| RFC 9115 | ACME Delegation | September 2021 |
| Sheffer, et al. | Standards Track | [Page] |
This document defines a profile of the Automatic Certificate Management Environment(ACME) protocol by which the holder of an identifier (e.g., a domain name) canallow a third party to obtain an X.509 certificate such that the certificatesubject is the delegated identifier while the certified public key correspondsto a private key controlled by the third party.A primary use case is that of a Content Delivery Network (CDN), the third party,terminating TLS sessions on behalf of a content provider (the holder of a domainname). The presented mechanism allows the holder of the identifier to retaincontrol over the delegation and revoke it at any time. Importantly, thismechanism does not require any modification to the deployed TLSclients and servers.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9115.¶
Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
This document is related to[RFC8739], in that some important use cases require both documents to be implemented. To avoid duplication,we give here a bare-bones description of the motivation for this solution. Formore details, please refer to the introductory sectionsof[RFC8739].¶
An Identifier Owner (IdO) has agreementsin place with one or more Name Delegation Consumer (NDC) to use and attest itsidentity.¶
In the primary use case, the IdO is a content provider, and we consider a Content Delivery Network (CDN) provider contracted toserve the content over HTTPS. The CDN terminates the HTTPS connection atone of its edge cache servers and needs to present its clients (browsers,mobile apps, set-top boxes) a certificate whose name matches the domain name ofthe URL that is requested, i.e., that of the IdO. Understandably, some IdOs may balk at sharing their long-term private keys with another organization;equally, delegates would rather not have to handle other parties' long-termsecrets. Other relevant use cases are discussed inSection 5.¶
This document describes a profile of the ACME protocol[RFC8555] that allowsthe NDC to request from the IdO, acting as a profiled ACME server, a certificate fora delegated identity -- i.e., one belonging to the IdO. The IdO then uses theACME protocol (with the extensions described in[RFC8739]) to requestissuance of a Short-Term, Automatically Renewed (STAR) certificate for the same delegated identity. The generatedshort-term certificate is automatically renewed by the ACME CertificationAuthority (CA), is periodically fetched by the NDC, and is used to terminate HTTPSconnections in lieu of the IdO. The IdO can end the delegation at any time bysimply instructing the CA to stop the automatic renewal and letting thecertificate expire shortly thereafter.¶
While the primary use case we address is a delegation of STAR certificates, themechanism proposed here also accommodates long-lived certificates managed withthe ACME protocol. The most noticeable difference between long-lived and STARcertificates is the way the termination of the delegation is managed. In thecase of long-lived certificates, the IdO uses therevokeCert URL exposed by theCA and waits for the explicit revocation based on the Certificate RevocationList (CRL) and Online Certificate Status Protocol (OCSP) to propagate to therelying parties.¶
In case the delegated identity is a domain name, this document also provides away for the NDC to inform the IdO about the CNAME mappings that need to beinstalled in the IdO's DNS zone to enable the aliasing of the delegated name,thus allowing the complete name delegation workflow to be handled using asingle interface.¶
We note that other standardization efforts address the problem of certificate delegation for TLS connections, specifically[TLS-SUBCERTS] and[MGLT-LURK-TLS13]. The former extends the TLS certificate chain with a customer-owned signing certificate; the latter separates the server's private key into a dedicated, more-secure component. Compared to these other approaches, the current document does not require changes to the TLS network stack of the client or the server, nor does it introduce additional latency to the TLS connection.¶
Identifier Owner, the holder (current owner) of an identifier (e.g., a domainname) that needs to be delegated. Depending on the context, the term IdO mayalso be used to designate the (profiled) ACME server deployed by the IdentifierOwner or the ACME client used by the Identifier Owner to interact with the CA.¶
Name Delegation Consumer, the entity to which the domain name isdelegated for a limited time. This is a CDN in the primary usecase (in fact, readers may note the similarity of the twoabbreviations). Depending on the context, the term NDC mayalso be used to designate the (profiled) ACME client used by the NameDelegation Consumer.¶
Content Delivery Network, a widely distributed network thatserves the domain's web content to a wide audience at highperformance.¶
Short-Term, Automatically Renewed, as applied to X.509 certificates.¶
Automated Certificate Management Environment, acertificate management protocol[RFC8555].¶
