Technical Summary
The delivery of content over HTTPS involving multiple CDNs raises
credential management issues. This document defines metadata in the
CDNI Control and Metadata interface to set up HTTPS delegation using
delegated credentials from an Upstream CDN (uCDN) to a Downstream CDN
(dCDN).
Working Group Summary and Document Quality
The content of draft-cdni-https-delegation-subcerts has broad consensus within
the WG. The content was originally part of the HTTP delegation draft that was
split into two separate drafts, the other having been recently published as
RFC9538. The original draft was created seven years ago, but had to wait for
the underlying protocols (i.e., RFC9345 and RFC9115) to solidify. The draft
was split to decouple those waiting periods.
There were no major controversies. CDNI is not chartered to create security
protocols; its only goal is to communicate the necessary metadata between CDNs
to enable existing security protocols to work properly across CDNs. Much of
the discussion was around making sure that the draft is only using the
constructs provided by RFC9345 and not creating any additional interfaces or
security constructs. Special attention was paid to the security section, to
clarify proper usage of the metadata.
The one major concern was the inclusion of support for an in-band private key.
The chairs requested an early SECDIR review for the private key issue. Mike
Ounsworth provided valuable (and much appreciated) feedback on protecting the
private key. Though use of the private key is NOT RECOMMENDED, for those that
choose to use it, JWE encapsulation is now required, to keep it secure.
Personnel
The Document Shepherd for this document is Kevin J. Ma. The Responsible
Area Director is Francesca Palombini.