1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
|
Internet Engineering Task Force (IETF) Y. Sheffer
Request for Comments: 9115 Intuit
Category: Standards Track D. López
ISSN: 2070-1721 A. Pastor Perales
Telefonica I+D
T. Fossati
ARM
September 2021
An Automatic Certificate Management Environment (ACME) Profile for
Generating Delegated Certificates
Abstract
This document defines a profile of the Automatic Certificate
Management Environment (ACME) protocol by which the holder of an
identifier (e.g., a domain name) can allow a third party to obtain an
X.509 certificate such that the certificate subject is the delegated
identifier while the certified public key corresponds to a private
key controlled by the third party. A primary use case is that of a
Content Delivery Network (CDN), the third party, terminating TLS
sessions on behalf of a content provider (the holder of a domain
name). The presented mechanism allows the holder of the identifier
to retain control over the delegation and revoke it at any time.
Importantly, this mechanism does not require any modification to the
deployed TLS clients and servers.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9115.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
1.1. Terminology
1.2. Conventions Used in This Document
2. Protocol Flow
2.1. Preconditions
2.2. Overview
2.3. Delegated Identity Profile
2.3.1. Delegation Configuration
2.3.2. Order Object Transmitted from NDC to IdO and to ACME
Server (STAR)
2.3.3. Order Object Transmitted from NDC to IdO and to ACME
Server (Non-STAR)
2.3.4. Capability Discovery
2.3.5. Negotiating an Unauthenticated GET
2.3.6. Terminating the Delegation
2.4. Proxy Behavior
3. CA Behavior
4. CSR Template
4.1. Template Syntax
4.2. Example
5. Further Use Cases
5.1. CDN Interconnection (CDNI)
5.1.1. Multiple Parallel Delegates
5.1.2. Chained Delegation
5.2. Secure Telephone Identity Revisited (STIR)
6. IANA Considerations
6.1. New Fields in the "meta" Object within a Directory Object
6.2. New Fields in the Order Object
6.3. New Fields in the Account Object
6.4. New Error Types
6.5. CSR Template Extensions
7. Security Considerations
7.1. Trust Model
7.2. Delegation Security Goal
7.3. New ACME Channels
7.4. Restricting CDNs to the Delegation Mechanism
8. References
8.1. Normative References
8.2. Informative References
Appendix A. CSR Template: CDDL
Appendix B. CSR Template: JSON Schema
Acknowledgements
Authors' Addresses
1. Introduction
This document is related to [RFC8739], in that some important use
cases require both documents to be implemented. To avoid
duplication, we give here a bare-bones description of the motivation
for this solution. For more details, please refer to the
introductory sections of [RFC8739].
An Identifier Owner (IdO) has agreements in place with one or more
Name Delegation Consumer (NDC) to use and attest its identity.
In the primary use case, the IdO is a content provider, and we
consider a Content Delivery Network (CDN) provider contracted to
serve the content over HTTPS. The CDN terminates the HTTPS
connection at one of its edge cache servers and needs to present its
clients (browsers, mobile apps, set-top boxes) a certificate whose
name matches the domain name of the URL that is requested, i.e., that
of the IdO. Understandably, some IdOs may balk at sharing their
long-term private keys with another organization; equally, delegates
would rather not have to handle other parties' long-term secrets.
Other relevant use cases are discussed in Section 5.
This document describes a profile of the ACME protocol [RFC8555] that
allows the NDC to request from the IdO, acting as a profiled ACME
server, a certificate for a delegated identity -- i.e., one belonging
to the IdO. The IdO then uses the ACME protocol (with the extensions
described in [RFC8739]) to request issuance of a Short-Term,
Automatically Renewed (STAR) certificate for the same delegated
identity. The generated short-term certificate is automatically
renewed by the ACME Certification Authority (CA), is periodically
fetched by the NDC, and is used to terminate HTTPS connections in
lieu of the IdO. The IdO can end the delegation at any time by
simply instructing the CA to stop the automatic renewal and letting
the certificate expire shortly thereafter.
While the primary use case we address is a delegation of STAR
certificates, the mechanism proposed here also accommodates long-
lived certificates managed with the ACME protocol. The most
noticeable difference between long-lived and STAR certificates is the
way the termination of the delegation is managed. In the case of
long-lived certificates, the IdO uses the "revokeCert" URL exposed by
the CA and waits for the explicit revocation based on the Certificate
Revocation List (CRL) and Online Certificate Status Protocol (OCSP)
to propagate to the relying parties.
In case the delegated identity is a domain name, this document also
provides a way for the NDC to inform the IdO about the CNAME mappings
that need to be installed in the IdO's DNS zone to enable the
aliasing of the delegated name, thus allowing the complete name
delegation workflow to be handled using a single interface.
We note that other standardization efforts address the problem of
certificate delegation for TLS connections, specifically
[TLS-SUBCERTS] and [MGLT-LURK-TLS13]. The former extends the TLS
certificate chain with a customer-owned signing certificate; the
latter separates the server's private key into a dedicated, more-
secure component. Compared to these other approaches, the current
document does not require changes to the TLS network stack of the
client or the server, nor does it introduce additional latency to the
TLS connection.
1.1. Terminology
IdO Identifier Owner, the holder (current owner) of an identifier
(e.g., a domain name) that needs to be delegated. Depending
on the context, the term IdO may also be used to designate
the (profiled) ACME server deployed by the Identifier Owner
or the ACME client used by the Identifier Owner to interact
with the CA.
NDC Name Delegation Consumer, the entity to which the domain name
is delegated for a limited time. This is a CDN in the
primary use case (in fact, readers may note the similarity of
the two abbreviations). Depending on the context, the term
NDC may also be used to designate the (profiled) ACME client
used by the Name Delegation Consumer.
CDN Content Delivery Network, a widely distributed network that
serves the domain's web content to a wide audience at high
performance.
STAR Short-Term, Automatically Renewed, as applied to X.509
certificates.
ACME Automated Certificate Management Environment, a certificate
management protocol [RFC8555].
CA Certification Authority, specifically one that implements the
ACME protocol. In this document, the term is synonymous with
"ACME server deployed by the Certification Authority".
CSR Certificate Signing Request, specifically a PKCS#10 [RFC2986]
Certificate Signing Request, as supported by ACME.
FQDN Fully Qualified Domain Name.
1.2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Protocol Flow
This section presents the protocol flow. For completeness, we
include the ACME profile proposed in this document as well as the
ACME STAR protocol described in [RFC8739].
2.1. Preconditions
The protocol assumes the following preconditions are met:
* The IdO exposes an ACME server interface to the NDC(s) comprising
the account management interface.
* The NDC has registered an ACME account with the IdO.
* The NDC and IdO have agreed on a "CSR template" to use, including
at a minimum: subject name (e.g., "abc.ido.example"), requested
algorithms and key length, key usage, and extensions. The NDC
will use this template for every CSR created under the same
delegation.
* The IdO has registered an ACME account with the Certification
Authority (CA).
Note that even if the IdO implements the ACME server role, it is not
acting as a CA; in fact, from the point of view of the certificate
issuance process, the IdO only works as a "policing" forwarder of the
NDC's key pair and is responsible for completing the identity
verification process towards the CA.
2.2. Overview
For clarity, the protocol overview presented here covers the main use
case of this protocol, namely delegation of STAR certificates.
Protocol behavior for non-STAR certificates is similar, and the
detailed differences are listed in the following sections.
The interaction between the NDC and the IdO is governed by the
profiled ACME workflow detailed in Section 2.3. The interaction
between the IdO and the CA is ruled by ACME [RFC8555], ACME STAR
[RFC8739], and any other ACME extension that applies (e.g.,
[TOKEN-TNAUTHLIST] for Secure Telephone Identity Revisited (STIR)).
The outline of the combined protocol for STAR certificates is as
follows (Figure 1):
* NDC sends an Order1 for the delegated identifier to IdO.
* IdO creates an Order1 resource in state "ready" with a "finalize"
URL.