Certification Authority, specifically one that implements the ACME protocol. In this document, the term is synonymous with "ACME server deployed by the Certification Authority".¶
Certificate Signing Request, specifically a PKCS#10[RFC2986] Certificate Signing Request, as supported by ACME.¶
Fully Qualified Domain Name.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted asdescribed in BCP 14[RFC2119][RFC8174] when, and only when, theyappear in all capitals, as shown here.¶
This section presents the protocol flow. For completeness, we include the ACMEprofile proposed in this document as well as the ACME STAR protocol describedin[RFC8739].¶
The protocol assumes the following preconditions are met:¶
abc.ido.example), requested algorithms and keylength, key usage, and extensions. The NDC will usethis template for every CSR created under the same delegation.¶Note that even if the IdO implements the ACME server role, it is not acting asa CA; in fact, from the point of view of the certificate issuance process, theIdO only works as a "policing" forwarder of the NDC's key pair and isresponsible for completing the identity verification process towards the CA.¶
For clarity, the protocol overview presented here covers the main use case of this protocol,namely delegation of STAR certificates. Protocol behavior for non-STAR certificates is similar,and the detailed differences are listed in the following sections.¶
The interaction between the NDC and the IdO is governed by the profiled ACMEworkflow detailed inSection 2.3. The interaction between the IdO and theCA is ruled by ACME[RFC8555], ACME STAR[RFC8739], and any other ACME extension thatapplies (e.g.,[TOKEN-TNAUTHLIST] for Secure Telephone Identity Revisited (STIR)).¶
The outline of the combined protocol for STAR certificates is as follows (Figure 1):¶
ready with afinalize URL.¶finalize request (which includes the CSR) to the IdO.¶invalid state andeverything stops.¶processing and sends a new Order2 (using its own account) for the delegatedidentifier to the CA.¶invalid, and the same stateis reflected in Order1 (i.e., the NDC Order).¶valid), IdO copies thestar-certificate URL from Order2 to Order1 and updates the Order1 state tovalid.¶The NDC can now download, install, and use the short-term certificate bearing the name delegated by the IdO. The STAR certificate can be used until it expires, at which time the NDC is guaranteed to find a new certificate it can download, install, and use. This continues with subsequent certificates until either Order1 expires or the IdO decides to cancel the automatic renewal process with the CA.¶
Note that the interactive identifier authorization phase described inSection 7.5 of [RFC8555] is suppressed on the NDC-IdO side because the delegatedidentity contained in the CSR presented to the IdO is validated against theconfigured CSR template (Section 4.1). Therefore, the NDCsends thefinalize request, including the CSR, to the IdO immediately afterOrder1 has been acknowledged. The IdOSHALL buffer a (valid) CSR until theValidation phase completes successfully.¶
Also note that the successful negotiation of the unauthenticated GET (Section 3.4 of [RFC8739]) is required in order to allow the NDC to access thestar-certificate URL on the CA.¶
This section defines a profile of the ACME protocol to be used between the NDCand IdO.¶
The IdO must be preconfigured to recognize one or more NDCs and present them withdetails about certificate delegations that apply to each one.¶
An NDC identifies itself to the IdO as an ACME account. The IdO can delegatemultiple names to an NDC, and these configurations are described throughdelegation objects associated with the NDC's account object on the IdO.¶
As shown inFigure 2, the ACME account resource on the IdO isextended with a newdelegations attribute:¶
{ "status": "valid", "contact": [ "mailto:delegation-admin@ido.example" ], "termsOfServiceAgreed": true, "orders": "https://example.com/acme/orders/saHpfB", "delegations": "https://acme.ido.example/acme/delegations/adFqoz"}Each account object includes adelegations URL from which a list ofdelegation configurations created by the IdO can be fetched via a POST-as-GETrequest. The result of the requestMUST be a JSON object whosedelegationsfield is an array of URLs, each identifying a delegation configuration madeavailable to the NDC account (Section 2.3.1.3). The serverMAYreturn an incomplete list, along with aLink header field with anext linkrelation indicating where further entries can be acquired.¶
HTTP/1.1 200 OKContent-Type: application/jsonLink: <https://acme.ido.example/acme/directory>;rel="index"Link: <https://acme.ido.example/acme/delegations/adFqoz?/ cursor=2>;rel="next"{ "delegations": [ "https://acme.ido.example/acme/delegation/ogfr8EcolOT", "https://acme.ido.example/acme/delegation/wSi5Lbb61E4", /* more URLs not shown for example brevity */ "https://acme.ido.example/acme/delegation/gm0wfLYHBen" ]}¶Note that in the figure above, https://acme.ido.example/acme/delegations/adFqoz?cursor=2 includes a line breakfor the sake of presentation.¶
This profile extends the ACME resource model with a new read-onlydelegationobject that represents a delegation configuration that applies to a given NDC.¶
