Shepherd writeup
draft-ietf-cdni-https-delegation-subcerts

Document Shepherd: Kevin J. Ma

Responsible AD: Francesca Palombini

This draft defines/registers a CDNI Metadata object to enable credential
delegation between an upstream and a downstream CDN. The CDNI Metadata
Interface (RFC8006) and Footprint and Capabilities Interface (RFC8008) were
designed to be extensible and registries are defined for new metadata and
capabilities objects to which the DelegatedCredentials objects are being added.

The content of draft-cdni-https-delegation-subcerts has broad consensus within
the WG.  The content was originally part of the HTTP delegation draft that was
split into two separate drafts, the other having been recently published as
RFC9538.  The original draft was created seven years ago, but had to wait for
the underlying protocols (i.e., RFC9345 and RFC9115) to solidify.  The draft
was split to decouple those waiting periods.

There were no major controversies.  CDNI is not chartered to create security
protocols; its only goal is to communicate the necessary metadata between CDNs
to enable existing security protocols to work properly across CDNs.  Much of
the discussion was around making sure that the draft is only using the
constructs provided by RFC9345 and not creating any additional interfaces or
security constructs.  Special attention was paid to the security section, to
clarify proper usage of the metadata.

The one major concern was the inclusion of support for an in-band private key.
The chairs requested an early SECDIR review for the private key issue.  Mike
Ounsworth provided valuable (and much appreciated) feedback on protecting the
private key.  Though use of the private key is NOT RECOMMENDED, for those that
choose to use it, JWE encapsulation is now required, to keep it secure.

Having reviewed the document, I feel it is clear, complete, correct, and ready
for AD handoff.  There are no idnits, downrefs, or pending normative references.

The draft is being submitted as a proposed standard as it extends the
capabilities of proposed standard RFC8006 and RFC8008.

The authors have confirmed that there is no undisclosed IPR to their knowledge.
Though the authors do have implementations for RFC9345, they have not yet
implemented this draft.

The normative references are all freely available and normative.  There are no
downrefs or unpublished RFC references.

Publication of this draft does not change the status of any other RFCs.

The draft does not create any new IANA registries but does register a new CDNI
payload type.  I am one of the designated experts for the registry and I have
reviewed the draft, the JSON object definition, and the IANA registration request.  I
have no major concerns, but I have requested additional JSON examples (using
the optional fields) for clarity and completeness.