* NDC immediately sends a "finalize" request (which includes the
CSR) to the IdO.
* IdO verifies the CSR according to the agreed upon CSR template.
* If the CSR verification fails, Order1 is moved to an "invalid"
state and everything stops.
* If the CSR verification is successful, IdO moves Order1 to state
"processing" and sends a new Order2 (using its own account) for
the delegated identifier to the CA.
* If the ACME STAR protocol fails, Order2 moves to "invalid", and
the same state is reflected in Order1 (i.e., the NDC Order).
* If the ACME STAR run is successful (i.e., Order2 is "valid"), IdO
copies the "star-certificate" URL from Order2 to Order1 and
updates the Order1 state to "valid".
The NDC can now download, install, and use the short-term certificate
bearing the name delegated by the IdO. The STAR certificate can be
used until it expires, at which time the NDC is guaranteed to find a
new certificate it can download, install, and use. This continues
with subsequent certificates until either Order1 expires or the IdO
decides to cancel the automatic renewal process with the CA.
Note that the interactive identifier authorization phase described in
Section 7.5 of [RFC8555] is suppressed on the NDC-IdO side because
the delegated identity contained in the CSR presented to the IdO is
validated against the configured CSR template (Section 4.1).
Therefore, the NDC sends the "finalize" request, including the CSR,
to the IdO immediately after Order1 has been acknowledged. The IdO
SHALL buffer a (valid) CSR until the Validation phase completes
successfully.
Also note that the successful negotiation of the unauthenticated GET
(Section 3.4 of [RFC8739]) is required in order to allow the NDC to
access the "star-certificate" URL on the CA.
.------. .---------------. .------.
| NDC | | IdO | | ACME |
+--------+ +--------+--------+ +--------+
| Client | | Server | Client | | Server |
'---+----' '----+---+---+----' '----+---'
| | | |
| Order1 | | |
| Signature | | |
o------------------->| | |
| | | |
| [ No identity ] | | |
| [ validation via ] | | |
| [ authorizations ] | | |
| | | |
| CSR | | |
| Signature | | |
o------------------->| | |
| Acknowledgement | | Order2 |
|<-------------------o | Signature |
| | o------------------->|
| | | Required |
| | | Authorizations |
| | |<-------------------o
| | | Responses |
| | | Signature |
| | o------------------->|
| | | |
| | |<~~~~Validation~~~~>|
| | | |
| | | CSR |
| | | Signature |
| | o------------------->|
| | | Acknowledgement |
| | |<-------------------o
| | | |
|<~~Await issuance~->| |<~~Await issuance~~>|
| |
| (unauthenticated) GET STAR certificate |
o------------------------------------------------>|
| Certificate #1 |
|<------------------------------------------------o
| (unauthenticated) GET STAR certificate |
o------------------------------------------------>|
| Certificate #2 |
|<------------------------------------------------o
| [...] |
| (unauthenticated) GET STAR certificate |
o------------------------------------------------>|
| Certificate #n |
|<------------------------------------------------o
Figure 1: End-to-End STAR Delegation Flow
2.3. Delegated Identity Profile
This section defines a profile of the ACME protocol to be used
between the NDC and IdO.
2.3.1. Delegation Configuration
The IdO must be preconfigured to recognize one or more NDCs and
present them with details about certificate delegations that apply to
each one.
2.3.1.1. Account Object Extensions
An NDC identifies itself to the IdO as an ACME account. The IdO can
delegate multiple names to an NDC, and these configurations are
described through "delegation" objects associated with the NDC's
account object on the IdO.
As shown in Figure 2, the ACME account resource on the IdO is
extended with a new "delegations" attribute:
delegations (required, string): A URL from which a list of
delegations configured for this account (Section 2.3.1.3) can be
fetched via a POST-as-GET request.
{
"status": "valid",
"contact": [
"mailto:delegation-admin@ido.example"
],
"termsOfServiceAgreed": true,
"orders": "https://example.com/acme/orders/saHpfB",
"delegations": "https://acme.ido.example/acme/delegations/adFqoz"
}
Figure 2: Example Account Object with Delegations
2.3.1.2. Delegation Lists
Each account object includes a "delegations" URL from which a list of
delegation configurations created by the IdO can be fetched via a
POST-as-GET request. The result of the request MUST be a JSON object
whose "delegations" field is an array of URLs, each identifying a
delegation configuration made available to the NDC account
(Section 2.3.1.3). The server MAY return an incomplete list, along
with a "Link" header field with a "next" link relation indicating
where further entries can be acquired.
HTTP/1.1 200 OK
Content-Type: application/json
Link: <https://acme.ido.example/acme/directory>;rel="index"
Link: <https://acme.ido.example/acme/delegations/adFqoz?/
cursor=2>;rel="next"
{
"delegations": [
"https://acme.ido.example/acme/delegation/ogfr8EcolOT",
"https://acme.ido.example/acme/delegation/wSi5Lbb61E4",
/* more URLs not shown for example brevity */
"https://acme.ido.example/acme/delegation/gm0wfLYHBen"
]
}
Note that in the figure above,
https://acme.ido.example/acme/delegations/adFqoz?cursor=2 includes a
line break for the sake of presentation.
2.3.1.3. Delegation Objects
This profile extends the ACME resource model with a new read-only
"delegation" object that represents a delegation configuration that
applies to a given NDC.
A "delegation" object contains the CSR template (see Section 4) that
applies to that delegation and, optionally, any related CNAME mapping
for the delegated identifiers. Its structure is as follows:
csr-template (required, object): CSR template, as defined in
Section 4.
cname-map (optional, object): A map of FQDN pairs. In each pair,
the name is the delegated identifier; the value is the
corresponding NDC name that is aliased in the IdO's zone file to
redirect the resolvers to the delegated entity. Both names and
values MUST be FQDNs with a terminating '.'. This field is only
meaningful for identifiers of type "dns".
An example "delegation" object in JSON format is shown in Figure 3.
{
"csr-template": {
"keyTypes": [
{
"PublicKeyType": "id-ecPublicKey",
"namedCurve": "secp256r1",
"SignatureType": "ecdsa-with-SHA256"
}
],
"subject": {
"country": "CA",
"stateOrProvince": "**",
"locality": "**"
},
"extensions": {
"subjectAltName": {
"DNS": [
"abc.ido.example"
]
},
"keyUsage": [
"digitalSignature"
],
"extendedKeyUsage": [
"serverAuth"
]
}
},
"cname-map": {
"abc.ido.example.": "abc.ndc.example."
}
}
Figure 3: Example Delegation Configuration Object
In order to indicate which specific delegation applies to the
requested certificate, a new "delegation" attribute is added to the
order object on the NDC-IdO side (see Figures 4 and 7). The value of
this attribute is the URL pointing to the delegation configuration
object that is to be used for this certificate request. If the
"delegation" attribute in the order object contains a URL that does
not correspond to a configuration available to the requesting ACME
account, the IdO MUST return an error response with status code 403
(Forbidden), providing a problem document [RFC7807] with type
"urn:ietf:params:acme:error:unknownDelegation".
2.3.2. Order Object Transmitted from NDC to IdO and to ACME Server
(STAR)
If the delegation is for a STAR certificate, the request object
created by the NDC:
* MUST have a "delegation" attribute indicating the preconfigured
delegation that applies to this Order;
* MUST have entries in the "identifiers" field for each delegated
name present in the configuration;
* MUST NOT contain the "notBefore" and "notAfter" fields; and
* MUST contain an "auto-renewal" object and, inside it, the fields
listed in Section 3.1.1 of [RFC8739]. In particular, the "allow-
certificate-get" attribute MUST be present and set to true.