Adelegation object contains the CSR template (seeSection 4) thatapplies to that delegation and, optionally, any related CNAME mapping for thedelegated identifiers. Its structure is as follows:¶
dns.¶An exampledelegation object in JSON format is shown inFigure 3.¶
{ "csr-template": { "keyTypes": [ { "PublicKeyType": "id-ecPublicKey", "namedCurve": "secp256r1", "SignatureType": "ecdsa-with-SHA256" } ], "subject": { "country": "CA", "stateOrProvince": "**", "locality": "**" }, "extensions": { "subjectAltName": { "DNS": [ "abc.ido.example" ] }, "keyUsage": [ "digitalSignature" ], "extendedKeyUsage": [ "serverAuth" ] } }, "cname-map": { "abc.ido.example.": "abc.ndc.example." }}In order to indicate which specific delegation applies to the requestedcertificate, a newdelegation attribute is added to theorder object on the NDC-IdO side (see Figures4and7). Thevalue of this attribute is the URL pointing to the delegation configurationobject that is to be used for this certificate request. If thedelegationattribute in the order object contains a URL that does not correspond to aconfiguration available to the requesting ACME account, the IdOMUST return an errorresponse with status code 403 (Forbidden), providing a problem document[RFC7807] with typeurn:ietf:params:acme:error:unknownDelegation.¶
If the delegation is for a STAR certificate, the request object created by theNDC:¶
delegation attribute indicating the preconfigured delegationthat applies to this Order;¶identifiers field for each delegated namepresent in the configuration;¶notBefore andnotAfter fields; and¶auto-renewal object and, inside it, the fieldslisted inSection 3.1.1 of [RFC8739]. In particular, theallow-certificate-get attributeMUST be present and set to true.¶POST /acme/new-order HTTP/1.1Host: acme.ido.exampleContent-Type: application/jose+json{ "protected": base64url({ "alg": "ES256", "kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg", "nonce": "Alc00Ap6Rt7GMkEl3L1JX5", "url": "https://acme.ido.example/acme/new-order" }), "payload": base64url({ "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "auto-renewal": { "end-date": "2021-04-20T00:00:00Z", "lifetime": 345600, // 4 days "allow-certificate-get": true }, "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen" }), "signature": "g454e3hdBlkT4AEw...nKePnUyZTjGtXZ6H"}The order object that is created on the IdO:¶
ready state;¶authorizations array with zero elements;¶delegation configuration;¶auto-renewal settings; and¶notBefore andnotAfter fields.¶{ "status": "ready", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "auto-renewal": { "end-date": "2021-04-20T00:00:00Z", "lifetime": 345600, "allow-certificate-get": true }, "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "authorizations": [], "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize"}The Order is then finalized by the NDC supplying the CSR containing thedelegated identifiers. The IdO checks the provided CSR against the templatecontained in thedelegation object that applies to this request, as described inSection 4.1. If the CSR fails validation for any of theidentifiers, the IdOMUST return an error response with status code 403(Forbidden) and an appropriate type, e.g.,rejectedIdentifier orbadCSR.The error responseSHOULD contain subproblems (Section 6.7.1 of [RFC8555])for each failed identifier. If the CSR is successfully validated, the orderobject status moves toprocessing and the twin ACME protocol instance isinitiated on the IdO-CA side.¶
The request object created by the IdO:¶
delegation attribute; and¶auto-renewal object sent by the NDC.¶When the identifiers' authorization has been successfully completed and thecertificate has been issued by the CA, the IdO:¶
valid and¶star-certificate field from the STAR Order returned by the CAinto its Order resource. When dereferenced, thestar-certificate URLincludes (via theCert-Not-Before andCert-Not-After HTTP header fields) the renewal timersneeded by the NDC to inform its certificate reload logic.¶{ "status": "valid", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "auto-renewal": { "end-date": "2021-04-20T00:00:00Z", "lifetime": 345600, "allow-certificate-get": true }, "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "authorizations": [], "finalize": "https://acme.ido.example/acme/order/TO8rfgo/finalize", "star-certificate": "https://acme.ca.example/acme/order/yTr23sSDg9"}This delegation protocol is predicated on the NDC being able to fetchcertificates periodically using an unauthenticated HTTP GET, since, in general,the NDC does not possess an account on the CA; as a consequence, it cannot issue thestandard POST-as-GET ACME request. Therefore, before forwarding the Orderrequest to the CA, the IdOSHOULD ensure that the selected CA supportsunauthenticated GET by inspecting the relevant settings in the CA'sdirectory object, as perSection 3.4 of [RFC8739]. If the CA does notsupport unauthenticated GET of STAR certificates, the IdOMUST NOT forwardthe Order request. Instead, itMUST move the Order status toinvalid and settheallow-certificate-get in theauto-renewal object tofalse. The sameoccurs in case the Order request is forwarded and the CA does not reflect theallow-certificate-get setting in its Order resource. The combination ofinvalid status and deniedallow-certificate-get in the Order resource atthe IdO provides an unambiguous (asynchronous) signal to the NDC about thefailure reason.¶
