An ACME Profile for Generating Delegated STAR CertificatesIntuityaronf.ietf@gmail.comTelefonica I+Ddiego.r.lopez@telefonica.comTelefonica I+Dantonio.pastorperales@telefonica.comNokiathomas.fossati@nokia.com
Security
ACMEInternet-DraftThis memo proposes a profile of the ACME protocol that allows the owner of an
identifier (e.g., a domain name) to delegate to a third party access to a
certificate associated with said identifier. A primary use case is that of a
CDN (the third party) terminating TLS sessions on behalf of a content provider
(the owner of a domain name). The presented mechanism allows the owner of the
identifier to retain control over the delegation and revoke it at any time by
cancelling the associated STAR certificate renewal with the ACME CA. Another
key property of this mechanism is it does not require any modification to the
deployed TLS ecosystem.This document is a companion document to . To avoid
duplication, we give here a bare-bones description of the motivation for this
solution. For more details and further use cases, please refer to the
introductory sections of .An Identifier Owner (IdO), that we can associate in the primary use case to a
content provider (also referred to as Domain Name Owner, DNO), has agreements
in place with one or more NDC (Name Delegation Consumer) to use and attest its
identity. In the primary use case, we consider a CDN provider contracted to
serve the IdO content over HTTPS. The CDN terminates the HTTPS connection at
one of its edge cache servers and needs to present its clients (browsers,
mobile apps, set-top-boxes) a certificate whose name matches the authority of
the URL that is requested, i.e., that of the IdO. Understandably, most IdOs
balk at sharing their long-term private keys with another organization and,
equally, delegates would rather not have to handle other parties’ long-term
secrets.This document describes a profile of the ACME protocol
that allows the NDC to request the IdO, acting as a profiled ACME server, a
certificate for a delegated identity - i.e., one belonging to the IdO. The IdO
then uses the ACME protocol (with the extensions described in
) to request issuance of a STAR certificate for the same
delegated identity. The generated short-term certificate is automatically
renewed by the ACME Certification Authority (CA), periodically fetched by the NDC
and used to terminate HTTPS connections in lieu of the IdO. The IdO can end
the delegation at any time by simply instructing the CA to stop the automatic
renewal and letting the certificate expire shortly thereafter.In case the delegated identity is a domain name, this document also provides a
way for the NDC to inform the IdO about the CNAME mappings that need to be
installed in the IdO’s DNS zone to enable the aliasing of the delegated name,
thus allowing the complete name delegation workflow to be handled using a
single interface.
Identifier Owner, the owner of an identifier (e.g., a domain
name) that needs to be delegated.
Domain Name Owner, a specific kind of IdO whose identifier is a
domain name
Name Delegation Consumer, the entity to which the domain name is
delegated for a limited time. This is a CDN in the primary use
case (in fact, readers may note the symmetry of the two
acronyms).
Content Delivery Network, a widely distributed network that
serves the domain’s web content to a wide audience at high
performance.
Short-Term, Automatically Renewed X.509 certificates.
The IETF Automated Certificate Management Environment, a
certificate management protocol.
A Certificate Authority that implements the ACME protocol.The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”,
“MAY”, and “OPTIONAL” in this document are to be interpreted as
described in BCP 14 when, and only when, they
appear in all capitals, as shown here.This section presents the protocol flow. For completeness, we include the ACME
profile proposed in this draft as well as the extended ACME protocol described
in .The protocol assumes the following preconditions are met:The IdO exposes an ACME server interface to the NDC(s) comprising the account
management interface;The NDC has registered an ACME account with the IdO;NDC and IdO have agreed on a “CSR template” to use, including at a minimum:
subject name (e.g., “somesite.example.com”), requested algorithms, key
length, key usage. The NDC is required to use this template for every CSR
created under the same delegation;IdO has registered an ACME account with the Certificate Authority (CA)Note that even if the IdO implements the ACME server role, it is not acting as
a CA: in fact, from the point of view of the certificate issuance process, the
IdO only works as a “policing” forwarder of the NDC’s key-pair and is
responsible for completing the identity verification process towards the ACME
CA.The interaction between the NDC and the IdO is governed by the profiled ACME
workflow detailed in . The interaction between the IdO and the
CA is ruled by ACME STAR .The outline of the combined protocol is as follow ():NDC sends an Order for the delegated identifier to IdO;IdO creates an Order resource in state “ready” with a “finalize” URL;NDC immediately sends a finalize request (which includes the CSR) to the IdO;IdO verifies the CSR according to the agreed CSR template;If the CSR verification fails, the Order is moved to an “invalid” state and
everything stops;If the CSR verification is successful, IdO moves the Order to state
“processing”, and sends an Order’ (using its own account) for the delegated
identifier to the ACME STAR CA;If the ACME STAR protocol fails, Order’ moves to “invalid” and the same state
is reflected in the NDC Order;If the ACME STAR run is successful (i.e., Order’ is “valid”), IdO copies the
“star-certificate” URL from Order’ to Order and moves its state “valid”.The NDC can now download, install and use the certificate bearing the name
delegated by the IdO.Note that, because the identity validation is suppressed, the NDC sends the
finalize request, including the CSR, to the IdO immediately after the Order has
been acknowledged. The IdO must buffer a (valid) CSR until the Validation
phase completes successfully.
[ No identity validation ]
CSR
Signature ------->
Order'
Signature ------->
<------- Required
Authorizations
Responses
Signature ------->
<~~~~~~~~Validation~~~~~~~~>
CSR
Signature ------->
<~~~~~~Await issuance~~~~~~> <~~~~~~Await issuance~~~~~~>
<------------------------------------ Certificate
]]>The Order object created by the NDC:MUST contain identifiers with the new “delegated” field set to true;MUST NOT contain the notBefore and notAfter fields;MAY contain any of the “recurrent-*” fields listed in Section 3.1.1 of
;In case the identifier type is “dns”, it MAY contain a “cname” field with the
alias of the identifier in the NDC domain. This field is used by the IdO to
create the DNS aliasing needed to redirect the resolvers to the delegated
entity.The Order object that is created on the IdO:MUST start in the “ready” state;MUST contain an “authorizations” array with zero elements;MUST NOT contain the “notBefore” and “notAfter” fields.The IdO SHOULD copy any “recurrent-*” field from the NDC request into the
related STAR request to the ACME CA.When the validation of the identifiers has been successfully completed and the
certificate has been issued by the CA, the IdO:MUST move its Order resource status to “valid”;MUST copy the “star-certificate” field from the STAR Order;The latter indirectly includes (via the NotBefore and NotAfter HTTP headers)
the renewal timers needed by the NDC to inform its certificate reload logic.If an “identifier” object of type “dns” was included,
the IdO MUST validate the specified CNAME at this point in the flow.
The NDC and IdO may have
a pre-established list of valid CNAME values. At the minimum, the IdO MUST verify that
both DNS names are syntactically valid.Following this validation, the IdO can add the CNAME records to its
zone:When sending the Order to the ACME CA, the IdO SHOULD strip the “delegated” and “cname”
attributes sent by the NDC (). The IdO MUST add
the necessary STAR extensions to the Order. In addition, to allow the NDC
to download the certificate using unauthenticated GET, the IdO MUST add the
recurrent-certificate-get attribute and set it to true.In order to help a client to discover support for this profile, the directory
object of an ACME server MUST contain the following attribute inside the “meta”
field:star-delegation-enabled: boolean flag indicating support for the profile
specified in this memo. An ACME server that supports this delegation profile
MUST include this key, and MUST set it to true.It is worth noting that cancelation of the ACME STAR certificate is a
prerogative of the IdO. The NDC does not own the relevant account key on the
ACME CA, therefore it can’t issue a cancelation request for the STAR cert.
Potentially, since it holds the STAR cert private key, it could request the
revocation of a single STAR certificate. However, STAR explicitly disables the
revokeCert interface.Members of the IETF CDNI (Content Delivery Network Interconnection) working
group are interested in delegating authority over web content to CDNs. Their
requirements are described in a draft that
considers several solutions addressing different delegation requirements. This
section discusses two of these particular requirements in the context of the
STAR delegation workflow.In some cases the content owner (IdO) would like to delegate authority over a
web site to multiple NDCs (CDNs). This could happen if the IdO has agreements
in place with different regional CDNs for different geographical regions, or if
a “backup” CDN is used to handle overflow traffic by temporarily altering some
of the CNAME mappings in place. The STAR delegation flow enables this use case
naturally, since each CDN can authenticate separately to the IdO (via its own
separate account) specifying its CSR, and the IdO is free to allow or deny each
certificate request according to its own policy.In other cases, a content owner (IdO) delegates some domains to a large CDN
(uCDN), which in turn delegates to a smaller regional CDN, dCDN. The DNO has a
contractual relationship with uCDN, and uCDN has a similar relationship with
dCDN. However IdO may not even know about dCDN.The STAR protocol does not prevent this use case, although there is no special
support for it: uCDN could forward requests from dCDN to DNO, and forward
responses back to dCDN. Whether such proxying is allowed is governed by policy
and contracts between the parties.One thing that might be necessary at the interface between uCDN and dCDN is a
mechanism by which the uCDN can advertise:The namespace that is made available to the dCDN to mint its delegated names;The policy for creating the key material (allowed algorithms, minimum key
lengths, key usage, etc.) that the dCDN needs to satisfy.[[RFC Editor: please replace XXXX below by the RFC number.]]This document adds the following entries to the ACME Directory Metadata Fields:Field NameField TypeReferencestar-delegation-enabledbooleanRCF XXXXTBDThis work is partially supported by the European Commission under Horizon 2020
grant agreement no. 688421 Measurement and Architecture for a Middleboxed
Internet (MAMI). This support does not imply endorsement.Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)Public-key certificates need to be revoked when they are compromised, that is, when the associated private key is exposed to an attacker. However the revocation process is often unreliable. An alternative to revocation is issuing a sequence of certificates, each with a short validity period, and terminating this sequence upon compromise. This memo proposes an ACME extension to enable the issuance of short- term and automatically renewed (STAR) certificates. [RFC Editor: please remove before publication] While the draft is being developed, the editor's version can be found at https://github.com/yaronf/I-D/tree/master/STAR.Automatic Certificate Management Environment (ACME)Public Key Infrastructure X.509 (PKIX) certificates are used for a number of purposes, the most significant of which is the authentication of domain names. Thus, certification authorities (CAs) in the Web PKI are trusted to verify that an applicant for a certificate legitimately represents the domain name(s) in the certificate. Today, this verification is done through a collection of ad hoc mechanisms. This document describes a protocol that a CA and an applicant can use to automate the process of verification and certificate issuance. The protocol also provides facilities for other certificate management functions, such as certificate revocation. RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/ietf-wg-acme/acme [1]. Instructions are on that page as well. Editorial changes can be managed in GitHub, but any substantive change should be discussed on the ACME mailing list (acme@ietf.org).Key words for use in RFCs to Indicate Requirement LevelsIn many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.Ambiguity of Uppercase vs Lowercase in RFC 2119 Key WordsRFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.HTTPS delegation in CDNIThis document examines probable solutions for delegating encrypted content delivery within the context of CDN interconnection. The HTTPS delegation also expects delivering content without compromising security, integrity and user privacy.[[Note to RFC Editor: please remove before publication.]]Initial version, some text extracted from draft-sheffer-acme-star-requests-02