<?xmlversion="1.0" encoding="utf-8"?> <?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?> <?rfc toc="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc compact="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc linkmailto="no" ?> <?rfc rfcedstyle="yes"?> <?rfc-ext allow-markup-in-artwork="yes" ?> <?rfc-ext include-references-in-index="yes" ?>version='1.0' encoding='UTF-8'?> <!DOCTYPE rfc[]>[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-cdni-https-delegation-subcerts-12"category="std">number="9677" submissionType="IETF" consensus="true" category="std" tocInclude="true" symRefs="true" sortRefs="true" version="3" xml:lang="en" obsoletes="" updates=""> <front> <titleabbrev="RFC XML Examples">CDNIabbrev="CDNI Metadata for Delegated Credentials">Content Delivery Network Interconnection (CDNI) Metadata for Delegated Credentials</title> <seriesInfo name="RFC" value="9677"/> <author initials="F." surname="Fieau"fullname="Fredericfullname="Frédéric Fieau"> <organization>Orange</organization> <address> <postal> <street>40-48, avenue de laRepublique</street> <city>Chatillon</city>République</street> <city>Châtillon</city> <code>92320</code> <country>France</country> </postal><email>frederic.fieau@orange.com</email></address><email>frederic.fieau@orange.com</email> </address> </author> <authorinitials='E.' surname='Stephan' fullname='Emile Stephan'>initials="E." surname="Stephan" fullname="Emile Stephan"> <organization>Orange</organization> <address> <postal> <street>2, avenue Pierre Marzin</street> <city>Lannion</city> <code>22300</code> <country>France</country> </postal><email>emile.stephan@orange.com</email></address><email>emile.stephan@orange.com</email> </address> </author> <authorinitials='G.' surname='Guillaume' fullname='Guillaume Bichot'>initials="G." surname="Bichot" fullname="Guillaume Bichot"> <organization>Broadpeak</organization> <address> <postal><street>15, rue Claude Chappe</street> <city>Cesson-Sevigne</city><street>3771 Boulevard des Alliés</street> <city>Cesson-Sévigné</city> <code>35510</code> <country>France</country> </postal><email>guillaume.bichot@broadpeak.tv</email></address><email>guillaume.bichot@broadpeak.tv</email> </address> </author> <authorinitials='C.' surname='Christoph' fullname='Christoph Neumann'>initials="C." surname="Neumann" fullname="Christoph Neumann"> <organization>Broadpeak</organization> <address> <postal><street>15, rue Claude Chappe</street> <city>Cesson-Sevigne</city><street>3771 Boulevard des Alliés</street> <city>Cesson-Sévigné</city> <code>35510</code> <country>France</country> </postal><email>christoph.neumann@broadpeak.tv</email></address><email>christoph.neumann@broadpeak.tv</email> </address> </author><date/><date month="October" year="2024"/> <area>WIT</area> <workgroup>cdni</workgroup> <keyword>HTTPS</keyword> <keyword>TLS</keyword> <abstract> <t> The delivery of content over HTTPS involving multiple Content Delivery Networks (CDNs) raises credential management issues. This document defines metadata in theCDNIContent Delivery Network Interconnection (CDNI) Control and Metadata interface tosetupset up HTTPS delegation using delegated credentials from anUpstreamupstream CDN (uCDN) to aDownstreamdownstream CDN (dCDN). </t> </abstract> </front> <middle><section title="Introduction"><section> <name>Introduction</name> <t> Content delivery over HTTPS utilizing one or more Content Delivery Networks (CDNs) along the delivery path necessitates the management of credentials. This requirement is particularly pertinent when an entity delegates the delivery of content via HTTPS to another trusted entity. </t> <t> This document specifies the CDNI Metadata interface for establishing HTTPS delegation through the use of delegated credentials, as defined in <xreftarget="RFC9345"/>)target="RFC9345"/>, between an upstream CDN (uCDN) and a downstream CDN (dCDN). </t> </section> <sectionanchor="terminology" title="Terminology"> <t>Theanchor="terminology"> <name>Terminology</name> <t> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> <t> This document uses terminology from the CDNIframework documents:specifications -- CDNI frameworkdocument<xref target="RFC7336"/>, CDNI requirements <xreftarget="RFC7337"/>target="RFC7337"/>, and CDNIinterface specifications documents: CDNIMetadata interface <xref target="RFC8006"/>. </t> </section> <sectionanchor="FCI" title="CDNIanchor="FCI"> <name>CDNI Footprint and Capabilities AdvertisementinterfaceInterface (FCI)capabilities objectCapabilities Object fordelegated credentials">Delegated Credentials</name> <t> A dCDN should advertise its supported delegation methods using the Footprint and Capabilities Advertisement interface (FCI) as defined in <xref target="RFC8008"/>. The FCI.Metadata object enables a dCDN to communicate its capabilities and the MetadataInterfaceinterface (MI) objects it supports. To indicate support for delegated credentials, the dCDN should announce the support for MI.DelegatedCredentials, as illustrated in the example below. </t><figure><artwork align="left"><sourcecode><![CDATA[ { "capabilities": [ { "capability-type": "FCI.Metadata", "capability-value": { "metadata": [ "MI.DelegatedCredentials", "... other supported MI objects ..." ] }, "footprints": [ "Footprint objects" ] } ] }</artwork></figure>]]></sourcecode> <t> This document also defines an object that informs the uCDN of the number of delegated credentials supported by the dCDN, enabling the uCDN to supply the appropriate number of delegated credentials. To this end, the FCI object, FCI.DelegationCredentials, is introduced. </t> <sectionanchor="FCI_DelegatedCredentials" title="FCI.DelegatedCredentials">anchor="FCI_DelegatedCredentials"> <name>FCI.DelegatedCredentials</name> <t> The FCI.DelegationCredentials object enables advertising the maximum number of delegated credentials supported by the dCDN. This number typically (but not necessarily) corresponds to the number of servers designated by the dCDN to support delegated credentials. </t> <t> The property PrivateKeyEncryptionKey contains a public key provided by the dCDN thatMUST<bcp14>MUST</bcp14> be used by the uCDN to encrypt private keys whenever such private keys are transmitted to the dCDN using MI.DelegatedCredentials (see <xref target="MI"/>). </t><t> <dl><dl newline="false" spacing="compact"> <dt>Property: </dt><dd>number-delegated-certs-supported <dl><dd>number-delegated-certs-supported</dd> <dt>Description:</dt> <dd>Number of delegated credentials supported by the dCDN.</dd> <dt>Type:</dt> <dd>integer</dd> <dt>Mandatory-to-Specify:</dt> <dd>Yes</dd> </dl></dd> </dl> <dl><dl newline="false" spacing="compact"> <dt>Property: </dt><dd>PrivateKeyEncryptionKey <dl><dd>PrivateKeyEncryptionKey</dd> <dt>Description:</dt> <dd>Public key inJWKJSON Web Key (JWK) format(<xref target="RFC7517"/>)<xref target="RFC7517"/> of the dCDN to be used by the uCDN to encrypt private keys.</dd> <dt>Type:</dt> <dd>string</dd> <dt>Mandatory-to-Specify:</dt> <dd>No</dd> </dl></dd> </dl> </t><t> The following is an example of the FCI.DelegatedCredentials. </t><figure><artwork align="left"><sourcecode><![CDATA[ { "capabilities": [ { "capability-type": "FCI.DelegatedCredentials", "capability-value": { "number-delegated-certs-supported": 10 } "footprints": [<Footprint<Footprint objects> ] } ] }</artwork></figure>]]></sourcecode> </section> <sectionanchor="usage_FCI" title="Expected usageanchor="usage_FCI"> <name>Expected Usage of theproperty numberProperty Number ofsupported delegated credentials">Supported Delegated Credentials</name> <t>The dCDN uses the FCI.DelegatedCredentials object to announce the number of servers that support delegatedcredentials</t>credentials.</t> <t>When the uCDN receives the FCI.DelegatedCredentialsobjectobject, it can issue the supported number of delegated credentials to the dCDN. When configuring the dCDN, the uCDNMAY<bcp14>MAY</bcp14> decide to provide less than the maximum supported delegated credentials to the dCDN. Note that, within a dCDN, different deployment possibilities of the delegated credentials on the endpoints exist. The dCDNMAY<bcp14>MAY</bcp14> use one single delegated credential and deploy it on multiple endpoints. Alternatively, the dCDNMAY<bcp14>MAY</bcp14> deploy a different delegated credential for each endpoint (provided that the uCDN delivers enough different delegated credentials). This choice is at the discretion of the dCDN and depends on the number of delegated credentials provided by the uCDN.</t> <t>The FCI.DelegationCredentials object does not address expiryandor renewal of delegated credentials. Once the uCDN has provided delegated credentials via the MI, the uCDNSHOULD<bcp14>SHOULD</bcp14> monitor the provided credentials and their expiry times andtimely<bcp14>SHOULD</bcp14> refresh dCDN credentials via theMI.MI in a timely manner. The uCDN may decide not to monitor the validity period of delegated credentials and not to refresh the credentials, forexampleexample, in cases of short-termone shotone-shot deployments or once it has decided to deprovision a dCDN. If the delegated credential is not renewed on time by the uCDN, the servers of the dCDN that only have expired delegated credentialsMUST<bcp14>MUST</bcp14> refuse any new TLS connection that requires an up-to-date delegated credential. </t> </section> </section> <sectionanchor="MI" title="CDNIanchor="MI"> <name>CDNI MetadatainterfaceInterface (MI)metadata objectMetadata Object fordelegated credentials">Delegated Credentials</name> <t>As expressed in <xref target="RFC9345"/>, when an uCDN has delegated to a dCDN, the dCDN presents the "delegated_credential" (rather than its own certificate) during the TLS handshake <xref target="RFC8446"/> to the UserAgent, instead of its own certificate.Agent. This implies that the dCDN is also in the possession of the private key corresponding to the public key in DelegatedCredential.cred <xref target="RFC9345"/>. This allows the User Agent to verify the signature in a CertificateVerify message (<xreftarget="RFC8446"/> Section 4.4.3.)target="RFC8446" sectionFormat="of" section="4.4.3"/>) sent and signed by the dCDN.</t> <t> This section defines the MI.DelegatedCredentials object containing an array of delegated credentials and optionally the corresponding private keys. The CDNI MI <xref target="RFC8006"/> describes the CDNI metadata distribution mechanisms according to which a dCDN can retrieve the MI.DelegatedCredentials object from the uCDN. </t> <t> The properties of the MI.DelegatedCredentials object are as follows: </t><t> <dl><dl newline="false" spacing="compact"> <dt>Property: </dt><dd>delegated-credentials <dl><dd>delegated-credentials</dd> <dt>Description:</dt> <dd>Array of delegated credentials</dd> <dt>Type:</dt> <dd>Array of DelegatedCredentialObject objects</dd> <dt>Mandatory-to-Specify:</dt> <dd>Yes</dd> </dl></dd> </dl> </t><t> The DelegatedCredentialObject object is composed of the following properties: </t><t> <dl><dl newline="false" spacing="compact"> <dt>Property: </dt><dd>delegated-credential <dl><dd>delegated-credential</dd> <dt>Description:</dt> <dd>Base64-encoded (as defined inSection 4 of<xreftarget="RFC4648"/>)target="RFC4648" sectionFormat="of" section="4"/>) version of a CertificateEntry as defined in <xreftarget="RFC8446"/> Section 4.4.2.target="RFC8446" sectionFormat="of" section="4.4.2"/>. The CertificateEntryMUST<bcp14>MUST</bcp14> contain a DelegatedCredential structure (as defined in <xref target="RFC9345"/>) using the extension in the CertificateEntry of its end-entity certificate (see <xreftarget="RFC9345"/> section 4.1.1)</dd>target="RFC9345" sectionFormat="of" section="4.1.1"/>).</dd> <dt>Type:</dt> <dd>string</dd> <dt>Mandatory-to-Specify:</dt> <dd>Yes</dd> </dl></dd> </dl> <dl><dl newline="false" spacing="compact"> <dt>Property: </dt><dd>private-key <dl><dd>private-key</dd> <dt>Description:</dt> <dd>Encrypted private key corresponding to the public key contained in the DelegatedCredential. The envelope format for this property isJWEJSON Web Encryption (JWE) <xref target="RFC7516"/> using the base64 compact serialization(Section 7.1 of <xref target="RFC7516"/>).</dd>(<xref target="RFC7516" sectionFormat="of" section="7.1"/>).</dd> <dt>Type:</dt> <dd>string</dd> <dt>Mandatory-to-Specify:</dt> <dd>No</dd> </dl></dd> </dl> </t><t> The private-key property is not mandatory. If not specified, it is assumed that the dCDN generated the public-private key pair for the delegated credential itself and provided the public key information with an out-of-band mechanism to the uCDN. See <xreftarget="security" />target="security"/> for constraints regarding the usage of the private key. </t> <t> If the private-key property is used, the transported private keyMUST<bcp14>MUST</bcp14> be encrypted using the PrivateKeyEncryptionKey specified in FCI.DelegatedCredentials. The envelope format for this propertyMUST<bcp14>MUST</bcp14> use JWE <xref target="RFC7516"/> using the base64 compact serialization(Section 7.1 of <xref target="RFC7516"/>),(<xref target="RFC7516" sectionFormat="of" section="7.1"/>), whereas the private key is included as JWE Ciphertext in the JWE. The JWE content-type fieldMAY<bcp14>MAY</bcp14> be used to signal the media type of the encrypted key. </t> <t> Below, please see an exampleMI.DelegatedCredential Object.of an MI.DelegatedCredentials object. </t><figure><artwork align="left"><sourcecode><![CDATA[ { "generic-metadata-type": "MI.DelegatedCredentials", "generic-metadata-value": { "delegated-credentials": [ {"delegated-credential": "cBBfm8KK6pPz/tdgKyedwA... iXCCIAmzMM0R8FLI3Ba0UQ=="}, {"delegated-credential": "4pyIGtjFdys1+9y/4sS/Fg... J+h9lnRY/xgmi65RLGKoRw=="}, {"delegated-credential": "6PWFO0g2AXvUaULXLObcVA... HXoldT/qaYCCNEyCc8JM2A=="} ] } }</artwork></figure>]]></sourcecode> </section> <sectionanchor="callflow" title="Delegated credentials call flow">anchor="callflow"> <name>Delegated Credentials Call Flow</name> <t>An example call-flow using delegated credentials is depicted inFigure 1.</t> <t> 1. It<xref target="call-flow"/>. The steps are as follows.</t> <ol type="1"> <li>It is assumed that the uCDN has been provisioned and configured with a certificate. Note that it is out of scope of CDNI and the present document how and from where (e.g.,CSP)which Content Service Provider) the uCDN acquired its certificate.</t> <t> 2. The</li> <li>The uCDN generates a set of delegated credentials (here it is assumed that public keys of the dCDN are known). Note that the uCDN may generate this material at different points in time, e.g., in advance to have a pool of delegated credentials oron-demandon demand when the dCDN announces its maximum number of supported delegated credentials.</t> <t> 3. Using</li> <li>Using the CDNI FCI <xref target="RFC8008"/>, the dCDN advertises MI.DelegatedCredentials capabilities to the uCDN. The dCDN further uses FCI.DelegatedCredentials to advertise the maximum number of supported delegated credentials.</t> <t> 4. Using</li> <li>Using the CDNI MI <xref target="RFC8006"/>, the dCDN acquires the MI.DelegatedCredentials, retrieving an array of delegated credentials.</t> <t> 5. The</li> <li>The client establishes a TLS connection with an endpoint of the dCDN according to <xref target="RFC9345"/> using the delegated credentials retrieved in step 4.</t> <t> 6. When</li> <li>When some delegated credentials are about to expire, the uCDN uses the CDNI MI <xref target="RFC8006"/> to provide new, valid delegated credentials.</t></li> </ol> <figuretitle="Example call-flowanchor="call-flow"> <name>Example Call Flow of DelegatedcredentialsCredentials inCDNI"><artwork align="center">CDNI</name> <artwork align="center"><![CDATA[ User-Agent dCDN uCDN | | | | |[1.uCDN[1. uCDN acquires its certificate | | out of scope of CDNI] | | | | |[2.generation[2. generation of | | delegated credentials] | | | | 3. CDNI FCI used to | advertise support of MI.DelegatedCredentials | and announce number of delegated credentials | supported using FCI.DelegatedCredentials | |-------------------->+ | | | | 4. CDNI MI used to | provide theMI.DelegatedCredentialMI.DelegatedCredentials object ||<--------------------+|<--------------------+ | | | . . . [5. TLS handshake according | to [RFC9345]] . ||<------------------->||<------------------->| | | | | . . . |6.Some6. Some delegated credentials about to expire. | CDNI MI used to | provide newMI.DelegatedCredentialMI.DelegatedCredentials object ||<--------------------+|<--------------------+ | | |</artwork></figure>]]></artwork> </figure> </section> <sectionanchor="iana" title="IANA Considerations">anchor="iana"> <name>IANA Considerations</name> <t>This document requestsIANAregistration ofhas registered the followingentries underpayload types in the "CDNI Payload Types" registryhosted by IANA regarding "CDNI delegation":in the "Content Delivery Network Interconnection (CDNI) Parameters" registry group. </t> <table><tbody><thead> <tr><td>Payload Type</td> <td>Specification</td><th>Payload Type</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>MI.DelegatedCredentials</td><td>RFCthis</td><td>RFC 9677</td> </tr> <tr> <td>FCI.DelegatedCredentials</td><td>RFCthis</td><td>RFC 9677</td> </tr> </tbody> </table> <t>[RFC Editor: Please replace RFCthis with the published RFC number for this document.] </t> <t> TheSections <xref target="iana_MI"/>format="counter"/> and <xref target="iana_FCI"/> belowformat="counter"/> provide additional necessary information for theIANAregistration of those CDNIpayload-types parameterspayload types (see <xreftarget="RFC7736"/> Section 2.2).target="RFC7736" sectionFormat="of" section="2.2"/>). </t> <sectionanchor="iana_MI" title="CDNI MI DelegatedCredentialsanchor="iana_MI"> <name>CDNI MI.DelegatedCredentials PayloadType"> <t>Type</name> <dl> <dt>Purpose:</dt> <dd>The purpose of thisPayload Typepayload type is to distinguish delegated credentials MIObjectsobjects. </dd> <dt>Interface:</dt> <dd>MI/FCI</dd> <dt>Encoding:</dt><dd>see<dd>See <xreftarget="MI" /></dd>target="MI"/>.</dd> </dl></t></section> <sectionanchor="iana_FCI" title="CDNI FCI DelegatedCredentialsanchor="iana_FCI"> <name>CDNI FCI.DelegatedCredentials PayloadType"> <t>Type</name> <dl> <dt>Purpose:</dt> <dd>The purpose of thisPayload Typepayload type is to advertise the number of delegated credentials needed (and any associated capabilityadvertisement)advertisement). </dd> <dt>Interface:</dt> <dd>FCI</dd> <dt>Encoding:</dt><dd>see<dd>See <xreftarget="FCI_DelegatedCredentials" /></dd>target="FCI_DelegatedCredentials"/>.</dd> </dl></t></section> </section> <sectionanchor="security" title="Security Considerations">anchor="security"> <name>Security Considerations</name> <t> The extensions defined enable providing delegated credentials to dCDNs. A delegated credential can only be used by a dCDN if it is in possession of the associated private key. Similarly, an attacker requires access to the private key in order to exploit a delegated credential and impersonate dCDN nodes. Thus, leakage of only the delegated credential without the private key represents a limited security risk. </t> <t> Delegated credentials and associated private keys are short-lived (perdefaultdefault, the maximum validity period is set to 7 days in <xref target="RFC9345"/>) and as such a single leaked delegated credential with its private key represents a limited security risk. Still, it isNOT RECOMMENDED<bcp14>NOT RECOMMENDED</bcp14> to send private keys through the MI. Omitting the private key further limits thepossibility exploits bypossible ways an attackerto exploitcould exploits the delegated credential. </t> <t> Ifdespitethisrecommendation,recommendation is not followed, i.e., the private key is communicated via the MI, the transported private keyMUST<bcp14>MUST</bcp14> be encrypted within a JWE envelope using the encryption key (PrivateKeyEncryptionKey) provided within the FCI.DelegatedCredentials by the dCDN. The JWE encryption key (PrivateKeyEncryptionKey)MUST<bcp14>MUST</bcp14> have a strength equal to or larger than the private key it is encrypting for transport. Note that the specified encryption method does not offer forward secrecy. If the dCDN's encryption key becomes compromised in the future, then all encrypted JWEs will become compromised. Due to the short-lived nature of delegated credentials, the impact is limited. </t> <t> It is also important to ensure that an attacker is not able to systematically retrieve a consecutive or consistent set of delegated credentials and associated private keys. Such an attack would allow the attacker to systematically impersonate dCDN nodes. The MI objects defined in the present document are transferred via the interfaces defined in CDNI <xref target="RFC8006"/>. <xref target="RFC8006"/> describes how to secure these interfaces, protecting theintegrity, confidentialityintegrity and confidentiality, as well as ensuring the authenticity of the dCDN and uCDN, which should prevent an attackertofrom systematicallyretrieveretrieving delegatedcredentialcredentials and associated private keys. </t> </section> <sectionanchor="privacy" title="Privacy Considerations">anchor="privacy"> <name>Privacy Considerations</name> <t> Theinformation, FCI,FCI and MI objects and the information defined in the present document do not contain any personally identifiable information (PII). Assuchsuch, this document does not change or alter theConfidentialityconfidentiality andPrivacy Considerationprivacy considerations outlined inthe CDNI Metadata and Footprint<xref target="RFC8006" section="8.2"/> andCapabilities RFCs<xreftarget="RFC8006"/>.</t>target="RFC8008" section="7"/>. </t> <t> A single or systematic retrieval of delegated credentials and associated private keys would allow the attacker to decrypt any data sent by the end user intended for the end service, which may include PII.</t> </section> </middle> <back><references title="Normative References"> <reference anchor="RFC7516" target="https://www.rfc-editor.org/info/rfc7516"> <front> <title>JSON Web Encryption (JWE)</title> <author fullname="M. Jones" initials="M." surname="Jones"/> <author fullname="J. Hildebrand" initials="J." surname="Hildebrand"/> <date month="May" year="2015"/> <abstract> <t>JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries defined by that specification. Related digital signature and Message Authentication Code (MAC) capabilities are described in the separate JSON Web Signature (JWS) specification.</t> </abstract> </front> <seriesInfo name="RFC" value="7516"/> <seriesInfo name="DOI" value="10.17487/RFC7516"/> </reference> <reference anchor="RFC7517" target="https://www.rfc-editor.org/info/rfc7517"> <front> <title>JSON Web Key (JWK)</title> <author fullname="M. Jones" initials="M." surname="Jones"/> <date month="May" year="2015"/> <abstract> <t>A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.</t> </abstract> </front> <seriesInfo name="RFC" value="7517"/> <seriesInfo name="DOI" value="10.17487/RFC7517"/> </reference> <reference anchor="RFC8006" target="https://www.rfc-editor.org/info/rfc8006"> <front> <title>Content Delivery Network Interconnection (CDNI) Metadata</title> <author fullname="B. Niven-Jenkins" initials="B." surname="Niven-Jenkins"/> <author fullname="R. Murray" initials="R." surname="Murray"/> <author fullname="M. Caulfield" initials="M." surname="Caulfield"/> <author fullname="K. Ma" initials="K." surname="Ma"/> <date month="December" year="2016"/> <abstract> <t>The Content Delivery Network Interconnection (CDNI) Metadata interface enables interconnected Content Delivery Networks (CDNs) to exchange content distribution metadata in order to enable content acquisition and delivery. The CDNI Metadata associated with a piece of content provides a downstream CDN with sufficient information for the downstream CDN to service content requests on behalf of an upstream CDN. This document describes both a base set of CDNI Metadata and the protocol for exchanging that metadata.</t> </abstract> </front> <seriesInfo name="RFC" value="8006"/> <seriesInfo name="DOI" value="10.17487/RFC8006"/> </reference> <reference anchor="RFC8008" target="https://www.rfc-editor.org/info/rfc8008"> <front> <title>Content Delivery Network Interconnection (CDNI) Request Routing: Footprint and Capabilities Semantics</title> <author fullname="J. Seedorf" initials="J." surname="Seedorf"/> <author fullname="J. Peterson" initials="J." surname="Peterson"/> <author fullname="S. Previdi" initials="S." surname="Previdi"/> <author fullname="R. van Brandenburg" initials="R." surname="van Brandenburg"/> <author fullname="K. Ma" initials="K." surname="Ma"/> <date month="December" year="2016"/> <abstract> <t><p>This document captures the semantics of the "Footprint and Capabilities Advertisement" part of the Content Delivery Network Interconnection (CDNI) Request Routing interface, i.e., the desired meaning of "Footprint" and "Capabilities" in the CDNI context and what the "Footprint & Capabilities Advertisement interface (FCI)" offers within CDNI. The document also provides guidelines for the CDNI FCI protocol. It further defines a Base Advertisement Object, the necessary registries for capabilities and footprints, and guidelines on how these registries can be extended in the future.</p></t> </abstract> </front> <seriesInfo name="RFC" value="8008"/> <seriesInfo name="DOI" value="10.17487/RFC8008"/> </reference> <reference anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446"> <front> <title>The Transport Layer Security (TLS) Protocol Version 1.3</title> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <date month="August" year="2018"/> <abstract> <t>This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.</t> </abstract> </front> <seriesInfo name="RFC" value="8446"/> <seriesInfo name="DOI" value="10.17487/RFC8446"/> </reference> <reference anchor="RFC9345" target="https://www.rfc-editor.org/info/rfc9345"> <front> <title>Delegated Credentials for TLS and DTLS</title> <author fullname="R. Barnes" initials="R." surname="Barnes"/> <author fullname="S. Iyengar" initials="S." surname="Iyengar"/> <author fullname="N. Sullivan" initials="N." surname="Sullivan"/> <author fullname="E. Rescorla" initials="E." surname="Rescorla"/> <date month="July" year="2023"/> <abstract> <t>The organizational separation between operators of TLS and DTLS endpoints and the certification authority can create limitations. For example, the lifetime of certificates, how they may be used, and the algorithms they support are ultimately determined by the Certification Authority (CA). This document describes a mechanism to overcome some of these limitations by enabling operators to delegate their own credentials for use in TLS and DTLS without breaking compatibility with peers that do not support this specification.</t> </abstract> </front> <seriesInfo name="RFC" value="9345"/> <seriesInfo name="DOI" value="10.17487/RFC9345"/> </reference> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author fullname="S. Bradner" initials="S." surname="Bradner"/> <date month="March" year="1997"/> <abstract> <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author fullname="B. Leiba" initials="B." surname="Leiba"/> <date month="May" year="2017"/> <abstract> <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC4648" target="https://www.rfc-editor.org/info/rfc4648"> <front> <title>The Base16, Base32, and Base64 Data Encodings</title> <author fullname="S. Josefsson" initials="S." surname="Josefsson"/> <date month="October" year="2006"/> <abstract> <t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4648"/> <seriesInfo name="DOI" value="10.17487/RFC4648"/> </reference><references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7516.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7517.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8006.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8008.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.9345.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.4648.xml"/> </references> <references> <name>Informative References</name> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7336.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7337.xml"/> <xi:include href="https://bib.ietf.org/public/rfc/bibxml/reference.RFC.7736.xml"/> </references><references title="Informative References"> <reference anchor="RFC7336" target="https://www.rfc-editor.org/info/rfc7336"> <front> <title>Framework for Content Distribution Network Interconnection (CDNI)</title> <author fullname="L. Peterson" initials="L." surname="Peterson"/> <author fullname="B. Davie" initials="B." surname="Davie"/> <author fullname="R. van Brandenburg" initials="R." role="editor" surname="van Brandenburg"/> <date month="August" year="2014"/> <abstract> <t>This document presents a framework for Content Distribution Network Interconnection (CDNI). The purpose of the framework is to provide an overall picture of the problem space of CDNI and to describe the relationships among the various components necessary to interconnect CDNs. CDNI requires the specification of interfaces and mechanisms to address issues such as request routing, distribution metadata exchange, and logging information exchange across CDNs. The intent of this document is to outline what each interface needs to accomplish and to describe how these interfaces and mechanisms fit together, while leaving their detailed specification to other documents. This document, in combination with RFC 6707, obsoletes RFC 3466.</t> </abstract> </front> <seriesInfo name="RFC" value="7336"/> <seriesInfo name="DOI" value="10.17487/RFC7336"/> </reference> <reference anchor="RFC7337" target="https://www.rfc-editor.org/info/rfc7337"> <front> <title>Content Distribution Network Interconnection (CDNI) Requirements</title> <author fullname="K. Leung" initials="K." role="editor" surname="Leung"/> <author fullname="Y. Lee" initials="Y." role="editor" surname="Lee"/> <date month="August" year="2014"/> <abstract> <t>Content delivery is frequently provided by specifically architected and provisioned Content Delivery Networks (CDNs). As a result of significant growth in content delivered over IP networks, existing CDN providers are scaling up their infrastructure. Many Network Service Providers (NSPs) and Enterprise Service Providers (ESPs) are also deploying their own CDNs. To deliver contents from the Content Service Provider (CSP) to end users, the contents may traverse across multiple CDNs. This creates a need for interconnecting (previously) standalone CDNs so that they can collectively act as a single delivery platform from the CSP to the end users.</t> <t>The goal of the present document is to outline the requirements for the solution and interfaces to be specified by the CDNI working group.</t> </abstract> </front> <seriesInfo name="RFC" value="7337"/> <seriesInfo name="DOI" value="10.17487/RFC7337"/> </reference> <reference anchor="RFC7736" target="https://www.rfc-editor.org/info/rfc7736"> <front> <title>Content Delivery Network Interconnection (CDNI) Media Type Registration</title> <author fullname="K. Ma" initials="K." surname="Ma"/> <date month="December" year="2015"/> <abstract> <t>This document defines the standard media type used by the Content Delivery Network Interconnection (CDNI) protocol suite, including the registration procedure and recommended usage of the required payload- type parameter.</t> </abstract> </front> <seriesInfo name="RFC" value="7736"/> <seriesInfo name="DOI" value="10.17487/RFC7736"/> </reference></references> </back> </rfc>