If one of the objects in theidentifiers list is of typedns, the IdO can add theCNAME records specified in thedelegation object to its zone, for example:¶
abc.ido.example. CNAME abc.ndc.example.¶
If the delegation is for a non-STAR certificate, the request object created bythe NDC:¶
delegation attribute indicating the preconfigured delegationthat applies to this Order;¶identifiers field for each delegated namepresent in the configuration; and¶allow-certificate-get attribute set to true.¶POST /acme/new-order HTTP/1.1Host: acme.ido.exampleContent-Type: application/jose+json{ "protected": base64url({ "alg": "ES256", "kid": "https://acme.ido.example/acme/acct/evOfKhNU60wg", "nonce": "IYBkoQfaCS80UcCn9qH8Gt", "url": "https://acme.ido.example/acme/new-order" }), "payload": base64url({ "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "allow-certificate-get": true }), "signature": "j9JBUvMigi4zodud...acYkEKaa8gqWyZ6H"}The order object that is created on the IdO:¶
ready state;¶authorizations array with zero elements;¶delegation configuration; and¶allow-certificate-get setting.¶{ "status": "ready", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "allow-certificate-get": true, "authorizations": [], "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize"}The Order finalization by the NDC and the subsequent validation of the CSR bythe IdO proceed in the same way as for the STAR case. If the CSR issuccessfully validated, the order object status moves toprocessing and thetwin ACME protocol instance is initiated on the IdO-CA side.¶
The request object created by the IdO:¶
delegation attribute; and¶allow-certificate-get attribute.¶When the identifiers' authorization has been successfully completed and thecertificate has been issued by the CA, the IdO:¶
valid and¶certificate field from the Order returned by the CA into itsOrder resource, as well asnotBefore andnotAfter if these fields exist.¶{ "status": "valid", "expires": "2021-05-01T00:00:00Z", "identifiers": [ { "type": "dns", "value": "abc.ido.example" } ], "delegation": "https://acme.ido.example/acme/delegation/gm0wfLYHBen", "allow-certificate-get": true, "authorizations": [], "finalize": "https://acme.ido.example/acme/order/3ZDlhYy/finalize", "certificate": "https://acme.ca.example/acme/order/YtR23SsdG9"}At this point of the protocol flow, the same considerations as inSection 2.3.2.1 apply.¶
Before forwarding the Order request to the CA, the IdOSHOULD ensure that theselected CA supports unauthenticated GET by inspecting the relevant settingsin the CA's directory object, as perSection 2.3.5. If the CAdoes not support unauthenticated GET of certificate resources, the IdOMUST NOT forward the Order request. Instead, itMUST move the Order status toinvalid and set theallow-certificate-get attribute tofalse. The sameoccurs in case the Order request is forwarded and the CA does not reflect theallow-certificate-get setting in its Order resource. The combination ofinvalid status and deniedallow-certificate-get in the Order resource atthe IdO provides an unambiguous (asynchronous) signal to the NDC about thefailure reason.¶
In order to help a client discover support for this profile, the directoryobject of an ACME server (typically, one deployed by the IdO) contains thefollowing attribute in themeta field:¶
The IdOMUST declare its support for delegation usingdelegation-enabledregardless of whether it supports delegation of STAR certificates, non-STARcertificates, or both.¶
In order to help a client discover support for certificate fetching usingunauthenticated HTTP GET, the directory object of an ACME server (typically,one deployed by the CA) contains the following attribute in themeta field:¶
In order to enable the name delegation of non-STAR certificates, this documentdefines a mechanism that allows a server to advertise support for accessingcertificate resources via unauthenticated GET (in addition toPOST-as-GET) and a client to enable this service with per-Order granularity.¶
It is worth pointing out that the protocol elements described in this sectionhave the same names and semantics as those introduced inSection 3.4 of [RFC8739] for the STAR use case (except, of course, they apply to thecertificate resource rather than the star-certificate resource). However, theydiffer in terms of their position in the directory meta and order objects;rather than being wrapped in anauto-renewal subobject, they are located at thetop level.¶
A server states its availability to grant unauthenticated access to a client'sOrder certificate by setting theallow-certificate-get attribute totrue in themeta field inside the directory object:¶
true, the server allows GET (and HEAD) requests to certificate URLs.¶A client states its desire to access the issued certificate via unauthenticatedGET by adding anallow-certificate-get attribute to the payload of itsnewOrder request and setting it totrue.¶
