-----. | | '---+--'------' | | 6 '---------|------^---' 5 | | | | .--|-------. | | | | .-+----. | 7 | '---->| ACME | | | | | | STAR | C | | 4 | +------| A | | | | | HTTP | | | | | '----+-' | | .-' '--^--|----' .--------------v--|--. | | | .------.----+-. | | 10 | | | STAR | | | | | uCDN | CDNI | dele | | | | | | | fwd | | | | | '----+-'-+----' | | | '-------^--|---|--^--' | | | | | | | | | 2 8 | | | 1 | | 3 | | | | | | 9 | .-------|--v---v--|---------. | | | .-+----.----+-.------. | | | | | | STAR | +------------' | | dCDN | CDNI | dele | HTTP | | | | | | cli | |<--------------' | '------'------'------' | '---------------------------' ]]></artwork> </artset> </figure> <t indent="0" pn="section-5.1.2.1-6">uCDN is configured to delegate to dCDN, and CP is configured to delegate to uCDN, both as defined in <xref target="sec-profile-dele-config" format="default" sectionFormat="of" derivedContent="Section 2.3.1"/>.</t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-5.1.2.1-7"> <li pn="section-5.1.2.1-7.1" derivedCounter="1.">dCDN requests CDNI path metadata to uCDN.</li> <li pn="section-5.1.2.1-7.2" derivedCounter="2.">uCDN replies with, among other CDNI metadata, the STAR delegation configuration, which includes the delegated content provider's name.</li> <li pn="section-5.1.2.1-7.3" derivedCounter="3.">dCDN creates a key pair and the CSR with the delegated name. It then places an order for the delegated name to uCDN.</li> <li pn="section-5.1.2.1-7.4" derivedCounter="4.">uCDN forwards the received order to the content provider (CP).</li> <li pn="section-5.1.2.1-7.5" derivedCounter="5.">CP creates an order for a STAR certificate and sends it to the CA. The order also requests unauthenticated access to the certificate resource.</li> <li pn="section-5.1.2.1-7.6" derivedCounter="6.">After all authorizations complete successfully, the STAR certificate is issued.</li> <li pn="section-5.1.2.1-7.7" derivedCounter="7.">CP notifies uCDN that the STAR certificate is available at the order's <tt>star-certificate</tt> URL.</li> <li pn="section-5.1.2.1-7.8" derivedCounter="8.">uCDN forwards the information to dCDN.
At this point, the ACME signaling is complete.</li> <li pn="section-5.1.2.1-7.9" derivedCounter="9.">dCDN requests the STAR certificate using unauthenticated GET from the CA.</li> <li pn="section-5.1.2.1-7.10" derivedCounter="10.">The CA returns the certificate. Now dCDN is fully configured to handle HTTPS traffic in lieu of the content provider.</li> </ol> <t indent="0" pn="section-5.1.2.1-8">Note that steps 9 and 10 repeat until the delegation expires or is terminated.</t> </section> </section> </section> <section anchor="secure-telephone-identity-revisited-stir" numbered="true" toc="include" removeInRFC="false" pn="section-5.2"> <name slugifiedName="name-secure-telephone-identity-r">Secure Telephone Identity Revisited (STIR)</name> <t indent="0" pn="section-5.2-1">As a second use case, we consider the delegation of credentials in the STIR ecosystem <xref target="RFC9060" format="default" sectionFormat="of" derivedContent="RFC9060"/>.</t> <t indent="0" pn="section-5.2-2">This section uses STIR terminology. The term Personal Assertion Token (PASSporT) is defined in <xref target="RFC8225" format="default" sectionFormat="of" derivedContent="RFC8225"/>, and "TNAuthList" is defined in <xref target="RFC8226" format="default" sectionFormat="of" derivedContent="RFC8226"/>.</t> <t indent="0" pn="section-5.2-3">In the STIR delegated mode, a service provider SP2 (the NDC) needs to sign PASSporTs <xref target="RFC8225" format="default" sectionFormat="of" derivedContent="RFC8225"/> for telephone numbers (e.g., TN=+123) belonging to another service provider, SP1 (the IdO).
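Both the CDNI cascade above and the STIR flow that follows rest on the same control: before forwarding or placing an order, the delegator (uCDN and CP in the cascade, SP1 in STIR) checks that the delegate's CSR asks only for what the agreed delegation grants, and in a cascade that no hop delegated more than it was itself granted. The following is an added example, not code from RFC 9115 or any implementation of it: the `Delegation`, `validate_csr` and `validate_chain` names are hypothetical, CSRs are constructed dict summaries rather than parsed DER, and TN ranges are modelled as (start, count) pairs after the shape of RFC 8226's TelephoneNumberRange.

```python
"""Validate a delegate's CSR against the delegation it was granted.

Added, hypothetical example; not code from RFC 9115. A CSR is represented
as a plain dict summarising its subject CN, SAN DNS names, TNAuthList and
key type (a constructed summary, not parsed DER), so this runs with the
standard library only. TN ranges are (start, count) pairs of digit
strings, the shape of RFC 8226's TelephoneNumberRange.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    """What a delegator (IdO) allows a delegate (NDC) to put in a CSR."""
    delegator: str
    delegate: str
    names: frozenset = frozenset()      # DNS names allowed in subject CN / SAN
    tn_ranges: tuple = ()               # ((start, count), ...) telephone numbers
    key_types: frozenset = frozenset({"EC P-256", "RSA 2048"})


def range_covered(req, ranges):
    """True if the requested (start, count) range lies inside one delegated range.

    Numbers are compared as digit strings of equal length, so "0155..." and
    "155..." are distinct identifiers rather than the same integer.
    """
    start, count = req
    if not (start.isdigit() and count >= 1):
        return False
    for d_start, d_count in ranges:
        if (len(d_start) == len(start)
                and int(start) >= int(d_start)
                and int(d_start) + d_count >= int(start) + count):
            return True
    return False


def validate_csr(csr, dele):
    """Return the list of problems found; an empty list means the CSR is acceptable."""
    problems = []
    if csr.get("public_key") not in dele.key_types:
        problems.append("key type %r not allowed" % csr.get("public_key"))
    # Every name in the subject CN and SAN must have been delegated.
    requested = set(csr.get("san_dns", []))
    if csr.get("subject_cn"):
        requested.add(csr["subject_cn"])
    for name in sorted(requested.difference(dele.names)):
        problems.append("name %r not delegated by %s" % (name, dele.delegator))
    # Every TNAuthList entry (single TN or range) must lie within a delegated range.
    tnal = csr.get("tn_auth_list", {})
    ranges = [(tn, 1) for tn in tnal.get("one", [])] + list(tnal.get("range", []))
    for rng in ranges:
        if not range_covered(rng, dele.tn_ranges):
            problems.append("TN range %r not delegated by %s" % (rng, dele.delegator))
    if not requested and not ranges:
        problems.append("CSR carries no identifier")
    return problems


def delegation_within(inner, outer):
    """A delegator may only pass on what it itself holds (cascaded delegation)."""
    return (inner.delegator == outer.delegate
            and inner.names.issubset(outer.names)
            and inner.key_types.issubset(outer.key_types)
            and all(range_covered(r, outer.tn_ranges) for r in inner.tn_ranges))


def validate_chain(csr, chain):
    """Check a CSR along a delegation chain, innermost hop first.

    chain[0] is the delegation the requester received; chain[-1] is the one
    granted by the identifier holder. Each hop re-validates before forwarding
    the order, and each hop must itself be within the hop above it.
    """
    problems = []
    for i, dele in enumerate(chain):
        problems += ["%s: %s" % (dele.delegator, p) for p in validate_csr(csr, dele)]
        if i + 1 != len(chain) and not delegation_within(dele, chain[i + 1]):
            problems.append("%s delegated more than %s granted it"
                            % (dele.delegator, chain[i + 1].delegator))
    return problems


# Constructed sample configuration for the CDNI cascade: CP, then uCDN, then dCDN.
CP_TO_UCDN = Delegation("CP", "uCDN", frozenset({"video.cp.example", "img.cp.example"}))
UCDN_TO_DCDN = Delegation("uCDN", "dCDN", frozenset({"video.cp.example"}))
CDNI_CHAIN = (UCDN_TO_DCDN, CP_TO_UCDN)
DCDN_CSR = {"subject_cn": "video.cp.example", "san_dns": ["video.cp.example"],
            "public_key": "EC P-256"}

# Constructed sample for STIR: SP1 (IdO) delegates 100 numbers to SP2 (NDC).
SP1_TO_SP2 = Delegation("SP1", "SP2", frozenset({"sp1.example"}),
                        tn_ranges=(("15550100", 100),))
SP2_CSR = {"subject_cn": "sp1.example", "public_key": "EC P-256",
           "tn_auth_list": {"one": ["15550142"], "range": [("15550150", 20)]}}

if __name__ == "__main__":
    for label, csr, chain in (("dCDN CSR", DCDN_CSR, CDNI_CHAIN),
                              ("SP2 CSR", SP2_CSR, (SP1_TO_SP2,))):
        print(label, validate_chain(csr, chain) or "accepted")
```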
In order to do that, SP2 needs a STIR certificate (and its private key) that includes TN=+123 in the TNAuthList <xref target="RFC8226" format="default" sectionFormat="of" derivedContent="RFC8226"/> certificate extension.</t> <t indent="0" pn="section-5.2-4">In detail (<xref target="fig-stir-flow" format="default" sectionFormat="of" derivedContent="Figure 13"/>):</t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-5.2-5"> <li pn="section-5.2-5.1" derivedCounter="1.">SP1 and SP2 agree on the configuration of the delegation, in particular the CSR template that applies.</li> <li pn="section-5.2-5.2" derivedCounter="2.">SP2 generates a private/public key pair and sends a CSR to SP1, requesting creation of a certificate with an SP1 name, an SP2 public key, and a TNAuthList extension with the list of TNs that SP1 delegates to SP2. (Note that the CSR sent by SP2 to SP1 needs to be validated against the CSR template agreed upon in step 1.)</li> <li pn="section-5.2-5.3" derivedCounter="3.">SP1 sends an order for the CSR to the CA.
The order also requests unauthenticated access to the certificate resource.</li> <li pn="section-5.2-5.4" derivedCounter="4.">Subsequently, after the required TNAuthList authorizations are successfully completed, the CA moves the order to a "valid" state; at the same time, the <tt>star-certificate</tt> endpoint is populated.</li> <li pn="section-5.2-5.5" derivedCounter="5.">The contents of the order are forwarded from SP1 to SP2 by means of the paired "delegation" order.</li> <li pn="section-5.2-5.6" derivedCounter="6.">SP2 dereferences the <tt>star-certificate</tt> URL in the order to fetch the rolling STAR certificate bearing the delegated identifiers.</li> <li pn="section-5.2-5.7" derivedCounter="7.">The STAR certificate is returned to SP2.</li> </ol> <figure anchor="fig-stir-flow" align="left" suppress-title="false" pn="figure-13"> <name slugifiedName="name-delegation-in-stir">Delegation in STIR</name> <artset pn="section-5.2-6.1"> <artwork type="svg" name="" align="left" alt="" pn="section-5.2-6.1.1"><svg xmlns="http://www.w3.org/2000/svg" class="diagram" version="1.1" height="377" width="408" viewBox="0 0 408.0 377.0"> <g transform="translate(8,16)"> <path d="M 56,16 L 200,16" fill="none" stroke="black"/> <path d="M 88,32 L 144,32" fill="none" stroke="black"/> <path d="M 144,32 L 200,32" fill="none" stroke="black"/> <path d="M 208,48 L 320,48" fill="none" stroke="black"/> <path d="M 16,64 L 32,64" fill="none" stroke="black"/> <path d="M 200,80 L 240,80" fill="none" stroke="black"/> <path d="M 88,96 L 128,96" fill="none" stroke="black"/> <path d="M 128,96 L 144,96" fill="none" stroke="black"/> <path d="M 144,96 L 200,96" fill="none" stroke="black"/> <path d="M 56,112 L 96,112" fill="none" stroke="black"/> <path d="M 112,112 L 120,112" fill="none" stroke="black"/> <path d="M 136,112 L 200,112" fill="none" stroke="black"/> <path d="M 304,128 L 328,128" fill="none" stroke="black"/> <path d="M 
344,128 L 376,128" fill="none" stroke="black"/> <path d="M 304,144 L 336,144" fill="none" stroke="black"/> <path d="M 336,144 L 360,144" fill="none" stroke="black"/> <path d="M 272,160 L 296,160" fill="none" stroke="black"/> <path d="M 304,192 L 352,192" fill="none" stroke="black"/> <path d="M 272,208 L 296,208" fill="none" stroke="black"/> <path d="M 304,224 L 336,224" fill="none" stroke="black"/> <path d="M 336,224 L 360,224" fill="none" stroke="black"/> <path d="M 304,240 L 328,240" fill="none" stroke="black"/> <path d="M 344,240 L 376,240" fill="none" stroke="black"/> <path d="M 56,256 L 96,256" fill="none" stroke="black"/> <path d="M 112,256 L 120,256" fill="none" stroke="black"/> <path d="M 136,256 L 200,256" fill="none" stroke="black"/> <path d="M 88,272 L 104,272" fill="none" stroke="black"/> <path d="M 104,272 L 144,272" fill="none" stroke="black"/> <path d="M 144,272 L 200,272" fill="none" stroke="black"/> <path d="M 200,288 L 240,288" fill="none" stroke="black"/> <path d="M 16,304 L 32,304" fill="none" stroke="black"/> <path d="M 208,320 L 320,320" fill="none" stroke="black"/> <path d="M 88,336 L 128,336" fill="none" stroke="black"/> <path d="M 128,336 L 144,336" fill="none" stroke="black"/> <path d="M 144,336 L 160,336" fill="none" stroke="black"/> <path d="M 160,336 L 200,336" fill="none" stroke="black"/> <path d="M 56,352 L 200,352" fill="none" stroke="black"/> <path d="M 0,80 L 0,176" fill="none" stroke="black"/> <path d="M 0,208 L 0,288" fill="none" stroke="black"/> <path d="M 40,32 L 40,96" fill="none" stroke="black"/> <path d="M 40,272 L 40,336" fill="none" stroke="black"/> <path d="M 88,32 L 88,96" fill="none" stroke="black"/> <path d="M 88,272 L 88,336" fill="none" stroke="black"/> <path d="M 104,112 L 104,208" fill="none" stroke="black"/> <path d="M 104,240 L 104,272" fill="none" stroke="black"/> <path d="M 128,96 L 128,128" fill="none" stroke="black"/> <path d="M 128,160 L 128,256" fill="none" stroke="black"/> <path d="M 144,32 L 144,96" 
fill="none" stroke="black"/> <path d="M 144,272 L 144,336" fill="none" stroke="black"/> <path d="M 200,32 L 200,80" fill="none" stroke="black"/> <path d="M 200,80 L 200,96" fill="none" stroke="black"/> <path d="M 200,272 L 200,288" fill="none" stroke="black"/> <path d="M 200,288 L 200,336" fill="none" stroke="black"/> <path d="M 216,56 L 216,72" fill="none" stroke="black"/> <path d="M 216,296 L 216,312" fill="none" stroke="black"/> <path d="M 256,128 L 256,144" fill="none" stroke="black"/> <path d="M 256,224 L 256,240" fill="none" stroke="black"/> <path d="M 288,176 L 288,192" fill="none" stroke="black"/> <path d="M 304,144 L 304,192" fill="none" stroke="black"/> <path d="M 304,192 L 304,224" fill="none" stroke="black"/> <path d="M 336,64 L 336,80" fill="none" stroke="black"/> <path d="M 336,112 L 336,144" fill="none" stroke="black"/> <path d="M 336,224 L 336,256" fill="none" stroke="black"/> <path d="M 336,288 L 336,304" fill="none" stroke="black"/> <path d="M 360,144 L 360,224" fill="none" stroke="black"/> <path d="M 392,144 L 392,224" fill="none" stroke="black"/> <path d="M 216,32 L 216,40" fill="none" stroke="black"/> <path d="M 216,56 L 216,64" fill="none" stroke="black"/> <path d="M 216,88 L 216,96" fill="none" stroke="black"/> <path d="M 216,272 L 216,280" fill="none" stroke="black"/> <path d="M 216,296 L 216,304" fill="none" stroke="black"/> <path d="M 216,328 L 216,336" fill="none" stroke="black"/> <path d="M 288,144 L 288,152" fill="none" stroke="black"/> <path d="M 288,168 L 288,176" fill="none" stroke="black"/> <path d="M 288,192 L 288,200" fill="none" stroke="black"/> <path d="M 288,216 L 288,224" fill="none" stroke="black"/> <polygon points="40.000000,64.000000 28.000000,58.400002 28.000000,69.599998" transform="rotate(0.000000, 32.000000, 64.000000)" fill="black"/> <polygon points="40.000000,304.000000 28.000000,298.399994 28.000000,309.600006" transform="rotate(0.000000, 32.000000, 304.000000)" fill="black"/> <path d="M 104,104 L 104,112" 
fill="none" stroke="black"/> <polygon points="120.000000,112.000000 108.000000,106.400002 108.000000,117.599998" transform="rotate(270.000000, 104.000000, 112.000000)" fill="black"/> <path d="M 128,256 L 128,264" fill="none" stroke="black"/> <polygon points="144.000000,256.000000 132.000000,250.399994 132.000000,261.600006" transform="rotate(90.000000, 128.000000, 256.000000)" fill="black"/> <polygon points="216.000000,48.000000 204.000000,42.400002 204.000000,53.599998" transform="rotate(180.000000, 208.000000, 48.000000)" fill="black"/> <polygon points="216.000000,320.000000 204.000000,314.399994 204.000000,325.600006" transform="rotate(180.000000, 208.000000, 320.000000)" fill="black"/> <polygon points="304.000000,160.000000 292.000000,154.399994 292.000000,165.600006" transform="rotate(0.000000, 296.000000, 160.000000)" fill="black"/> <polygon points="304.000000,208.000000 292.000000,202.399994 292.000000,213.600006" transform="rotate(0.000000, 296.000000, 208.000000)" fill="black"/> <path d="M 56,16 A 16,16 0 0,0 40,32" fill="none" stroke="black"/> <path d="M 200,16 A 16,16 0 0,1 216,32" fill="none" stroke="black"/> <path d="M 320,48 A 16,16 0 0,1 336,64" fill="none" stroke="black"/> <path d="M 16,64 A 16,16 0 0,0 0,80" fill="none" stroke="black"/> <path d="M 240,80 A 16,16 0 0,1 256,96" fill="none" stroke="black"/> <path d="M 40,96 A 16,16 0 0,0 56,112" fill="none" stroke="black"/> <path d="M 216,96 A 16,16 0 0,1 200,112" fill="none" stroke="black"/> <path d="M 304,128 A 16,16 0 0,0 288,144" fill="none" stroke="black"/> <path d="M 376,128 A 16,16 0 0,1 392,144" fill="none" stroke="black"/> <path d="M 256,144 A 16,16 0 0,0 272,160" fill="none" stroke="black"/> <path d="M 272,208 A 16,16 0 0,0 256,224" fill="none" stroke="black"/> <path d="M 288,224 A 16,16 0 0,0 304,240" fill="none" stroke="black"/> <path d="M 392,224 A 16,16 0 0,1 376,240" fill="none" stroke="black"/> <path d="M 56,256 A 16,16 0 0,0 40,272" fill="none" stroke="black"/> <path d="M 200,256 A 
16,16 0 0,1 216,272" fill="none" stroke="black"/> <path d="M 256,272 A 16,16 0 0,1 240,288" fill="none" stroke="black"/> <path d="M 0,288 A 16,16 0 0,0 16,304" fill="none" stroke="black"/> <path d="M 336,304 A 16,16 0 0,1 320,320" fill="none" stroke="black"/> <path d="M 40,336 A 16,16 0 0,0 56,352" fill="none" stroke="black"/> <path d="M 216,336 A 16,16 0 0,1 200,352" fill="none" stroke="black"/> <text text-anchor="middle" font-family="monospace" x="0" y="196" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="320" y="212" fill="black" font-size="1em">H</text> <text text-anchor="middle" font-family="monospace" x="56" y="308" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="120" y="308" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="64" y="68" fill="black" font-size="1em">P</text> <text text-anchor="middle" font-family="monospace" x="112" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="328" y="180" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="336" y="212" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="64" y="308" fill="black" font-size="1em">P</text> <text text-anchor="middle" font-family="monospace" x="184" y="308" fill="black" font-size="1em">P</text> <text text-anchor="middle" font-family="monospace" x="120" y="324" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="112" y="324" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="104" y="52" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="128" y="52" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="120" y="68" fill="black" font-size="1em">l</text> <text text-anchor="middle" 
font-family="monospace" x="160" y="84" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="256" y="116" fill="black" font-size="1em">3</text> <text text-anchor="middle" font-family="monospace" x="328" y="212" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="104" y="324" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="128" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="176" y="84" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="344" y="180" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="160" y="52" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="336" y="276" fill="black" font-size="1em">7</text> <text text-anchor="middle" font-family="monospace" x="112" y="308" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="320" y="164" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="376" y="196" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="104" y="228" fill="black" font-size="1em">2</text> <text text-anchor="middle" font-family="monospace" x="256" y="260" fill="black" font-size="1em">6</text> <text text-anchor="middle" font-family="monospace" x="168" y="308" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="72" y="68" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="104" y="84" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="168" y="84" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="344" y="164" fill="black" font-size="1em">E</text> <text text-anchor="middle" 
font-family="monospace" x="120" y="52" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="176" y="52" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="184" y="52" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="320" y="180" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="376" y="180" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="176" y="308" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="168" y="52" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="56" y="68" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="104" y="68" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="120" y="84" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="328" y="164" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="336" y="180" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="160" y="308" fill="black" font-size="1em">H</text> <text text-anchor="middle" font-family="monospace" x="160" y="68" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="112" y="84" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="168" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="128" y="148" fill="black" font-size="1em">5</text> <text text-anchor="middle" font-family="monospace" x="336" y="164" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="104" y="308" fill="black" font-size="1em">d</text> <text text-anchor="middle" 
font-family="monospace" x="184" y="68" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="128" y="292" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="336" y="100" fill="black" font-size="1em">4</text> <text text-anchor="middle" font-family="monospace" x="344" y="212" fill="black" font-size="1em">P</text> <text text-anchor="middle" font-family="monospace" x="128" y="308" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="112" y="52" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="120" y="292" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="176" y="68" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="104" y="292" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="112" y="292" fill="black" font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="72" y="308" fill="black" font-size="1em">2</text> </g> </svg> </artwork> <artwork type="ascii-art" name="" align="left" alt="" pn="section-5.2-6.1.2"><![CDATA[ .-------------------. | .------.------. | | | STAR | STAR |<--------------. .-->| SP1 | dele | dele | | | | | | srv | cli +-----. | | | '----+-'------' | | 4 | '------^--|---------' 3 | | | | | .----|-----. | | 5 | | .---+--. | | | | '--->| ACME | | | | | | | STAR | C | 1 | | | +------| A | | | | .--->| HTTP | | | 2 | | | '---+--' | | | | | '----|-----' | .------|--v---------. 6 | | | .-+----.------. 
| | 7 | | | STAR | +-----' | '-->| SP2 | dele | HTTP | | | | | cli | |<--------------' | '----+-'-+----' | '-------------------' ]]></artwork> </artset> </figure> <t indent="0" pn="section-5.2-7">As shown, the STAR delegation profile described in this document applies straightforwardly; the only extra requirement is the ability to instruct the NDC about the allowed TNAuthList values. This can be achieved by a simple extension to the CSR template.</t> </section> </section> <section anchor="iana-considerations" numbered="true" toc="include" removeInRFC="false" pn="section-6"> <name slugifiedName="name-iana-considerations">IANA Considerations</name> <section anchor="new-fields-in-the-meta-object-within-a-directory-object" numbered="true" toc="include" removeInRFC="false" pn="section-6.1"> <name slugifiedName="name-new-fields-in-the-meta-obje">New Fields in the "meta" Object within a Directory Object</name> <t indent="0" pn="section-6.1-1">This document adds the following entries to the "ACME Directory Metadata Fields" registry:</t> <table align="center" pn="table-1"> <thead> <tr> <th align="left" colspan="1" rowspan="1">Field Name</th> <th align="left" colspan="1" rowspan="1">Field Type</th> <th align="left" colspan="1" rowspan="1">Reference</th> </tr> </thead> <tbody> <tr> <td align="left" colspan="1" rowspan="1">delegation-enabled</td> <td align="left" colspan="1" rowspan="1">boolean</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> <tr> <td align="left" colspan="1" rowspan="1">allow-certificate-get</td> <td align="left" colspan="1" rowspan="1">boolean</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> </tbody> </table> </section> <section anchor="new-fields-in-the-order-object" numbered="true" toc="include" removeInRFC="false" pn="section-6.2"> <name 
slugifiedName="name-new-fields-in-the-order-obj">New Fields in the Order Object</name> <t indent="0" pn="section-6.2-1">This document adds the following entries to the "ACME Order Object Fields" registry:</t> <table align="center" pn="table-2"> <thead> <tr> <th align="left" colspan="1" rowspan="1">Field Name</th> <th align="left" colspan="1" rowspan="1">Field Type</th> <th align="left" colspan="1" rowspan="1">Configurable</th> <th align="left" colspan="1" rowspan="1">Reference</th> </tr> </thead> <tbody> <tr> <td align="left" colspan="1" rowspan="1">allow-certificate-get</td> <td align="left" colspan="1" rowspan="1">boolean</td> <td align="left" colspan="1" rowspan="1">true</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> <tr> <td align="left" colspan="1" rowspan="1">delegation</td> <td align="left" colspan="1" rowspan="1">string</td> <td align="left" colspan="1" rowspan="1">true</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> </tbody> </table> </section> <section anchor="new-fields-in-the-account-object" numbered="true" toc="include" removeInRFC="false" pn="section-6.3"> <name slugifiedName="name-new-fields-in-the-account-o">New Fields in the Account Object</name> <t indent="0" pn="section-6.3-1">This document adds the following entry to the "ACME Account Object Fields" registry:</t> <table align="center" pn="table-3"> <thead> <tr> <th align="left" colspan="1" rowspan="1">Field Name</th> <th align="left" colspan="1" rowspan="1">Field Type</th> <th align="left" colspan="1" rowspan="1">Requests</th> <th align="left" colspan="1" rowspan="1">Reference</th> </tr> </thead> <tbody> <tr> <td align="left" colspan="1" rowspan="1">delegations</td> <td align="left" colspan="1" rowspan="1">string</td> <td align="left" colspan="1" rowspan="1">none</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> </tbody> </table> <t indent="0" pn="section-6.3-3">Note that the <tt>delegations</tt> field 
is only reported by ACME servers that have <tt>delegation-enabled</tt> set to true in their "meta" object.</t> </section> <section anchor="new-error-types" numbered="true" toc="include" removeInRFC="false" pn="section-6.4"> <name slugifiedName="name-new-error-types">New Error Types</name> <t indent="0" pn="section-6.4-1">This document adds the following entry to the "ACME Error Types" registry:</t> <table align="center" pn="table-4"> <thead> <tr> <th align="left" colspan="1" rowspan="1">Type</th> <th align="left" colspan="1" rowspan="1">Description</th> <th align="left" colspan="1" rowspan="1">Reference</th> </tr> </thead> <tbody> <tr> <td align="left" colspan="1" rowspan="1">unknownDelegation</td> <td align="left" colspan="1" rowspan="1">An unknown configuration is listed in the <tt>delegation</tt> attribute of the order request</td> <td align="left" colspan="1" rowspan="1">RFC 9115</td> </tr> </tbody> </table> </section> <section anchor="csr-template-registry" numbered="true" toc="include" removeInRFC="false" pn="section-6.5"> <name slugifiedName="name-csr-template-extensions">CSR Template Extensions</name> <t indent="0" pn="section-6.5-1">IANA is requested to establish a registry, "STAR Delegation CSR Template Extensions", with "Specification Required" as its registration procedure.</t> <t indent="0" pn="section-6.5-2">Each extension registered must specify:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.5-3"> <li pn="section-6.5-3.1">an extension name,</li> <li pn="section-6.5-3.2">an extension syntax, as a reference to a CDDL document that defines this extension, and</li> <li pn="section-6.5-3.3">the extension's mapping into an X.509 certificate extension.</li> </ul> <t indent="0" pn="section-6.5-4">The initial contents of this registry are the extensions defined by the 
CDDL in <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/>.</t> <table align="center" pn="table-5"> <thead> <tr> <th align="left" colspan="1" rowspan="1">Extension Name</th> <th align="left" colspan="1" rowspan="1">Extension Syntax</th> <th align="left" colspan="1" rowspan="1">Mapping to X.509 Certificate Extension</th> </tr> </thead> <tbody> <tr> <td align="left" colspan="1" rowspan="1">keyUsage</td> <td align="left" colspan="1" rowspan="1">See <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/></td> <td align="left" colspan="1" rowspan="1"> <xref target="RFC5280" format="default" sectionFormat="comma" derivedContent="RFC5280" section="4.2.1.3"/></td> </tr> <tr> <td align="left" colspan="1" rowspan="1">extendedKeyUsage</td> <td align="left" colspan="1" rowspan="1">See <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/></td> <td align="left" colspan="1" rowspan="1"> <xref target="RFC5280" format="default" sectionFormat="comma" derivedContent="RFC5280" section="4.2.1.12"/></td> </tr> <tr> <td align="left" colspan="1" rowspan="1">subjectAltName</td> <td align="left" colspan="1" rowspan="1">See <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/></td> <td align="left" colspan="1" rowspan="1"> <xref target="RFC5280" format="default" sectionFormat="comma" derivedContent="RFC5280" section="4.2.1.6"/> (note that only specific name formats are allowed: URI, DNS name, email address)</td> </tr> </tbody> </table> <t indent="0" pn="section-6.5-6">When evaluating a request for an assignment in this registry, the designated expert should follow this guidance:</t> 
<ul spacing="normal" bare="false" empty="false" indent="3" pn="section-6.5-7"> <li pn="section-6.5-7.1">The definition must include a full CDDL definition, which the expert will validate.</li> <li pn="section-6.5-7.2">The definition must include both positive and negative test cases.</li> <li pn="section-6.5-7.3">Additional requirements that are not captured by the CDDL definition are allowed but must be explicitly specified.</li> </ul> </section> </section> <section anchor="security-considerations" numbered="true" toc="include" removeInRFC="false" pn="section-7"> <name slugifiedName="name-security-considerations">Security Considerations</name> <section anchor="sec-trust-model" numbered="true" toc="include" removeInRFC="false" pn="section-7.1"> <name slugifiedName="name-trust-model">Trust Model</name> <t indent="0" pn="section-7.1-1">The ACME trust model needs to be extended to include the trust relationship between NDC and IdO. Note that once this trust link is established, it potentially becomes recursive. Therefore, there has to be a trust relationship between each of the nodes in the delegation chain; for example, in the case of cascading CDNs, this is contractually defined. Note that when using standard <xref target="RFC6125" format="default" sectionFormat="of" derivedContent="RFC6125"/> identity verification, there are no mechanisms available to the IdO to restrict the use of the delegated name once the name has been handed over to the first NDC. 
It is, therefore, expected that contractual measures are in place to get some assurance that redelegation is not being performed.</t> </section> <section anchor="delegation-security-goal" numbered="true" toc="include" removeInRFC="false" pn="section-7.2"> <name slugifiedName="name-delegation-security-goal">Delegation Security Goal</name> <t indent="0" pn="section-7.2-1">Delegation introduces a new security goal: only an NDC that has been authorized by the IdO, either directly or transitively, can obtain a certificate with an IdO identity.</t> <t indent="0" pn="section-7.2-2">From a security point of view, the delegation process has five separate parts:</t> <ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-7.2-3"> <li pn="section-7.2-3.1" derivedCounter="1.">enabling a specific third party (the intended NDC) to submit requests for delegated certificates</li> <li pn="section-7.2-3.2" derivedCounter="2.">making sure that any request for a delegated certificate matches the intended "shape" in terms of delegated identities as well as any other certificate metadata, e.g., key length, X.509 extensions, etc.</li> <li pn="section-7.2-3.3" derivedCounter="3.">serving the certificate back to the NDC</li> <li pn="section-7.2-3.4" derivedCounter="4.">handling revocation of the delegation</li> <li pn="section-7.2-3.5" derivedCounter="5.">handling revocation of the certificate itself</li> </ol> <t indent="0" pn="section-7.2-4">The first part is covered by the NDC's ACME account that is administered by the IdO, whose security relies on the correct handling of the associated key pair. 
When a compromise of the private key is detected, the delegate <bcp14>MUST</bcp14> use the account deactivation procedures defined in <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555" section="7.3.6"/>.</t> <t indent="0" pn="section-7.2-5">The second part is covered by the act of checking an NDC's certificate request against the intended CSR template. The steps of shaping the CSR template correctly, selecting the right CSR template to check against the presented CSR, and making sure that the presented CSR matches the selected CSR template are all security-relevant.</t> <t indent="0" pn="section-7.2-6">The third part builds on the trust relationship between the NDC and the IdO, the latter being responsible for correctly forwarding the certificate URL from the Order returned by the CA.</t> <t indent="0" pn="section-7.2-7">The fourth part is associated with the ability of the IdO to unilaterally remove the <tt>delegation</tt> object associated with the revoked identity, therefore disabling any further NDC requests for such identity. Note that, in more extreme circumstances, the IdO might decide to disable the NDC account, thus entirely blocking any further interaction.</t> <t indent="0" pn="section-7.2-8">The fifth part is covered by two different mechanisms, depending on the nature of the certificate. For STAR, the IdO shall use the cancellation interface defined in <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739" section="2.3"/>. For non-STAR, the certificate revocation interface defined in <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555" section="7.6"/> is used.</t> <t indent="0" pn="section-7.2-9">The ACME account associated with the delegation plays a crucial role in the overall security of the presented protocol. 
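</t> <t indent="0">The second part listed above (checking the NDC's CSR against the CSR template selected through the account's delegation) together with the account-to-policy binding described in this paragraph, as an added Python example that is not part of RFC 9115 and not any implementation's code. Its template layout, its "*." wildcard rule (exactly one leftmost label), and its exact-match rule for keyUsage and extendedKeyUsage are this example's own assumptions; the normative template schema is the CDDL in Appendix B. The CSR is a pre-parsed structure, the account configuration is constructed sample data, and only the subjectAltName forms registered in Section 6.5 (URI, DNS name, email address) are accepted.</t>

```python
"""Added example (not part of RFC 9115): select the CSR template bound to an
NDC account's delegation and check a presented CSR against it."""
from dataclasses import dataclass

# Name forms the subjectAltName registry entry permits (Section 6.5 table).
ALLOWED_SAN_KINDS = ("dns", "uri", "email")


class UnknownDelegation(Exception):
    """The order's "delegation" value is not configured for this account;
    the ACME server would answer with the unknownDelegation error type."""


@dataclass(frozen=True)
class ParsedCSR:
    """A CSR already decoded from PKCS#10 (constructed here; no ASN.1 parsing)."""
    key_type: str
    key_bits: int
    subject_alt_names: tuple   # of (kind, value) pairs
    key_usage: frozenset
    extended_key_usage: frozenset


def select_template(account_delegations, delegation_name):
    """Step one of the check: pick the template the IdO bound, out of band,
    to this account and delegation name. Any other name is rejected."""
    if delegation_name not in account_delegations:
        raise UnknownDelegation(delegation_name)
    return account_delegations[delegation_name]


def dns_matches(pattern, name):
    """Assumed wildcard rule: a leading '*.' stands for exactly one label."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                      # e.g. ".cdn.ido.example"
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return label != "" and "." not in label


def check_csr(csr, template):
    """Step two: list every way the CSR departs from the template.
    An empty list means the CSR has the intended shape."""
    problems = []

    # Key algorithm must be listed and the size at least the configured minimum.
    min_bits = template.get("keyTypes", {}).get(csr.key_type)
    if min_bits is None:
        problems.append(f"key type {csr.key_type} not allowed")
    elif min_bits > csr.key_bits:
        problems.append(f"{csr.key_type} key of {csr.key_bits} bits is below {min_bits}")

    # keyUsage / extendedKeyUsage: the template is taken as the exact required
    # set (this example's assumption, not a rule stated by the RFC).
    for ext, have in (("keyUsage", csr.key_usage),
                      ("extendedKeyUsage", csr.extended_key_usage)):
        if ext in template and frozenset(template[ext]) != have:
            problems.append(f"{ext} {sorted(have)} differs from template {sorted(template[ext])}")

    # subjectAltName: only registered name forms, each covered by a pattern.
    san_template = template.get("subjectAltName", {})
    for kind, value in csr.subject_alt_names:
        if kind not in ALLOWED_SAN_KINDS:
            problems.append(f"SAN kind {kind} is not permitted in a delegated certificate")
            continue
        patterns = san_template.get(kind, [])
        if kind == "dns":
            covered = any(dns_matches(p, value) for p in patterns)
        else:
            covered = value in patterns       # uri / email: exact match only
        if not covered:
            problems.append(f"SAN {kind}:{value} is not covered by the delegation")
    return problems


# Constructed IdO-side configuration: one NDC account with one delegation.
ACCOUNT_DELEGATIONS = {
    "cdn-a": {
        "keyTypes": {"rsa": 2048, "ecdsa": 256},
        "keyUsage": ["digitalSignature"],
        "extendedKeyUsage": ["serverAuth"],
        "subjectAltName": {"dns": ["*.cdn.ido.example"]},
    }
}


def vet_order(delegation_name, csr, account_delegations=ACCOUNT_DELEGATIONS):
    """What the IdO runs before forwarding an NDC order to the CA."""
    template = select_template(account_delegations, delegation_name)
    return check_csr(csr, template)


if __name__ == "__main__":
    csr = ParsedCSR("ecdsa", 256, (("dns", "edge1.cdn.ido.example"),),
                    frozenset({"digitalSignature"}), frozenset({"serverAuth"}))
    print(vet_order("cdn-a", csr))   # []
```

<t indent="0">The check returns the full list of violations rather than a single boolean so that the IdO can record why an order was refused, and the delegation lookup fails closed: a delegation name the account was not preregistered for never reaches the template check, which is exactly the condition the unknownDelegation error type reports back to the NDC.</t> <t indent="0">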
This central role, in turn, means that (in delegation scenarios) the security requirements and verification associated with an ACME account may be more stringent than in base ACME deployments, since the out-of-band configuration of delegations that an account is authorized to use (combined with account authentication) takes the place of the normal ACME authorization challenge procedures. Therefore, the IdO <bcp14>MUST</bcp14> ensure that each account is associated with the exact policies (via their matching <tt>delegation</tt> objects) that define which domain names can be delegated to the account and how. The IdO is expected to use out-of-band means to preregister each NDC to the corresponding account.</t> </section> <section anchor="new-acme-channels" numbered="true" toc="include" removeInRFC="false" pn="section-7.3"> <name slugifiedName="name-new-acme-channels">New ACME Channels</name> <t indent="0" pn="section-7.3-1">Using the model established in <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555" section="10.1"/>, we can decompose the interactions of the basic delegation workflow, as shown in <xref target="fig-sec-channels" format="default" sectionFormat="of" derivedContent="Figure 14"/>.</t> <figure anchor="fig-sec-channels" align="left" suppress-title="false" pn="figure-14"> <name slugifiedName="name-delegation-channels-topolog">Delegation Channels Topology</name> <artset pn="section-7.3-2.1"> <artwork type="svg" name="" align="left" alt="" pn="section-7.3-2.1.1"><svg xmlns="http://www.w3.org/2000/svg" class="diagram" version="1.1" height="345" width="504" viewBox="0 0 504.0 345.0"> <g transform="translate(8,16)"> <path d="M 0,16 L 48,16" fill="none" stroke="black"/> <path d="M 168,16 L 240,16" fill="none" stroke="black"/> <path d="M 48,32 L 160,32" fill="none" stroke="black"/> <path d="M 0,48 L 24,48" fill="none" 
stroke="black"/> <path d="M 24,48 L 48,48" fill="none" stroke="black"/> <path d="M 168,64 L 192,64" fill="none" stroke="black"/> <path d="M 192,64 L 240,64" fill="none" stroke="black"/> <path d="M 216,112 L 320,112" fill="none" stroke="black"/> <path d="M 320,112 L 432,112" fill="none" stroke="black"/> <path d="M 168,144 L 192,144" fill="none" stroke="black"/> <path d="M 192,144 L 216,144" fill="none" stroke="black"/> <path d="M 216,144 L 240,144" fill="none" stroke="black"/> <path d="M 408,144 L 432,144" fill="none" stroke="black"/> <path d="M 432,144 L 464,144" fill="none" stroke="black"/> <path d="M 408,176 L 432,176" fill="none" stroke="black"/> <path d="M 432,176 L 448,176" fill="none" stroke="black"/> <path d="M 448,176 L 464,176" fill="none" stroke="black"/> <path d="M 168,192 L 216,192" fill="none" stroke="black"/> <path d="M 216,192 L 240,192" fill="none" stroke="black"/> <path d="M 216,208 L 312,208" fill="none" stroke="black"/> <path d="M 312,208 L 432,208" fill="none" stroke="black"/> <path d="M 24,240 L 192,240" fill="none" stroke="black"/> <path d="M 192,240 L 448,240" fill="none" stroke="black"/> <path d="M 0,16 L 0,48" fill="none" stroke="black"/> <path d="M 24,48 L 24,240" fill="none" stroke="black"/> <path d="M 48,16 L 48,32" fill="none" stroke="black"/> <path d="M 48,32 L 48,48" fill="none" stroke="black"/> <path d="M 168,16 L 168,64" fill="none" stroke="black"/> <path d="M 168,144 L 168,192" fill="none" stroke="black"/> <path d="M 192,64 L 192,144" fill="none" stroke="black"/> <path d="M 216,112 L 216,144" fill="none" stroke="black"/> <path d="M 216,192 L 216,208" fill="none" stroke="black"/> <path d="M 240,16 L 240,64" fill="none" stroke="black"/> <path d="M 240,144 L 240,192" fill="none" stroke="black"/> <path d="M 408,144 L 408,176" fill="none" stroke="black"/> <path d="M 432,112 L 432,144" fill="none" stroke="black"/> <path d="M 432,176 L 432,208" fill="none" stroke="black"/> <path d="M 448,176 L 448,240" fill="none" stroke="black"/> <path 
d="M 464,144 L 464,176" fill="none" stroke="black"/> <polygon points="168.000000,32.000000 156.000000,26.400000 156.000000,37.599998" transform="rotate(0.000000, 160.000000, 32.000000)" fill="black"/> <polygon points="200.000000,240.000000 188.000000,234.399994 188.000000,245.600006" transform="rotate(0.000000, 192.000000, 240.000000)" fill="black"/> <polygon points="320.000000,208.000000 308.000000,202.399994 308.000000,213.600006" transform="rotate(180.000000, 312.000000, 208.000000)" fill="black"/> <polygon points="328.000000,112.000000 316.000000,106.400002 316.000000,117.599998" transform="rotate(0.000000, 320.000000, 112.000000)" fill="black"/> <circle cx="192" cy="64" r="6" fill="white" stroke="black"/> <circle cx="192" cy="144" r="6" fill="white" stroke="black"/> <text text-anchor="middle" font-family="monospace" x="288" y="228" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="104" y="292" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="264" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="296" y="228" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="248" y="260" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="288" y="260" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="144" y="292" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="88" y="308" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="200" y="164" fill="black" font-size="1em">O</text> <text text-anchor="middle" font-family="monospace" x="424" y="292" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="80" y="308" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="200" 
y="36" fill="black" font-size="1em">O</text> <text text-anchor="middle" font-family="monospace" x="216" y="52" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="272" y="100" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="112" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="128" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="280" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="208" y="52" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="280" y="100" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="184" y="164" fill="black" font-size="1em">I</text> <text text-anchor="middle" font-family="monospace" x="256" y="228" fill="black" font-size="1em">V</text> <text text-anchor="middle" font-family="monospace" x="208" y="292" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="448" y="292" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="488" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="64" y="20" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="24" y="36" fill="black" font-size="1em">D</text> <text text-anchor="middle" font-family="monospace" x="208" y="180" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="216" y="180" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="328" y="228" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="176" y="260" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="72" y="292" 
fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="160" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="256" y="292" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="472" y="292" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="96" y="308" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="184" y="36" fill="black" font-size="1em">I</text> <text text-anchor="middle" font-family="monospace" x="80" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="288" y="292" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="48" y="308" fill="black" font-size="1em">v</text> <text text-anchor="middle" font-family="monospace" x="104" y="308" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="280" y="228" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="168" y="260" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="320" y="260" fill="black" font-size="1em">]</text> <text text-anchor="middle" font-family="monospace" x="360" y="292" fill="black" font-size="1em">-</text> <text text-anchor="middle" font-family="monospace" x="192" y="36" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="352" y="228" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="272" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="144" y="20" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="296" y="100" fill="black" font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="224" y="180" 
fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="240" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="320" y="292" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="40" y="308" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="192" y="52" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="8" y="292" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="32" y="292" fill="black" font-size="1em">U</text> <text text-anchor="middle" font-family="monospace" x="56" y="292" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="336" y="292" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="56" y="308" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="352" y="100" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="384" y="228" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="80" y="20" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="112" y="20" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="216" y="260" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="112" y="308" fill="black" font-size="1em">.</text> <text text-anchor="middle" font-family="monospace" x="72" y="20" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="304" y="228" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="360" y="228" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="40" y="292" fill="black" 
font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="464" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="88" y="20" fill="black" font-size="1em">E</text> <text text-anchor="middle" font-family="monospace" x="440" y="164" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="304" y="260" fill="black" font-size="1em">[</text> <text text-anchor="middle" font-family="monospace" x="136" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="200" y="292" fill="black" font-size="1em">f</text> <text text-anchor="middle" font-family="monospace" x="368" y="292" fill="black" font-size="1em">S</text> <text text-anchor="middle" font-family="monospace" x="72" y="308" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="288" y="100" fill="black" font-size="1em">M</text> <text text-anchor="middle" font-family="monospace" x="432" y="164" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="320" y="228" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="376" y="228" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="136" y="260" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="256" y="260" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="96" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="312" y="292" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="392" y="292" fill="black" font-size="1em">R</text> <text text-anchor="middle" font-family="monospace" x="136" y="20" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="312" y="100" fill="black" 
font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="184" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="224" y="292" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="64" y="308" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="320" y="100" fill="black" font-size="1em">h</text> <text text-anchor="middle" font-family="monospace" x="336" y="100" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="112" y="260" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="168" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="384" y="292" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="432" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="120" y="260" fill="black" font-size="1em">u</text> <text text-anchor="middle" font-family="monospace" x="272" y="260" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="312" y="260" fill="black" font-size="1em">1</text> <text text-anchor="middle" font-family="monospace" x="16" y="36" fill="black" font-size="1em">N</text> <text text-anchor="middle" font-family="monospace" x="192" y="180" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="184" y="260" fill="black" font-size="1em">)</text> <text text-anchor="middle" font-family="monospace" x="88" y="292" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="344" y="292" fill="black" font-size="1em">o</text> <text text-anchor="middle" font-family="monospace" x="416" y="292" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="200" y="52" fill="black" 
font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="328" y="100" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="128" y="260" fill="black" font-size="1em">b</text> <text text-anchor="middle" font-family="monospace" x="352" y="292" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="456" y="292" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="120" y="20" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="232" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="272" y="228" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="144" y="260" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="240" y="260" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="360" y="100" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="184" y="180" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="312" y="228" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="200" y="260" fill="black" font-size="1em">A</text> <text text-anchor="middle" font-family="monospace" x="408" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="480" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="104" y="20" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="264" y="228" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="368" y="228" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="376" y="292" fill="black" 
font-size="1em">T</text> <text text-anchor="middle" font-family="monospace" x="128" y="20" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="184" y="52" fill="black" font-size="1em">s</text> <text text-anchor="middle" font-family="monospace" x="192" y="164" fill="black" font-size="1em">d</text> <text text-anchor="middle" font-family="monospace" x="152" y="260" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="48" y="292" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="120" y="292" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="264" y="260" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="280" y="260" fill="black" font-size="1em">e</text> <text text-anchor="middle" font-family="monospace" x="16" y="292" fill="black" font-size="1em">]</text> <text text-anchor="middle" font-family="monospace" x="192" y="292" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="152" y="20" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="344" y="100" fill="black" font-size="1em">n</text> <text text-anchor="middle" font-family="monospace" x="392" y="228" fill="black" font-size="1em">l</text> <text text-anchor="middle" font-family="monospace" x="104" y="260" fill="black" font-size="1em">(</text> <text text-anchor="middle" font-family="monospace" x="176" y="292" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="304" y="292" fill="black" font-size="1em">a</text> <text text-anchor="middle" font-family="monospace" x="440" y="292" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="200" y="180" fill="black" font-size="1em">i</text> <text text-anchor="middle" font-family="monospace" x="0" y="292" fill="black" 
font-size="1em">[</text> <text text-anchor="middle" font-family="monospace" x="64" y="292" fill="black" font-size="1em">t</text> <text text-anchor="middle" font-family="monospace" x="32" y="36" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="208" y="260" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="216" y="292" fill="black" font-size="1em">c</text> <text text-anchor="middle" font-family="monospace" x="32" y="308" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="224" y="52" fill="black" font-size="1em">r</text> <text text-anchor="middle" font-family="monospace" x="344" y="228" fill="black" font-size="1em">C</text> <text text-anchor="middle" font-family="monospace" x="224" y="260" fill="black" font-size="1em">E</text> </g> </svg> </artwork> <artwork type="ascii-art" name="" align="left" alt="" pn="section-7.3-2.1.2"><![CDATA[
.-----. ACME Channel .--------.
| NDC +------------->| IdO    |
'--+--'              | server |
   |                 '--o-----'
   |                    |
   |                    |         ACME Channel
   |                    |  .------------>--------------.
   |                    |  |                           |
   |                 .--o--+--.                     .--+---.
   |                 | IdO    |                     | CA   |
   |                 | client |                     |      |
   |                 '--+-+---'                     '--+-+-'
   |                    | '-----------<----------------' |
   |                    |       Validation Channel       |
   '-------------------->--------------------------------'
             (subset of) ACME Channel [1]

[1] Unauthenticated certificate fetch and non-STAR certificate
    revocation.
]]></artwork> </artset> </figure> <t indent="0" pn="section-7.3-3">The considerations regarding the security of the ACME Channel and Validation Channel discussed in <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555"/> apply verbatim to the IdO-CA leg. The same can be said for the ACME Channel on the NDC-IdO leg.
A slightly different set of considerations applies to the ACME Channel between the NDC and the CA, which consists of a subset of the ACME interface comprising two API endpoints: unauthenticated certificate retrieval and, potentially, non-STAR revocation via the certificate private key. No specific security considerations apply to the former, but the privacy considerations in <xref target="RFC8739" format="default" sectionFormat="of" section="6.3" derivedContent="RFC8739"/> do. With regard to the latter, it should be noted that there is currently no means for an IdO to disable authorizing revocation based on certificate private keys. So, in theory, an NDC could use the revocation API directly with the CA, thereby bypassing the IdO. The NDC <bcp14>SHOULD NOT</bcp14> directly use the revocation interface exposed by the CA unless failing to do so would compromise the overall security, for example, if the certificate private key is compromised and the IdO is not currently reachable.</t> <t indent="0" pn="section-7.3-4">All other security considerations from <xref target="RFC8555" format="default" sectionFormat="of" derivedContent="RFC8555"/> and <xref target="RFC8739" format="default" sectionFormat="of" derivedContent="RFC8739"/> apply as is to the delegation topology.</t> </section> <section anchor="restricting-cdns-to-the-delegation-mechanism" numbered="true" toc="include" removeInRFC="false" pn="section-7.4"> <name slugifiedName="name-restricting-cdns-to-the-del">Restricting CDNs to the Delegation Mechanism</name> <t indent="0" pn="section-7.4-1">When a website is delegated to a CDN, the CDN can in principle modify the website at will, e.g., create and remove pages. This means that a malicious or breached CDN can pass the ACME (as well as common non-ACME) HTTPS-based validation challenges and generate a certificate for the site.
This is true regardless of whether or not the CNAME mechanism defined in the current document is used.</t> <t indent="0" pn="section-7.4-2">In some cases, this is the desired behavior; the domain holder trusts the CDN to have full control of the cryptographic credentials for the site. However, this document assumes a scenario where the domain holder only wants to delegate restricted control and wishes to retain the capability to cancel the CDN's credentials at short notice.</t> <t indent="0" pn="section-7.4-3">The following is a possible mitigation when the IdO wishes to ensure that a rogue CDN cannot issue unauthorized certificates:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7.4-4"> <li pn="section-7.4-4.1">The domain holder makes sure that the CDN cannot modify the DNS records for the domain. The domain holder should ensure it is the only entity authorized to modify the DNS zone. Typically, it establishes a CNAME resource record from a subdomain into a CDN-managed domain.</li> <li pn="section-7.4-4.2">The domain holder uses a Certification Authority Authorization (CAA) record <xref target="RFC8659" format="default" sectionFormat="of" derivedContent="RFC8659"/> to restrict certificate issuance for the domain to specific CAs that comply with ACME and are known to implement <xref target="RFC8657" format="default" sectionFormat="of" derivedContent="RFC8657"/>.</li> <li pn="section-7.4-4.3">The domain holder uses the ACME-specific CAA mechanism <xref target="RFC8657" format="default" sectionFormat="of" derivedContent="RFC8657"/> to restrict issuance to a specific CA account key that is controlled by it and <bcp14>MUST</bcp14> require "dns-01" as the sole validation method.</li> </ul> <t indent="0" pn="section-7.4-5">We note that the above solution may need to be tweaked depending on the exact capabilities and authorization flows supported by the 
selected CA. In addition, this mitigation may be bypassed if a malicious or misconfigured CA does not comply with CAA restrictions.</t> </section> </section> <section anchor="acknowledgments" numbered="true" toc="include" removeInRFC="false" pn="section-8"> <name slugifiedName="name-acknowledgments">Acknowledgments</name> <t indent="0" pn="section-8-1">We would like to thank the following people who contributed significantly to this document with their review comments and design proposals: Richard Barnes, Carsten Bormann, Roman Danyliw, Lars Eggert, <contact fullname="Frédéric" asciiFullname="Frederic"/> Fieau, Russ Housley, Ben Kaduk, Eric Kline, Sanjay Mishra, Francesca Palombini, Jon Peterson, Ryan Sleevi, Emile Stephan, and <contact fullname="Éric" asciiFullname="Eric"/> Vyncke.</t> <t indent="0" pn="section-8-2">This work is partially supported by the European Commission under Horizon 2020 grant agreement no. 688421 Measurement and Architecture for a Middleboxed Internet (MAMI). This support does not imply endorsement.</t> </section> </middle>
<back>
<displayreference target="I-D.ietf-acme-authority-token-tnauthlist" to="TOKEN-TNAUTHLIST"/> <displayreference target="I-D.ietf-cdni-interfaces-https-delegation" to="HTTPS-DELEGATION"/> <displayreference target="I-D.ietf-tls-subcerts" to="TLS-SUBCERTS"/> <displayreference target="I-D.mglt-lurk-tls13" to="MGLT-LURK-TLS13"/> <displayreference target="I-D.handrews-json-schema-validation" to="json-schema-07"/>
<references pn="section-9"> <name slugifiedName="name-references">References</name>
<references pn="section-9.1"> <name slugifiedName="name-normative-references">Normative References</name>
<reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"> <organization showOnFrontPage="true"/> </author> <date month="March" year="1997"/> <abstract> <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference>
<reference anchor="RFC2986" target="https://www.rfc-editor.org/info/rfc2986" quoteTitle="true" derivedAnchor="RFC2986"> <front> <title>PKCS #10: Certification Request Syntax Specification Version 1.7</title> <author fullname="M. Nystrom" initials="M." surname="Nystrom"> <organization showOnFrontPage="true"/> </author> <author fullname="B. Kaliski" initials="B." surname="Kaliski"> <organization showOnFrontPage="true"/> </author> <date month="November" year="2000"/> <abstract> <t indent="0">This memo represents a republication of PKCS #10 v1.7 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from the PKCS #9 v2.0 or the PKCS #10 v1.7 document. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="2986"/> <seriesInfo name="DOI" value="10.17487/RFC2986"/> </reference>
<reference anchor="RFC5280" target="https://www.rfc-editor.org/info/rfc5280" quoteTitle="true" derivedAnchor="RFC5280"> <front> <title>Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile</title> <author fullname="D. Cooper" initials="D." surname="Cooper"> <organization showOnFrontPage="true"/> </author> <author fullname="S. Santesson" initials="S." surname="Santesson"> <organization showOnFrontPage="true"/> </author> <author fullname="S. Farrell" initials="S." surname="Farrell"> <organization showOnFrontPage="true"/> </author> <author fullname="S. Boeyen" initials="S." surname="Boeyen"> <organization showOnFrontPage="true"/> </author> <author fullname="R. Housley" initials="R." surname="Housley"> <organization showOnFrontPage="true"/> </author> <author fullname="W. Polk" initials="W." surname="Polk"> <organization showOnFrontPage="true"/> </author> <date month="May" year="2008"/> <abstract> <t indent="0">This memo profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet. An overview of this approach and model is provided as an introduction. The X.509 v3 certificate format is described in detail, with additional information regarding the format and semantics of Internet name forms.
Standard certificate extensions are described and two Internet-specific extensions are defined. A set of required certificate extensions is specified. The X.509 v2 CRL format is described in detail along with standard and Internet-specific extensions. An algorithm for X.509 certification path validation is described. An ASN.1 module and examples are provided in the appendices. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="5280"/> <seriesInfo name="DOI" value="10.17487/RFC5280"/> </reference> <reference anchor="RFC7807" target="https://www.rfc-editor.org/info/rfc7807" quoteTitle="true" derivedAnchor="RFC7807"> <front> <title>Problem Details for HTTP APIs</title> <author fullname="M. Nottingham" initials="M." surname="Nottingham"> <organization showOnFrontPage="true"/> </author> <author fullname="E. Wilde" initials="E." surname="Wilde"> <organization showOnFrontPage="true"/> </author> <date month="March" year="2016"/> <abstract> <t indent="0">This document defines a "problem detail" as a way to carry machine- readable details of errors in a HTTP response to avoid the need to define new error response formats for HTTP APIs.</t> </abstract> </front> <seriesInfo name="RFC" value="7807"/> <seriesInfo name="DOI" value="10.17487/RFC7807"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"> <organization showOnFrontPage="true"/> </author> <date month="May" year="2017"/> <abstract> <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. 
This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8555" target="https://www.rfc-editor.org/info/rfc8555" quoteTitle="true" derivedAnchor="RFC8555"> <front> <title>Automatic Certificate Management Environment (ACME)</title> <author fullname="R. Barnes" initials="R." surname="Barnes"> <organization showOnFrontPage="true"/> </author> <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"> <organization showOnFrontPage="true"/> </author> <author fullname="D. McCarney" initials="D." surname="McCarney"> <organization showOnFrontPage="true"/> </author> <author fullname="J. Kasten" initials="J." surname="Kasten"> <organization showOnFrontPage="true"/> </author> <date month="March" year="2019"/> <abstract> <t indent="0">Public Key Infrastructure using X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. As of this writing, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. 
The protocol also provides facilities for other certificate management functions, such as certificate revocation.</t> </abstract> </front> <seriesInfo name="RFC" value="8555"/> <seriesInfo name="DOI" value="10.17487/RFC8555"/> </reference> <reference anchor="RFC8610" target="https://www.rfc-editor.org/info/rfc8610" quoteTitle="true" derivedAnchor="RFC8610"> <front> <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title> <author fullname="H. Birkholz" initials="H." surname="Birkholz"> <organization showOnFrontPage="true"/> </author> <author fullname="C. Vigano" initials="C." surname="Vigano"> <organization showOnFrontPage="true"/> </author> <author fullname="C. Bormann" initials="C." surname="Bormann"> <organization showOnFrontPage="true"/> </author> <date month="June" year="2019"/> <abstract> <t indent="0">This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t> </abstract> </front> <seriesInfo name="RFC" value="8610"/> <seriesInfo name="DOI" value="10.17487/RFC8610"/> </reference> <reference anchor="RFC8739" target="https://www.rfc-editor.org/info/rfc8739" quoteTitle="true" derivedAnchor="RFC8739"> <front> <title>Support for Short-Term, Automatically Renewed (STAR) Certificates in the Automated Certificate Management Environment (ACME)</title> <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"> <organization showOnFrontPage="true"/> </author> <author fullname="D. Lopez" initials="D." surname="Lopez"> <organization showOnFrontPage="true"/> </author> <author fullname="O. Gonzalez de Dios" initials="O." surname="Gonzalez de Dios"> <organization showOnFrontPage="true"/> </author> <author fullname="A. Pastor Perales" initials="A." 
surname="Pastor Perales"> <organization showOnFrontPage="true"/> </author> <author fullname="T. Fossati" initials="T." surname="Fossati"> <organization showOnFrontPage="true"/> </author> <date month="March" year="2020"/> <abstract> <t indent="0">Public key certificates need to be revoked when they are compromised, that is, when the associated private key is exposed to an unauthorized entity. However, the revocation process is often unreliable. An alternative to revocation is issuing a sequence of certificates, each with a short validity period, and terminating the sequence upon compromise. This memo proposes an Automated Certificate Management Environment (ACME) extension to enable the issuance of Short-Term, Automatically Renewed (STAR) X.509 certificates.</t> </abstract> </front> <seriesInfo name="RFC" value="8739"/> <seriesInfo name="DOI" value="10.17487/RFC8739"/> </reference> </references> <references pn="section-9.2"> <name slugifiedName="name-informative-references">Informative References</name> <reference anchor="I-D.ietf-acme-authority-token-tnauthlist" target="https://www.ietf.org/archive/id/draft-ietf-acme-authority-token-tnauthlist-08.txt" quoteTitle="true" derivedAnchor="I-D.ietf-acme-authority-token-tnauthlist"> <front> <title>TNAuthList profile of ACME Authority Token</title> <author fullname="Chris Wendt"> <organization showOnFrontPage="true">Comcast</organization> </author> <author fullname="David Hancock"> <organization showOnFrontPage="true">Comcast</organization> </author> <author fullname="Mary Barnes"> <organization showOnFrontPage="true">Independent</organization> </author> <author fullname="Jon Peterson"> <organization showOnFrontPage="true">Neustar Inc.</organization> </author> <date day="27" month="March" year="2021"/> <abstract> <t indent="0"> This document defines a profile of the Automated Certificate Management Environment (ACME) Authority Token for the automated and authorized creation of certificates for VoIP Telephone Providers to 
support Secure Telephony Identity (STI) using the TNAuthList defined by STI certificates. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-acme-authority-token-tnauthlist-08"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="I-D.ietf-cdni-interfaces-https-delegation" target="https://www.ietf.org/archive/id/draft-ietf-cdni-interfaces-https-delegation-05.txt" quoteTitle="true" derivedAnchor="I-D.ietf-cdni-interfaces-https-delegation"> <front> <title>CDNI extensions for HTTPS delegation</title> <author fullname="Frederic Fieau"> <organization showOnFrontPage="true">Orange</organization> </author> <author fullname="Emile Stephan"> <organization showOnFrontPage="true">Orange</organization> </author> <author fullname="Sanjay Mishra"> <organization showOnFrontPage="true">Verizon</organization> </author> <date day="12" month="March" year="2021"/> <abstract> <t indent="0"> The delivery of content over HTTPS involving multiple CDNs raises credential management issues. This document proposes extensions in CDNI Control and Metadata interfaces to setup HTTPS delegation from an Upstream CDN (uCDN) to a Downstream CDN (dCDN). </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-cdni-interfaces-https-delegation-05"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="I-D.ietf-stir-cert-delegation" target="https://www.ietf.org/archive/id/draft-ietf-stir-cert-delegation-04.txt" quoteTitle="true" derivedAnchor="I-D.ietf-stir-cert-delegation"> <front> <title>STIR Certificate Delegation</title> <author fullname="Jon Peterson"> <organization showOnFrontPage="true">Neustar, Inc.</organization> </author> <date day="22" month="February" year="2021"/> <abstract> <t indent="0"> The Secure Telephone Identity Revisited (STIR) certificate profile provides a way to attest authority over telephone numbers and related identifiers for the purpose of preventing telephone number spoofing. 
This specification details how that authority can be delegated from a parent certificate to a subordinate certificate. This supports a number of use cases, including those where service providers grant credentials to enterprises or other customers capable of signing calls with STIR. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-stir-cert-delegation-04"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="I-D.ietf-tls-subcerts" target="https://www.ietf.org/archive/id/draft-ietf-tls-subcerts-10.txt" quoteTitle="true" derivedAnchor="I-D.ietf-tls-subcerts"> <front> <title>Delegated Credentials for TLS</title> <author fullname="Richard Barnes"> <organization showOnFrontPage="true">Cisco</organization> </author> <author fullname="Subodh Iyengar"> <organization showOnFrontPage="true">Facebook</organization> </author> <author fullname="Nick Sullivan"> <organization showOnFrontPage="true">Cloudflare</organization> </author> <author fullname="Eric Rescorla"> <organization showOnFrontPage="true">Mozilla</organization> </author> <date day="24" month="January" year="2021"/> <abstract> <t indent="0"> The organizational separation between the operator of a TLS endpoint and the certification authority can create limitations. For example, the lifetime of certificates, how they may be used, and the algorithms they support are ultimately determined by the certification authority. This document describes a mechanism by which operators may delegate their own credentials for use in TLS, without breaking compatibility with peers that do not support this specification. 
</t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-tls-subcerts-10"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="I-D.mglt-lurk-tls13" target="https://www.ietf.org/archive/id/draft-mglt-lurk-tls13-04.txt" quoteTitle="true" derivedAnchor="I-D.mglt-lurk-tls13"> <front> <title>LURK Extension version 1 for (D)TLS 1.3 Authentication</title> <author fullname="Daniel Migault"> <organization showOnFrontPage="true">Ericsson</organization> </author> <date day="25" month="January" year="2021"/> <abstract> <t indent="0"> This document describes the LURK Extension 'tls13' which enables interactions between a LURK Client and a LURK Server in a context of authentication with (D)TLS 1.3. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-mglt-lurk-tls13-04"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="json-schema-07" target="https://datatracker.ietf.org/doc/html/draft-handrews-json-schema-validation-01" quoteTitle="true" derivedAnchor="json-schema-07"> <front> <title>JSON Schema Validation: A Vocabulary for Structural Validation of JSON</title> <author initials="A." surname="Wright" fullname="Austin Wright"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Andrews" fullname="Henry Andrews"> <organization showOnFrontPage="true"/> </author> <author initials="G." surname="Luff" fullname="Geraint Luff"> <organization showOnFrontPage="true"/> </author> <date year="2018"/> </front> </reference> <reference anchor="RFC6125" target="https://www.rfc-editor.org/info/rfc6125" quoteTitle="true" derivedAnchor="RFC6125"> <front> <title>Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)</title> <author fullname="P. Saint-Andre" initials="P." 
surname="Saint-Andre"> <organization showOnFrontPage="true"/> </author> <author fullname="J. Hodges" initials="J." surname="Hodges"> <organization showOnFrontPage="true"/> </author> <date month="March" year="2011"/> <abstract> <t indent="0">Many application technologies enable secure communication between two entities by means of Internet Public Key Infrastructure Using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS). This document specifies procedures for representing and verifying the identity of application services in such interactions. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6125"/> <seriesInfo name="DOI" value="10.17487/RFC6125"/> </reference> <reference anchor="RFC7336" target="https://www.rfc-editor.org/info/rfc7336" quoteTitle="true" derivedAnchor="RFC7336"> <front> <title>Framework for Content Distribution Network Interconnection (CDNI)</title> <author fullname="L. Peterson" initials="L." surname="Peterson"> <organization showOnFrontPage="true"/> </author> <author fullname="B. Davie" initials="B." surname="Davie"> <organization showOnFrontPage="true"/> </author> <author fullname="R. van Brandenburg" initials="R." role="editor" surname="van Brandenburg"> <organization showOnFrontPage="true"/> </author> <date month="August" year="2014"/> <abstract> <t indent="0">This document presents a framework for Content Distribution Network Interconnection (CDNI). The purpose of the framework is to provide an overall picture of the problem space of CDNI and to describe the relationships among the various components necessary to interconnect CDNs. CDNI requires the specification of interfaces and mechanisms to address issues such as request routing, distribution metadata exchange, and logging information exchange across CDNs. 
The intent of this document is to outline what each interface needs to accomplish and to describe how these interfaces and mechanisms fit together, while leaving their detailed specification to other documents. This document, in combination with RFC 6707, obsoletes RFC 3466.</t> </abstract> </front> <seriesInfo name="RFC" value="7336"/> <seriesInfo name="DOI" value="10.17487/RFC7336"/> </reference> <reference anchor="RFC8225" target="https://www.rfc-editor.org/info/rfc8225" quoteTitle="true" derivedAnchor="RFC8225"> <front> <title>PASSporT: Personal Assertion Token</title> <author fullname="C. Wendt" initials="C." surname="Wendt"> <organization showOnFrontPage="true"/> </author> <author fullname="J. Peterson" initials="J." surname="Peterson"> <organization showOnFrontPage="true"/> </author> <date month="February" year="2018"/> <abstract> <t indent="0">This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. 
PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t> </abstract> </front> <seriesInfo name="RFC" value="8225"/> <seriesInfo name="DOI" value="10.17487/RFC8225"/> </reference> <reference anchor="RFC8226" target="https://www.rfc-editor.org/info/rfc8226" quoteTitle="true" derivedAnchor="RFC8226"> <front> <title>Secure Telephone Identity Credentials: Certificates</title> <author fullname="J. Peterson" initials="J." surname="Peterson"> <organization showOnFrontPage="true"/> </author> <author fullname="S. Turner" initials="S." surname="Turner"> <organization showOnFrontPage="true"/> </author> <date month="February" year="2018"/> <abstract> <t indent="0">In order to prevent the impersonation of telephone numbers on the Internet, some kind of credential system needs to exist that cryptographically asserts authority over telephone numbers. This document describes the use of certificates in establishing authority over telephone numbers, as a component of a broader architecture for managing telephone numbers as identities in protocols like SIP.</t> </abstract> </front> <seriesInfo name="RFC" value="8226"/> <seriesInfo name="DOI" value="10.17487/RFC8226"/> </reference> <reference anchor="RFC8657" target="https://www.rfc-editor.org/info/rfc8657" quoteTitle="true" derivedAnchor="RFC8657"> <front> <title>Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding</title> <author fullname="H. Landau" initials="H." 
surname="Landau"> <organization showOnFrontPage="true"/> </author> <date month="November" year="2019"/> <abstract> <t indent="0">The Certification Authority Authorization (CAA) DNS record allows a domain to communicate an issuance policy to Certification Authorities (CAs) but only allows a domain to define a policy with CA-level granularity. However, the CAA specification (RFC 8659) also provides facilities for an extension to admit a more granular, CA-specific policy. This specification defines two such parameters: one allowing specific accounts of a CA to be identified by URIs and one allowing specific methods of domain control validation as defined by the Automatic Certificate Management Environment (ACME) protocol to be required.</t> </abstract> </front> <seriesInfo name="RFC" value="8657"/> <seriesInfo name="DOI" value="10.17487/RFC8657"/> </reference> <reference anchor="RFC8659" target="https://www.rfc-editor.org/info/rfc8659" quoteTitle="true" derivedAnchor="RFC8659"> <front> <title>DNS Certification Authority Authorization (CAA) Resource Record</title> <author fullname="P. Hallam-Baker" initials="P." surname="Hallam-Baker"> <organization showOnFrontPage="true"/> </author> <author fullname="R. Stradling" initials="R." surname="Stradling"> <organization showOnFrontPage="true"/> </author> <author fullname="J. Hoffman-Andrews" initials="J." surname="Hoffman-Andrews"> <organization showOnFrontPage="true"/> </author> <date month="November" year="2019"/> <abstract> <t indent="0">The Certification Authority Authorization (CAA) DNS Resource Record allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain name. CAA Resource Records allow a public CA to implement additional controls to reduce the risk of unintended certificate mis-issue. 
This document defines the syntax of the CAA record and rules for processing CAA records by CAs.</t> <t indent="0">This document obsoletes RFC 6844.</t> </abstract> </front> <seriesInfo name="RFC" value="8659"/> <seriesInfo name="DOI" value="10.17487/RFC8659"/> </reference> </references> </references> <section anchor="document-history" numbered="true" toc="include" removeInRFC="false" pn="section-appendix.a"> <name slugifiedName="name-document-history">Document History</name> <t indent="0" pn="section-appendix.a-1">[[Note to RFC Editor: please remove before publication.]]</t> <section anchor="draft-ietf-acme-star-delegation-09" numbered="true" toc="include" removeInRFC="false" pn="section-a.1"> <name slugifiedName="name-draft-ietf-acme-star-delega">draft-ietf-acme-star-delegation-09</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.1-1"> <li pn="section-a.1-1.1">A few remaining comments by Ben Kaduk.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-08" numbered="true" toc="include" removeInRFC="false" pn="section-a.2"> <name slugifiedName="name-draft-ietf-acme-star-delegat">draft-ietf-acme-star-delegation-08</name> <t indent="0" pn="section-a.2-1">Extensive reviews by multiple IETF contributors and IESG members (many thanks to all involved, your names are in the Acknowledgments). Specifically:</t> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.2-2"> <li pn="section-a.2-2.1">More clarity in the Terminology, and correct distinction between CA and ACME server.</li> <li pn="section-a.2-2.2">Explicit description of "delegations list", the object returned by the <tt>delegations</tt> URL.</li> <li pn="section-a.2-2.3">The <tt>delegation</tt> is no longer part of the identifier, rather it is a property of the order.</li> <li pn="section-a.2-2.4">Clarified the negotiation of unauthenticated GET for fetching certificates. 
This includes some normative changes.</li> <li pn="section-a.2-2.5">Explicit description of the changes required on the CA: support for unauthenticated GET.</li> <li pn="section-a.2-2.6">Some changes to IANA registrations and a change to the registration policy of a new registry.</li> <li pn="section-a.2-2.7">More detail about security considerations related to pre-registration of the NDC as an ACME account on IdO.</li> <li pn="section-a.2-2.8">Minor changes to the CSR Template schemas.</li> <li pn="section-a.2-2.9">Many editorial changes.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-07" numbered="true" toc="include" removeInRFC="false" pn="section-a.3"> <name slugifiedName="name-draft-ietf-acme-star-delegati">draft-ietf-acme-star-delegation-07</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.3-1"> <li pn="section-a.3-1.1">SecDir comments by Russ Housley.</li> <li pn="section-a.3-1.2">In particular, reorganized some parts of the document to clarify handling of non-STAR certificates.</li> <li pn="section-a.3-1.3">And changed the document's title accordingly.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-06" numbered="true" toc="include" removeInRFC="false" pn="section-a.4"> <name slugifiedName="name-draft-ietf-acme-star-delegatio">draft-ietf-acme-star-delegation-06</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.4-1"> <li pn="section-a.4-1.1">CDDL schema to address Roman's remaining comments.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-05" numbered="true" toc="include" removeInRFC="false" pn="section-a.5"> <name slugifiedName="name-draft-ietf-acme-star-delegation">draft-ietf-acme-star-delegation-05</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.5-1"> <li pn="section-a.5-1.1">Detailed AD review by Roman Danyliw.</li> <li pn="section-a.5-1.2">Some comments that were left unaddressed in Ryan 
Sleevi's review.</li> <li pn="section-a.5-1.3">Numerous other edits for clarity and consistency.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-04" numbered="true" toc="include" removeInRFC="false" pn="section-a.6"> <name slugifiedName="name-draft-ietf-acme-star-delegation-">draft-ietf-acme-star-delegation-04</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.6-1"> <li pn="section-a.6-1.1">Delegation of non-STAR certificates.</li> <li pn="section-a.6-1.2">More IANA clarity, specifically on certificate extensions.</li> <li pn="section-a.6-1.3">Add delegation configuration object and extend account and order objects accordingly.</li> <li pn="section-a.6-1.4">A lot more depth on Security Considerations.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-03" numbered="true" toc="include" removeInRFC="false" pn="section-a.7"> <name slugifiedName="name-draft-ietf-acme-star-delegation-0">draft-ietf-acme-star-delegation-03</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.7-1"> <li pn="section-a.7-1.1">Consistency with the latest changes in the base ACME STAR document, e.g. 
star-delegation-enabled capability renamed and moved.</li> <li pn="section-a.7-1.2">Proxy use cases (recursive delegation) and the definition of proxy behavior.</li> <li pn="section-a.7-1.3">More detailed analysis of the CDNI and STIR use cases, including sequence diagrams.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-02" numbered="true" toc="include" removeInRFC="false" pn="section-a.8"> <name slugifiedName="name-draft-ietf-acme-star-delegation-02">draft-ietf-acme-star-delegation-02</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.8-1"> <li pn="section-a.8-1.1">Security considerations: review by Ryan Sleevi.</li> <li pn="section-a.8-1.2">CSR template simplified: instead of being a JSON Schema document itself, it is now a simple JSON document which validates to a JSON Schema.</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-01" numbered="true" toc="include" removeInRFC="false" pn="section-a.9"> <name slugifiedName="name-draft-ietf-acme-star-delegation-01">draft-ietf-acme-star-delegation-01</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.9-1"> <li pn="section-a.9-1.1">Refinement of the CDNI use case.</li> <li pn="section-a.9-1.2">Addition of the CSR template (partial, more work required).</li> <li pn="section-a.9-1.3">Further security considerations (work in progress).</li> </ul> </section> <section anchor="draft-ietf-acme-star-delegation-00" numbered="true" toc="include" removeInRFC="false" pn="section-a.10"> <name slugifiedName="name-draft-ietf-acme-star-delegation-00">draft-ietf-acme-star-delegation-00</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.10-1"> <li pn="section-a.10-1.1">Republished as a working group draft.</li> </ul> </section> <section anchor="draft-sheffer-acme-star-delegation-01" numbered="true" toc="include" removeInRFC="false" pn="section-a.11"> <name 
slugifiedName="name-draft-sheffer-acme-star-del">draft-sheffer-acme-star-delegation-01</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.11-1"> <li pn="section-a.11-1.1">Added security considerations about disallowing CDNs from issuing certificates for a delegated domain.</li> </ul> </section> <section anchor="draft-sheffer-acme-star-delegation-00" numbered="true" toc="include" removeInRFC="false" pn="section-a.12"> <name slugifiedName="name-draft-sheffer-acme-star-dele">draft-sheffer-acme-star-delegation-00</name> <ul spacing="compact" bare="false" empty="false" indent="3" pn="section-a.12-1"> <li pn="section-a.12-1.1">Initial version, some text extracted from draft-sheffer-acme-star-requests-02.</li> </ul> </section> </section> <section anchor="csr-template-schema-cddl" numbered="true" toc="include" removeInRFC="false" pn="section-appendix.b"> <name slugifiedName="name-csr-template-cddl">CSR Template: CDDL</name> <t indent="0" pn="section-appendix.b-1">Following is the normative definition of the CSR template, using CDDL <xref target="RFC8610" format="default" sectionFormat="of" derivedContent="RFC8610"/>. The CSR template <bcp14>MUST</bcp14> be a valid JSON document, compliant with the syntax defined here.</t> <t indent="0" pn="section-appendix.b-2">There are additional constraints not expressed in CDDL that <bcp14>MUST</bcp14> be validated by the recipient, including:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-appendix.b-3"> <li pn="section-appendix.b-3.1">the value of each <tt>subjectAltName</tt> entry is compatible with its type and</li> <li pn="section-appendix.b-3.2">the parameters in each <tt>keyTypes</tt> entry form an acceptable combination.</li> </ul> <sourcecode name="" type="cddl" pn="section-appendix.b-4"><![CDATA[
csr-template-schema = {
  keyTypes: [ + $keyType ]
  ? subject: non-empty<distinguishedName>
  extensions: extensions
}

non-empty<M> = (M) .and ({ + any => any })

mandatory-wildcard = "**"
optional-wildcard = "*"
wildcard = mandatory-wildcard / optional-wildcard

; regtext matches all text strings but "*" and "**"
regtext = text .regexp "([^\*].*)|([\*][^\*].*)|([\*][\*].+)"

regtext-or-wildcard = regtext / wildcard

distinguishedName = {
  ? country: regtext-or-wildcard
  ? stateOrProvince: regtext-or-wildcard
  ? locality: regtext-or-wildcard
  ? organization: regtext-or-wildcard
  ? organizationalUnit: regtext-or-wildcard
  ? emailAddress: regtext-or-wildcard
  ? commonName: regtext-or-wildcard
}

$keyType /= rsaKeyType
$keyType /= ecdsaKeyType

rsaKeyType = {
  PublicKeyType: "rsaEncryption" ; OID: 1.2.840.113549.1.1.1
  PublicKeyLength: rsaKeySize
  SignatureType: $rsaSignatureType
}

rsaKeySize = uint

; RSASSA-PKCS1-v1_5 with SHA-256
$rsaSignatureType /= "sha256WithRSAEncryption"
; RSASSA-PKCS1-v1_5 with SHA-384
$rsaSignatureType /= "sha384WithRSAEncryption"
; RSASSA-PKCS1-v1_5 with SHA-512
$rsaSignatureType /= "sha512WithRSAEncryption"
; RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a 32 byte salt
$rsaSignatureType /= "sha256WithRSAandMGF1"
; RSASSA-PSS with SHA-384, MGF-1 with SHA-384, and a 48 byte salt
$rsaSignatureType /= "sha384WithRSAandMGF1"
; RSASSA-PSS with SHA-512, MGF-1 with SHA-512, and a 64 byte salt
$rsaSignatureType /= "sha512WithRSAandMGF1"

ecdsaKeyType = {
  PublicKeyType: "id-ecPublicKey" ; OID: 1.2.840.10045.2.1
  namedCurve: $ecdsaCurve
  SignatureType: $ecdsaSignatureType
}

$ecdsaCurve /= "secp256r1" ; OID: 1.2.840.10045.3.1.7
$ecdsaCurve /= "secp384r1" ; OID: 1.3.132.0.34
$ecdsaCurve /= "secp521r1" ; OID: 1.3.132.0.35

$ecdsaSignatureType /= "ecdsa-with-SHA256" ; paired with secp256r1
$ecdsaSignatureType /= "ecdsa-with-SHA384" ; paired with secp384r1
$ecdsaSignatureType /= "ecdsa-with-SHA512" ; paired with secp521r1

subjectaltname = {
  ? DNS: [ + regtext-or-wildcard ]
  ? Email: [ + regtext ]
  ? URI: [ + regtext ]
  * $$subjectaltname-extension
}

extensions = {
  ? keyUsage: [ + keyUsageType ]
  ? extendedKeyUsage: [ + extendedKeyUsageType ]
  subjectAltName: non-empty<subjectaltname>
}

keyUsageType /= "digitalSignature"
keyUsageType /= "nonRepudiation"
keyUsageType /= "keyEncipherment"
keyUsageType /= "dataEncipherment"
keyUsageType /= "keyAgreement"
keyUsageType /= "keyCertSign"
keyUsageType /= "cRLSign"
keyUsageType /= "encipherOnly"
keyUsageType /= "decipherOnly"

extendedKeyUsageType /= "serverAuth"
extendedKeyUsageType /= "clientAuth"
extendedKeyUsageType /= "codeSigning"
extendedKeyUsageType /= "emailProtection"
extendedKeyUsageType /= "timeStamping"
extendedKeyUsageType /= "OCSPSigning"
extendedKeyUsageType /= oid

oid = text .regexp "([0-2])((\.0)|(\.[1-9][0-9]*))*"
]]></sourcecode> </section> <section anchor="csr-template-schema" numbered="true" toc="include" removeInRFC="false" pn="section-appendix.c"> <name slugifiedName="name-csr-template-json-schema">CSR Template: JSON Schema</name> <t indent="0" pn="section-appendix.c-1">This appendix includes an alternative, non-normative JSON Schema definition of the CSR template. The syntax used is that of draft 7 of JSON Schema, which is documented in <xref target="json-schema-07" format="default" sectionFormat="of" derivedContent="json-schema-07"/>. Note that later versions of this (now-expired) draft describe later versions of the JSON Schema syntax. 
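</t> <t indent="0">The two constraints that the CDDL appendix says a recipient must validate on top of the template syntax, checked in code. This is an added example, not part of RFC 9115 or of any ACME implementation; it takes the curve-to-digest pairings from the comments in the CDDL and assumes a local policy minimum of 2048 bits for RSA keys, which neither schema fixes.</t> <sourcecode name="" type="python"><![CDATA[
```python
"""Checks a recipient applies on top of the CSR template syntax (added example).

Neither the CDDL nor the JSON Schema can express these two constraints:
  1. each keyTypes entry forms an acceptable combination, and
  2. each subjectAltName value is compatible with its type.
Illustrative code, not part of RFC 9115 or of any ACME implementation.
"""
import re

# Curve/digest pairings, taken from the comments in the CDDL.
ECDSA_PAIRS = {
    "secp256r1": "ecdsa-with-SHA256",
    "secp384r1": "ecdsa-with-SHA384",
    "secp521r1": "ecdsa-with-SHA512",
}
RSA_SIGS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption",
    "sha512WithRSAEncryption", "sha256WithRSAandMGF1",
    "sha384WithRSAandMGF1", "sha512WithRSAandMGF1",
}
MIN_RSA_BITS = 2048       # assumed local policy; the template syntax sets no minimum
WILDCARDS = {"*", "**"}   # optional-wildcard / mandatory-wildcard, DNS entries only

# One DNS label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
URI_RE = re.compile(r"^[a-z][a-z0-9+.-]*:\S+$", re.IGNORECASE)


def check_key_type(kt):
    """Return the problems with one keyTypes entry ([] if it is acceptable)."""
    problems = []
    pkt, sig = kt.get("PublicKeyType"), kt.get("SignatureType")
    if pkt == "rsaEncryption":
        bits = kt.get("PublicKeyLength")
        if not isinstance(bits, int) or bits < MIN_RSA_BITS:
            problems.append(f"RSA PublicKeyLength {bits!r} is below {MIN_RSA_BITS}")
        if sig not in RSA_SIGS:
            problems.append(f"SignatureType {sig!r} is not an RSA signature type")
    elif pkt == "id-ecPublicKey":
        curve = kt.get("namedCurve")
        expected = ECDSA_PAIRS.get(curve)
        if expected is None:
            problems.append(f"unknown namedCurve {curve!r}")
        elif sig != expected:
            problems.append(f"{curve} must be paired with {expected}, not {sig!r}")
    else:
        problems.append(f"unknown PublicKeyType {pkt!r}")
    return problems


def check_san(san):
    """Return the problems with a subjectAltName object; wildcards are DNS-only."""
    problems = []
    for value in san.get("DNS", []):
        if value not in WILDCARDS and not HOSTNAME_RE.match(value):
            problems.append(f"DNS entry {value!r} is not a hostname")
    for value in san.get("Email", []):
        m = EMAIL_RE.match(value)
        if value in WILDCARDS or not m or not HOSTNAME_RE.match(m.group(1)):
            problems.append(f"Email entry {value!r} is not an email address")
    for value in san.get("URI", []):
        if value in WILDCARDS or not URI_RE.match(value):
            problems.append(f"URI entry {value!r} is not a URI")
    return problems


def validate_template(template):
    """Run both checks over a whole CSR template and return every problem found."""
    problems = []
    for i, kt in enumerate(template.get("keyTypes", [])):
        problems += [f"keyTypes[{i}]: {p}" for p in check_key_type(kt)]
    san = template.get("extensions", {}).get("subjectAltName", {})
    problems += [f"subjectAltName: {p}" for p in check_san(san)]
    return problems


# Constructed sample template: one acceptable ECDSA entry, one whose curve and
# digest do not match, and a wildcard in an Email list, where regtext forbids it.
SAMPLE_TEMPLATE = {
    "keyTypes": [
        {"PublicKeyType": "id-ecPublicKey", "namedCurve": "secp256r1",
         "SignatureType": "ecdsa-with-SHA256"},
        {"PublicKeyType": "id-ecPublicKey", "namedCurve": "secp384r1",
         "SignatureType": "ecdsa-with-SHA256"},
    ],
    "extensions": {
        "keyUsage": ["digitalSignature"],
        "extendedKeyUsage": ["serverAuth"],
        "subjectAltName": {"DNS": ["**", "cdn.example.com"], "Email": ["*"]},
    },
}

if __name__ == "__main__":
    for problem in validate_template(SAMPLE_TEMPLATE):
        print(problem)
```
]]></sourcecode> <t indent="0">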
At the time of writing, a stable reference for this syntax is not yet available, and we have chosen to use the draft version, which is currently best supported by tool implementations.</t> <t indent="0" pn="section-appendix.c-2">The same considerations about additional constraints checking discussed in <xref target="csr-template-schema-cddl" format="default" sectionFormat="of" derivedContent="Appendix B"/> apply here as well.</t> <sourcecode name="" type="json" pn="section-appendix.c-3"><![CDATA[
{
  "title": "JSON Schema for the STAR Delegation CSR template",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "http://ietf.org/acme/drafts/star-delegation/csr-template",
  "$defs": {
    "distinguished-name": {
      "$id": "#distinguished-name",
      "type": "object",
      "minProperties": 1,
      "properties": {
        "country": { "type": "string" },
        "stateOrProvince": { "type": "string" },
        "locality": { "type": "string" },
        "organization": { "type": "string" },
        "organizationalUnit": { "type": "string" },
        "emailAddress": { "type": "string" },
        "commonName": { "type": "string" }
      },
      "additionalProperties": false
    },
    "rsaKeyType": {
      "$id": "#rsaKeyType",
      "type": "object",
      "properties": {
        "PublicKeyType": { "type": "string", "const": "rsaEncryption" },
        "PublicKeyLength": { "type": "integer" },
        "SignatureType": {
          "type": "string",
          "enum": [
            "sha256WithRSAEncryption",
            "sha384WithRSAEncryption",
            "sha512WithRSAEncryption",
            "sha256WithRSAandMGF1",
            "sha384WithRSAandMGF1",
            "sha512WithRSAandMGF1"
          ]
        }
      },
      "required": [ "PublicKeyType", "PublicKeyLength", "SignatureType" ],
      "additionalProperties": false
    },
    "ecdsaKeyType": {
      "$id": "#ecdsaKeyType",
      "type": "object",
      "properties": {
        "PublicKeyType": { "type": "string", "const": "id-ecPublicKey" },
        "namedCurve": {
          "type": "string",
          "enum": [ "secp256r1", "secp384r1", "secp521r1" ]
        },
        "SignatureType": {
          "type": "string",
          "enum": [ "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512" ]
        }
      },
      "required": [ "PublicKeyType", "namedCurve", "SignatureType" ],
      "additionalProperties": false
    }
  },
  "type": "object",
  "properties": {
    "keyTypes": {
      "type": "array",
      "minItems": 1,
      "items": {
        "anyOf": [
          { "$ref": "#rsaKeyType" },
          { "$ref": "#ecdsaKeyType" }
        ]
      }
    },
    "subject": { "$ref": "#distinguished-name" },
    "extensions": {
      "type": "object",
      "properties": {
        "keyUsage": {
          "type": "array",
          "minItems": 1,
          "items": {
            "type": "string",
            "enum": [
              "digitalSignature",
              "nonRepudiation",
              "keyEncipherment",
              "dataEncipherment",
              "keyAgreement",
              "keyCertSign",
              "cRLSign",
              "encipherOnly",
              "decipherOnly"
            ]
          }
        },
        "extendedKeyUsage": {
          "type": "array",
          "minItems": 1,
          "items": {
            "anyOf": [
              {
                "type": "string",
                "enum": [
                  "serverAuth",
                  "clientAuth",
                  "codeSigning",
                  "emailProtection",
                  "timeStamping",
                  "OCSPSigning"
                ]
              },
              {
                "type": "string",
                "pattern": "^([0-2])((\\.0)|(\\.[1-9][0-9]*))*$",
                "description": "Used for OID values"
              }
            ]
          }
        },
        "subjectAltName": {
          "type": "object",
          "minProperties": 1,
          "properties": {
            "DNS": {
              "type": "array",
              "minItems": 1,
              "items": {
                "anyOf": [
                  { "type": "string", "enum": [ "*", "**" ] },
                  { "type": "string", "format": "hostname" }
                ]
              }
            },
            "Email": {
              "type": "array",
              "minItems": 1,
              "items": { "type": "string", "format": "email" }
            },
            "URI": {
              "type": "array",
              "minItems": 1,
              "items": { "type": "string", "format": "uri" }
            }
          },
          "additionalProperties": false
        }
      },
      "required": [ "subjectAltName" ],
      "additionalProperties": false
    }
  },
  "required": [ "extensions", "keyTypes" ],
  "additionalProperties": false
}
]]></sourcecode> </section> <section anchor="acknowledgements" numbered="false" toc="include" removeInRFC="false" pn="section-appendix.c"> <name slugifiedName="name-acknowledgements">Acknowledgements</name> <t indent="0" pn="section-8-1">We would like to thank the following people who contributed significantly to this document with their review comments and design proposals: <contact fullname="Richard Barnes"/>, <contact fullname="Carsten Bormann"/>, <contact fullname="Roman 
Danyliw"/>, <contact fullname="Lars Eggert"/>, <contact fullname="Frédéric Fieau"/>, <contact fullname="Russ Housley"/>, <contact fullname="Ben Kaduk"/>, <contact fullname="Erik Kline"/>, <contact fullname="Sanjay Mishra"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Jon Peterson"/>, <contact fullname="Ryan Sleevi"/>, <contact fullname="Emile Stephan"/>, and <contact fullname="Éric Vyncke"/>.</t> <t indent="0" pn="section-8-2">This work is partially supported by the European Commission under Horizon 2020 grant agreement no. 688421 Measurement and Architecture for a Middleboxed Internet (MAMI). This support does not imply endorsement.</t> </section> <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.d"> <name slugifiedName="name-authors-addresses">Authors' Addresses</name> <author initials="Y." surname="Sheffer" fullname="Yaron Sheffer"> <organization showOnFrontPage="true">Intuit</organization> <address> <email>yaronf.ietf@gmail.com</email> </address> </author> <author initials="D." surname="López" fullname="Diego López"> <organization showOnFrontPage="true">Telefonica I+D</organization> <address> <email>diego.r.lopez@telefonica.com</email> </address> </author> <author initials="A." surname="Pastor Perales" fullname="Antonio Agustín Pastor Perales"> <organization showOnFrontPage="true">Telefonica I+D</organization> <address> <email>antonio.pastorperales@telefonica.com</email> </address> </author> <author initials="T." 
surname="Fossati" fullname="Thomas Fossati"> <organization showOnFrontPage="true">ARM</organization> <address> <email>thomas.fossati@arm.com</email> </address> </author> </section> </back><!-- ##markdown-source:
kIB329XZfG8+sjLVrLsxN70vLbfF3ORifOSxG7fi8+6EXYgHN7hFskL1Z7se pdE1uHvy+nFxNs3v2nZtFwfaCl+hypee3gG5Rt4VOlb9zIG7JnBFwhvFLGtm 3e+C1Afoacgh4KpPERDURAPrFB3WtnKejN/bSCEM+2aXQc+b0OozTMMzsSlA t/InhRdg5rtRmg3uiI5/xumQu67vgERsWabBlsZb3GYGN9rI4BqPweWEORlH JC+KlNxm4UJ1I4msKZIfiUS7oNZTNLedjuIJTBmYV9zj2qASsKZ4AsRe4ZxL 618YPew/Un7GepV2jOXWziSQwI4a7lQa+j86B9GuEzdUpJHVO+9nzy/bOkBX l2lWS7FCTsEY25JiWqK0Sms4vncwIHFOPIs3sskhTRjnC37qa3CIDXNA/8QR kCJdNEQsx8o5hA60YkU5jBY2PLed86wNRRk4xILrzehWzUHYOrQGO6/2gImN 3/DFRNsGXT68uM5Bt7kreEDkCM8Ywap15fzw5NiV+0ljH1t8TIX710gmDx/x XfEnYyIO6W8ODlBHWzNJKO0VxtgIiLW7tVJPYo/aRltRJaFcvVd51WNCSRtl nxGxJJ46sJyUHZG92MsbqUyBjBfGxYfI0SWroCxPgYyO7Gg0y6fp+Fqr5H+R 4X9sMszd1IGu0d04buttdVLs3SuHh9Mvb0rOOaZiIzl/K5/45DzM0eNQKZpv NFuGpxID3ECaFVHokJE1TJETZEWSZCZZVHddp+vz7dOTLiDkjAObOGXTzObD sgqmRV5i9kMiempJVl90xWEcHoAGSGxBuItQm+ZHCez+YoQSfZgXXDDiXiTc UdkXpk1KLWwgjyPoQj0xNW7he/MnEpGDZIfj10vT7sQ/otxNi8SlbrIZypSh t1EXg1ulObX2TyURxMTA3nvqh0Y4gEeRB3Z7jUxtTXjB2qxNjpVBCUO2zDjV oadvBLKcUNBO5dEN96VHLoIwJ1i5YZLYrhtRgaaVYmJvlKT4VK3jqEPKx2jp xZY2G1EwW9GsUbCrpY/+bmmcFQdKrJmYHBkO00qgTs416lDjO0wY57Zk+xOg 7pQkvI3rrxHfmDcNT8clTKILCANOl5jGYTsGbnZ8XuQZ/NWh/DpIsTynA02e ZJCrQ6AG3qiUvDKYUYGMl0ccgxV6h7F9IfVesQYzzCSjqnbfBhZdxqXS4okD MfQpiCcSaErjohYSI4XFOrCR7WcWAe2CzB/vM1UFolG3esii6oYPawT/69S9 GiTcVPlai8EnqH3bQo6vUf0qWv2PrPrlZJAbMIZb3n8azenR99+8z399Fh8M H++8HR9kX/7x+eNvq3//mtO/mYbyhqxnixLzxy9/9c3bi5fpNL3/p3yynPT7 /Xj8/fun38Xx4+kff7tqUWK2mgd9ReYrvdn/WZWZGynqP7Zq8m8rl2yAx7+x 5HLv94ez8+9XaxWIFmivVyLWwPdGikQZVtJUhulTiY1ejkqkaoD9PUVb7lRL QtyE4xknjiGgIHnMFRm75JhMNwFp1fVT5lr9VPQJ+imzWT8V/bvQT1ltzXX0 9D+AQmqTLmqdGsoqoUxUG7Lr5zbZYHLhPEClGpKj5EN6A4f0/0Jzfws0x918 um7m++p4796wnHzb0M1swpQ1/cw6TNnU0QwqZqltaicxirj0aV2H7DTrvcaY lJ45oymZfeTAGYC3b9ZrPqJP1nyYNs3HGv3CDTQfxtN8RBs0H7xMTJzQc2CF 8BRqPoyV5a/VfIS6WT6hmvbDeNqP5p59ivbDNLQfN5Rl/kvV8XdTdUQH8SIe peg0Gh2mJeUUW4Uui+fJbIE2HM4agRlR5TsLXtYdT0R+BiALx8YpQ2ppALcB TbMilXP2NxPdvu4EnuvGpQ5rOPSdzpMqFspWC9HqcYLrie/mPcrzWRJnnf3o 
G/4NME089dUC3vJMpEiJnK9rihlM6ZTMc4CGQbg+rq2i+IGqwUQ1bTT1R9fG 5YJMKfMce9czQ5NgwQxPnj/x1ZOTBBPHMV/gH4k3EKupT5s7cmoKeFJMZqh/ hgO6PE9Q2Yyj2Xlfm+JetTWhnhxmgFVj+p8DTUE9BFTB4/RpEWa9oj0Auugm QGfagO5gEMJc9Ckw13q928FuaMMu2jE6389XmiaHzQxvm4jcKtzaugk338vz Xk/WDvvUmuevlqjeuHBcV9TAK/YBzxX28yieXGBPZRKcLSfiwaNspT4Uz9ZC rygRtOYHR2riGTw6fFd8sLJLpVBiikxkMR8IaY/R7LSIsyWnXEQgJYJxCbM8 dy7KjDrF3GFZElUShKmpKi9q2VhNHTEtLuKiTOYxrqrk/K0Yb2ezn9ecK9G6 YYJsgoGEZ9M9bicfxskCuASk57CHJePflYsZrksclr5InRlYoYiTNVue/RLd u5/nl8mFxLKsDGd4pHVj+KewbWmBxqxUgulqNxLvCkcMebJmuW/8WbD17bLA RL20H6gc98wfKCxbT3xaJGaXzBlKhDnDkkHAYSUzOFW8G2NL4no4BSzW99EM FE5JV0Sh0erKzdQQ9g0BpGrAoiaSyi283So5w1aYlW1leYebczmI3pEZMHXk om65bTjuUxHPkXjn20iemsctEjudi3DevFVyxeky4rfPnw4OO8pucV44bwMw ho+C0eRSehuNOdU517PLyqXir99FCyowODrsLWICRok32lm6v6zSlUpVBuAp 5Bdl+czuVW4P+n/3/ZUdcjvp9tymMmtFiZwtks9BVhlEiTTC6tVy0bfmFz3b MSIRrciieeYq9eWyjHJoYlDWuKIoE4w0Jqzp3e9+IzPwpepRlpyrtm1hLlOd y7fZFcmLY4BxWpSqn3enJeq9bNsRy7kzdT3xgtzwU6+0rrGJKkIDlS105LLc VhTO6dUYUC6qsjUOGilAKK9upfbGb1bAiGNKRQlElugJy+ehjdBVWKqbAs/a Bhit/EgUBPhxMAIG/Pie/HuN3HqY0t5vkteTatbLTRkA9CLHWV3YLB2u2FPg 8oCxfYEsrI4PmPyaFYZG5HDxfABYhAXcUt+HOAqWYwuLBUpQN7++eZOjIStl YUN8MiqqDFK2tggLrNBdGHNxNtUWEMzb+kN0ClLTpjG6Rz3pnRYw4kIPyKmU tj+pheTXxRlKiSrK5si3cG3WTWRCgAIuAimK0cwslgplyaR5gJrw0+VytgDm KgB68OpKK/nG30+A2DZ2swG1hqO+eF+0dhADzoaqUZzDceAn71VQf9R/WHPx 7Nr+ZDlwj1kVJdH+GHJmCH8mqVzrxIdXjgQWwPMXI++o/gSnfqbyC8isGjKn I04EolFkrZWwcuvKoimMSynmiqBgw86ASBqrPTqs8QYdqSiISQtGGjZMlUvr k7Vbazyq4d2AvgNhjjXHDqh+eKT5E8rzdGGT74iFw0gVAFaXyfH4sEU9cJy8 pICgRz16BFjIVzQbhmKuLYRXOENU40wf4qMAaGhORkxkf9fAIFayIrnG6oIs leZ6TLgtpKPjeuhRkZbvtYBC/mEVfSMp0gnk0YWy0EKLnDrCokovQpRSkpfn eiJwZT+klDUGi/5yQQdj+fpawUHScE6ylPIRcOGpIEuSVmnEcW36dpAgqG8e qZQobClJpmn59UpRMKjLyx/1kLvaqq+Bv9iKeobKYeJISZcLJ6Bo5bLpxiiI yI3R0o4ftFJV5qVC94iuVofKSQPhBpA8Rep8ogWUw5xJBPqo7D2hk+aTp+QD MV4JEu+cegMvd2ClGSXWmOMcSjBRRu88XwQaBAU3u9a29EVtoamS5Z6bpUmt 6gs5hig7plg4La1AZZ1HGDHMDYJc4LeCNWOssiK10QUfVrfKMKW/1w2IZSXG 
WaNphkt6qXXR1I9eSAzIG7ejV9aFRBaHppLbqg7lfCyhB4xIbRrmRwm2sbpL Ly371HbI5QRmUgCh3e2tvXk4H/b5dxM6ZT0sMNunQuXw15orQLc2XbJjBVMg W5Blf8u7mrxq/Ypo8CBzPecrvizQsSrD2rJOveB9qCwGVfoYceQaZtCxkgye afumvRAqdqq+2zo7OyphSKJvnIE+sPzmWX2AQbaCXtPs/anD89d06vVwO/oW xKTX/2gHU9+19oTQ23LPTxtv1OiQc5V6y8qo6NH5twWKk39ISHhWy2Pu4AD9 E9ZdbK9VA3zqS+w256eINNxxTk7n5izuExZW67UoMRM/cX0jtG1ZjImdBMKr zYYnQgtnisENMJo3UNkwvx1FVJXLEbGrcaVCObIbyP5ZVsP6oMY9RedoP53B fVlOz7kArOZecLXOOKrbi8l2lVC8WlYf2V42XnrZ8xeuHkxLMZbcSRau9hTy UzGIxaItCIr9LLPM6QuQR8eqbgPe4cu0PGdnE9UVrynl6SR//bCuQGgzHnQl 4UZaqbmkVKPIGvURMKNtikMSi78giD3R8Dx7LH6CIab1QVqitLRVBQHdFezy PyGTdlWor1h5Hi8S3/vHGp1x47lqbu4LoTVBU0fVwVxRKL+8w7XFoSQnk+eQ 5GWg48L0cHfQjmJEHW59kpRjljVcnudhyh9rOCDTEBmPOS3iGbNrPFsMiqBC SxQVqci9Xje3it9TvVyqxhVTOj2tZIoT5rNmrQyXeNa6XTVXWTbRniWFraTB FbEKK7BKKjgtrCqJW7oe3aF4kSUlsNL5lVqoVCBgSEGWrQCjAZgMNz7MSJI+ 7bMfUc5B1i76pcpRgSeTPdW0R0A9UdGDxdAvO2iEzsk0R8WBiI8bYGk1OGEU GanLrie/2FmowZNZSrgRGMgSecleqDAlte/byp48GrG2sW3DCTKdyNOok9a/ blJa5lLAy2pZNeOXwCnrVG3aqnA+p7dv80CZTV/WMhBrZbXsiVPqeYOqOz/n GdMrSxj3DAg5doc+rHyTKPtX6/6c3varwdigEzUJe/VIkFKwK1VQkQ6eugRP XbjWM1Grs4WkHklg9GRlVJd6TYuo6slrfq7G/h4cHr5QfeHD3R2gH/ZSkrwa wvYY5JUY5NfJDC2bA6y/CPCQkaqQDcgZZf5CzSFB+5BaRHwpqOAXKR3WdY29 uprtAdYlwitVrQg/cZe6HDxumIGn2kEMB7OxcVq4gVaDAXdcPSeRmGDGvmXW o5q2vJWnklJLDTcEC2SZH4kLHNVJVAOXMEn1Vg7/e94/sNUP9h7voMpK1Vn3 UXPbf9iPXtP0XVUxGcunIzY7Xsv4rcWuKuJVmlsuqHFFRmp/zZJG7NTdD6m4 TApy3m8Vnp1V3ePu9w2WJSdzaTdKMAutFvpOJIvy2+MjDKNHV3K/+BTiOtEX SO4rAXRByEgLFCeLLYLyjDE5sZXAhfIRgs2aQxiukMMaicwX+70PPZIJdG6G VR29mDngd8ZxRloe2GVRZADBgoMKc7RSiW/EdYXUAAQo0u222J3qhAJZX2kB ReGe/XPtOw8tddLhJpbvYKx+OuRDtNnvjrKzvA0emZMKA1Jwd+6WyKZ7aCJ3 NejYz36ezEeaGrB9Hb6fLd7DIhknqVY7ptHVJkU10FbexjLPQ/6BJRIIY0mj hfxGHoWWZNSRC6sOvLL6NnXDy8H3UYLxzUHBcmO3syo1VQFps5HisfMfbyWX +ZRUkpKmAV1wur68YRpXyoaSwQ05VdW0w+tOMw7y4WSMznrQnag6JUuj2yyt OTZKXPWkbSSKnYi0hmdUCZQ4e2LD2CQOX5yinVGcQHyNKlrDvALg6PRIucbV L5EpHlHVWBwUnIchOyp4wUU9mxdP0mSQx8fCFTTkW4EFGQGdzig+wqbRMEqg 
fJxHHiHiw+nl1KtVLYezmcJxzglLKjY0EmNHyRUjqhm6YrZOcgC2cfqakDzM Oepnd8XLEfC4NtsHl7bU4/QYZ1XQlS5lSKpmtBbJz/eybqTBtJmYGikwizJ+ mo2LFfFFLg+T/e4FwS98ubdz/7F93ch9CXLM3oOHv4U7eDwceB36aZjWT2JN Hs5rs3DeOAen+Hu3ZN9szb25MfNmS97Nj+LG3si5uT7jZiPf5ro4sXf+Frbl 2VyTZVMjyzZk2PTza9otZT7Y5dzE8RupMv38vLUUmUE5ZcykHj2TtNpvgQoe oM2E++GnPaCNPbKkaPx+yB42TR4OCVuvKCHy+GejtKFvz8+oc8DQFym0voxX IrEdHL4C9AxEGHBNJgNuw8OjjjF+cVayyFhTbdkj73ovZTSyxWk5XiIDAzO/ YBkony1JO2WEucG7bp0J/BsvyJnZFuWccBo0mfoMOybJLtIiz1hMrFmI7DSq y1wxKUH1JBxGGCcSsz5YMate20Mr7PZr5TpIQWH5KbSr0HTZGJPP8ulKiePW Et5scVH4Cf7aDfM2YxFcTGV5795D6w35UotQvIkLZK1mtrBISZ6OZT535++J ipcZOn6SOzHbQ2fpeyIKSr7U9INqC7K/mMtkFJUpkw5b+wKredDWlx1bUJP6 O0d+Oqh6jS4s5L1Cu4ou/nAB1AnRHTby0gS52Cm77dp30ySfFvHiHDdSPizZ NnZm4mhrFI/fLxdbBKueaglIxASrpMAyyN4IPMkZklIki3AL8yIuUiS3KICR m3OOzvTC3/lJuwkUaNKiVmqr7yKOluzdbK+fIbzj+1qQJhRnOmaPPqf7LBNM SUrVKr3CJJSqRmrQGv3EFaNlCFtpoVqWk8IK0Wew9859ivyhMzaymRbbXCj9 aPFbj9oDTjhn3tGzV1pFjjXMGmvrJzDsUvajJhQq3JUMssyGiFPhLC6mdMvN Nl6RjtVdwsXElFquLX1ezvEmFAEkdSO8UV66MYJGutNYdXVJ8OQZ7Qkol9SQ Cs7iQVETrfHd/NzICOIVwLVxgMdHKYT8vDCprEQf0KfkccbJgroOpVjNsbCj Y9lkTxEcQNY+Tc7wrdOwFOvxRQFtOJrVTuNy3Gdaig6vDl1/mthvRbNjTeUr sZ8S6CSTer1xhgrV3dKOlqoiJ60BqdrZ3O65SSMlS9CAGmNSLK8OLpIOq2Kn vSd1JP4Co/HhI0pe2vujjtXk+olnLEV5lL+fCE7QBcBSYQOfyMcyf3K0Rz2w sproe4W8b4G0cFvbxrMpIsbzOQCzKk/hS2ACRJLpUsMlshKA26txv1ObCB46 q/ZhrPJsFfgE0qYHm2SZ2xZGXh2QTi7z3gv08fXt03BBkNjgrgNnUUSDKV67 7bcDuEKjIr/EZ7DmMql66CM8yj/A1Yoz9hQkSwGNh4PnjSAcp694e3y0H51q HB193R8vbCDdHGZPkUrHkp8/dZXlNZ9C9IbXCOjg4A3MbrkAKTGJ5wyvWAWa /2aqgAcJ8jOZ5ukeE5rujag+ANUJwGnRzaGAuNlsSZprJaPEoBGGyspe4Wal +fO50m30qT9BEdz++vb1HYp+QY+vpAOpnXtV66BeYre1FJp01NZBSyG37bhT ++QqQn0TfHrwpr2D62Zx55oZUMVGIqq8C0s4B7sP+JrK52o93TUdbPq55c/m Vkv71kf+sq7g/xe1Esb1n9pRe1vTl2LEfeq6ZZG/iFqO+srtmi7wTm/TT/2o r6K3A/jr5AWdHh4inab92R6tO2pCoq0zuKY0Xu2or2T3Yd58BnfgFK+Cw574 +9A86ltu/3t/4F+8usrNnzVHbVdydbNHm4aI1t7qevuWFf6CP1lzq92GB+u4 /qibHYQ/2+O1t7qlg+tGbzvqsIPwZxDtfrnX3+nv9V2pzSsB5jtM/jZ30PZz 
Fa3ZgxvNXjZR7katA/9n+AoIWQM7XzODGy9hE2a7yU8N3ANtQwsxU60DHr1H eVHh8DYjcQ8jBYVoeu18ix/wOVN0E1GnHMryCwyC40XyDGNQl5nVvKkLijrZ iCB1b2fPsptdAkd/qiQ2spPcbGUqTLUFLGPifGYc+4JBpciHc3QFM854sp5e QutoIF+M5XbJWIfqRankIym6UN0UHUl4K8UYvDrqRMA5u3jh0/O8tMHIxtuN o6inCxYw6UandchBnmeYo1nSRhya1jwY1A+KqeV5/D5R33SOnmCGEdMCo/zB 3t/OwdHIknwBjqvWhWo1ZGPH6E/SnCTMr5/0u8hF1XixWyWx0Rg15lgm9Y2x PJXVYo/jSZApjMVhPxZSBBFj3VUb7u709SiJCzxi1pwnWL7OM8LVZ6lb4Llm R5ooiZwcqJiHDxRrmLxW1sZn466C7/Sf4CoreuCVXbG7T42O1rokTou2zTUL 8WLrAGVxgf+MZ6myCv1NDRB5WMpMhDny0O9Dfx8cnrnif/5g0daDthH8mQb/ 2N/6tqt1bHF7Q6Sdd3Rpa4Z8VG/J8/9a9/4TJit/2lM4uKbl/fpTYdlg6E8f k8K2P2O2tNo7dD4bWvabnNQtOtgrJib8qHYDLuh1Gx98ZQdruRN3hPdtttnd CRrVL0t7IzsQM6qsPrUX5po24T9nl5Pohm10Wxn+bm1uY6+MbOgV/dbGu141 T+nKspFruKH2Nljo+/GntNm149z7lHE2z+1L10aB54oAR4BHb337OBZ47vjA Y/HqpjZ12KGfQGTybsSV8J012JErV79S7eMQotW/aoLRrSboOFRrMW4NVtp+ Wrg6JqLMyp1c5hEFcgc5KETLg4zdUtRcYSFuq9MXBR8rVYDubPyStZ+YsaJh hlhXFBzVJ7t93myrgqQ9X8TVeaQ+o9r7E7PX51tdJJxMFEk5zG6OBWtZaUyt taGnJg0SkoYZB516WLK8h2b5NVzOE3NPZs6uoMiAACvRw4A1lyxneOwCWsKU peQfis/FREAleGLl/NRUFbZxG3FfNkI0sxr+Rr4eE5evoo3/IY3ZE/Ogjydq 5+4P3MJnceQ11mhNvTRPUrMOJs6NyavYHuT6uP+a061VFT4xD/sRZ89Hh/Ew jsFxvz5P7B1xGE2Ls+JQzSfmEa01y6WKO+2c1bC2RuLa4ED5iNZ3izpt5HgA WeeJedx2IJzEP1YhQxT+Ybquyjp5U+ahGWvOGUh5vU/Ml/U70jpv9mBpiwa3 aeoOBk/M7k5fHak4X13Z4gT9CpCI6sBV9vAvPtvICEMhVhxaI1ma9eBmLq2/ Uw34As01LAvhCicEFzpBczNMe9b02uDAWo5Ac+HjbGgeorc0iHTw/eIchTYb dn6cXKRogJxgNPgRxtYOOL3KGCsRqj0Ebr9LilYfGjOCwIo57tkmJsbeDPRS rsoqmWN1XGfPLquUoSOwYbcaebEb367LDlL4IHozGA7f5MWJ7zZqDbqP9/Yo 6pYMvyev0K8Aa6lvBV+wyffITdi6aiWTUwoX7UqqGUzsslDcMHyzB5Kqejj1 PMsDQKfRaf2///4/y2AyjK/sEWRLdlPbZkP1yauv7uzu3esEspnREMb6HLow iV2ZBAe/+xl4Jhzb06WZ8uxiPpAg0zXuTRB9zhKeYniZkR6o20Tjb2AtvFtc UXhbJ0BisLLPttb8hGNnUbezT0QNF4GzwHmSGVtjQsLql3kjh3cvjDUhL5Km O5aXUpvIIg7D9RGYFMni73K8c0iZGJHH3GNOM3Ux44R5yKilceaBrgCI2T61 QHrEp+CG0CxC3n5Cb86n1pJCijOAzk9eic0NewzMstAxnPy2QxYVExqcs6Yt xcFl/hZOR4lLzBrUggo8xJDUusQYuOFwkxfRbr9DZB17lE2qE2TZM5/+tRE/ 
HOFz6B/Q9aHNZovUzWUssH6GbnfrFJI81T3i6FMRsRkD1pestHbiZASX5KGS +VnJXsm51alWjfq7hMTPxvoTQVssqXY5cRduZ8R+z/NzGQWJKuFW83HjiaKf pfVuRXil6ttBRlHukzgFbORV8SnbZyjhhsF6na2yyInk4ijNXAoJh76EjJjn bU2chXXsqPEQNhmsQHNDidSmP+r7ksEaxZEqlkWS4X9+3uinT0oN3F8rwLTL wDVbziZFUfitlXlVYvGEGvi5bwKDwR98AY9l3Xv1fu2fTQHSmcyuZIX1Fg9a WrA15Y5qhK4bhOYaqoKubRI1dEC7N2oSKH+uHaXPE/O0PsEne+0bdmX1eDda i7MuXYl4GQCiSOoKjvjz0LX1IcOX0K1o7kZ7FEJcUyT3VCFs5yNI3vskUfwT RPCG8maD6H2rVmtJ6L61ngRyNjImlKG3xKwVl1mrQGqzWDaz4dmIICH1hhzk p+eVYFGVf0hvDXS2iH1XREkGR+EDLikbUkQMViKKGiQ4td4uHoWhqKvS+uqx j1E8Pk+TC41MKykRhnFk3guJ8d1OoqPBqwFKBF7+YWN++AH4rejpJK3yYh9E 4QTDwlG+R5+e38EPx96p/Qg/Zvay/+4dCQAYyfKMg3UEzW+h/L+lhViQ6SDj gUvtwm+0uJXd48mknq9SK5LIijifg+3mpeonZHgN6wEG8Iqfsc1I/0CPavjj WAkW3hkftNb+gXerJRnrleZMw05hX2i38Nv2XGtrPm/fQ7+WzWduVFAO59O2 6EB55NHs83asZQOv3xRMKFffSu+aXknsZeuX7bs4kCRHf9U+hp18MrCJyuAz dnE9CJb+ZmQo8oWbEbDtfpBQ6YW2EdKCm27zt3ix7iIWYHiUacu665fnkc0G 4YYSZL7WtHlyIk+pkCkFb3zmAbgewl2XLT4ktL0QGGnZ5RAw67u6zMjgeOgD 2iDTxzVxEUNsbB355t66mOwwFk7uYgNi/Sj86KkNtuCsn20RixEmxEU07orj Sjx+icGOaXlOpnb5mGsMeisLov7deFtdFg23hn4cIcEuigBb5JRXWZj3kulM lgXSFoo3dASIv6MQLApeFWdnjtfOvA/ZXF17yPGtXc65ZKULFpMoaNcFzyOM akJfItieloBTbNgHt0p1C9cMTtHv+g92vlyrZDghBSLWAJk5CUpDlOwWx+J5 4SJl2uKMzbURxQCI9jwYkSBz5B5x4H1U/7mKXsqiYEm8ngNvPa59+w/Cf6/2 EzUffcYnm5vDsBr24y2FE0qv3yX4hOO1m0HEe/3d/hozWbjaeuzQXz/s7t4N hq15d/wNVvsQsxYqlidUbmMOyVTBmm9J8cJ85T46wrAzD2uPggDlDuIkil1N kOmUjN1BYkoOGU6nmUuX4d0FSWCecAkuuAAYc15Umi/ORrCjM/oynWD2S+v+ zbkzOLsGYgxNHBCT9luuvf2m63zKdRBKKqSap/41vZKRjNOSXbBtJUsk62eF a6XIB+xk4AKzghAjVv8VCYcsx4uK9PJ+YgFvaO8EIqANkSbS8XJo2jBY4tOH moCkzquj3zilG3yJuQVt8Iafb5DxFpFNPzOhr5/TK8DCiObsb8uFaGq5EEUf /MqDu7GkKOfGszR7j6TJUqOEymqYhctdCjMY5+jrX+AqS9hz1uJphdeKnNmc 71S8aV5+Gjj0ubKMn8c2klv5E04jo65fXvordoRCWCdXdY309SJNXOx/sHY2 92j5WlFcP9wldbxNrEdB3kpPK5tnMctdxIBv7XLxQ4Zy5HDoNT2TZMMtRkk5 BEmJbzMPo4kIbZGchJlDANICdhLLk5PxkwOaNdOTTRCBi/MDbeYgEi4LyRal EVU4P+TfKfoHkAIwSDwNTCiReMYXDexnWRjuKiImNR55rIkF+m/zeGZMIMdL 
fnnyMQOO0ibomcKn+4z8YgZS4Vo1+TKrZ0sXU00hNZIqQ/MtUuZTdGEkdIAi PYrZrSka2XUto5ygesaYsxA1qbGbly0EdJEml906QGqiW5zmGQeESnQYWh1K Nl88RUabMbDF6wCbxYQ+WkXbGnxDhwxL73DE0Wieenm4ufKHBzB+ZQSyW7yM 33OpEK0OhJlYApzf3to6KIpdwE5li/I/bQWJ9evKW0od6ZXfwjHJGEUKc38Q 60jAliz0FeSgnW70gbgdP2kMhu6w/QBNWqJ5CRTKEjUl9jVS9w/seeBqya6K TcPEyOEJknr9xu0CtTTnFGAkzbdxQeUfEeFcJB4RgekBx0p4XDP1qpNkPMEo JuGv+XNDcC2OpDbha0I+GtbsVSC4u5lqYguXAwR3l/L9MhsQk+0CQDt1qMd3 2iTbKJdMDWBcysEsuaaR0elPAFlX2DoQHgL7qstxfE+zHP+TTXOsmX7YfLxm 22KumEJZFyS9Pu9kS8Sk8c1TFn4DrZlUa6qSBcExgrbCVWDPks2laFGqrGWz PKOysJHJgaYXWMckqwKP3zVIa+f1m9n4zr+DXi3zWqocg64cPlBQvnLZTYdS gDVJKeHOTRMjU8CkwKQRV3HKBUFheboh9YJldctQWMHPNCv46WXJl1TYRI69 LWGt6lhd4nby18lS3AmK5YXubW2vZinqtj41b7ciey+hu+HE55q9SoL/aXd8 /MvxgZZYeBwEsSGYjA1Vt8hZRuO0AMmWS1B6VczmBEScxksqDtkyOHQYfMOA xC9LSo5MiaNHs1zvgJsdhWvGdMssFjqrzus36TL3orgdp9INqwQwzyFZt0zT ieUZrB41EG4lJeYTUswQJsC3gaSmBSHsgXBnk55Tcv8+9a55S7stJl3Fw8aF qLaimno69Y7Govc9XlqRWBuM+KR9Fq84teByjHoDSkOt0QiUO2HWSC/orrSG Eou2v6sB012xy4oPhZ//oRwnWVykueIAe8s9YQXvasCH1hZhtL6ULlLSUHGe QNIyirKFa+IUsRWKsJkGyNMal1UvP+uNJLI49LPw1ZfCatgh8Uq73NUc7ds1 XJdO99qegbPqkyzIKRRpK8loYeUBEIB5iiYscuqyWjky1BBCXHkyr3aiIYHD n3QLPICUAdiEYpSR/lIiANGPxlIJrCVtU9kxnjpLBFwvu481/jhmSjgZuy+w 6eeY0OLk3OYQ8NO+kQSxJPpIByRARenme6qyY5GK89Abyzcgcuc8fTyW0+4S 4BwAaGTJDCTUtzaLE8udniDo37rdnf5unb6zI1iMrj3IdwArY5QwC8ayngmj uAR2uCWZBzKTZOjjoppkIcTsBjK/MF7YaKCfvwbnFYAGbtyHMK7z6yvaWlLr 3LKm3UAjJ9liyYjZND1Do5x6utX+PorWtQwe+nPe9Hng5PB1sJT+pnZr/Mc3 TK9PC7uzJhC3T6/Wjek2dc10DgZrx73SPJetbemM7qzbbA18XRu3erXhMKLQ QF03cG9uST+/cZn2FPx4VBOt8Tv/uu2hP2oYELBNpbnxyndCKP9h950x8J9G Pb5G7mFWj7WUOqGRHJnVZF1qmPeuXYttXjFGdJIvyPlSK47XyuNyZjnFKXXS GSwJ5+k21OhjTRskDpwO30h5ObiqI2gx93QvWOUbZsqIlIv2Sra6OHX5H2lw WaJyQ4AvegjJ2BpDa8sZsm4zrTaXcM1cLnQXlgH2St2Fy6pz3QeDrmHiIJkC S6ncoyftunCMDwlyKeNm4O0Gb46MOo6V+6xe2gAHwJQXKSqFcQLdaOEXIrKl Mz3BFwme3z4owgL8r9No2AMNt8ME20EKo6JLulMrg47rbXzy8pDYxbD24ATL m2I2N4Epa2IE/rPC7tPKq2zCiW1V7CrIod2lAiX1HRJPUYqLqKF8uaqdavoA 
jtwF0FyzN6ULP4Ux84LcOTnTIU1L2WavSzxIq8ayDEhYd2q0WsSlJcthOSup Dv3q9YnrpmUYB0iNMkWaqRdr80quwUmOFQA4TZWnQcDv6zxw11fLavIpH8fU 9A2uO1cQWTgd0sTbEyqQjcHDwBQ2MKC6OreCGwuhIW6AzgPwIYg0lNTfhqZ6 RYAEizFfdOylzGSlMjfw8N9LlamM6lpsuq60DFm8mPMhsWWB0+dQxlVguiml FzBanEc0wT4M9RGzQaQr8SW0HJF9F5j4X3I4e2JFHGH28XGKJZmx8C1tYDIx OiTCkMMs257yDs5knnMaOnzX4YAEiVN3uWSN5bpZIlFn6ZqGVbErLsNlmiY3 g6DQr/GzWUvWL6dR9wQ9giiGCy/Bs2Qbs0XsgtRr3cjP98m1Hie2/gzjS+HM sfwaTgK1JaU9I2CdKbEs2a5sClyBbswjqWnRguiG+tLtvI2d97nkqkKFO1Vk tQKglwQgnBppx22SIIUso7aFZKITZOdxV8agSCpN6e/qCJD2isR2Xeyt0viL IFAqsdwbxfuME6u/8cr6xC5x6BxESWXi/by5bh5+6frYFPl0aS8C3nmupsfk S8RHX8ntLIzBrsxJZgx1a16n3p3i1AeYWk3V6W6PBZOGXQsRkWmnamYRH0Gp t2Qna6iWZm28P+UZQoCrLQ69OEmKQgcI4l0dXJog9HUmlojlSCbFvg64tt48 zuKpTRnbb90XCoyBzwcD6VPDTB4+QCzoG6VCVhCPgSxANnKO+608an8wKNW6 NF8owWLNA4YtwG6Ryw1via3u5WbwCOW3tbNW5NTzxvOzl/nd4A2N3FLs5Dkf nbb3SzraAnZyW2ZMBFMuTwKdSZ1R0rtEW5jbY2d3S2qiYcLMxM+rPQfclU/q RVpYiYlIWhNsckK6hAkBsCXACsbvKWlDTQ1HOgdj72kqSFY5EZffoVayK9Qc D/qICDUbqaBB74aKYog5ioRKBNToxhyLodtAtYOBsfXp/DNn8BIiCQSYrN6D MZ4+7OuUE07i3oS5LlED9V5YQsUmiyRHInh5nvPJkPfVxK+Ap4yk73imrFKK eQHRSEdUzGrL2IeBcnrnJWC1/egYTh8z8H0TFxkSiIO4wBzd0TeoZMpgq44B ILPoMM5Ws/SyG73AjBhPp1O4I93o55S2G+AM6QHqcr7aelb85V8mf/kX2ACE kXGaPvNeATbFF3e/RlfCeAmdgwATPYctnmGMzzcw7nfxZPm+Gz2F76LvgPHC UKA4+xHO5yWgiCLuRs/IIFuO4+hNPCM9WtqNfgWH+AYLy5V4vMcrmPJwlsAO QFdzdIEeVskCdrl1zn/5H23TfUoPYa6/WWXj94lG2qFGhmJSMJCKbOgNuHu6 xJzpMIUD2Hu4ghSYR+VcniNuRLXvzt6O4SLWNhMpAFM/evj48f29XeCiyDI9 19rEg2J8nqJFasmBLgCdL9MJsAyj/AOgWso2m2HV45eDl0cdrUAoWRotpKYE qHC/8qJMJA81ei2h9dAgpB4qGD0H8Qv4dHSiZq1+HrU6UxPjNWJ2nKO1WGQW D+pJEZ9VPQpfjMfzpEchNJ7T5c6XXOjkDOAUK0NylRkLsaOVA4n+zTp8bNT7 7yKRG0D92DyxR09PnrkLlRd8L46eDr+1OfC352hYoDtZSppSoDYX+ewC7YEr IExaNr6wBUBqdxyOYOhl2iX/wJe4SWOuam/jA/3ku6xbZmMmSFzAZQcZClEm IVhwzqzoC/hUnG3Eyd8WmtnytdLo2rklHv2aSz+0R4Xunm+PX6ifYaDRJXEk wlhLAGYyWQnz52KXulq7nhmE2FU1kE9zLuN1OzrAvaAU+aTVTqbAVlmdemu0 MdZIlLJRAS+k/LRGYRLH6/JSS272TbtFzKCkcLfxcLmWw9q3dwmn0DI17HpI 
bLb0gUlO0ZvVdywVyiXfqOwUup5y/k+uwkuXgj3Q+go/HB0qkRXrpD4ybjJp dRrwMCyUlC4UhRgYSHIS+Wk0AMvCX46ahq1XL/v00a6+pCo3hBzIqVT3+0ZX 9hFejmEyPkyL4Or7tAEHOQqCV2GReTEFBgj5Yjpv8jGxPg3WkzbnOwdMqO8g 0Kb3K9lhdxJpsU2/o1ui7HPZiGerGy7wIS6QfOd4ywinsGsiU9dbZQv2u2Hn D7DzQ4IKmPHgUMk+bqBPuR2E6hZzcTeUrWbJGdVqk3ouJF16JJSmh51SNU/Y jYJ4IrrkeOgs4Clm07ppVOpjfNM9uo/SjKdGWH9EPb4IdLtkzG6Y1hwNYW2u z+r4GPjQhbY8sZdnEy1C45ugcq8II8bhBpAAPQNerNi2CFwssGG+71fo8HjD TbmHm3Lg9tILc47ZnVOup1AT1Ex4ReBtnUGYK3oZRfUBNNzHk4JBKsc6DrRe JO4TXBmXVXYJ/Leth6O3lR2vPrn1EIVj5NrCqmOw5zdRkAXZbbYqU1cQCfOs UHw75hawg3o1tWA5HMeMhu8U+Kd4ftMd3cMdHbajzX3/6jjoxxkHnicUlUZ0 a59C3qRIHrsBxkGNLKeWIfcoPAimipSAW+LbwhpyIo+pw69kEvc6veFKd3Gl x6Qtmns12Wh3dVN9R+DWelTbwuRKaT1ifZU6drC1lotYR4m2mVsmiWNKvtg3 nP4OT594SrKxUswE9oa7PAUMtOBO/P7gQzRGbNqRAVWgWjddyYkOYqVKYZz7 H3UPKEoz8Pn4qOFJqDqIm86KFnok0RgYn0TyKRE0KvJAsZckxHIG9TVdqmMO gXgYfrPPgRqNyBvfJ7+lOrVjn8L7XAeSrvgLS9U5W3Sub+tdWnDSQrIxg3cI +F0WpNPYk2LbKsL1/bLuXn0Rr8gTZ7rnOp5MzWhyRPB0DjaXgzrQAk5LFylN xGIa4ttxGbaeIjkRNCpAYWyXVePDpqH+j9aAxBFrQz2RftAddk5iKs6KO3Ol trgbtAqJBwmQEbK7sLuIb41sOcnoKypYo93tRz9Ed6KfyZ9UGuYXGq2xT8QV mlern7OkMV3SNcPlfG28zBrQjfvdAJy4hi+/hhG3X3aiPmLr7Z9gNGQDv/qa /vnYMcaWiuzZyldfcRkeLe0Yvtgy3p8tje9GjXbGPEEmma6KOg1SSWB8wC4+ JdnXoHfOa4PDa4uv+Ls+/A3gEm1t//CHf779rn+7c7X9A/xS+wv/uNPZMtq8 lxf+/LXTu5GbXGNz5ZB+EUkpo/2opTM+qrCs0foPtcTR+i+EUSb4udlX8ewt 3Pj131J8zYD5xfVfsQEFl93+DYCThc+7sIFlLHWmgsdUJkpfGPeRbGVQoKpR JCt6Er0+OtyPsBbj4/s7/d3dew/uf4nBTf1dvzGXztqXOQxBqoC3QcWq/ehn 8DJ4hAtwDWA+QCAqhMjj4WA4HPTefHcw3O1d7P63B4wNhs8Hvb0HD02jI1zm +rJcrr+D7xr93Xt8f31/8PJT+3uwu7e+P3i5sb/hMFhoN3r57bPebu0ZC8H3 MC0LclPxrLrJhkAr6Gx33Wiw0sZo9IxHu//4JqO57bpmNNiHxmj0jEd7eP8m o7nNtKMZH9bXwHet/loDwHd27j/AODpo6kqyAfBS1/RHC2TTywZse2140rao W/uo9+BWPWptBTsbtIIv72Fu9nv3Wz9/sLfb/rnOqbmhzWJy0JwT/fAZ2cnf sAuYclsXtJIbdgEn3NYFrc4YocUAI5lPGA5fDZl0t1EZpuJPEfsGH8kLqn9S f3w7+tnPwrF6lqTjKXsBvjoHDWHlzvQvj4+oB5vyh/WntkHIL/ncRzixr3E+ wXC4qc2aeY1PoEMUFiasP2z5AB48RbcC4ByR2Wz5AqNxrvkEHgxUW9/+GkOU 
cZ4tb8fHL9a8SWTU19ls1TaxxH9tWjeZL44tELj+I79i4PqP8kmCcwXOZcNX xAMAe1JJOv/1X2KSr2EVzxebO3x9MHxz7bB5CmwV/KeFd9vp7b3rbG//c38H OLZ/7v+w2/vyHTz88t3tTgeYPmSbG6KRJ1ivk5C01iHVkZukH5yaOd5ULLsb agI2ylAsK4mwQ/4bqejn0LscRb7oEf7q9dh1hluVoNQT8McS67SydLeDpmUv tpMiRlTOdFH/26iQ4HSYk46MqEmDWtu01QLvcwLShJO6wWeXIGNTSfk4KlmQ cUkP2JqOVipbRxyltlVSuahRcdxIuJjxGIPAMvX3JkUTzVMm5hmyrbPUCJVk oXkuz2fOAm+1cc4fsk0hsEbKtLFYviem2Rj5zu5/LL6yo5FfCpYUzFip1N9b dTtoy3hha3dSTdOf8VjYAZbA2r9714OEPrD3d1l7sPPoLj/7QtqlE68NKmXo Y1QucIvybk1tcddfonQCEO7VUg0En15Wq6cqI37R8pWtbVpJlVjWt7rn8zR7 wxallIrm7to3C/+xjhVUjXUPvQFYStyyrz52XdNmbdlP7sKrQPvJbX2R7K9t zyLd5/TiC3uf096JgTdubWq9bLkrGBz+WTwr2V9bi+46+bAN4Ly31wLaOnCq V0TetKKu/45wR7OOc+ueNWs6tw6D/qvTpGjvo15w+cYTTbLlPKh3TE/Xyafd xmetYmfzs1ZpsvlZUwbcNOL6b1rkLffBuw2wpxrvsAR0CAYbjm7ticjzd58O 5L6Y2Abmwft/Q0CvyaqtUBrUDf9rQbRRddx7wTJoywuWNtuB4e93nZoCa3fT ByiObvwAhc2/D0B7J/S3hGWjtdhb4LINJrdUs+1DvLbFKpyrgEk4Av4k5A9S eeKBeJytXp/VzuancJd/BjxrnXZ4X3zs3qBpcB/9xvZ3Pa6PwT0X6Ti44tpn C+8U4ohmhfvPwAFeDftWeA/3fe3er9n/oKuWq7Pu8kQtSoFu/YuaTqDxvq4S aHzQ0Ai0deEUAm1vrT6g8VLVAY0XgTagOadAGeC/etcKVwEfVxOp/45n2nav 8Oen2t/XHb/sSCsI0DtP6dFsGQX6jvb3nqqj9YO6lqP1o0DB0fpFoNuov31X e/Kx3sVnbduCwr9Qbtj6g1OOiHakrh75WVsPno8c9vIWJVwUR18fHUr63vpa Pn4iSIaKwXUAWUNW9G6tGMhrb0dn9O7w1bDxcCP063itN4Bett8CerXuJuBP 8/NgJmuPlr7acCvo/e01DSM2gba9qMMh/jRg8a+eOOfvI41DXlaOcNXGvf6W BH/X5rlFOvJ/xXO+/j66dRNO2Xx16st5e3z0D7qYZZFes5R13NL1PKLf/Dr2 tYZK/hqGtDGAz0x1a8yokUE2D/CRtHz/H/Le7yZuHgEA --></rfc>