POST /acme/new-order HTTP/1.1
Host: acme.ido.example
Content-Type: application/jose+json
{
"protected": base64url({
"alg": "ES256",
"kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg",
"nonce": "Alc00Ap6Rt7GMkEl3L1JX5",
"url": "https://acme.ido.example/acme/new-order"
}),
"payload": base64url({
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"auto-renewal": {
"end-date": "2021-04-20T00:00:00Z",
"lifetime": 345600, // 4 days
"allow-certificate-get": true
},
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen"
}),
"signature": "g454e3hdBlkT4AEw...nKePnUyZTjGtXZ6H"
}
Figure 4: New STAR Order from NDC
The order object that is created on the IdO:
* MUST start in the "ready" state;
* MUST contain an "authorizations" array with zero elements;
* MUST contain the indicated "delegation" configuration;
* MUST contain the indicated "auto-renewal" settings; and
* MUST NOT contain the "notBefore" and "notAfter" fields.
{
"status": "ready",
"expires": "2021-05-01T00:00:00Z",
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"auto-renewal": {
"end-date": "2021-04-20T00:00:00Z",
"lifetime": 345600,
"allow-certificate-get": true
},
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen",
"authorizations": [],
"finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize"
}
Figure 5: STAR Order Resource Created on IdO
The Order is then finalized by the NDC supplying the CSR containing
the delegated identifiers. The IdO checks the provided CSR against
the template contained in the "delegation" object that applies to
this request, as described in Section 4.1. If the CSR fails
validation for any of the identifiers, the IdO MUST return an error
response with status code 403 (Forbidden) and an appropriate type,
e.g., "rejectedIdentifier" or "badCSR". The error response SHOULD
contain subproblems (Section 6.7.1 of [RFC8555]) for each failed
identifier. If the CSR is successfully validated, the order object
status moves to "processing" and the twin ACME protocol instance is
initiated on the IdO-CA side.
The request object created by the IdO:
* MUST copy the identifiers sent by the NDC;
* MUST strip the "delegation" attribute; and
* MUST carry a copy of the "auto-renewal" object sent by the NDC.
When the identifiers' authorization has been successfully completed
and the certificate has been issued by the CA, the IdO:
* MUST move its Order resource status to "valid" and
* MUST copy the "star-certificate" field from the STAR Order
returned by the CA into its Order resource. When dereferenced,
the "star-certificate" URL includes (via the "Cert-Not-Before" and
"Cert-Not-After" HTTP header fields) the renewal timers needed by
the NDC to inform its certificate reload logic.
{
"status": "valid",
"expires": "2021-05-01T00:00:00Z",
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"auto-renewal": {
"end-date": "2021-04-20T00:00:00Z",
"lifetime": 345600,
"allow-certificate-get": true
},
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen",
"authorizations": [],
"finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize",
"star-certificate": "https://acme.ca.example/acme/order/yTr23sSDg9"
}
Figure 6: STAR Order Resource Updated on IdO
This delegation protocol is predicated on the NDC being able to fetch
certificates periodically using an unauthenticated HTTP GET, since,
in general, the NDC does not possess an account on the CA; as a
consequence, it cannot issue the standard POST-as-GET ACME request.
Therefore, before forwarding the Order request to the CA, the IdO
SHOULD ensure that the selected CA supports unauthenticated GET by
inspecting the relevant settings in the CA's directory object, as per
Section 3.4 of [RFC8739]. If the CA does not support unauthenticated
GET of STAR certificates, the IdO MUST NOT forward the Order request.
Instead, it MUST move the Order status to "invalid" and set the
"allow-certificate-get" in the "auto-renewal" object to "false". The
same occurs in case the Order request is forwarded and the CA does
not reflect the "allow-certificate-get" setting in its Order
resource. The combination of "invalid" status and denied "allow-
certificate-get" in the Order resource at the IdO provides an
unambiguous (asynchronous) signal to the NDC about the failure
reason.
2.3.2.1. CNAME Installation
If one of the objects in the "identifiers" list is of type "dns", the
IdO can add the CNAME records specified in the "delegation" object to
its zone, for example:
abc.ido.example. CNAME abc.ndc.example.
2.3.3. Order Object Transmitted from NDC to IdO and to ACME Server
(Non-STAR)
If the delegation is for a non-STAR certificate, the request object
created by the NDC:
* MUST have a "delegation" attribute indicating the preconfigured
delegation that applies to this Order;
* MUST have entries in the "identifiers" field for each delegated
name present in the configuration; and
* MUST have the "allow-certificate-get" attribute set to true.
POST /acme/new-order HTTP/1.1
Host: acme.ido.example
Content-Type: application/jose+json
{
"protected": base64url({
"alg": "ES256",
"kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg",
"nonce": "IYBkoQfaCS80UcCn9qH8Gt",
"url": "https://acme.ido.example/acme/new-order"
}),
"payload": base64url({
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen",
"allow-certificate-get": true
}),
"signature": "j9JBUvMigi4zodud...acYkEKaa8gqWyZ6H"
}
Figure 7: New Non-STAR Order from NDC
The order object that is created on the IdO:
* MUST start in the "ready" state;
* MUST contain an "authorizations" array with zero elements;
* MUST contain the indicated "delegation" configuration; and
* MUST contain the indicated "allow-certificate-get" setting.
{
"status": "ready",
"expires": "2021-05-01T00:00:00Z",
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen",
"allow-certificate-get": true,
"authorizations": [],
"finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize"
}
Figure 8: Non-STAR Order Resource Created on IdO
The Order finalization by the NDC and the subsequent validation of
the CSR by the IdO proceed in the same way as for the STAR case. If
the CSR is successfully validated, the order object status moves to
"processing" and the twin ACME protocol instance is initiated on the
IdO-CA side.
The request object created by the IdO:
* MUST copy the identifiers sent by the NDC;
* MUST strip the "delegation" attribute; and
* MUST copy the "allow-certificate-get" attribute.
When the identifiers' authorization has been successfully completed
and the certificate has been issued by the CA, the IdO:
* MUST move its Order resource status to "valid" and
* MUST copy the "certificate" field from the Order returned by the
CA into its Order resource, as well as "notBefore" and "notAfter"
if these fields exist.
{
"status": "valid",
"expires": "2021-05-01T00:00:00Z",
"identifiers": [
{
"type": "dns",
"value": "abc.ido.example"
}
],
"delegation":
"https://acme.ido.example/acme/delegation/gm0wfLYHBen",
"allow-certificate-get": true,
"authorizations": [],
"finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize",
"certificate": "https://acme.ca.example/acme/order/YtR23SsdG9"
}
Figure 9: Non-STAR Order Resource Updated on IdO
At this point of the protocol flow, the same considerations as in
Section 2.3.2.1 apply.
Before forwarding the Order request to the CA, the IdO SHOULD ensure
that the selected CA supports unauthenticated GET by inspecting the
relevant settings in the CA's directory object, as per Section 2.3.5.
If the CA does not support unauthenticated GET of certificate
resources, the IdO MUST NOT forward the Order request. Instead, it
MUST move the Order status to "invalid" and set the "allow-
certificate-get" attribute to "false". The same occurs in case the
Order request is forwarded and the CA does not reflect the "allow-
certificate-get" setting in its Order resource. The combination of
"invalid" status and denied "allow-certificate-get" in the Order
resource at the IdO provides an unambiguous (asynchronous) signal to
the NDC about the failure reason.
2.3.4. Capability Discovery
In order to help a client discover support for this profile, the
directory object of an ACME server (typically, one deployed by the
IdO) contains the following attribute in the "meta" field:
delegation-enabled (optional, boolean): Boolean flag indicating
support for the profile specified in this memo. An ACME server
that supports this delegation profile MUST include this key and
MUST set it to true.
The IdO MUST declare its support for delegation using "delegation-
enabled" regardless of whether it supports delegation of STAR
certificates, non-STAR certificates, or both.
In order to help a client discover support for certificate fetching
using unauthenticated HTTP GET, the directory object of an ACME
server (typically, one deployed by the CA) contains the following
attribute in the "meta" field:
allow-certificate-get (optional, boolean): See Section 2.3.5.