true, the client requests the server to allow unauthenticated GET (andHEAD) to the certificate associated with this Order.¶If the server accepts the request, itMUST reflect the attribute setting in theresulting order object.¶
Note that even when the use of unauthenticated GET has been agreed upon, theserverMUST also allow POST-as-GET requests to the certificate resource.¶
Identity delegation is terminated differently depending on whether or not this is a STAR certificate.¶
The IdO can terminate the delegation of a STAR certificate by requesting itscancellation (seeSection 3.1.2 of [RFC8739]).¶
Cancellation of the ACME STAR certificate is aprerogative of the IdO. The NDC does not own the relevant account key on theCA; therefore, it can't issue a cancellation request for the STAR certificate.Potentially, since it holds the STAR certificate's private key, it could request therevocation of a single STAR certificate. However, STAR explicitly disables therevokeCert interface.¶
Shortly after the automatic renewal process is stopped by the IdO, the lastissued STAR certificate expires and the delegation terminates.¶
The IdO can terminate the delegation of a non-STAR certificate by requesting itto be revoked using therevokeCert URL exposed by the CA.¶
According toSection 7.6 of [RFC8555], the revocation endpoint can be usedwith either the account key pair or the certificate key pair. In other words, anNDC that learns therevokeCert URL of the CA (which is publicly available viathe CA's directory object) would be able to revoke the certificate using theassociated private key. However, given the trust relationship between the NDC andIdO expected by the delegation trust model (Section 7.1), as well asthe lack of incentives for the NDC to prematurely terminate the delegation,this does not represent a significant security risk.¶
There are cases where the ACME Delegation flow should be proxied, such as theuse case described inSection 5.1.2. This section describes the behavior ofsuch proxies.¶
An entity implementing the IdO server role -- an "ACME Delegation server" --may behave, on a per-identity case, either as a proxy into another ACME Delegationserver or as an IdO and obtain a certificate directly.The determining factor is whether it can successfully be authorized bythe next-hop ACME server for the identity associated with the certificate request.¶
The identities supported by each server and the disposition for each of themare preconfigured.¶
Following is the proxy's behavior for each of the messages exchanged in theACME Delegation process:¶
status,expires,authorizations,identifiers, andauto-renewalattributes/objectsMUST be copied as is.¶finalize URL is rewritten so that thefinalize request will bemade to the proxy.¶Location headerMUST be rewritten to point to an order object on the proxy.¶Link relationsMUST be rewritten to point to the proxy.¶status,expires,authorizations,identifiers, andauto-renewalattributes/objectsMUST be copied as is.¶star-certificate URL (or thecertificate URL in case ofnon-STAR requests)MUST be copied as is.¶finalize URL is rewritten so that thefinalize request will bemade to the proxy.¶Location headerMUST be rewritten to point to an order object on the proxy.¶Link relationsMUST be rewritten to point to the proxy.¶finalize request:finalize response:Location header,Link relations, and thefinalize URLs are rewritten as for Get Order.¶We note that all the above messages are authenticated; therefore, each proxymust be able to authenticate any subordinate server.¶
Although most of this document, and in particularSection 2, is focused on the protocol between the NDC and IdO, the protocol does affect the ACME server running in the CA. A CA that wishes to support certificate delegationMUST also support unauthenticated certificate fetching, which it declares usingallow-certificate-get (Section 2.3.5, Paragraph 3).¶
The CSR template is used to express and constrain the shape of the CSR that theNDC uses to request the certificate. The CSR is used for every certificatecreated under the same delegation. Its validation by the IdO is a criticalelement in the security of the whole delegation mechanism.¶
Instead of defining every possible CSR attribute, this document takes aminimalist approach by declaring only the minimum attribute set and deferringthe registration of further, more-specific attributes to future documents.¶
The template is a JSON document. Each field (with the exception ofkeyTypes, see below) denotes one of the following:¶
abc.ido.example.¶**.¶*.¶The NDCMUST NOT include any fields in the CSR, including any extensions, unless they are specified in thetemplate.¶
The structure of the template object is defined by the Concise Data Definition Language (CDDL)[RFC8610] document inAppendix A.An alternative, nonnormative JSON Schema syntax is given inAppendix B.While the CSR template must follow the syntax defined here, neither the IdO northe NDC are expected to validate it at runtime.¶
Thesubject field and its subfields are mapped into thesubject field of the CSR, as perSection 4.1.2.6 of [RFC5280]. Other extension fields of the CSR template are mapped into the CSR according to the table inSection 6.5.¶
ThesubjectAltName field is currently defined for the following identifiers:DNS names, email addresses, and URIs. New identifier types may be added in thefuture by documents that extend this specification. Each new identifier typeSHALL have an associated identifier validation challenge that the CA canuse to obtain proof of the requester's control over it.¶
ThekeyTypes property is not copied into the CSR. Instead, this property constrains theSubjectPublicKeyInfo field of the CSR, whichMUST have the type/size defined by one of the array members of thekeyTypes property.¶
When the IdO receives the CSR, itMUST verify that the CSR is consistentwith the template contained in thedelegation object referenced in the Order. The IdOMAY enforce additionalconstraints, e.g., by restricting field lengths. In this regard, note that asubjectAltName of typeDNS can be specified using the wildcard notation,meaning that the NDC can be required (**) or offered the possibility (*) todefine the delegated domain name by itself. If this is the case, the IdOMUSTapply application-specific checks on top of the control rules already providedby the CSR template to ensure the requested domain name is legitimate accordingto its local policy.¶
The CSR template inFigure 10 represents one possible CSR templategoverning the delegation exchanges provided in the rest of this document.¶
{ "keyTypes": [ { "PublicKeyType": "rsaEncryption", "PublicKeyLength": 2048, "SignatureType": "sha256WithRSAEncryption" }, { "PublicKeyType": "id-ecPublicKey", "namedCurve": "secp256r1", "SignatureType": "ecdsa-with-SHA256" } ], "subject": { "country": "CA", "stateOrProvince": "**", "locality": "**" }, "extensions": { "subjectAltName": { "DNS": [ "abc.ido.example" ] }, "keyUsage": [ "digitalSignature" ], "extendedKeyUsage": [ "serverAuth", "clientAuth" ] }}This nonnormative section describes additional use cases implementing the STAR certificatedelegation in nontrivial ways.¶
[HTTPS-DELEGATION] discusses several solutionsaddressing different delegation requirements for the CDN Interconnection (CDNI)environment. This section discusses two of the stated requirements in thecontext of the STAR delegation workflow.¶
This section uses specific CDNI terminology, e.g., Upstream CDN (uCDN) and Downstream (dCDN), as defined in[RFC7336].¶
In some cases, the content owner (IdO) would like to delegate authority over awebsite to multiple NDCs (CDNs). This could happen if the IdO has agreementsin place with different regional CDNs for different geographical regions or ifa "backup" CDN is used to handle overflow traffic by temporarily altering someof the CNAME mappings in place. The STAR delegation flow enables this use casenaturally, since each CDN can authenticate separately to the IdO (via its ownseparate account) specifying its CSR, and the IdO is free to allow or deny eachcertificate request according to its own policy.¶
In other cases, a content owner (IdO) delegates some domains to a large CDN(uCDN), which in turn delegates to a smaller regional CDN (dCDN). The IdO has acontractual relationship with uCDN, and uCDN has a similar relationship withdCDN. However, IdO may not even know about dCDN.¶
If needed, the STAR protocol can be chained to support this use case: uCDNcould forward requests from dCDN to IdO and forward responses back to dCDN.Whether such proxying is allowed is governed by policy and contracts betweenthe parties.¶
A mechanism is necessary at the interface between uCDN and dCDN, by which theuCDN can advertise:¶
Note that such mechanism is provided by the CSR template.¶
A User Agent (UA), e.g., a browser or set-top box, wants to fetch the video resource atthe following URI:https://video.cp.example/movie. Redirection between the content provider (CP) and upstream and downstream CDNs is arranged as aCNAME-based aliasing chain, as illustrated inFigure 11.¶
Unlike HTTP-based redirection, where the original URL is supplanted by the onefound in theLocation header of the 302 response, DNS redirection is completelytransparent to the User Agent. As a result, the TLS connection to the dCDNedge is done with a Server Name Indication (SNI) equal to thehost in theoriginal URI -- in the example,video.cp.example. So, in order tosuccessfully complete the handshake, the landing dCDN node has to be configuredwith a certificate whosesubjectAltName field matchesvideo.cp.example, i.e., acontent provider's name.¶
Figure 12 illustrates the cascaded delegation flow that allows dCDN toobtain a STAR certificate that bears a name belonging to the content providerwith a private key that is only known to the dCDN.¶
uCDN is configured to delegate to dCDN, and CP is configured to delegate to uCDN, both as defined inSection 2.3.1.¶
star-certificate URL.¶Note that 9 and 10 repeat until the delegation expires or is terminated.¶
As a second use case, we consider the delegation of credentials in the STIRecosystem[RFC9060].¶
This section uses STIR terminology. The term Personal Assertion Token (PASSporT) is defined in[RFC8225], and "TNAuthList" is defined in[RFC8226].¶
In the STIR delegated mode, a service provider SP2 -- the NDC -- needs to signPASSporTs[RFC8225] for telephone numbers (e.g., TN=+123) belonging toanother service provider, SP1 -- the IdO. In order to do that, SP2 needs a STIRcertificate and a private key that includes TN=+123 in the TNAuthList[RFC8226] certificate extension.¶
star-certificate URL in the order to fetch the rollingSTAR certificate bearing the delegated identifiers.¶As shown, the STAR delegation profile described in this document appliesstraightforwardly; the only extra requirement being the ability to instruct theNDC about the allowed TNAuthList values. This can be achieved by a simpleextension to the CSR template.¶
This document adds the following entries to the "ACME Directory Metadata Fields" registry:¶
| Field Name | Field Type | Reference |
|---|---|---|
| delegation-enabled | boolean | RFC 9115 |
| allow-certificate-get | boolean | RFC 9115 |
This document adds the following entries to the "ACME Order Object Fields" registry:¶
| Field Name | Field Type | Configurable | Reference |
|---|---|---|---|
| allow-certificate-get | boolean | true | RFC 9115 |
| delegation | string | true | RFC 9115 |
This document adds the following entries to the "ACME Account Object Fields" registry:¶
| Field Name | Field Type | Requests | Reference |
|---|---|---|---|
| delegations | string | none | RFC 9115 |
Note that thedelegations field is only reported by ACME servers that havedelegation-enabled set to true in their meta Object.¶
This document adds the following entries to the "ACME Error Types" registry:¶
| Type | Description | Reference |
|---|---|---|
| unknownDelegation | An unknown configuration is listed in thedelegation attribute of the order request | RFC 9115 |
IANA has established the "STAR Delegation CSR TemplateExtensions" registry, with "Specification Required" as its registration procedure.¶
Each extension registered must specify:¶
The initial contents of this registry are the extensions defined by the CDDLinAppendix A.¶
| Extension Name | Extension Syntax | Mapping to X.509 Certificate Extension |
|---|---|---|
| keyUsage | SeeAppendix A | [RFC5280],Section 4.2.1.3 |
| extendedKeyUsage | SeeAppendix A | [RFC5280],Section 4.2.1.12 |
| subjectAltName | SeeAppendix A | [RFC5280],Section 4.2.1.6 (note that only specific name formats are allowed: URI, DNS name, email address) |
When evaluating a request for an assignment in this registry, the designated expert should follow this guidance:¶
The ACME trust model needs to be extended to include the trust relationshipbetween NDC and IdO. Note that once this trust link is established, itpotentially becomes recursive. Therefore, there has to be a trust relationshipbetween each of the nodes in the delegation chain; for example, in case ofcascading CDNs, this is contractually defined. Note that when using standard[RFC6125] identity verification, there are no mechanisms available to the IdOto restrict the use of the delegated name once the name has been handed over tothe first NDC. It is, therefore, expected that contractual measures are in placeto get some assurance that redelegation is not being performed.¶
Delegation introduces a new security goal: only an NDC that has been authorizedby the IdO, either directly or transitively, can obtain a certificate with anIdO identity.¶
From a security point of view, the delegation process has five separate parts:¶
The first part is covered by the NDC's ACME account that is administered by theIdO, whose security relies on the correct handling of the associated key pair.When a compromise of the private key is detected, the delegateMUST use theaccount deactivation procedures defined inSection 7.3.6 of [RFC8555].¶
The second part is covered by the act of checking an NDC's certificate requestagainst the intended CSR template. The steps of shaping the CSR templatecorrectly, selecting the right CSR template to check against the presented CSR,and making sure that the presented CSR matches the selected CSR template areall security relevant.¶
The third part builds on the trust relationship between NDC and IdO that isresponsible for correctly forwarding the certificate URL from the Orderreturned by the CA.¶
The fourth part is associated with the ability of the IdO to unilaterallyremove thedelegation object associated with the revoked identity, therefore,disabling any further NDC requests for such identity. Note that, in moreextreme circumstances, the IdO might decide to disable the NDC account,thus entirely blocking any further interaction.¶
The fifth is covered by two different mechanisms, depending on the nature ofthe certificate. For STAR, the IdO shall use the cancellation interfacedefined inSection 2.3 of [RFC8739]. For non-STAR, the certificate revocationinterface defined inSection 7.6 of [RFC8555]) is used.¶
