CDNI extensions for HTTPS delegation

Introduction Content delivery over HTTPS using one or more CDNs along the path requires credential management. This specifically applies when an entity delegates delivery of encrypted content to another trusted entity. defines a mechanism where an upstream entity, that is, holder of an X.509 certificate can give a temporary delegated authority, via issuing a certificate to one or more downstream entities for the purposes of delivering content on its behalf. Furthermore, the upstream entity has the ability to extend the duration of the certificate automatically and iteratively until it allows the last renewal to end and therefore terminate the use of the certificate authority to the downstream entity. More specifically, defines a process where the upstream Content Delivery Network (uCDN), the holder of the domain, generates on-demand an X.509 certificate for the downstream CDN (dCDN). The certificate generation process ensures that the certified public key corresponds to a private key controlled by the downstream CDN. follows for Short-Term, Automatically Renewed Certificate (STAR) in the Automated Certificate Management Environment (ACME). This document defines CDNI Metadata to make use of HTTPS delegation between an uCDN and a dCDN based on the mechanism specified in . Furthermore, it includes a proposal of IANA registry to enable adding of delegation methods. Section 2 defines terminology used in this document. Section 3 presents delegation metadata for the FCI interface. Section 4 addresses the metadata for handling HTTPS delegation with the Metadata Interface. Section 5 addresses IANA registry for delegation methods. Section 6 covers the security considerations.

Terminology This document uses terminology from CDNI framework documents such as: CDNI framework document , CDNI requirements and CDNI interface specifications documents: CDNI Metadata interface and CDNI Footprint and capabilities .

Advertising delegation metadata for CDNI through FCI The Footprint and Capabilities interface as defined in , allows a dCDN to send a FCI capability type object to a uCDN. The FCI.Metadata object shall allow a dCDN to advertise the capabilities regarding the supported delegation methods and their configuration. The following is an example of the supported delegated methods capability object for a CDN supporting STAR delegation method. ] } ] } ]]>

ACME Delegation metadata for CDNI This section defines the AcmeStarDelegationMethod object which describes metadata related to the use of ACME/STAR API presented in This allows bootstrapping ACME delegation method between a uCDN and a delegate dCDN. As expressed in , when an origin has set a delegation to a specific domain (i.e., dCDN), the dCDN should present to the end-user client a short-term certificate bound to the master certificate. | | | | 200 OK + Metadata incl. CSR template [CDNI] | |<--------------------+ | | | 2. Request delegation: video.dcdn.example + dCDN public key | +-------------------->| | | | | 3. Request STAR Cert + dCDN public key | | +-------------------->| 4. Request STAR cert| | | | + Pubkey | | | |-------------------->| | | | 5. STAR certificate | | | 6. STAR certificate |<--------------------| | 7. STAR certificate |<--------------------+ | +<--------------------| | | | | | | | 8. Retrieve STAR certificate (credential-location-uri) | +---------------------------------------------------------------->| | | | 9. renew +--| | | | cert | | | 10. Star certificate | +->| |<----------------------------------------------------------------+ | ... | | | Figure 1: Example call-flow of STAR delegation in CDNI showing 2 levels of delegation ]]> Property: acme-delegations

Description: an array of delegation objects associated with the dCDN account on the uCDN ACME server (see Section 2.3.1 of for the details).
Type: Objects
Mandatory-to-Specify: Yes

Below shows both HostMatch and its Metadata related to a host, for example, here is a HostMatch object referencing "video.example.com" and a list of 2 acme-delegation objects.

IANA considerations This document requests the registration of the following entries under the "CDNI Payload Types" registry hosted by IANA regarding "CDNI delegation":

CDNI MI AcmeStarDelegationMethod Payload Type Purpose: The purpose of this Payload Type is to distinguish AcmeStarDelegationMethod MI objects (and any associated capability advertisement) Interface: MI Encoding: see Section 4

Security considerations Delegation metadata proposed here do not alter nor change Security Considerations as outlined in the following RFCs: An Automatic Certificate Management Environment (ACME) Profile for Generating Delegated Certificates ; the CDNI Metadata and CDNI Footprint and Capabilities . The delegation objects properties that are critical should be protected by the proper/mandated encryption and authentication.