rfcdiff: draft-ietf-acme-star-delegation-08.txt vs. draft-ietf-acme-star-delegation-09.txt
(where the two versions differ, the -09 text is shown and the -08 text is given in [-08: ...] notes)

ACME                                                          Y. Sheffer
Internet-Draft                                                    Intuit
Intended status: Standards Track                                D. López
Expires: 11 November 2021 (-08) / 13 December 2021 (-09)
                                                       A. Pastor Perales
                                                          Telefonica I+D
                                                              T. Fossati
                                                                     ARM
                                     10 May 2021 (-08) / 11 June 2021 (-09)

         An ACME Profile for Generating Delegated Certificates
    draft-ietf-acme-star-delegation-08 / draft-ietf-acme-star-delegation-09
Abstract

   This document defines a profile of the Automatic Certificate
   Management Environment (ACME) protocol by which the holder of an
   identifier (e.g., a domain name) can allow a third party to obtain an
   X.509 certificate such that the certificate subject is the delegated
   identifier while the certified public key corresponds to a private
   key controlled by the third party.  A primary use case is that of a
   Content Delivery Network (CDN, the third party) terminating TLS
   (unchanged text omitted; diff resumes at page 1, line 45)
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."
   This Internet-Draft will expire on 13 December 2021.
   [-08: 11 November 2021]
Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   (unchanged text omitted; diff resumes at page 3, line 14)
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  32
     7.1.  Trust Model . . . . . . . . . . . . . . . . . . . . . . .  32
     7.2.  Delegation Security Goal  . . . . . . . . . . . . . . . .  32
     7.3.  New ACME Channels . . . . . . . . . . . . . . . . . . . .  33
     7.4.  Restricting CDNs to the Delegation Mechanism  . . . . . .  35
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  35
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  36
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  36
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  37

   [-08]
   Appendix A.  Document History  . . . . . . . . . . . . . . . . . .  39
     A.1.  draft-ietf-acme-star-delegation-08  . . . . . . . . . . .  39
     A.2.  draft-ietf-acme-star-delegation-07  . . . . . . . . . . .  39
     A.3.  draft-ietf-acme-star-delegation-06  . . . . . . . . . . .  39
     A.4.  draft-ietf-acme-star-delegation-05  . . . . . . . . . . .  39
     A.5.  draft-ietf-acme-star-delegation-04  . . . . . . . . . . .  39
     A.6.  draft-ietf-acme-star-delegation-03  . . . . . . . . . . .  40
     A.7.  draft-ietf-acme-star-delegation-02  . . . . . . . . . . .  40
     A.8.  draft-ietf-acme-star-delegation-01  . . . . . . . . . . .  40
     A.9.  draft-ietf-acme-star-delegation-00  . . . . . . . . . . .  40
     A.10. draft-sheffer-acme-star-delegation-01 . . . . . . . . . .  40
     A.11. draft-sheffer-acme-star-delegation-00 . . . . . . . . . .  40

   [-09]
   Appendix A.  Document History  . . . . . . . . . . . . . . . . . .  38
     A.1.  draft-ietf-acme-star-delegation-09  . . . . . . . . . . .  38
     A.2.  draft-ietf-acme-star-delegation-08  . . . . . . . . . . .  39
     A.3.  draft-ietf-acme-star-delegation-07  . . . . . . . . . . .  39
     A.4.  draft-ietf-acme-star-delegation-06  . . . . . . . . . . .  39
     A.5.  draft-ietf-acme-star-delegation-05  . . . . . . . . . . .  39
     A.6.  draft-ietf-acme-star-delegation-04  . . . . . . . . . . .  39
     A.7.  draft-ietf-acme-star-delegation-03  . . . . . . . . . . .  40
     A.8.  draft-ietf-acme-star-delegation-02  . . . . . . . . . . .  40
     A.9.  draft-ietf-acme-star-delegation-01  . . . . . . . . . . .  40
     A.10. draft-ietf-acme-star-delegation-00  . . . . . . . . . . .  40
     A.11. draft-sheffer-acme-star-delegation-01 . . . . . . . . . .  40
     A.12. draft-sheffer-acme-star-delegation-00 . . . . . . . . . .  40

   Appendix B.  CSR Template: CDDL  . . . . . . . . . . . . . . . . .  40
   Appendix C.  CSR Template: JSON Schema . . . . . . . . . . . . . .  43
   Authors' Addresses  . . . . . . . . . . . . . . . .  48 (-08) / 47 (-09)
1.  Introduction

   This document is related to [RFC8739], in that some important use
   cases require both documents to be implemented.  To avoid
   duplication, we give here a bare-bones description of the motivation
   for this solution.  For more details, please refer to the
   introductory sections of [RFC8739].

   An Identifier Owner (IdO) has agreements in place with one or more
   (unchanged text omitted; diff resumes at page 7, line 20)
   Note that the interactive identifier authorization phase described in
   Section 7.5 of [RFC8555] is suppressed on the NDC-IdO side because
   the delegated identity contained in the CSR presented to the IdO is
   validated against the configured CSR template (Section 4.1).
   Therefore, the NDC sends the finalize request, including the CSR, to
   the IdO immediately after Order1 has been acknowledged.  The IdO
   SHALL buffer a (valid) CSR until the Validation phase completes
   successfully.
   Also note that the successful negotiation of the "unauthenticated
   GET" (Section 3.4 of [RFC8739]) [-08: (Section 3.4 of [RFC8793])] is
   required in order to allow the NDC to access the "star-certificate"
   URL on the CA.
   .------.              .---------------.              .------.
   | NDC  |              |      IdO      |              | ACME |
  +--------+            +--------+--------+            +--------+
  | Client |            | Server | Client |            | Server |
  '---+----'            '----+---+---+----'            '----+---'
      |                      |       |                      |
      |   Order1             |       |                      |
      |   Signature          |       |                      |
   (unchanged text omitted; diff resumes at page 11, line 7)
     },
     "cname-map": {
       "abc.ido.example.": "abc.ndc.example."
     }
   }

              Figure 3: Example Delegation Configuration object
   In order to indicate which specific delegation applies to the
   requested certificate a new "delegation" attribute is added to the
   request object on the NDC-IdO side (see Figure 4 and Figure 7)
   [-08: "added to the Order object on the NDC-IdO side (see Figure 4)"].
   The value of this attribute is the URL pointing to the delegation
   configuration object that is to be used for this certificate request.
   If the "delegation" attribute in the Order object contains a URL that
   does not correspond to a configuration available to the requesting
   ACME account, the IdO MUST return an error response with status code
   403 (Forbidden), providing a problem document [RFC7807] with type
   "urn:ietf:params:acme:error:unknownDelegation".
2.3.2.  Order Object Transmitted from NDC to IdO and to ACME Server
        (STAR)

   If the delegation is for a STAR certificate, the request object
   created by the NDC:

   *  MUST have a "delegation" attribute indicating the preconfigured
      delegation that applies to this Order;
   (unchanged text omitted; diff resumes at page 12, line 29)
           "type": "dns",
           "value": "abc.ido.example"
         }
       ],
       "auto-renewal": {
         "end-date": "2021-04-20T00:00:00Z",
         "lifetime": 345600,          // 4 days
         "allow-certificate-get": true
       },
       "delegation":
         "https://acme.ido.example/acme/delegation/gm0wfLYHBen"
     }),
     "signature": "g454e3hdBlkT4AEw...nKePnUyZTjGtXZ6H"
   }

                    Figure 4: New STAR Order from NDC

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]
   The Order object that is created on the IdO:

   *  MUST start in the "ready" state;

   *  MUST contain an "authorizations" array with zero elements;
   (unchanged text omitted; diff resumes at page 13, line 23)
       }
     ],
     "auto-renewal": {
       "end-date": "2021-04-20T00:00:00Z",
       "lifetime": 345600,
       "allow-certificate-get": true
     },
     "delegation":
       "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
     "authorizations": [],
     "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize"
   }

               Figure 5: STAR Order Resource Created on IdO

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]
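   An added example (not part of the draft) of the IdO-side new-order
   handling described above: the "delegation" URL in the NDC's request is
   checked against the delegation configurations pre-registered for the
   requesting ACME account, an unknown URL gets the 403 "unknownDelegation"
   problem document, and an accepted request produces an Order that starts
   "ready" with an empty "authorizations" array, as in Figures 4 and 5.
   The account URL and the "expires" value are constructed placeholders;
   the delegation URL, cname-map and identifiers are taken from the
   draft's figures.

```python
"""IdO-side handling of a delegated new-order request (added example)."""
from typing import Any

UNKNOWN_DELEGATION = "urn:ietf:params:acme:error:unknownDelegation"

# Constructed registry: account URL -> delegation URL -> configuration object.
# The delegation URL and cname-map come from the draft's Figures 3 and 4; the
# account URL is a placeholder invented for this example.
ACCOUNT_DELEGATIONS: dict[str, dict[str, dict[str, Any]]] = {
    "https://acme.ido.example/acme/acct/EXAMPLE-NDC-ACCOUNT": {
        "https://acme.ido.example/acme/delegation/gm0wfLYHBen": {
            "cname-map": {"abc.ido.example.": "abc.ndc.example."},
        },
    },
}


def problem(ptype: str, detail: str) -> dict[str, str]:
    """RFC 7807 problem document, the body of an ACME error response."""
    return {"type": ptype, "detail": detail}


def handle_new_order(account_url: str, payload: dict[str, Any],
                     order_url: str, expires: str) -> tuple[int, dict[str, Any]]:
    """Process the JWS payload of a new-order request on the NDC-IdO channel.

    Returns (HTTP status, response body). Only the "delegation" attribute is
    authorized here: the delegated identifiers are checked against the CSR
    template later, when the NDC finalizes the Order with its CSR.
    """
    delegation = payload.get("delegation")
    known = ACCOUNT_DELEGATIONS.get(account_url, {})
    if not isinstance(delegation, str) or delegation not in known:
        # Missing, unknown, or configured for a different account: the same
        # answer in every case, so the response does not reveal which
        # delegation URLs exist for other accounts.
        return 403, problem(UNKNOWN_DELEGATION,
                            "delegation is not available to this account")

    # No interactive authorization phase on the NDC-IdO side: the Order
    # starts "ready" and carries an empty "authorizations" array.
    order: dict[str, Any] = {
        "status": "ready",
        "expires": expires,
        "identifiers": payload["identifiers"],
    }
    if "auto-renewal" in payload:
        # STAR delegation: auto-renewal parameters are carried into the Order.
        order["auto-renewal"] = payload["auto-renewal"]
    elif "allow-certificate-get" in payload:
        # Non-STAR delegation: the NDC's request for unauthenticated GET on
        # the CA is carried into the Order.
        order["allow-certificate-get"] = payload["allow-certificate-get"]
    order["delegation"] = delegation
    order["authorizations"] = []
    order["finalize"] = order_url + "/finalize"
    return 201, order


# Constructed request payload, modelled on Figure 4 of the draft.
STAR_ORDER_PAYLOAD: dict[str, Any] = {
    "identifiers": [{"type": "dns", "value": "abc.ido.example"}],
    "auto-renewal": {
        "end-date": "2021-04-20T00:00:00Z",
        "lifetime": 345600,
        "allow-certificate-get": True,
    },
    "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
}

if __name__ == "__main__":
    acct = "https://acme.ido.example/acme/acct/EXAMPLE-NDC-ACCOUNT"
    print(*handle_new_order(acct, STAR_ORDER_PAYLOAD,
                            "https://acme.ido.example/acme/order/TO8rfgo",
                            "2021-05-01T00:00:00Z"))
    # The URL form used in -08 is not configured for this account: 403.
    stale = dict(STAR_ORDER_PAYLOAD,
                 delegation="https://acme.ido.example/acme/delegations/adFqoz/2")
    print(*handle_new_order(acct, stale,
                            "https://acme.ido.example/acme/order/x",
                            "2021-05-01T00:00:00Z"))
```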
   The Order is then finalized by the NDC supplying the CSR containing
   the delegated identifiers.  The IdO checks the provided CSR against
   (unchanged text omitted; diff resumes at page 14, line 30)
       }
     ],
     "auto-renewal": {
       "end-date": "2021-04-20T00:00:00Z",
       "lifetime": 345600,
       "allow-certificate-get": true
     },
     "delegation":
       "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
     "authorizations": [],
     "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize",
     "star-certificate": "https://acme.ca.example/acme/order/yTr23sSDg9"
   }

               Figure 6: STAR Order Resource Updated on IdO

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]
   (unchanged text omitted; diff resumes at page 16, line 24)
       "url": "https://acme.ido.example/acme/new-order"
     }),
     "payload": base64url({
       "identifiers": [
         {
           "type": "dns",
           "value": "abc.ido.example"
         }
       ],
       "delegation":
         "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
       "allow-certificate-get": true
     }),
     "signature": "j9JBUvMigi4zodud...acYkEKaa8gqWyZ6H"
   }

                  Figure 7: New Non-STAR Order from NDC

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]

   The Order object that is created on the IdO:

   *  MUST start in the "ready" state;
   (unchanged text omitted; diff resumes at page 17, line 17)
     "expires": "2021-05-01T00:00:00Z",
     "identifiers": [
       {
         "type": "dns",
         "value": "abc.ido.example"
       }
     ],
     "delegation":
       "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
     "allow-certificate-get": true,
     "authorizations": [],
     "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize"
   }

             Figure 8: Non-STAR Order Resource Created on IdO

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]
   (unchanged text omitted; diff resumes at page 18, line 17)
     "expires": "2021-05-01T00:00:00Z",
     "identifiers": [
       {
         "type": "dns",
         "value": "abc.ido.example"
       }
     ],
     "delegation":
       "https://acme.ido.example/acme/delegation/gm0wfLYHBen",
     "allow-certificate-get": true,
     "authorizations": [],
     "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize",
     "certificate": "https://acme.ca.example/acme/order/YtR23SsdG9"
   }

   [-08: "delegation": "https://acme.ido.example/acme/delegations/adFqoz/2"]
   (unchanged text omitted; diff resumes at page 21, line 22)
   incentives for the NDC to prematurely terminate the delegation, this
   does not represent a significant security risk.

2.4.  Proxy Behavior

   There are cases where the ACME Delegation flow should be proxied,
   such as the use case described in Section 5.1.2.  This section
   describes the behavior of such proxies.
   An entity implementing the IdO server role - an "ACME Delegation
   server" - may behave, on a per-identity case, either as a proxy into
   another ACME Delegation server, or it may behave as an IdO and obtain
   a certificate directly.  [-08: "can decide, on a per-identity case,
   whether to act as a proxy into another ACME Delegation server, or to
   behave as an IdO and obtain a certificate directly."]  The
   determining factor is whether it can successfully be authorized by
   the next-hop ACME server for the identity associated with the
   certificate request.
   The identities supported by each server and the disposition for each
   of them are preconfigured.

   Following is the proxy's behavior for each of the messages exchanged
   in the ACME Delegation process:

   *  New-order request:

      -  The complete "identifiers" object MUST be copied as-is.
   (unchanged text omitted; diff resumes at page 33, line 37)
   [RFC8555]) is used.

   The ACME account associated with the delegation plays a crucial role
   in the overall security of the presented protocol.  This, in turn,
   means that in delegation scenarios the security requirements and
   verification associated with an ACME account may be more stringent
   than in traditional ACME, since the out-of-band configuration of
   delegations that an account is authorized to use, combined with
   account authentication, takes the place of the normal ACME
   authorization challenge procedures.  Therefore, the IdO MUST ensure
   that each account is associated with the exact policies (via their
   matching "delegation" objects) that define [-08: "the exact policy
   (via a "delegation" object) that defines"] which domain names can be
   delegated to the account and how.  The IdO is expected to use out of
   band means to pre-register each NDC to the corresponding account.
7.3.  New ACME Channels

   Using the model established in Section 10.1 of [RFC8555], we can
   decompose the interactions of the basic delegation workflow as shown
   in Figure 14.

   .-----.  ACME Channel  .--------.
   | NDC +--------------->|  IdO   |
   '--+--'                | server |
   (unchanged text omitted; diff resumes at page 37, line 12)
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/info/rfc8610>.

   [RFC8739]  Sheffer, Y., Lopez, D., Gonzalez de Dios, O., Pastor
              Perales, A., and T. Fossati, "Support for Short-Term,
              Automatically Renewed (STAR) Certificates in the Automated
              Certificate Management Environment (ACME)", RFC 8739,
              DOI 10.17487/RFC8739, March 2020,
              <https://www.rfc-editor.org/info/rfc8739>.
   [-08 only; this entry is dropped in -09]
   [RFC8793]  Wissingh, B., Wood, C., Afanasyev, A., Zhang, L., Oran,
              D., and C. Tschudin, "Information-Centric Networking
              (ICN): Content-Centric Networking (CCNx) and Named Data
              Networking (NDN) Terminology", RFC 8793,
              DOI 10.17487/RFC8793, June 2020,
              <https://www.rfc-editor.org/info/rfc8793>.
9.2.  Informative References

   [I-D.ietf-acme-authority-token-tnauthlist]
              Wendt, C., Hancock, D., Barnes, M., and J. Peterson,
              "TNAuthList profile of ACME Authority Token", Work in
              Progress, Internet-Draft, draft-ietf-acme-authority-token-
              tnauthlist-08, 27 March 2021,
              <https://www.ietf.org/archive/id/draft-ietf-acme-
              authority-token-tnauthlist-08.txt>.
   (unchanged text omitted; diff resumes at page 39, line 9 of -08 /
   page 38, line 47 of -09)
   [RFC8659]  Hallam-Baker, P., Stradling, R., and J. Hoffman-Andrews,
              "DNS Certification Authority Authorization (CAA) Resource
              Record", RFC 8659, DOI 10.17487/RFC8659, November 2019,
              <https://www.rfc-editor.org/info/rfc8659>.

Appendix A.  Document History

   [[Note to RFC Editor: please remove before publication.]]

A.1.  draft-ietf-acme-star-delegation-09  [-09 only]

   *  A few remaining comments by Ben Kaduk.

A.2.  draft-ietf-acme-star-delegation-08  [-08: A.1]
   Extensive reviews by multiple IETF contributors and IESG members
   (many thanks to all involved, your names are in the Acknowledgments).
   Specifically:

   *  More clarity in the Terminology, and correct distinction between
      CA and ACME server.

   *  Explicit description of "delegations list", the object returned by
      the "delegations" URL.

   *  The "delegation" is no longer part of the identifier, rather it is

   (unchanged text omitted; diff resumes at page 39, line 32 of -08 /
   page 39, line 28 of -09)

      certificates.  This includes some normative changes.

   *  Explicit description of the changes required on the CA: support
      for unauthenticated GET.

   *  Some changes to IANA registrations and a change to the
      registration policy of a new registry.

   *  More detail about security considerations related to pre-
      registration of the NDC as an ACME account on IdO.

   *  Minor changes to the CSR Template schemas.

   *  Many editorial changes.
A.3.  draft-ietf-acme-star-delegation-07  [-08: A.2]

   *  SecDir comments by Russ Housley.

   *  In particular, reorganized some parts of the document to clarify
      handling of non-STAR certificates.

   *  And changed the document's title accordingly.

A.4.  draft-ietf-acme-star-delegation-06  [-08: A.3]

   *  CDDL schema to address Roman's remaining comments.

A.5.  draft-ietf-acme-star-delegation-05  [-08: A.4]

   *  Detailed AD review by Roman Danyliw.

   *  Some comments that were left unaddressed in Ryan Sleevi's review.

   *  Numerous other edits for clarity and consistency.

A.6.  draft-ietf-acme-star-delegation-04  [-08: A.5]

   *  Delegation of non-STAR certificates.

   *  More IANA clarity, specifically on certificate extensions.

   *  Add delegation configuration object and extend account and order
      objects accordingly.

   *  A lot more depth on Security Considerations.

A.7.  draft-ietf-acme-star-delegation-03  [-08: A.6]

   *  Consistency with the latest changes in the base ACME STAR
      document, e.g. star-delegation-enabled capability renamed and
      moved.

   *  Proxy use cases (recursive delegation) and the definition of proxy
      behavior.

   *  More detailed analysis of the CDNI and STIR use cases, including
      sequence diagrams.

A.8.  draft-ietf-acme-star-delegation-02  [-08: A.7]

   *  Security considerations: review by Ryan Sleevi.

   *  CSR template simplified: instead of being a JSON Schema document
      itself, it is now a simple JSON document which validates to a JSON
      Schema.

A.9.  draft-ietf-acme-star-delegation-01  [-08: A.8]

   *  Refinement of the CDNI use case.

   *  Addition of the CSR template (partial, more work required).

   *  Further security considerations (work in progress).

A.10.  draft-ietf-acme-star-delegation-00  [-08: A.9]

   *  Republished as a working group draft.

A.11.  draft-sheffer-acme-star-delegation-01  [-08: A.10]

   *  Added security considerations about disallowing CDNs from issuing
      certificates for a delegated domain.

A.12.  draft-sheffer-acme-star-delegation-00  [-08: A.11]
   *  Initial version, some text extracted from draft-sheffer-acme-star-
      requests-02

Appendix B.  CSR Template: CDDL

   Following is the normative definition of the CSR template, using CDDL
   [RFC8610].  The CSR template MUST be a valid JSON document, compliant
   with the syntax defined here.
End of changes: 29 change blocks; 58 lines changed or deleted, 55 lines changed or added.

This HTML diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/