2.3.5. Negotiating an Unauthenticated GET
In order to enable the name delegation of non-STAR certificates, this
document defines a mechanism that allows a server to advertise
support for accessing certificate resources via unauthenticated GET
(in addition to POST-as-GET) and a client to enable this service with
per-Order granularity.
It is worth pointing out that the protocol elements described in this
section have the same names and semantics as those introduced in
Section 3.4 of [RFC8739] for the STAR use case (except, of course,
they apply to the certificate resource rather than the star-
certificate resource). However, they differ in terms of their
position in the directory meta and order objects; rather than being
wrapped in an "auto-renewal" subobject, they are located at the top
level.
A server states its availability to grant unauthenticated access to a
client's Order certificate by setting the "allow-certificate-get"
attribute to "true" in the "meta" field inside the directory object:
allow-certificate-get (optional, boolean): If this field is present
and set to "true", the server allows GET (and HEAD) requests to
certificate URLs.
A client states its desire to access the issued certificate via
unauthenticated GET by adding an "allow-certificate-get" attribute to
the payload of its newOrder request and setting it to "true".
allow-certificate-get (optional, boolean): If this field is present
and set to "true", the client requests the server to allow
unauthenticated GET (and HEAD) to the certificate associated with
this Order.
If the server accepts the request, it MUST reflect the attribute
setting in the resulting order object.
Note that even when the use of unauthenticated GET has been agreed
upon, the server MUST also allow POST-as-GET requests to the
certificate resource.
2.3.6. Terminating the Delegation
Identity delegation is terminated differently depending on whether or
not this is a STAR certificate.
2.3.6.1. By Cancellation (STAR)
The IdO can terminate the delegation of a STAR certificate by
requesting its cancellation (see Section 3.1.2 of [RFC8739]).
Cancellation of the ACME STAR certificate is a prerogative of the
IdO. The NDC does not own the relevant account key on the CA;
therefore, it can't issue a cancellation request for the STAR
certificate. Potentially, since it holds the STAR certificate's
private key, it could request the revocation of a single STAR
certificate. However, STAR explicitly disables the revokeCert
interface.
Shortly after the automatic renewal process is stopped by the IdO,
the last issued STAR certificate expires and the delegation
terminates.
2.3.6.2. By Revocation (Non-STAR)
The IdO can terminate the delegation of a non-STAR certificate by
requesting it to be revoked using the "revokeCert" URL exposed by the
CA.
According to Section 7.6 of [RFC8555], the revocation endpoint can be
used with either the account key pair or the certificate key pair.
In other words, an NDC that learns the "revokeCert" URL of the CA
(which is publicly available via the CA's directory object) would be
able to revoke the certificate using the associated private key.
However, given the trust relationship between the NDC and IdO
expected by the delegation trust model (Section 7.1), as well as the
lack of incentives for the NDC to prematurely terminate the
delegation, this does not represent a significant security risk.
2.4. Proxy Behavior
There are cases where the ACME Delegation flow should be proxied,
such as the use case described in Section 5.1.2. This section
describes the behavior of such proxies.
An entity implementing the IdO server role -- an "ACME Delegation
server" -- may behave, on a per-identity case, either as a proxy into
another ACME Delegation server or as an IdO and obtain a certificate
directly. The determining factor is whether it can successfully be
authorized by the next-hop ACME server for the identity associated
with the certificate request.
The identities supported by each server and the disposition for each
of them are preconfigured.
Following is the proxy's behavior for each of the messages exchanged
in the ACME Delegation process:
New-order request:
* The complete "identifiers" attribute MUST be copied as is.
* Similarly, the "auto-renewal" object MUST be copied as is.
New-order response:
* The "status", "expires", "authorizations", "identifiers", and
"auto-renewal" attributes/objects MUST be copied as is.
* The "finalize" URL is rewritten so that the "finalize" request
will be made to the proxy.
* Similarly, the "Location" header MUST be rewritten to point to
an order object on the proxy.
* Any "Link" relations MUST be rewritten to point to the proxy.
Get Order response:
* The "status", "expires", "authorizations", "identifiers", and
"auto-renewal" attributes/objects MUST be copied as is.
* Similarly, the "star-certificate" URL (or the "certificate" URL
in case of non-STAR requests) MUST be copied as is.
* The "finalize" URL is rewritten so that the "finalize" request
will be made to the proxy.
* The "Location" header MUST be rewritten to point to an order
object on the proxy.
* Any "Link" relations MUST be rewritten to point to the proxy.
"finalize" request:
* The CSR MUST be copied as is.
"finalize" response:
* The "Location" header, "Link" relations, and the "finalize"
URLs are rewritten as for Get Order.
We note that all the above messages are authenticated; therefore,
each proxy must be able to authenticate any subordinate server.
3. CA Behavior
Although most of this document, and in particular Section 2, is
focused on the protocol between the NDC and IdO, the protocol does
affect the ACME server running in the CA. A CA that wishes to
support certificate delegation MUST also support unauthenticated
certificate fetching, which it declares using "allow-certificate-get"
(Section 2.3.5, Paragraph 3).
4. CSR Template
The CSR template is used to express and constrain the shape of the
CSR that the NDC uses to request the certificate. The CSR is used
for every certificate created under the same delegation. Its
validation by the IdO is a critical element in the security of the
whole delegation mechanism.
Instead of defining every possible CSR attribute, this document takes
a minimalist approach by declaring only the minimum attribute set and
deferring the registration of further, more-specific attributes to
future documents.
4.1. Template Syntax
The template is a JSON document. Each field (with the exception of
"keyTypes", see below) denotes one of the following:
* A mandatory field where the template specifies the literal value
of that field. This is denoted by a literal string, such as
"abc.ido.example".
* A mandatory field where the content of the field is defined by the
client. This is denoted by "**".
* An optional field where the client decides whether the field is
included in the CSR and, if so, what its value is. This is
denoted by "*".
The NDC MUST NOT include any fields in the CSR, including any
extensions, unless they are specified in the template.
The structure of the template object is defined by the Concise Data
Definition Language (CDDL) [RFC8610] document in Appendix A. An
alternative, nonnormative JSON Schema syntax is given in Appendix B.
While the CSR template must follow the syntax defined here, neither
the IdO nor the NDC are expected to validate it at runtime.
The "subject" field and its subfields are mapped into the "subject"
field of the CSR, as per Section 4.1.2.6 of [RFC5280]. Other
extension fields of the CSR template are mapped into the CSR
according to the table in Section 6.5.
The "subjectAltName" field is currently defined for the following
identifiers: DNS names, email addresses, and URIs. New identifier
types may be added in the future by documents that extend this
specification. Each new identifier type SHALL have an associated
identifier validation challenge that the CA can use to obtain proof
of the requester's control over it.
The "keyTypes" property is not copied into the CSR. Instead, this
property constrains the "SubjectPublicKeyInfo" field of the CSR,
which MUST have the type/size defined by one of the array members of
the "keyTypes" property.
When the IdO receives the CSR, it MUST verify that the CSR is
consistent with the template contained in the "delegation" object
referenced in the Order. The IdO MAY enforce additional constraints,
e.g., by restricting field lengths. In this regard, note that a
"subjectAltName" of type "DNS" can be specified using the wildcard
notation, meaning that the NDC can be required ("**") or offered the
possibility ("*") to define the delegated domain name by itself. If
this is the case, the IdO MUST apply application-specific checks on
top of the control rules already provided by the CSR template to
ensure the requested domain name is legitimate according to its local
policy.
4.2. Example
The CSR template in Figure 10 represents one possible CSR template
governing the delegation exchanges provided in the rest of this
document.
{
"keyTypes": [
{
"PublicKeyType": "rsaEncryption",
"PublicKeyLength": 2048,
"SignatureType": "sha256WithRSAEncryption"
},
{
"PublicKeyType": "id-ecPublicKey",
"namedCurve": "secp256r1",
"SignatureType": "ecdsa-with-SHA256"
}
],
"subject": {
"country": "CA",
"stateOrProvince": "**",
"locality": "**"
},
"extensions": {
"subjectAltName": {
"DNS": [
"abc.ido.example"
]
},
"keyUsage": [
"digitalSignature"
],
"extendedKeyUsage": [
"serverAuth",
"clientAuth"
]
}
}
Figure 10: Example CSR Template
5. Further Use Cases
This nonnormative section describes additional use cases implementing
the STAR certificate delegation in nontrivial ways.
5.1. CDN Interconnection (CDNI)
[HTTPS-DELEGATION] discusses several solutions addressing different
delegation requirements for the CDN Interconnection (CDNI)
environment. This section discusses two of the stated requirements
in the context of the STAR delegation workflow.
This section uses specific CDNI terminology, e.g., Upstream CDN
(uCDN) and Downstream (dCDN), as defined in [RFC7336].
5.1.1. Multiple Parallel Delegates
In some cases, the content owner (IdO) would like to delegate
authority over a website to multiple NDCs (CDNs). This could happen
if the IdO has agreements in place with different regional CDNs for
different geographical regions or if a "backup" CDN is used to handle
overflow traffic by temporarily altering some of the CNAME mappings
in place. The STAR delegation flow enables this use case naturally,
since each CDN can authenticate separately to the IdO (via its own
separate account) specifying its CSR, and the IdO is free to allow or
deny each certificate request according to its own policy.
5.1.2. Chained Delegation
In other cases, a content owner (IdO) delegates some domains to a
large CDN (uCDN), which in turn delegates to a smaller regional CDN
(dCDN). The IdO has a contractual relationship with uCDN, and uCDN
has a similar relationship with dCDN. However, IdO may not even know
about dCDN.
If needed, the STAR protocol can be chained to support this use case:
uCDN could forward requests from dCDN to IdO and forward responses
back to dCDN. Whether such proxying is allowed is governed by policy
and contracts between the parties.
A mechanism is necessary at the interface between uCDN and dCDN, by
which the uCDN can advertise:
* the names that the dCDN is allowed to use and
* the policy for creating the key material (allowed algorithms,
minimum key lengths, key usage, etc.) that the dCDN needs to
satisfy.
Note that such mechanism is provided by the CSR template.
5.1.2.1. Two-Level Delegation in CDNI
A User Agent (UA), e.g., a browser or set-top box, wants to fetch the
video resource at the following URI: "https://video.cp.example/
movie". Redirection between the content provider (CP) and upstream
and downstream CDNs is arranged as a CNAME-based aliasing chain, as
illustrated in Figure 11.
.------------.
video.cp.example ? | .-----. |
.---------------------------------->| | |
| (a) | | DNS | CP |
| .-------------------------------+ | |
| | CNAME video.ucdn.example | '-----' |
| | '------------'
| |
| |
.-----------|---v--. .------------.
| .-----.-+-----. | video.ucdn.example ? | .-----. |
| | | +----------------------------->| | |
| UA | TLS | DNS | | (b) | | DNS | uCDN |
| | | |<-----------------------------+ | |
| '--+--'-----+-' | CNAME video.dcdn.example | '-----' |
'------|----^---|--' '------------'
| | |
| | |
| | | .------------.
| | | video.dcdn.example ? | .-----. |
| | '------------------------------>| | |
| | (c) | | DNS | |
| '-----------------------------------+ | |
| A 192.0.2.1 | +-----+ dCDN |
| | | | |
'--------------------------------------->| TLS | |
SNI: video.cp.example | | | |
| '-----' |
'------------'
Figure 11: DNS Redirection
Unlike HTTP-based redirection, where the original URL is supplanted
by the one found in the "Location" header of the 302 response, DNS
redirection is completely transparent to the User Agent. As a
result, the TLS connection to the dCDN edge is done with a Server
Name Indication (SNI) equal to the "host" in the original URI -- in
the example, "video.cp.example". So, in order to successfully
complete the handshake, the landing dCDN node has to be configured
with a certificate whose "subjectAltName" field matches
"video.cp.example", i.e., a content provider's name.
Figure 12 illustrates the cascaded delegation flow that allows dCDN
to obtain a STAR certificate that bears a name belonging to the
content provider with a private key that is only known to the dCDN.
.--------------------.
| .------.------. |
| | STAR | ACME |<-------------.
| CP | dele | STAR | | |
| | srv | cli +-----. |
| '---+--'------' | | 6
'---------|------^---' 5 |
| | | .--|-------.
| | | | .-+----. |
7 | '---->| ACME | |
| | | | STAR | C |
| 4 | +------| A |
| | | | HTTP | |
| | | '----+-' |
| .-' '--^--|----'
.--------------v--|--. | |
| .------.----+-. | | 10
| | | STAR | | | |
| uCDN | CDNI | dele | | | |
| | | fwd | | | |
| '----+-'-+----' | | |
'-------^--|---|--^--' | |
| | | | | |
| 2 8 | | |
1 | | 3 | |
| | | | 9 |
.-------|--v---v--|---------. | |
| .-+----.----+-.------. | | |
| | | STAR | +------------' |
| dCDN | CDNI | dele | HTTP | | |
| | | cli | |<--------------'
| '------'------'------' |
'---------------------------'
Figure 12: Two-Level Delegation in CDNI
uCDN is configured to delegate to dCDN, and CP is configured to
delegate to uCDN, both as defined in Section 2.3.1.
1. dCDN requests CDNI path metadata to uCDN.
2. uCDN replies with, among other CDNI metadata, the STAR
delegation configuration, which includes the delegated content
provider's name.
3. dCDN creates a key pair and the CSR with the delegated name. It
then places an order for the delegated name to uCDN.
4. uCDN forwards the received order to the content provider (CP).
5. CP creates an order for a STAR certificate and sends it to the
CA. The order also requests unauthenticated access to the
certificate resource.
6. After all authorizations complete successfully, the STAR
certificate is issued.
7. CP notifies uCDN that the STAR certificate is available at the
order's "star-certificate" URL.
8. uCDN forwards the information to dCDN. At this point, the ACME
signaling is complete.
9. dCDN requests the STAR certificate using unauthenticated GET
from the CA.
10. The CA returns the certificate. Now dCDN is fully configured to
handle HTTPS traffic in lieu of the content provider.
Note that 9 and 10 repeat until the delegation expires or is
terminated.
5.2. Secure Telephone Identity Revisited (STIR)
As a second use case, we consider the delegation of credentials in
the STIR ecosystem [RFC9060].
This section uses STIR terminology. The term Personal Assertion
Token (PASSporT) is defined in [RFC8225], and "TNAuthList" is defined
in [RFC8226].
In the STIR delegated mode, a service provider SP2 -- the NDC --
needs to sign PASSporTs [RFC8225] for telephone numbers (e.g.,
TN=+123) belonging to another service provider, SP1 -- the IdO. In
order to do that, SP2 needs a STIR certificate and a private key that
includes TN=+123 in the TNAuthList [RFC8226] certificate extension.
In detail (Figure 13):
1. SP1 and SP2 agree on the configuration of the delegation -- in
particular, the CSR template that applies.
2. SP2 generates a private/public key pair and sends a CSR to SP1,
requesting creation of a certificate with an SP1 name, an SP2
public key, and a TNAuthList extension with the list of TNs that
SP1 delegates to SP2. (Note that the CSR sent by SP2 to SP1
needs to be validated against the CSR template agreed upon in
step 1.).
3. SP1 sends an order for the CSR to the CA. The order also
requests unauthenticated access to the certificate resource.
4. Subsequently, after the required TNAuthList authorizations are
successfully completed, the CA moves the order to a "valid"
state; at the same time, the star-certificate endpoint is
populated.
5. The contents of the order are forwarded from SP1 to SP2 by means
of the paired "delegation" order.
6. SP2 dereferences the "star-certificate" URL in the order to fetch
the rolling STAR certificate bearing the delegated identifiers.
7. The STAR certificate is returned to SP2.
.-------------------.
| .------.------. |
| | STAR | STAR |<--------------.
.-->| SP1 | dele | dele | | |
| | | srv | cli +-----. |
| | '----+-'------' | | 4
| '------^--|---------' 3 |
| | | | .----|-----.
| | 5 | | .---+--. |
| | | '--->| ACME | |
| | | | | STAR | C |
1 | | | +------| A |
| | | .--->| HTTP | |
| 2 | | | '---+--' |
| | | | '----|-----'
| .------|--v---------. 6 |
| | .-+----.------. | | 7
| | | STAR | +-----' |
'-->| SP2 | dele | HTTP | | |
| | cli | |<--------------'
| '----+-'-+----' |
'-------------------'
Figure 13: Delegation in STIR
As shown, the STAR delegation profile described in this document
applies straightforwardly; the only extra requirement being the
ability to instruct the NDC about the allowed TNAuthList values.
This can be achieved by a simple extension to the CSR template.
6. IANA Considerations
6.1. New Fields in the "meta" Object within a Directory Object
This document adds the following entries to the "ACME Directory
Metadata Fields" registry:
+=======================+============+===========+
| Field Name | Field Type | Reference |
+=======================+============+===========+
| delegation-enabled | boolean | RFC 9115 |
+-----------------------+------------+-----------+
| allow-certificate-get | boolean | RFC 9115 |
+-----------------------+------------+-----------+
Table 1
6.2. New Fields in the Order Object
This document adds the following entries to the "ACME Order Object
Fields" registry:
+=======================+============+==============+===========+
| Field Name | Field Type | Configurable | Reference |
+=======================+============+==============+===========+
| allow-certificate-get | boolean | true | RFC 9115 |
+-----------------------+------------+--------------+-----------+
| delegation | string | true | RFC 9115 |
+-----------------------+------------+--------------+-----------+
Table 2
6.3. New Fields in the Account Object
This document adds the following entries to the "ACME Account Object
Fields" registry:
+=============+============+==========+===========+
| Field Name | Field Type | Requests | Reference |
+=============+============+==========+===========+
| delegations | string | none | RFC 9115 |
+-------------+------------+----------+-----------+
Table 3
Note that the "delegations" field is only reported by ACME servers
that have "delegation-enabled" set to true in their meta Object.
6.4. New Error Types
This document adds the following entries to the "ACME Error Types"
registry:
+===================+================================+===========+
| Type | Description | Reference |
+===================+================================+===========+
| unknownDelegation | An unknown configuration is | RFC 9115 |
| | listed in the "delegation" | |
| | attribute of the order request | |
+-------------------+--------------------------------+-----------+
Table 4
6.5. CSR Template Extensions
IANA has established the "STAR Delegation CSR Template Extensions"
registry, with "Specification Required" as its registration
procedure.
Each extension registered must specify:
* an extension name,
* an extension syntax, as a reference to a CDDL document that
defines this extension, and
* the extension's mapping into an X.509 certificate extension.
The initial contents of this registry are the extensions defined by
the CDDL in Appendix A.
+==================+===========+===============================+
| Extension Name | Extension | Mapping to X.509 Certificate |
| | Syntax | Extension |
+==================+===========+===============================+
| keyUsage | See | [RFC5280], Section 4.2.1.3 |
| | Appendix | |
| | A | |
+------------------+-----------+-------------------------------+
| extendedKeyUsage | See | [RFC5280], Section 4.2.1.12 |
| | Appendix | |
| | A | |
+------------------+-----------+-------------------------------+
| subjectAltName | See | [RFC5280], Section 4.2.1.6 |
| | Appendix | (note that only specific name |
| | A | formats are allowed: URI, DNS |
| | | name, email address) |
+------------------+-----------+-------------------------------+
Table 5
When evaluating a request for an assignment in this registry, the
designated expert should follow this guidance:
* The definition must include a full CDDL definition, which the
expert will validate.
* The definition must include both positive and negative test cases.
* Additional requirements that are not captured by the CDDL
definition are allowed but must be explicitly specified.
7. Security Considerations
7.1. Trust Model
The ACME trust model needs to be extended to include the trust
relationship between NDC and IdO. Note that once this trust link is
established, it potentially becomes recursive. Therefore, there has
to be a trust relationship between each of the nodes in the
delegation chain; for example, in case of cascading CDNs, this is
contractually defined. Note that when using standard [RFC6125]
identity verification, there are no mechanisms available to the IdO
to restrict the use of the delegated name once the name has been
handed over to the first NDC. It is, therefore, expected that
contractual measures are in place to get some assurance that
redelegation is not being performed.
7.2. Delegation Security Goal
Delegation introduces a new security goal: only an NDC that has been
authorized by the IdO, either directly or transitively, can obtain a
certificate with an IdO identity.
From a security point of view, the delegation process has five
separate parts:
1. enabling a specific third party (the intended NDC) to submit
requests for delegated certificates
2. making sure that any request for a delegated certificate matches
the intended "shape" in terms of delegated identities as well as
any other certificate metadata, e.g., key length, x.509
extensions, etc.
3. serving the certificate back to the NDC
4. handling revocation of the delegation
5. handling revocation of the certificate itself
The first part is covered by the NDC's ACME account that is
administered by the IdO, whose security relies on the correct
handling of the associated key pair. When a compromise of the
private key is detected, the delegate MUST use the account
deactivation procedures defined in Section 7.3.6 of [RFC8555].
The second part is covered by the act of checking an NDC's
certificate request against the intended CSR template. The steps of
shaping the CSR template correctly, selecting the right CSR template
to check against the presented CSR, and making sure that the
presented CSR matches the selected CSR template are all security
relevant.
The third part builds on the trust relationship between NDC and IdO
that is responsible for correctly forwarding the certificate URL from
the Order returned by the CA.
The fourth part is associated with the ability of the IdO to
unilaterally remove the "delegation" object associated with the
revoked identity, therefore, disabling any further NDC requests for
such identity. Note that, in more extreme circumstances, the IdO
might decide to disable the NDC account, thus entirely blocking any
further interaction.
The fifth is covered by two different mechanisms, depending on the
nature of the certificate. For STAR, the IdO shall use the
cancellation interface defined in Section 2.3 of [RFC8739]. For non-
STAR, the certificate revocation interface defined in Section 7.6 of
[RFC8555]) is used.
The ACME account associated with the delegation plays a crucial role
in the overall security of the presented protocol. This, in turn,
means that (in delegation scenarios) the security requirements and
verification associated with an ACME account may be more stringent
than in base ACME deployments, since the out-of-band configuration of
delegations that an account is authorized to use (combined with
account authentication) takes the place of the normal ACME
authorization challenge procedures. Therefore, the IdO MUST ensure
that each account is associated with the exact policies (via their
matching "delegation" objects) that define which domain names can be
delegated to the account and how. The IdO is expected to use out-of-
band means to preregister each NDC to the corresponding account.
7.3. New ACME Channels
Using the model established in Section 10.1 of [RFC8555], we can
decompose the interactions of the basic delegation workflow, as shown
in Figure 14.
.-----. ACME Channel .--------.
| NDC +------------->| IdO |
'--+--' | server |
| '--o-----'
| |
| | ACME Channel
| | .------------>-------------.
| | | |
| .--o--+--. .--+---.
| | IdO | | CA |
| | client | '--+-+-'
| '-----+--' | |
| '-----------<--------------' |
| Validation Channel |
'-------------------->-------------------------------'
(subset of) ACME Channel [1]
[1] Unauthenticated certificate fetch and non-STAR certificate
revocation.
Figure 14: Delegation Channels Topology
The considerations regarding the security of the ACME Channel and
Validation Channel discussed in [RFC8555] apply verbatim to the IdO-
CA leg. The same can be said for the ACME Channel on the NDC-IdO
leg. A slightly different set of considerations apply to the ACME
Channel between the NDC and CA, which consists of a subset of the
ACME interface comprising two API endpoints: the unauthenticated
certificate retrieval and, potentially, non-STAR revocation via
certificate private key. No specific security considerations apply
to the former, but the privacy considerations in Section 6.3 of
[RFC8739] do. With regard to the latter, it should be noted that
there is currently no means for an IdO to disable authorizing
revocation based on certificate private keys. So, in theory, an NDC
could use the revocation API directly with the CA, therefore,
bypassing the IdO. The NDC SHOULD NOT directly use the revocation
interface exposed by the CA unless failing to do so would compromise
the overall security, for example, if the certificate private key is
compromised and the IdO is not currently reachable.
All other security considerations from [RFC8555] and [RFC8739] apply
as is to the delegation topology.
7.4. Restricting CDNs to the Delegation Mechanism
When a website is delegated to a CDN, the CDN can in principle modify
the website at will, e.g., create and remove pages. This means that
a malicious or breached CDN can pass the ACME (as well as common non-
ACME) HTTPS-based validation challenges and generate a certificate
for the site. This is true regardless of whether or not the CNAME
mechanisms defined in the current document is used.
In some cases, this is the desired behavior; the domain holder trusts
the CDN to have full control of the cryptographic credentials for the
site. However, this document assumes a scenario where the domain
holder only wants to delegate restricted control and wishes to retain
the capability to cancel the CDN's credentials at a short notice.
The following is a possible mitigation when the IdO wishes to ensure
that a rogue CDN cannot issue unauthorized certificates:
* The domain holder makes sure that the CDN cannot modify the DNS
records for the domain. The domain holder should ensure it is the
only entity authorized to modify the DNS zone. Typically, it
establishes a CNAME resource record from a subdomain into a CDN-
managed domain.
* The domain holder uses a Certification Authority Authorization
(CAA) record [RFC8659] to restrict certificate issuance for the
domain to specific CAs that comply with ACME and are known to
implement [RFC8657].
* The domain holder uses the ACME-specific CAA mechanism [RFC8657]
to restrict issuance to a specific CA account that is controlled
by it and MUST require "dns-01" as the sole validation method.
We note that the above solution may need to be tweaked depending on
the exact capabilities and authorization flows supported by the
selected CA. In addition, this mitigation may be bypassed if a
malicious or misconfigured CA does not comply with CAA restrictions.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC2986] Nystrom, M. and B. Kaliski, "PKCS #10: Certification
Request Syntax Specification Version 1.7", RFC 2986,
DOI 10.17487/RFC2986, November 2000,
<https://www.rfc-editor.org/info/rfc2986>.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,
<https://www.rfc-editor.org/info/rfc5280>.
[RFC7807] Nottingham, M. and E. Wilde, "Problem Details for HTTP
APIs", RFC 7807, DOI 10.17487/RFC7807, March 2016,
<https://www.rfc-editor.org/info/rfc7807>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8555] Barnes, R., Hoffman-Andrews, J., McCarney, D., and J.
Kasten, "Automatic Certificate Management Environment
(ACME)", RFC 8555, DOI 10.17487/RFC8555, March 2019,
<https://www.rfc-editor.org/info/rfc8555>.
[RFC8610] Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and
JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
June 2019, <https://www.rfc-editor.org/info/rfc8610>.
[RFC8739] Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor
Perales, A., and T. Fossati, "Support for Short-Term,
Automatically Renewed (STAR) Certificates in the Automated
Certificate Management Environment (ACME)", RFC 8739,
DOI 10.17487/RFC8739, March 2020,
<https://www.rfc-editor.org/info/rfc8739>.
8.2. Informative References
[HTTPS-DELEGATION]
Fieau, F., Stephan, E., and S. Mishra, "CDNI extensions
for HTTPS delegation", Work in Progress, Internet-Draft,
draft-ietf-cdni-interfaces-https-delegation-06, 10
September 2021, <https://datatracker.ietf.org/doc/html/
draft-ietf-cdni-interfaces-https-delegation-06>.
[json-schema-07]
Wright, A., Andrews, H., and B. Hutton, "JSON Schema
Validation: A Vocabulary for Structural Validation of
JSON", Work in Progress, Internet-Draft, draft-handrews-
json-schema-validation-02, 17 September 2019,
<https://datatracker.ietf.org/doc/html/draft-handrews-
json-schema-validation-02>.
[MGLT-LURK-TLS13]
Migault, D., "LURK Extension version 1 for (D)TLS 1.3
Authentication", Work in Progress, Internet-Draft, draft-
mglt-lurk-tls13-05, 26 July 2021,
<https://datatracker.ietf.org/doc/html/draft-mglt-lurk-
tls13-05>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
"Framework for Content Distribution Network
Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
August 2014, <https://www.rfc-editor.org/info/rfc7336>.
[RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion
Token", RFC 8225, DOI 10.17487/RFC8225, February 2018,
<https://www.rfc-editor.org/info/rfc8225>.
[RFC8226] Peterson, J. and S. Turner, "Secure Telephone Identity
Credentials: Certificates", RFC 8226,
DOI 10.17487/RFC8226, February 2018,
<https://www.rfc-editor.org/info/rfc8226>.
[RFC8657] Landau, H., "Certification Authority Authorization (CAA)
Record Extensions for Account URI and Automatic
Certificate Management Environment (ACME) Method Binding",
RFC 8657, DOI 10.17487/RFC8657, November 2019,
<https://www.rfc-editor.org/info/rfc8657>.
[RFC8659] Hallam-Baker, P., Stradling, R., and J. Hoffman-Andrews,
"DNS Certification Authority Authorization (CAA) Resource
Record", RFC 8659, DOI 10.17487/RFC8659, November 2019,
<https://www.rfc-editor.org/info/rfc8659>.
[RFC9060] Peterson, J., "Secure Telephone Identity Revisited (STIR)
Certificate Delegation", RFC 9060, DOI 10.17487/RFC9060,
September 2021, <https://www.rfc-editor.org/info/rfc9060>.
[TLS-SUBCERTS]
Barnes, R., Iyengar, S., Sullivan, N., and E. Rescorla,
"Delegated Credentials for TLS", Work in Progress,
Internet-Draft, draft-ietf-tls-subcerts-10, 24 January
2021, <https://datatracker.ietf.org/doc/html/draft-ietf-
tls-subcerts-10>.
[TOKEN-TNAUTHLIST]
Wendt, C., Hancock, D., Barnes, M., and J. Peterson,
"TNAuthList profile of ACME Authority Token", Work in
Progress, Internet-Draft, draft-ietf-acme-authority-token-
tnauthlist-08, 27 March 2021,
<https://datatracker.ietf.org/doc/html/draft-ietf-acme-
authority-token-tnauthlist-08>.
Appendix A. CSR Template: CDDL
Following is the normative definition of the CSR template using CDDL
[RFC8610]. The CSR template MUST be a valid JSON document that is
compliant with the syntax defined here.
There are additional constraints not expressed in CDDL that MUST be
validated by the recipient, including:
* the value of each "subjectAltName" entry is compatible with its
type and
* the parameters in each "keyTypes" entry form an acceptable
combination.
csr-template-schema = {
keyTypes: [ + $keyType ]
? subject: non-empty<distinguishedName>
extensions: extensions
}
non-empty<M> = (M) .and ({ + any => any })
mandatory-wildcard = "**"
optional-wildcard = "*"
wildcard = mandatory-wildcard / optional-wildcard
; regtext matches all text strings but "*" and "**"
regtext = text .regexp "([^\*].*)|([\*][^\*].*)|([\*][\*].+)"
regtext-or-wildcard = regtext / wildcard
distinguishedName = {
? country: regtext-or-wildcard
? stateOrProvince: regtext-or-wildcard
? locality: regtext-or-wildcard
? organization: regtext-or-wildcard
? organizationalUnit: regtext-or-wildcard
? emailAddress: regtext-or-wildcard
? commonName: regtext-or-wildcard
}
$keyType /= rsaKeyType
$keyType /= ecdsaKeyType
rsaKeyType = {
PublicKeyType: "rsaEncryption" ; OID: 1.2.840.113549.1.1.1
PublicKeyLength: rsaKeySize
SignatureType: $rsaSignatureType
}
rsaKeySize = uint
; RSASSA-PKCS1-v1_5 with SHA-256
$rsaSignatureType /= "sha256WithRSAEncryption"
; RSASSA-PCKS1-v1_5 with SHA-384
$rsaSignatureType /= "sha384WithRSAEncryption"
; RSASSA-PCKS1-v1_5 with SHA-512
$rsaSignatureType /= "sha512WithRSAEncryption"
; RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a 32 byte salt
$rsaSignatureType /= "sha256WithRSAandMGF1"
; RSASSA-PSS with SHA-384, MGF-1 with SHA-384, and a 48 byte salt
$rsaSignatureType /= "sha384WithRSAandMGF1"
; RSASSA-PSS with SHA-512, MGF-1 with SHA-512, and a 64 byte salt
$rsaSignatureType /= "sha512WithRSAandMGF1"
ecdsaKeyType = {
PublicKeyType: "id-ecPublicKey" ; OID: 1.2.840.10045.2.1
namedCurve: $ecdsaCurve
SignatureType: $ecdsaSignatureType
}
$ecdsaCurve /= "secp256r1" ; OID: 1.2.840.10045.3.1.7
$ecdsaCurve /= "secp384r1" ; OID: 1.3.132.0.34
$ecdsaCurve /= "secp521r1" ; OID: 1.3.132.0.3
$ecdsaSignatureType /= "ecdsa-with-SHA256" ; paired with secp256r1
$ecdsaSignatureType /= "ecdsa-with-SHA384" ; paired with secp384r1
$ecdsaSignatureType /= "ecdsa-with-SHA512" ; paired with secp521r1
subjectaltname = {
? DNS: [ + regtext-or-wildcard ]
? Email: [ + regtext ]
? URI: [ + regtext ]
* $$subjectaltname-extension
}
extensions = {
? keyUsage: [ + keyUsageType ]
? extendedKeyUsage: [ + extendedKeyUsageType ]
subjectAltName: non-empty<subjectaltname>
}
keyUsageType /= "digitalSignature"
keyUsageType /= "nonRepudiation"
keyUsageType /= "keyEncipherment"
keyUsageType /= "dataEncipherment"
keyUsageType /= "keyAgreement"
keyUsageType /= "keyCertSign"
keyUsageType /= "cRLSign"
keyUsageType /= "encipherOnly"
keyUsageType /= "decipherOnly"
extendedKeyUsageType /= "serverAuth"
extendedKeyUsageType /= "clientAuth"
extendedKeyUsageType /= "codeSigning"
extendedKeyUsageType /= "emailProtection"
extendedKeyUsageType /= "timeStamping"
extendedKeyUsageType /= "OCSPSigning"
extendedKeyUsageType /= oid
oid = text .regexp "([0-2])((\.0)|(\.[1-9][0-9]*))*"
Appendix B. CSR Template: JSON Schema
This appendix includes an alternative, nonnormative JSON Schema
definition of the CSR template. The syntax used is that of draft 7
of JSON Schema, which is documented in [json-schema-07]. Note that
later versions of this (now-expired) draft describe later versions of
the JSON Schema syntax. At the time of writing, a stable reference
for this syntax is not yet available, and we have chosen to use the
draft version, which is currently best supported by tool
implementations.
The same considerations about additional constraints checking
discussed in Appendix A apply here as well.
{
"title": "JSON Schema for the STAR Delegation CSR template",
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "http://ietf.org/acme/drafts/star-delegation/csr-template",
"$defs": {
"distinguished-name": {
"$id": "#distinguished-name",
"type": "object",
"minProperties": 1,
"properties": {
"country": {
"type": "string"
},
"stateOrProvince": {
"type": "string"
},
"locality": {
"type": "string"
},
"organization": {
"type": "string"
},
"organizationalUnit": {
"type": "string"
},
"emailAddress": {
"type": "string"
},
"commonName": {
"type": "string"
}
},
"additionalProperties": false
},
"rsaKeyType": {
"$id": "#rsaKeyType",
"type": "object",
"properties": {
"PublicKeyType": {
"type": "string",
"const": "rsaEncryption"
},
"PublicKeyLength": {
"type": "integer"
},
"SignatureType": {
"type": "string",
"enum": [
"sha256WithRSAEncryption",
"sha384WithRSAEncryption",
"sha512WithRSAEncryption",
"sha256WithRSAandMGF1",
"sha384WithRSAandMGF1",
"sha512WithRSAandMGF1"
]
}
},
"required": [
"PublicKeyType",
"PublicKeyLength",
"SignatureType"
],
"additionalProperties": false
},
"ecdsaKeyType": {
"$id": "#ecdsaKeyType",
"type": "object",
"properties": {
"PublicKeyType": {
"type": "string",
"const": "id-ecPublicKey"
},
"namedCurve": {
"type": "string",
"enum": [
"secp256r1",
"secp384r1",
"secp521r1"
]
},
"SignatureType": {
"type": "string",
"enum": [
"ecdsa-with-SHA256",
"ecdsa-with-SHA384",
"ecdsa-with-SHA512"
]
}
},
"required": [
"PublicKeyType",
"namedCurve",
"SignatureType"
],
"additionalProperties": false
}
},
"type": "object",
"properties": {
"keyTypes": {
"type": "array",
"minItems": 1,
"items": {
"anyOf": [
{
"$ref": "#rsaKeyType"
},
{
"$ref": "#ecdsaKeyType"
}
]
}
},
"subject": {
"$ref": "#distinguished-name"
},
"extensions": {
"type": "object",
"properties": {
"keyUsage": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"digitalSignature",
"nonRepudiation",
"keyEncipherment",
"dataEncipherment",
"keyAgreement",
"keyCertSign",
"cRLSign",
"encipherOnly",
"decipherOnly"
]
}
},
"extendedKeyUsage": {
"type": "array",
"minItems": 1,
"items": {
"anyOf": [
{
"type": "string",
"enum": [
"serverAuth",
"clientAuth",
"codeSigning",
"emailProtection",
"timeStamping",
"OCSPSigning"
]
},
{
"type": "string",
"pattern": "^([0-2])((\\.0)|(\\.[1-9][0-9]*))*$",
"description": "Used for OID values"
}
]
}
},
"subjectAltName": {
"type": "object",
"minProperties": 1,
"properties": {
"DNS": {
"type": "array",
"minItems": 1,
"items": {
"anyOf": [
{
"type": "string",
"enum": [
"*",
"**"
]
},
{
"type": "string",
"format": "hostname"
}
]
}
},
"Email": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"format": "email"
}
},
"URI": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"format": "uri"
}
}
},
"additionalProperties": false
}
},
"required": [
"subjectAltName"
],
"additionalProperties": false
}
},
"required": [
"extensions",
"keyTypes"
],
"additionalProperties": false
}
Acknowledgements
We would like to thank the following people who contributed
significantly to this document with their review comments and design
proposals: Richard Barnes, Carsten Bormann, Roman Danyliw, Lars
Eggert, Frédéric Fieau, Russ Housley, Ben Kaduk, Eric Kline, Sanjay
Mishra, Francesca Palombini, Jon Peterson, Ryan Sleevi, Emile
Stephan, and Éric Vyncke.
This work is partially supported by the European Commission under
Horizon 2020 grant agreement no. 688421 Measurement and Architecture
for a Middleboxed Internet (MAMI). This support does not imply
endorsement.
Authors' Addresses
Yaron Sheffer
Intuit
Email: yaronf.ietf@gmail.com
Diego López
Telefonica I+D
Email: diego.r.lopez@telefonica.com
Antonio Agustín Pastor Perales
Telefonica I+D
Email: antonio.pastorperales@telefonica.com
Thomas Fossati
ARM
Email: thomas.fossati@arm.com
|