rfc9677.original | rfc9677.txt | |||
---|---|---|---|---|
Network Working Group F. Fieau | Internet Engineering Task Force (IETF) F. Fieau | |||
Internet-Draft E. Stephan | Request for Comments: 9677 E. Stephan | |||
Intended status: Standards Track Orange | Category: Standards Track Orange | |||
Expires: 9 March 2025 G. Guillaume | ISSN: 2070-1721 G. Bichot | |||
C. Christoph | C. Neumann | |||
Broadpeak | Broadpeak | |||
5 September 2024 | October 2024 | |||
CDNI Metadata for Delegated Credentials | Content Delivery Network Interconnection (CDNI) Metadata for Delegated | |||
draft-ietf-cdni-https-delegation-subcerts-12 | Credentials | |||
Abstract | Abstract | |||
The delivery of content over HTTPS involving multiple Content | The delivery of content over HTTPS involving multiple Content | |||
Delivery Networks (CDNs) raises credential management issues. This | Delivery Networks (CDNs) raises credential management issues. This | |||
document defines metadata in the CDNI Control and Metadata interface | document defines metadata in the Content Delivery Network | |||
to setup HTTPS delegation using delegated credentials from an | Interconnection (CDNI) Control and Metadata interface to set up HTTPS | |||
Upstream CDN (uCDN) to a Downstream CDN (dCDN). | delegation using delegated credentials from an upstream CDN (uCDN) to | |||
a downstream CDN (dCDN). | ||||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This is an Internet Standards Track document. | |||
provisions of BCP 78 and BCP 79. | ||||
Internet-Drafts are working documents of the Internet Engineering | ||||
Task Force (IETF). Note that other groups may also distribute | ||||
working documents as Internet-Drafts. The list of current Internet- | ||||
Drafts is at https://datatracker.ietf.org/drafts/current/. | ||||
Internet-Drafts are draft documents valid for a maximum of six months | This document is a product of the Internet Engineering Task Force | |||
and may be updated, replaced, or obsoleted by other documents at any | (IETF). It represents the consensus of the IETF community. It has | |||
time. It is inappropriate to use Internet-Drafts as reference | received public review and has been approved for publication by the | |||
material or to cite them other than as "work in progress." | Internet Engineering Steering Group (IESG). Further information on | |||
Internet Standards is available in Section 2 of RFC 7841. | ||||
This Internet-Draft will expire on 9 March 2025. | Information about the current status of this document, any errata, | |||
and how to provide feedback on it may be obtained at | ||||
https://www.rfc-editor.org/info/rfc9677. | ||||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2024 IETF Trust and the persons identified as the | Copyright (c) 2024 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents | |||
license-info) in effect on the date of publication of this document. | (https://trustee.ietf.org/license-info) in effect on the date of | |||
Please review these documents carefully, as they describe your rights | publication of this document. Please review these documents | |||
and restrictions with respect to this document. Code Components | carefully, as they describe your rights and restrictions with respect | |||
extracted from this document must include Revised BSD License text as | to this document. Code Components extracted from this document must | |||
described in Section 4.e of the Trust Legal Provisions and are | include Revised BSD License text as described in Section 4.e of the | |||
provided without warranty as described in the Revised BSD License. | Trust Legal Provisions and are provided without warranty as described | |||
in the Revised BSD License. | ||||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology | |||
3. CDNI Footprint and Capabilities Advertisement interface (FCI) | 3. CDNI Footprint and Capabilities Advertisement Interface (FCI) | |||
capabilities object for delegated credentials . . . . . . 3 | Capabilities Object for Delegated Credentials | |||
3.1. FCI.DelegatedCredentials . . . . . . . . . . . . . . . . 4 | 3.1. FCI.DelegatedCredentials | |||
3.2. Expected usage of the property number of supported | 3.2. Expected Usage of the Property Number of Supported | |||
delegated credentials . . . . . . . . . . . . . . . . . . 5 | Delegated Credentials | |||
4. CDNI Metadata interface (MI) metadata object for delegated | 4. CDNI Metadata Interface (MI) Metadata Object for Delegated | |||
credentials . . . . . . . . . . . . . . . . . . . . . . . 5 | Credentials | |||
5. Delegated credentials call flow . . . . . . . . . . . . . . . 7 | 5. Delegated Credentials Call Flow | |||
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 6. IANA Considerations | |||
6.1. CDNI MI DelegatedCredentials Payload Type . . . . . . . . 9 | 6.1. CDNI MI.DelegatedCredentials Payload Type | |||
6.2. CDNI FCI DelegatedCredentials Payload Type . . . . . . . 9 | 6.2. CDNI FCI.DelegatedCredentials Payload Type | |||
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 7. Security Considerations | |||
8. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 | 8. Privacy Considerations | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 9. References | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 9.1. Normative References | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 12 | 9.2. Informative References | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses | |||
1. Introduction | 1. Introduction | |||
Content delivery over HTTPS utilizing one or more Content Delivery | Content delivery over HTTPS utilizing one or more Content Delivery | |||
Networks (CDNs) along the delivery path necessitates the management | Networks (CDNs) along the delivery path necessitates the management | |||
of credentials. This requirement is particularly pertinent when an | of credentials. This requirement is particularly pertinent when an | |||
entity delegates the delivery of content via HTTPS to another trusted | entity delegates the delivery of content via HTTPS to another trusted | |||
entity. | entity. | |||
This document specifies the CDNI Metadata interface for establishing | This document specifies the CDNI Metadata interface for establishing | |||
HTTPS delegation through the use of delegated credentials, as defined | HTTPS delegation through the use of delegated credentials, as defined | |||
in [RFC9345]) between an upstream CDN (uCDN) and a downstream CDN | in [RFC9345], between an upstream CDN (uCDN) and a downstream CDN | |||
(dCDN). | (dCDN). | |||
2. Terminology | 2. Terminology | |||
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
"OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in | |||
14 [RFC2119] [RFC8174] when, and only when, they appear in all | BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
capitals, as shown here. | capitals, as shown here. | |||
This document uses terminology from CDNI framework documents: CDNI | This document uses terminology from the CDNI specifications -- CDNI | |||
framework document [RFC7336], CDNI requirements [RFC7337] and CDNI | framework [RFC7336], CDNI requirements [RFC7337], and CDNI Metadata | |||
interface specifications documents: CDNI Metadata interface | interface [RFC8006]. | |||
[RFC8006]. | ||||
3. CDNI Footprint and Capabilities Advertisement interface (FCI) | 3. CDNI Footprint and Capabilities Advertisement Interface (FCI) | |||
capabilities object for delegated credentials | Capabilities Object for Delegated Credentials | |||
A dCDN should advertise its supported delegation methods using the | A dCDN should advertise its supported delegation methods using the | |||
Footprint and Capabilities Advertisement interface (FCI) as defined | Footprint and Capabilities Advertisement interface (FCI) as defined | |||
in [RFC8008]. The FCI.Metadata object enables a dCDN to communicate | in [RFC8008]. The FCI.Metadata object enables a dCDN to communicate | |||
its capabilities and the Metadata Interface (MI) objects it supports. | its capabilities and the Metadata interface (MI) objects it supports. | |||
To indicate support for delegated credentials, the dCDN should | To indicate support for delegated credentials, the dCDN should | |||
announce the support for MI.DelegatedCredentials, as illustrated in | announce the support for MI.DelegatedCredentials, as illustrated in | |||
the example below. | the example below. | |||
{ | { | |||
"capabilities": [ | "capabilities": [ | |||
{ | { | |||
"capability-type": "FCI.Metadata", | "capability-type": "FCI.Metadata", | |||
"capability-value": { | "capability-value": { | |||
"metadata": [ | "metadata": [ | |||
skipping to change at page 4, line 18 ¶ | skipping to change at line 144 ¶ | |||
number of delegated credentials supported by the dCDN. This number | number of delegated credentials supported by the dCDN. This number | |||
typically (but not necessarily) corresponds to the number of servers | typically (but not necessarily) corresponds to the number of servers | |||
designated by the dCDN to support delegated credentials. | designated by the dCDN to support delegated credentials. | |||
The property PrivateKeyEncryptionKey contains a public key provided | The property PrivateKeyEncryptionKey contains a public key provided | |||
by the dCDN that MUST be used by the uCDN to encrypt private keys | by the dCDN that MUST be used by the uCDN to encrypt private keys | |||
whenever such private keys are transmitted to the dCDN using | whenever such private keys are transmitted to the dCDN using | |||
MI.DelegatedCredentials (see Section 4). | MI.DelegatedCredentials (see Section 4). | |||
Property: number-delegated-certs-supported | Property: number-delegated-certs-supported | |||
Description: Number of delegated credentials supported by the dCDN. | ||||
Description: Number of delegated credentials supported by the | Type: integer | |||
dCDN. | Mandatory-to-Specify: Yes | |||
Type: integer | ||||
Mandatory-to-Specify: Yes | ||||
Property: PrivateKeyEncryptionKey | Property: PrivateKeyEncryptionKey | |||
Description: Public key in JSON Web Key (JWK) format [RFC7517] of | ||||
Description: Public key in JWK format ([RFC7517]) of the dCDN to | the dCDN to be used by the uCDN to encrypt private keys. | |||
be used by the uCDN to encrypt private keys. | Type: string | |||
Mandatory-to-Specify: No | ||||
Type: string | ||||
Mandatory-to-Specify: No | ||||
The following is an example of the FCI.DelegatedCredentials. | The following is an example of the FCI.DelegatedCredentials. | |||
{ | { | |||
"capabilities": [ | "capabilities": [ | |||
{ | { | |||
"capability-type": "FCI.DelegatedCredentials", | "capability-type": "FCI.DelegatedCredentials", | |||
"capability-value": { | "capability-value": { | |||
"number-delegated-certs-supported": 10 | "number-delegated-certs-supported": 10 | |||
}, | }, | |||
"footprints": [ | "footprints": [ | |||
<Footprint objects> | <Footprint objects> | |||
] | ] | |||
} | } | |||
] | ] | |||
} | } | |||
3.2. Expected usage of the property number of supported delegated | 3.2. Expected Usage of the Property Number of Supported Delegated | |||
credentials | Credentials | |||
The dCDN uses the FCI.DelegatedCredentials object to announce the | The dCDN uses the FCI.DelegatedCredentials object to announce the | |||
number of servers that support delegated credentials | number of servers that support delegated credentials. | |||
When the uCDN receives the FCI.DelegatedCredentials object it can | When the uCDN receives the FCI.DelegatedCredentials object, it can | |||
issue the supported number of delegated credentials to the dCDN. | issue the supported number of delegated credentials to the dCDN. | |||
When configuring the dCDN, the uCDN MAY decide to provide less than | When configuring the dCDN, the uCDN MAY decide to provide less than | |||
the maximum supported delegated credentials to the dCDN. Note that, | the maximum supported delegated credentials to the dCDN. Note that, | |||
within a dCDN, different deployment possibilities of the delegated | within a dCDN, different deployment possibilities of the delegated | |||
credentials on the endpoints exist. The dCDN MAY use one single | credentials on the endpoints exist. The dCDN MAY use one single | |||
delegated credential and deploy it on multiple endpoints. | delegated credential and deploy it on multiple endpoints. | |||
Alternatively, the dCDN MAY deploy a different delegated credential | Alternatively, the dCDN MAY deploy a different delegated credential | |||
for each endpoint (provided that the uCDN delivers enough different | for each endpoint (provided that the uCDN delivers enough different | |||
delegated credentials). This choice is at the discretion of the dCDN | delegated credentials). This choice is at the discretion of the dCDN | |||
and depends on the number of delegated credentials provided by the | and depends on the number of delegated credentials provided by the | |||
uCDN. | uCDN. | |||
The FCI.DelegationCredentials object does not address expiry and | The FCI.DelegatedCredentials object does not address expiry or | |||
renewal of delegated credentials. Once the uCDN has provided | renewal of delegated credentials. Once the uCDN has provided | |||
delegated credentials via the MI, uCDN SHOULD monitor the provided | delegated credentials via the MI, the uCDN SHOULD monitor the | |||
credentials and their expiry times and timely refresh dCDN | provided credentials and their expiry times and SHOULD refresh dCDN | |||
credentials via the MI. The uCDN may decide not to monitor the | credentials via the MI in a timely manner. The uCDN may decide not | |||
validity period of delegated credentials and not to refresh the | to monitor the validity period of delegated credentials and not to | |||
credentials, for example in cases of short-term one shot deployments | refresh the credentials, for example, in cases of short-term one-shot | |||
or once it decided to deprovision a dCDN. If the delegated | deployments or once it has decided to deprovision a dCDN. If the | |||
credential is not renewed on time by the uCDN, the servers of the | delegated credential is not renewed on time by the uCDN, the servers | |||
dCDN that only have expired delegated credentials MUST refuse any new | of the dCDN that only have expired delegated credentials MUST refuse | |||
TLS connection that requires an up-to-date delegated credential. | any new TLS connection that requires an up-to-date delegated | |||
credential. | ||||
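The following is an added example and is not part of RFC 9677 or of the draft it is diffed against: a uCDN-side consumer of the dCDN's FCI advertisement as described in Sections 3, 3.1 and 3.2. It checks that the dCDN announces MI.DelegatedCredentials in FCI.Metadata, reads number-delegated-certs-supported from FCI.DelegatedCredentials, validates the optional PrivateKeyEncryptionKey as a JWK that describes a public key, and applies the rule that the uCDN MAY provide fewer credentials than the advertised maximum. The sample advertisement, the X25519 JWK, the footprint object and the ucdn_max policy cap are constructed assumptions of the example; the RFC defines none of them.

```python
"""uCDN-side consumer of a dCDN FCI advertisement.

Added example for RFC 9677 Sections 3, 3.1 and 3.2; not code from the RFC.
"""
import json

MI_DELEGATED_CREDENTIALS = "MI.DelegatedCredentials"
FCI_DELEGATED_CREDENTIALS = "FCI.DelegatedCredentials"

# Constructed sample advertisement: the FCI.Metadata object (Section 3) and the
# FCI.DelegatedCredentials object (Section 3.1). The JWK is a constructed X25519
# public key, serialised as a string because the property type is "string";
# the footprint follows the RFC 8006 footprint object shape.
SAMPLE_JWK = {"kty": "OKP", "crv": "X25519",
              "x": "hSDwCYkwp1R0i33ctD73Wg2_Og0mOBr066SpjqqbTmo"}
FOOTPRINTS = [{"footprint-type": "ipv4cidr", "footprint-value": ["192.0.2.0/24"]}]
SAMPLE_FCI = {
    "capabilities": [
        {"capability-type": "FCI.Metadata",
         "capability-value": {"metadata": [MI_DELEGATED_CREDENTIALS]},
         "footprints": FOOTPRINTS},
        {"capability-type": FCI_DELEGATED_CREDENTIALS,
         "capability-value": {"number-delegated-certs-supported": 10,
                              "PrivateKeyEncryptionKey": json.dumps(SAMPLE_JWK)},
         "footprints": FOOTPRINTS},
    ]
}


def _capability_value(fci, ctype):
    """Return the capability-value of the first capability of type ctype."""
    for cap in fci.get("capabilities", []):
        if cap.get("capability-type") == ctype:
            if "footprints" not in cap:
                raise ValueError(f"{ctype}: capability without footprints")
            return cap.get("capability-value", {})
    return None


def parse_encryption_key(jwk_text):
    """Validate PrivateKeyEncryptionKey: a JWK serialised as a string that
    describes a public key the uCDN can encrypt private keys to."""
    jwk = json.loads(jwk_text)
    if jwk.get("kty") not in ("RSA", "EC", "OKP"):
        raise ValueError("PrivateKeyEncryptionKey: unsupported kty")
    # A JWK carrying private parameters is not a public key. Refuse it rather
    # than encrypting to key material the dCDN has evidently mishandled.
    if any(p in jwk for p in ("d", "p", "q", "dp", "dq", "qi")):
        raise ValueError("PrivateKeyEncryptionKey: contains private parameters")
    return jwk


def plan_delegation(fci, ucdn_max, send_private_keys=False):
    """Decide how many delegated credentials to issue to this dCDN.

    ucdn_max is a local uCDN policy cap (an assumption of this example; the
    RFC only says the uCDN MAY provide fewer than the advertised maximum).
    """
    meta = _capability_value(fci, "FCI.Metadata")
    if meta is None or MI_DELEGATED_CREDENTIALS not in meta.get("metadata", []):
        raise ValueError("dCDN does not advertise support for MI.DelegatedCredentials")
    dc = _capability_value(fci, FCI_DELEGATED_CREDENTIALS)
    if dc is None:
        raise ValueError("dCDN does not advertise FCI.DelegatedCredentials")
    supported = dc.get("number-delegated-certs-supported")
    # bool is a subclass of int in Python; exclude it explicitly.
    if isinstance(supported, bool) or not isinstance(supported, int) or supported < 1:
        raise ValueError("number-delegated-certs-supported must be a positive integer")
    key = None
    if "PrivateKeyEncryptionKey" in dc:
        key = parse_encryption_key(dc["PrivateKeyEncryptionKey"])
    if send_private_keys and key is None:
        # Section 4: a transported private key MUST be encrypted to this key,
        # so without it the uCDN cannot send private keys at all.
        raise ValueError("dCDN provided no PrivateKeyEncryptionKey")
    return {"issue": min(supported, ucdn_max), "encryption_key": key}
```

plan_delegation(SAMPLE_FCI, ucdn_max=4) returns a plan for 4 credentials although the dCDN advertised 10; with ucdn_max=50 the plan is capped at the advertised 10. Rejecting a JWK that carries "d" matters because the FCI object is the only place the uCDN learns the dCDN's encryption key, and a dCDN that publishes a private key there has already lost the confidentiality the JWE envelope is supposed to provide.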
4. CDNI Metadata interface (MI) metadata object for delegated | 4. CDNI Metadata Interface (MI) Metadata Object for Delegated | |||
credentials | Credentials | |||
As expressed in [RFC9345], when an uCDN has delegated to a dCDN, the | As expressed in [RFC9345], when an uCDN has delegated to a dCDN, the | |||
dCDN presents the "delegated_credential" during the TLS handshake | dCDN presents the "delegated_credential" (rather than its own | |||
[RFC8446] to the User Agent, instead of its own certificate. This | certificate) during the TLS handshake [RFC8446] to the User Agent. | |||
implies that the dCDN is also in the possession of the private key | This implies that the dCDN is also in the possession of the private | |||
corresponding to the public key in DelegatedCredential.cred | key corresponding to the public key in DelegatedCredential.cred | |||
[RFC9345]. This allows the User Agent to verify the signature in | [RFC9345]. This allows the User Agent to verify the signature in a | |||
CertificateVerify message ([RFC8446] Section 4.4.3.) sent and signed | CertificateVerify message (Section 4.4.3 of [RFC8446]) sent and | |||
by the dCDN. | signed by the dCDN. | |||
This section defines the MI.DelegatedCredentials object containing an | This section defines the MI.DelegatedCredentials object containing an | |||
array of delegated credentials and optionally the corresponding | array of delegated credentials and optionally the corresponding | |||
private keys. The CDNI MI [RFC8006] describes the CDNI metadata | private keys. The CDNI MI [RFC8006] describes the CDNI metadata | |||
distribution mechanisms according to which a dCDN can retrieve the | distribution mechanisms according to which a dCDN can retrieve the | |||
MI.DelegatedCredentials object from the uCDN. | MI.DelegatedCredentials object from the uCDN. | |||
The properties of the MI.DelegatedCredentials object are as follows: | The properties of the MI.DelegatedCredentials object are as follows: | |||
Property: delegated-credentials | Property: delegated-credentials | |||
Description: Array of delegated credentials | ||||
Description: Array of delegated credentials | Type: Array of DelegatedCredentialObject objects | |||
Mandatory-to-Specify: Yes | ||||
Type: Array of DelegatedCredentialObject objects | ||||
Mandatory-to-Specify: Yes | ||||
The DelegatedCredentialObject object is composed of the following | The DelegatedCredentialObject object is composed of the following | |||
properties: | properties: | |||
Property: delegated-credential | Property: delegated-credential | |||
Description: Base64-encoded (as defined in Section 4 of [RFC4648]) | ||||
Description: Base64-encoded (as defined in Section 4 of | version of a CertificateEntry as defined in Section 4.4.2 of | |||
[RFC4648]) version of a CertificateEntry as defined in | [RFC8446]. The CertificateEntry MUST contain a | |||
[RFC8446] Section 4.4.2. The CertificateEntry MUST contain a | DelegatedCredential structure (as defined in [RFC9345]) using the | |||
DelegatedCredential structure (as defined in [RFC9345]) using | extension in the CertificateEntry of its end-entity certificate | |||
the extension in the CertificateEntry of its end-entity | (see Section 4.1.1 of [RFC9345]). | |||
certificate (see [RFC9345] section 4.1.1) | Type: string | |||
Mandatory-to-Specify: Yes | ||||
Type: string | ||||
Mandatory-to-Specify: Yes | ||||
Property: private-key | Property: private-key | |||
Description: Encrypted private key corresponding to the public key | ||||
Description: Encrypted private key corresponding to the public | contained in the DelegatedCredential. The envelope format for | |||
key contained in the DelegatedCredential. The envelope format | this property is JSON Web Encryption (JWE) [RFC7516] using the | |||
for this property is JWE [RFC7516] using the base64 compact | base64 compact serialization (Section 7.1 of [RFC7516]). | |||
serialization (Section 7.1 of [RFC7516]). | Type: string | |||
Mandatory-to-Specify: No | ||||
Type: string | ||||
Mandatory-to-Specify: No | ||||
The private-key property is not mandatory. If not specified, it is | The private-key property is not mandatory. If not specified, it is | |||
assumed that the dCDN generated the public-private key pair for the | assumed that the dCDN generated the public-private key pair for the | |||
delegated credential itself and provided the public key information | delegated credential itself and provided the public key information | |||
with an out-of-band mechanism to the uCDN. See Section 7 for | with an out-of-band mechanism to the uCDN. See Section 7 for | |||
constraints regarding the usage of the private key. | constraints regarding the usage of the private key. | |||
If the private-key property is used, the transported private key MUST | If the private-key property is used, the transported private key MUST | |||
be encrypted using the PrivateKeyEncryptionKey specified in | be encrypted using the PrivateKeyEncryptionKey specified in | |||
FCI.DelegatedCredentials. The envelope format for this property MUST | FCI.DelegatedCredentials. The envelope format for this property MUST | |||
use JWE [RFC7516] using the base64 compact serialization (Section 7.1 | use JWE [RFC7516] using the base64 compact serialization (Section 7.1 | |||
of [RFC7516]), whereas the private key is included as JWE Ciphertext | of [RFC7516]), whereas the private key is included as JWE Ciphertext | |||
in the JWE. The JWE content-type field MAY be used signal the media | in the JWE. The JWE content-type field MAY be used to signal the | |||
type of the encrypted key. | media type of the encrypted key. | |||
Below, please see an example MI.DelegatedCredential Object. | Below, please see an example of an MI.DelegatedCredentials object. | |||
{ | { | |||
"generic-metadata-type": "MI.DelegatedCredentials", | "generic-metadata-type": "MI.DelegatedCredentials", | |||
"generic-metadata-value": { | "generic-metadata-value": { | |||
"delegated-credentials": [ | "delegated-credentials": [ | |||
{"delegated-credential": | {"delegated-credential": | |||
"cBBfm8KK6pPz/tdgKyedwA... | "cBBfm8KK6pPz/tdgKyedwA... | |||
iXCCIAmzMM0R8FLI3Ba0UQ=="}, | iXCCIAmzMM0R8FLI3Ba0UQ=="}, | |||
{"delegated-credential": | {"delegated-credential": | |||
"4pyIGtjFdys1+9y/4sS/Fg... | "4pyIGtjFdys1+9y/4sS/Fg... | |||
J+h9lnRY/xgmi65RLGKoRw=="}, | J+h9lnRY/xgmi65RLGKoRw=="}, | |||
{"delegated-credential": | {"delegated-credential": | |||
"6PWFO0g2AXvUaULXLObcVA... | "6PWFO0g2AXvUaULXLObcVA... | |||
HXoldT/qaYCCNEyCc8JM2A=="} | HXoldT/qaYCCNEyCc8JM2A=="} | |||
] | ] | |||
} | } | |||
} | } | |||
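The following is an added example and is not part of RFC 9677: an encoder and parser for the delegated-credential property defined above, together with the RFC 9345 validity rule that Section 3.2 relies on when it requires dCDN servers holding only expired credentials to refuse new TLS connections. The property is Base64 of a TLS CertificateEntry (RFC 8446, Section 4.4.2) whose extension list carries a DelegatedCredential (RFC 9345, Section 4) under ExtensionType 34. The certificate, SubjectPublicKeyInfo and signature bytes are constructed stand-ins and nothing is signed or verified; the example is about the metadata encoding, not the TLS cryptography.

```python
"""Encode and parse the delegated-credential property of MI.DelegatedCredentials.

Added example for RFC 9677 Section 4 plus the expiry rule of Section 3.2; not
code from the RFC. Wire formats: CertificateEntry (RFC 8446 Section 4.4.2) and
DelegatedCredential (RFC 9345 Section 4). Certificate, SPKI and signature bytes
below are constructed stand-ins; nothing is signed or verified here.
"""
import base64

DELEGATED_CREDENTIAL_EXT = 34      # TLS ExtensionType delegated_credential (RFC 9345)
ECDSA_SECP256R1_SHA256 = 0x0403    # SignatureScheme value (RFC 8446)
MAX_VALIDITY = 7 * 24 * 3600       # RFC 9345: remaining validity is capped at 7 days

def _uint(value, width):
    return value.to_bytes(width, "big")

def _vec(data, width):
    """TLS variable-length vector: width-byte length prefix, then the data."""
    if len(data) >= 1 << (8 * width):
        raise ValueError("vector too long")
    return _uint(len(data), width) + data

def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated input")
    return buf[pos:pos + n], pos + n

def _read_vec(buf, pos, width):
    raw, pos = _take(buf, pos, width)
    return _take(buf, pos, int.from_bytes(raw, "big"))

def encode_delegated_credential(valid_time, expected_alg, spki, sig_alg, signature):
    """Credential {valid_time, expected_cert_verify_algorithm, SPKI} + algorithm + signature."""
    cred = _uint(valid_time, 4) + _uint(expected_alg, 2) + _vec(spki, 3)
    return cred + _uint(sig_alg, 2) + _vec(signature, 2)

def encode_certificate_entry(cert_der, delegated_credential):
    """CertificateEntry of the end-entity certificate carrying the DC extension."""
    ext = _uint(DELEGATED_CREDENTIAL_EXT, 2) + _vec(delegated_credential, 2)
    return _vec(cert_der, 3) + _vec(ext, 2)

def to_mi_property(entry):
    """Base64 (RFC 4648 Section 4) value of the delegated-credential property."""
    return base64.b64encode(entry).decode("ascii")

def parse_mi_property(text):
    """Decode a delegated-credential property into its fields; reject malformed input."""
    entry = base64.b64decode(text, validate=True)
    cert_der, pos = _read_vec(entry, 0, 3)
    exts, pos = _read_vec(entry, pos, 2)
    if not cert_der or pos != len(entry):
        raise ValueError("malformed CertificateEntry")
    dc, p = None, 0
    while p < len(exts):
        etype, p = _take(exts, p, 2)
        edata, p = _read_vec(exts, p, 2)
        if int.from_bytes(etype, "big") == DELEGATED_CREDENTIAL_EXT:
            if dc is not None:
                raise ValueError("duplicate delegated_credential extension")
            dc = edata
    if dc is None:
        raise ValueError("no delegated_credential extension in CertificateEntry")
    valid_time, q = _take(dc, 0, 4)
    expected_alg, q = _take(dc, q, 2)
    spki, q = _read_vec(dc, q, 3)
    sig_alg, q = _take(dc, q, 2)
    signature, q = _read_vec(dc, q, 2)
    if not spki or q != len(dc):
        raise ValueError("malformed DelegatedCredential")
    return {"cert_der": cert_der, "valid_time": int.from_bytes(valid_time, "big"),
            "expected_alg": int.from_bytes(expected_alg, "big"), "spki": spki,
            "sig_alg": int.from_bytes(sig_alg, "big"), "signature": signature}

def credential_status(valid_time, cert_not_before, now):
    """RFC 9345 validity rule as a relying party applies it: the DC expires at the
    end-entity certificate's notBefore plus valid_time seconds, and its remaining
    validity must not exceed MAX_VALIDITY. 'expired' is the case in which Section
    3.2 requires dCDN servers to refuse new TLS connections."""
    expiry = cert_not_before + valid_time
    if now >= expiry:
        return "expired"
    if expiry - now > MAX_VALIDITY:
        return "too_long"
    return "valid"

def build_sample_property(valid_time=3 * 24 * 3600):
    """A constructed delegated-credential value built from stand-in bytes."""
    cert_der = b"\x30\x82\x01\x00" + bytes(16)   # stand-in, not a real certificate
    spki = b"\x30\x59" + bytes(range(16))         # stand-in, not a real SPKI
    signature = bytes(64)                         # placeholder, not a real signature
    dc = encode_delegated_credential(valid_time, ECDSA_SECP256R1_SHA256, spki,
                                     ECDSA_SECP256R1_SHA256, signature)
    return to_mi_property(encode_certificate_entry(cert_der, dc))
```

A dCDN that parses the property this way learns valid_time directly from the credential and can compute its own expiry instead of trusting a side channel; cert_not_before comes from the end-entity certificate in cert_data, which this example does not parse. The parser deliberately rejects entries with no delegated_credential extension, a duplicate extension, or trailing bytes, since the RFC requires exactly one DelegatedCredential per CertificateEntry.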
5. Delegated credentials call flow | 5. Delegated Credentials Call Flow | |||
An example call-flow using delegated credentials is depicted in | An example call-flow using delegated credentials is depicted in | |||
Figure 1. | Figure 1. The steps are as follows. | |||
1. It is assumed that the uCDN has been provisioned and configured | 1. It is assumed that the uCDN has been provisioned and configured | |||
with a certificate. Note that it is out of scope of CDNI and the | with a certificate. Note that it is out of scope of CDNI and the | |||
present document how and from where (e.g., CSP) the uCDN acquired its | present document how and from where (e.g., which Content Service | |||
certificate. | Provider) the uCDN acquired its certificate. | |||
2. The uCDN generates a set of delegated credentials (here it is | 2. The uCDN generates a set of delegated credentials (here it is | |||
assumed that public keys of the dCDN are known). Note that the uCDN | assumed that public keys of the dCDN are known). Note that the | |||
may generate this material at different points in time, e.g., in | uCDN may generate this material at different points in time, | |||
advance to have a pool of delegated credentials or on-demand when the | e.g., in advance to have a pool of delegated credentials or on | |||
dCDN announces its maximum number of supported delegated credentials. | demand when the dCDN announces its maximum number of supported | |||
delegated credentials. | ||||
3. Using the CDNI FCI [RFC8008], the dCDN advertises | 3. Using the CDNI FCI [RFC8008], the dCDN advertises | |||
MI.DelegatedCredentials capabilities to the uCDN. The dCDN further | MI.DelegatedCredentials capabilities to the uCDN. The dCDN | |||
uses FCI.DelegatedCredentials to advertise the maximum number of | further uses FCI.DelegatedCredentials to advertise the maximum | |||
supported delegated credentials. | number of supported delegated credentials. | |||
4. Using the CDNI MI [RFC8006], the dCDN acquires the | 4. Using the CDNI MI [RFC8006], the dCDN acquires the | |||
MI.DelegatedCredentials, retrieving an array of delegated | MI.DelegatedCredentials, retrieving an array of delegated | |||
credentials. | credentials. | |||
5. The client establishes a TLS connection with an endpoint of the | 5. The client establishes a TLS connection with an endpoint of the | |||
dCDN according to [RFC9345] using the delegated credentials retrieved | dCDN according to [RFC9345] using the delegated credentials | |||
in step 4. | retrieved in step 4. | |||
6. When some delegated credentials are about to expire, the uCDN | 6. When some delegated credentials are about to expire, the uCDN | |||
uses the CDNI MI [RFC8006] to provide new, valid delegated | uses the CDNI MI [RFC8006] to provide new, valid delegated | |||
credentials. | credentials. | |||
User-Agent dCDN uCDN | User-Agent dCDN uCDN | |||
| | | | | | | | |||
| | [1.uCDN acquires its certificate | | | [1. uCDN acquires its certificate | |||
| | out of scope of CDNI] | | | out of scope of CDNI] | |||
| | | | | | | | |||
| | [2.generation of | | | [2. generation of | |||
| | delegated credentials] | | | delegated credentials] | |||
| | | | | | | | |||
| 3. CDNI FCI used to | | 3. CDNI FCI used to | |||
| advertise support of MI.DelegatedCredentials | | advertise support of MI.DelegatedCredentials | |||
| and announce number of delegated credentials | | and announce number of delegated credentials | |||
| supported using FCI.DelegatedCredentials | | supported using FCI.DelegatedCredentials | |||
| |-------------------->+ | | |-------------------->+ | |||
| | | | | | | | |||
| 4. CDNI MI used to | | 4. CDNI MI used to | |||
| provide the MI.DelegatedCredential object | | provide the MI.DelegatedCredentials object | |||
| |<--------------------+ | | |<--------------------+ | |||
| | | | | | | | |||
. | . | |||
. | . | |||
. | . | |||
[5. TLS handshake according | | [5. TLS handshake according | | |||
to [RFC9345]] . | | to [RFC9345]] . | | |||
|<------------------->| | | |<------------------->| | | |||
| | | | | | | | |||
. | . | |||
. | . | |||
. | . | |||
| 6.Some delegated credentials about to expire. | | 6. Some delegated credentials about to expire. | |||
| CDNI MI used to | | CDNI MI used to | |||
| provide new MI.DelegatedCredential object | | provide new MI.DelegatedCredentials object | |||
| |<--------------------+ | | |<--------------------+ | |||
| | | | | | | | |||
Figure 1: Example call-flow of Delegated credentials in CDNI | Figure 1: Example Call Flow of Delegated Credentials in CDNI | |||
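The following is an added example and is not part of RFC 9677: steps 2 to 6 of the call flow in Figure 1 run as a day-by-day renewal loop, including the Section 3.2 behaviour in which the uCDN refreshes credentials before they expire and a dCDN endpoint left with only expired credentials refuses new TLS connections. Credentials are abstracted to (id, expiry) records rather than encoded MI.DelegatedCredentials payloads; the 7-day lifetime, the 2-day refresh lead time and the option to stop monitoring (the deprovisioning case the RFC mentions) are assumptions of the example.

```python
"""Steps 2 to 6 of the Figure 1 call flow as a renewal loop.

Added example for RFC 9677 Section 5 and the refresh rule of Section 3.2; not
code from the RFC. Credentials are abstracted to (id, expiry) records; the
MI.DelegatedCredentials encoding is not reproduced here. The lifetime, the
refresh lead time and the stop-monitoring switch are assumptions of the example.
"""
DAY = 24 * 3600
MAX_VALIDITY = 7 * DAY          # RFC 9345 upper bound on a DC's validity


class UpstreamCDN:
    """Steps 2 and 6: generates credentials and refreshes them before expiry."""

    def __init__(self, lifetime, refresh_lead):
        if not 0 < lifetime <= MAX_VALIDITY:
            raise ValueError("lifetime must be within the 7-day bound")
        if not 0 < refresh_lead < lifetime:
            raise ValueError("refresh lead must be shorter than the lifetime")
        self.lifetime, self.refresh_lead = lifetime, refresh_lead
        self.serial = 0
        self.outstanding = []       # what the uCDN has handed out and still tracks
        self.monitoring = True      # False once the uCDN deprovisions the dCDN

    def issue(self, count, now):
        """Steps 2 and 4: one batch of credentials, the payload of one MI object."""
        batch = [{"id": self.serial + i + 1, "expiry": now + self.lifetime}
                 for i in range(count)]
        self.serial += count
        self.outstanding += [dict(c, renewed=False) for c in batch]
        return batch

    def renewals(self, now):
        """Step 6: replacements for credentials within refresh_lead of expiry."""
        if not self.monitoring:
            return []
        self.outstanding = [c for c in self.outstanding if c["expiry"] > now]
        due = [c for c in self.outstanding
               if not c["renewed"] and c["expiry"] - now <= self.refresh_lead]
        for c in due:
            c["renewed"] = True
        return self.issue(len(due), now)


class DownstreamCDN:
    """Steps 3 to 5: advertises capacity, installs credentials, serves TLS."""

    def __init__(self, servers):
        self.supported = servers    # number-delegated-certs-supported
        self.installed = []

    def install(self, batch, now):
        """Step 4: take a new MI object; drop credentials that have expired."""
        self.installed = [c for c in self.installed if c["expiry"] > now] + batch

    def select(self, now):
        """Credential an endpoint presents in step 5: the unexpired one with the
        latest expiry, or None, in which case the endpoint MUST refuse."""
        live = [c for c in self.installed if c["expiry"] > now]
        return max(live, key=lambda c: c["expiry"]) if live else None


def simulate(days, lifetime=7 * DAY, refresh_lead=2 * DAY, servers=3,
             stop_monitoring_day=None):
    """Run the flow once per day; return the days on which the dCDN had to
    refuse TLS connections and how many credentials the uCDN issued in total."""
    ucdn = UpstreamCDN(lifetime, refresh_lead)
    dcdn = DownstreamCDN(servers)
    # Step 3: the FCI advertises `servers`; step 4: the uCDN provides that many.
    dcdn.install(ucdn.issue(dcdn.supported, 0), 0)
    refusals = []
    for day in range(days + 1):
        now = day * DAY
        if stop_monitoring_day is not None and day >= stop_monitoring_day:
            ucdn.monitoring = False
        dcdn.install(ucdn.renewals(now), now)
        if dcdn.select(now) is None:
            refusals.append(day)
    return {"refusals": refusals, "issued": ucdn.serial}
```

With monitoring on, simulate(30) refreshes the three credentials every five days (on days 5, 10, 15, 20, 25 and 30, 21 credentials in total) and the dCDN never refuses a handshake. If the uCDN stops monitoring on day 10, the credentials issued on day 5 expire on day 12 and the dCDN refuses every day from then on, which is exactly the outcome the MUST in Section 3.2 demands rather than serving with an expired credential.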
6. IANA Considerations | 6. IANA Considerations | |||
This document requests IANA registration of the following entries | IANA has registered the following payload types in the "CDNI Payload | |||
under the "CDNI Payload Types" registry hosted by IANA regarding | Types" registry in the "Content Delivery Network Interconnection | |||
"CDNI delegation": | (CDNI) Parameters" registry group. | |||
+--------------------------+---------------+ | +==========================+===========+ | |||
| Payload Type | Specification | | | Payload Type | Reference | | |||
+--------------------------+---------------+ | +==========================+===========+ | |||
| MI.DelegatedCredentials | RFCthis | | | MI.DelegatedCredentials | RFC 9677 | | |||
+--------------------------+---------------+ | +--------------------------+-----------+ | |||
| FCI.DelegatedCredentials | RFCthis | | | FCI.DelegatedCredentials | RFC 9677 | | |||
+--------------------------+---------------+ | +--------------------------+-----------+ | |||
Table 1 | Table 1 | |||
[RFC Editor: Please replace RFCthis with the published RFC number for | Sections 6.1 and 6.2 provide additional necessary information for the | |||
this document.] | registration of those CDNI payload types (see Section 2.2 of | |||
[RFC7736]). | ||||
The Section 6.1 and Section 6.2 below provide additional necessary | ||||
information for the IANA registration of CDNI payload-types | ||||
parameters (see [RFC7736] Section 2.2). | ||||
6.1. CDNI MI DelegatedCredentials Payload Type | 6.1. CDNI MI.DelegatedCredentials Payload Type | |||
Purpose: The purpose of this Payload Type is to distinguish | Purpose: The purpose of this payload type is to distinguish | |||
delegated credentials MI Objects | delegated credentials MI objects. | |||
Interface: MI/FCI | Interface: MI/FCI | |||
Encoding: see Section 4 | Encoding: See Section 4. | |||
6.2. CDNI FCI DelegatedCredentials Payload Type | 6.2. CDNI FCI.DelegatedCredentials Payload Type | |||
Purpose: The purpose of this Payload Type is to advertise the number | Purpose: The purpose of this payload type is to advertise the number | |||
of delegated credentials needed (and any associated capability | of delegated credentials needed (and any associated capability | |||
advertisement) | advertisement). | |||
Interface: FCI | Interface: FCI | |||
Encoding: see Section 3.1 | Encoding: See Section 3.1. | |||
7. Security Considerations | 7. Security Considerations | |||
The extensions defined enable providing delegated credentials to | The extensions defined enable providing delegated credentials to | |||
dCDNs. A delegated credential can only be used by a dCDN if it is in | dCDNs. A delegated credential can only be used by a dCDN if it is in | |||
possession of the associated private key. Similarly, an attacker | possession of the associated private key. Similarly, an attacker | |||
requires access to the private key in order to exploit delegated | requires access to the private key in order to exploit a delegated | |||
credential and impersonate dCDN nodes. Thus, leakage of only the | credential and impersonate dCDN nodes. Thus, leakage of only the | |||
delegated credential without the private key represents a limited | delegated credential without the private key represents a limited | |||
security risk. | security risk. | |||
Delegated credentials and associated private keys are short-lived | Delegated credentials and associated private keys are short-lived | |||
(per default the maximum validity period set to 7 days in [RFC9345]) | (per default, the maximum validity period is set to 7 days in | |||
and as such a single leaked delegated credential with its private key | [RFC9345]) and as such a single leaked delegated credential with its | |||
represents a limited security risk. Still, it is NOT RECOMMENDED to | private key represents a limited security risk. Still, it is NOT | |||
send private keys through the MI. Omitting the private key further | RECOMMENDED to send private keys through the MI. Omitting the | |||
limits the possibility exploits by an attacker to exploit the | private key further limits the possible ways an attacker could | |||
delegated credential. | exploit the delegated credential. | |||
If despite this recommendation, the private key is communicated via | If this recommendation is not followed, i.e., the private key is | |||
the MI, the transported private key MUST be encrypted within a JWE | communicated via the MI, the transported private key MUST be | |||
envelope using the encryption key (PrivateKeyEncryptionKey) provided | encrypted within a JWE envelope using the encryption key | |||
within the FCI.DelegatedCredentials by the dCDN. The JWE encryption | (PrivateKeyEncryptionKey) provided within the | |||
key (PrivateKeyEncryptionKey) MUST have a strength equal or larger | FCI.DelegatedCredentials by the dCDN. The JWE encryption key | |||
(PrivateKeyEncryptionKey) MUST have a strength equal to or larger | ||||
than the private key it is encrypting for transport. Note that the | than the private key it is encrypting for transport. Note that the | |||
specified encryption method does not offer forward secrecy. If the | specified encryption method does not offer forward secrecy. If the | |||
dCDN's encryption key becomes compromised in the future, then all | dCDN's encryption key becomes compromised in the future, then all | |||
encrypted JWEs will become compromised. Due to the short-lived | encrypted JWEs will become compromised. Due to the short-lived | |||
nature of delegated credentials, the impact is limited. | nature of delegated credentials, the impact is limited. | |||
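The two rules stated above (the dCDN's PrivateKeyEncryptionKey must be at least as strong as the private key it wraps, and delegated credentials live at most 7 days) as an added pre-flight check, not code from RFC 9677 or any CDNI implementation; the strength tables, function names and the "remaining seconds" input are assumptions:

```python
"""Added example, not part of RFC 9677 or of any CDNI implementation: a
pre-flight check a uCDN could run before placing a delegated credential's
private key in an MI object. It enforces two rules from the Security
Considerations: the dCDN's PrivateKeyEncryptionKey (identified here by
its JWE "alg") must be at least as strong as the private key it wraps,
and the credential must not exceed RFC 9345's 7-day maximum validity.
Strength values are assumptions taken from NIST SP 800-57 Part 1."""

MAX_VALIDITY_SECONDS = 7 * 24 * 3600  # RFC 9345 upper bound for a delegated credential

# Security strength (bits) of the delegated credential's private key (assumed table).
PRIVATE_KEY_STRENGTH = {
    "RSA-2048": 112, "RSA-3072": 128, "RSA-7680": 192,
    "P-256": 128, "P-384": 192, "P-521": 256, "Ed25519": 128,
}

# Symmetric JWE key-wrapping algorithms: strength equals the wrapping key size.
JWE_ALG_STRENGTH = {
    "A128KW": 128, "A192KW": 192, "A256KW": 256,
    "A128GCMKW": 128, "A192GCMKW": 192, "A256GCMKW": 256,
}


def jwe_key_strong_enough(private_key_type: str, jwe_alg: str) -> bool:
    """True iff the wrapping key is at least as strong as the wrapped private key.
    Unknown key types or algorithms are refused rather than guessed."""
    if private_key_type not in PRIVATE_KEY_STRENGTH or jwe_alg not in JWE_ALG_STRENGTH:
        return False
    return JWE_ALG_STRENGTH[jwe_alg] >= PRIVATE_KEY_STRENGTH[private_key_type]


def lifetime_ok(remaining_seconds: int) -> bool:
    """True iff the credential is still valid and lives no longer than 7 days.
    remaining_seconds is the time left until the credential's expiry (constructed input)."""
    return 0 < remaining_seconds <= MAX_VALIDITY_SECONDS


def private_key_transport_problems(private_key_type: str, jwe_alg: str,
                                   remaining_seconds: int) -> list:
    """Combined gate: returns the list of reasons to refuse; empty means the key
    may be JWE-wrapped with the dCDN's key and sent over the MI."""
    reasons = []
    if not jwe_key_strong_enough(private_key_type, jwe_alg):
        reasons.append("PrivateKeyEncryptionKey weaker than private key, or unknown")
    if not lifetime_ok(remaining_seconds):
        reasons.append("delegated credential expired or longer-lived than 7 days")
    return reasons
```

An empty list from private_key_transport_problems only says the transport rules are met; the text's recommendation remains to omit the private key from the MI entirely.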
It is also important to ensure that an attacker is not able to | It is also important to ensure that an attacker is not able to | |||
systematically retrieve a consecutive or consistent set of delegated | systematically retrieve a consecutive or consistent set of delegated | |||
credentials and associated private keys. Such an attack would allow | credentials and associated private keys. Such an attack would allow | |||
the attacker to systematically impersonate dCDN nodes. The MI | the attacker to systematically impersonate dCDN nodes. The MI | |||
objects defined in the present document are transferred via the | objects defined in the present document are transferred via the | |||
interfaces defined in CDNI [RFC8006]. [RFC8006] describes how to | interfaces defined in CDNI [RFC8006]. [RFC8006] describes how to | |||
secure these interfaces, protecting the integrity, confidentiality | secure these interfaces, protecting the integrity and | |||
and ensuring the authenticity of the dCDN and uCDN, which should | confidentiality, as well as ensuring the authenticity of the dCDN and | |||
prevent an attacker to systematically retrieve delegated credential | uCDN, which should prevent an attacker from systematically retrieving | |||
and associated private keys. | delegated credentials and associated private keys. | |||
8. Privacy Considerations | 8. Privacy Considerations | |||
The information, FCI, and MI objects defined in the present document | The FCI and MI objects and the information defined in the present | |||
do not contain any personally identifiable information (PII). As | document do not contain any personally identifiable information | |||
such this document does not change or alter the Confidentiality and | (PII). As such, this document does not change or alter the | |||
Privacy Consideration outlined in the CDNI Metadata and Footprint and | confidentiality and privacy considerations outlined in Section 8.2 of | |||
Capabilities RFCs [RFC8006]. | [RFC8006] and Section 7 of [RFC8008]. | |||
A single or systematic retrieval of delegated credentials and | A single or systematic retrieval of delegated credentials and | |||
associated private keys would allow the attacker to decrypt any data | associated private keys would allow the attacker to decrypt any data | |||
sent by the end user intended for the end service, which may include | sent by the end user intended for the end service, which may include | |||
PII. | PII. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
skipping to change at page 12, line 28 ¶ | skipping to change at line 507 ¶ | |||
Network Interconnection (CDNI) Requirements", RFC 7337, | Network Interconnection (CDNI) Requirements", RFC 7337, | |||
DOI 10.17487/RFC7337, August 2014, | DOI 10.17487/RFC7337, August 2014, | |||
<https://www.rfc-editor.org/info/rfc7337>. | <https://www.rfc-editor.org/info/rfc7337>. | |||
[RFC7736] Ma, K., "Content Delivery Network Interconnection (CDNI) | [RFC7736] Ma, K., "Content Delivery Network Interconnection (CDNI) | |||
Media Type Registration", RFC 7736, DOI 10.17487/RFC7736, | Media Type Registration", RFC 7736, DOI 10.17487/RFC7736, | |||
December 2015, <https://www.rfc-editor.org/info/rfc7736>. | December 2015, <https://www.rfc-editor.org/info/rfc7736>. | |||
Authors' Addresses | Authors' Addresses | |||
Frederic Fieau | Frédéric Fieau | |||
Orange | Orange | |||
40-48, avenue de la Republique | 40-48, avenue de la République | |||
92320 Chatillon | 92320 Châtillon | |||
France | France | |||
Email: frederic.fieau@orange.com | Email: frederic.fieau@orange.com | |||
Emile Stephan | Emile Stephan | |||
Orange | Orange | |||
2, avenue Pierre Marzin | 2, avenue Pierre Marzin | |||
22300 Lannion | 22300 Lannion | |||
France | France | |||
Email: emile.stephan@orange.com | Email: emile.stephan@orange.com | |||
Guillaume Bichot | Guillaume Bichot | |||
Broadpeak | Broadpeak | |||
15, rue Claude Chappe | 3771 Boulevard des Alliés | |||
35510 Cesson-Sevigne | 35510 Cesson-Sévigné | |||
France | France | |||
Email: guillaume.bichot@broadpeak.tv | Email: guillaume.bichot@broadpeak.tv | |||
Christoph Neumann | Christoph Neumann | |||
Broadpeak | Broadpeak | |||
15, rue Claude Chappe | 3771 Boulevard des Alliés | |||
35510 Cesson-Sevigne | 35510 Cesson-Sévigné | |||
France | France | |||
Email: christoph.neumann@broadpeak.tv | Email: christoph.neumann@broadpeak.tv | |||
End of changes. 61 change blocks. | ||||
202 lines changed or deleted | 185 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |