CDNI delegation using Automated Certificate Management Environment
draft-ietf-cdni-delegation-acme-05

Received changes through RFC Editor sync (changed state to RFC, created became rfc relationship between draft-ietf-cdni-delegation-acme and RFC 9538, changed IESG state to RFC Published)

[Ballot comment]
Thanks for this document. It is outside my area, and I've not had time to review it closely.  Just a couple of minor suggestions:

Minor level comments:

(1) p 2, sec 1.1.  Terminology

  This document uses terminology from CDNI framework documents such as:
  CDNI framework document [RFC7336] and CDNI interface specifications
  documents: CDNI Metadata interface [RFC8006] and CDNI Footprint and
  Capabilities Advertisement interface [RFC8008].  It also uses
  terminology from Section 1.1 of [RFC8739].

Please check whether you mean section 1.1 or section 1.2 of RFC8739.


(2) p 4, sec 3.  ACME Delegation Metadata for CDNI

  Figure 1: Example call-flow of STAR delegation in CDNI showing 2
                        levels of delegation

It might be helpful to define what 'CP' and 'CA' are.  Note - I did try and quickly check the references in the terminology, but I didn't check that carefully so I might have missed the definitions.

Regards,
Rob

[Ballot comment]
Thank you to Valery Smyslov for the SECDIR review.

** Section 3.  Recommend citing Figure 12 of RFC9115.  It appears that Figure 1 is reproducing it.

** Section 3.1 .  Recommend emphasizing that the URL in acme-delegation must use the https scheme.

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has completed its review of draft-ietf-cdni-delegation-acme-03. If any part of this review is inaccurate, please let us know.

IANA understands that, upon approval of this document, there is a single action which we must complete.

In the CDNI Payload Types registry in the Content Delivery Network Interconnection (CDNI) Parameters registry group located at:

https://www.iana.org/assignments/cdni-parameters/

a single new registration will be made as follows:

Payload Type: MI.ACMEDelegationMethod
Reference: [ RFC-to-be ]

As this document requests a registration in an Expert Review or Specification Required (see RFC 8126) registry, we will initiate the required Expert Review via a separate request. This review must be completed before the document's IANA state can be changed to "IANA OK."

We understand that this is the only action required to be completed upon approval of this document.

NOTE: The action requested in this document will not be completed until the document has been approved for publication as an RFC. This message is meant only to confirm the action that will be performed.

For definitions of IANA review states, please see:

https://datatracker.ietf.org/help/state/draft/iana-review

Thank you,

David Dong
IANA Services Sr. Specialist

The following Last Call announcement was sent out (ends 2023-10-18):

From: The IESG
To: IETF-Announce
CC: cdni-chairs@ietf.org, cdni@ietf.org, draft-ietf-cdni-delegation-acme@ietf.org, francesca.palombini@ericsson.com, kevin.j.ma.ietf@gmail.com
Reply-To: last-call@ietf.org
Sender:
Subject: Last Call:  (CDNI delegation using Automated Certificate Management Environment) to Proposed Standard


The IESG has received a request from the Content Delivery Networks
Interconnection WG (cdni) to consider the following document: - 'CDNI
delegation using Automated Certificate Management Environment'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits final
comments on this action. Please send substantive comments to the
last-call@ietf.org mailing lists by 2023-10-18. Exceptionally, comments may
be sent to iesg@ietf.org instead. In either case, please retain the beginning
of the Subject line to allow automated sorting.

Abstract


  This document defines metadata to support delegating the delivery of
  HTTPS content between two or more interconnected CDNs.  Specifically,
  this document defines a CDNI Metadata interface object to enable
  delegation of X.509 certificates leveraging delegation schemes
  defined in RFC9115.  RFC9115 allows delegating entities to remain in
  full control of the delegation and be able to revoke it any time and
  this avoids the need to share private cryptographic key material
  between the involved entities.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-cdni-delegation-acme/



No IPR declarations have been submitted directly on this I-D.

Document Shepherd: Kevin J. Ma

Responsible AD: Francesca Palombini

This draft defines/registers a CDNI Metadata object to enable credential delegation between an upstream and a downstream CDN.  The CDNI Metadata Interface (RFC8006) was designed to be extensible and defines a registry for new metadata objects to which the ACMEDelegationMethod object is being added.

The draft has been around for over six years.  There was broad consensus that CDNI should support credential delegation once credential delegation protocols were defined by other working groups.  CDNI is not chartered to define credential delegation protocols, therefore it was determined that the draft would wait for completion of the ACME STAR and/or TLS subcerts drafts in their respective working groups.  As ACME STAR neared completion, the draft was split into two drafts, one for ACME STAR and the other for TLS subcerts.

There were no major controversies or discontent.  Discussions were primarily around scope, specifically, minimizing the contents of the draft to only what is needed for CDNI to support delegation and avoiding any implementation of security protocols.  CDNI supports configuration and capability negotiation between CDNs; it does not implement security protocols.

The draft specifically provides for configuring ACME across CDNs and so relates to the work of the ACME WG.  The draft was reviewed by Thomas Fossati, one of the co-authors of RFC8739 and RFC9115, prior to WGLC and all his comments were addressed.

The draft is clear of any nits.

The draft does not create any new IANA registries but does register a new CDNI payload type.  I am one of the designated experts for the registry and I have reviewed the draft, json object definition, and registration.

The draft has gone through many rounds of review and I feel that the document is ready for the AD.

The draft is being submitted as a proposed standard as it extends the capabilities of proposed standard RFC8006.

The authors have confirmed that there is no undisclosed IPR to their knowledge.

The normative references are all freely available and normative.  There are no downrefs or unpublished RFC references.

Publication of this draft does not change the status of any other RFCs.

Document Shepherd: Kevin J. Ma

Responsible AD: Francesca Palombini

This draft defines/registers a CDNI Metadata object to enable credential delegation between an upstream and a downstream CDN.  The CDNI Metadata Interface (RFC8006) was designed to be extensible and defines a registry for new metadata objects to which the ACMEDelegationMethod object is being added.

The draft has been around for over six years.  There was broad consensus that CDNI should support credential delegation once credential delegation protocols were defined by other working groups.  CDNI is not chartered to define credential delegation protocols, therefore it was determined that the draft would wait for completion of the ACME STAR and/or TLS subcerts drafts in their respective working groups.  As ACME STAR neared completion, the draft was split into two drafts, one for ACME STAR and the other for TLS subcerts.

There were no major controversies or discontent.  Discussions were primarily around scope, specifically, minimizing the contents of the draft to only what is needed for CDNI to support delegation and avoiding any implementation of security protocols.  CDNI supports configuration and capability negotiation between CDNs; it does not implement security protocols.

The draft specifically provides for configuring ACME across CDNs and so relates to the work of the ACME WG.  The draft was reviewed by Thomas Fossati, one of the co-authors of RFC8739 and RFC9115, prior to WGLC and all his comments were addressed.

The draft is clear of any nits.

The draft does not create any new IANA registries but does register a new CDNI payload type.  I am one of the designated experts for the registry and I have reviewed the draft, json object definition, and registration.

The draft has gone through many rounds of review and I feel that the document is ready for the AD.

The draft is being submitted as a proposed standard as it extends the capabilities of proposed standard RFC8006.

The authors have confirmed that there is no undisclosed IPR to their knowledge.

The normative references are all freely available and normative.  There are no downrefs or unpublished RFC references.

Publication of this draft does not change the status of any other RFCs.