The ACME account associated with the delegation plays a crucial role in theoverall security of the presented protocol. This, in turn, means that (indelegation scenarios) the security requirements and verification associated withan ACME account may be more stringent than in base ACME deployments, since theout-of-band configuration of delegations that an account is authorized to use(combined with account authentication) takes the place of the normal ACMEauthorization challenge procedures. Therefore, the IdOMUST ensure thateach account is associated with the exact policies (via their matchingdelegation objects)that define which domain names can be delegated to the account and how.The IdO is expected to use out-of-band means to preregister each NDC tothe corresponding account.¶
Using the model established inSection 10.1 of [RFC8555], we can decomposethe interactions of the basic delegation workflow, as shown inFigure 14.¶
The considerations regarding the security of the ACME Channel and ValidationChannel discussed in[RFC8555] apply verbatim to the IdO-CA leg.The same can be said for the ACME Channel on the NDC-IdO leg. A slightlydifferent set of considerations apply to the ACME Channel between the NDC and CA,which consists of a subset of the ACME interface comprising two APIendpoints: the unauthenticated certificate retrieval and, potentially, non-STARrevocation via certificate private key. No specific security considerationsapply to the former, but the privacy considerations inSection 6.3 of [RFC8739] do. With regard to the latter, it should be noted that there iscurrently no means for an IdO to disable authorizing revocation based oncertificate private keys. So, in theory, an NDC could use the revocation APIdirectly with the CA, therefore, bypassing the IdO. The NDCSHOULD NOTdirectly use the revocation interface exposed by the CA unless failingto do so would compromise the overall security, for example, if the certificateprivate key is compromised and the IdO is not currently reachable.¶
All other security considerations from[RFC8555] and[RFC8739] applyas is to the delegation topology.¶
When a website is delegated to a CDN, the CDN can in principle modify the website at will, e.g., create and remove pages. This means that a malicious or breachedCDN can pass the ACME (as well as common non-ACME) HTTPS-based validationchallenges and generate a certificate for the site. This is true regardless ofwhether or not the CNAME mechanisms defined in the current document is used.¶
In some cases, this is the desired behavior; the domain holder trusts the CDN tohave full control of the cryptographic credentials for the site. However, thisdocument assumes a scenario where the domain holder only wants to delegaterestricted control and wishes to retain the capability to cancel the CDN'scredentials at a short notice.¶
The following is a possible mitigation when the IdO wishes to ensure that arogue CDN cannot issue unauthorized certificates:¶
We note that the above solution may need to be tweaked depending on the exactcapabilities and authorization flows supported by the selected CA.In addition, this mitigation may be bypassed if a malicious or misconfigured CAdoes not comply with CAA restrictions.¶
Following is the normative definition of the CSR template using CDDL[RFC8610]. The CSR templateMUST be a valid JSON document that is compliant with the syntax defined here.¶
There are additional constraints not expressed in CDDL thatMUST be validatedby the recipient, including:¶
subjectAltName entry is compatible with its type and¶keyTypes entry form an acceptable combination.¶csr-template-schema = { keyTypes: [ + $keyType ] ? subject: non-empty<distinguishedName> extensions: extensions}non-empty<M> = (M) .and ({ + any => any })mandatory-wildcard = "**"optional-wildcard = "*"wildcard = mandatory-wildcard / optional-wildcard; regtext matches all text strings but "*" and "**"regtext = text .regexp "([^\*].*)|([\*][^\*].*)|([\*][\*].+)"regtext-or-wildcard = regtext / wildcarddistinguishedName = { ? country: regtext-or-wildcard ? stateOrProvince: regtext-or-wildcard ? locality: regtext-or-wildcard ? organization: regtext-or-wildcard ? organizationalUnit: regtext-or-wildcard ? emailAddress: regtext-or-wildcard ? commonName: regtext-or-wildcard}$keyType /= rsaKeyType$keyType /= ecdsaKeyTypersaKeyType = { PublicKeyType: "rsaEncryption" ; OID: 1.2.840.113549.1.1.1 PublicKeyLength: rsaKeySize SignatureType: $rsaSignatureType}rsaKeySize = uint; RSASSA-PKCS1-v1_5 with SHA-256$rsaSignatureType /= "sha256WithRSAEncryption"; RSASSA-PCKS1-v1_5 with SHA-384$rsaSignatureType /= "sha384WithRSAEncryption"; RSASSA-PCKS1-v1_5 with SHA-512$rsaSignatureType /= "sha512WithRSAEncryption"; RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a 32 byte salt$rsaSignatureType /= "sha256WithRSAandMGF1"; RSASSA-PSS with SHA-384, MGF-1 with SHA-384, and a 48 byte salt$rsaSignatureType /= "sha384WithRSAandMGF1"; RSASSA-PSS with SHA-512, MGF-1 with SHA-512, and a 64 byte salt$rsaSignatureType /= "sha512WithRSAandMGF1"ecdsaKeyType = { PublicKeyType: "id-ecPublicKey" ; OID: 1.2.840.10045.2.1 namedCurve: $ecdsaCurve SignatureType: $ecdsaSignatureType}$ecdsaCurve /= "secp256r1" ; OID: 1.2.840.10045.3.1.7$ecdsaCurve /= "secp384r1" ; OID: 1.3.132.0.34$ecdsaCurve /= "secp521r1" ; OID: 1.3.132.0.3$ecdsaSignatureType /= "ecdsa-with-SHA256" ; paired with secp256r1$ecdsaSignatureType /= "ecdsa-with-SHA384" ; paired with secp384r1$ecdsaSignatureType /= "ecdsa-with-SHA512" ; paired with secp521r1subjectaltname = { ? DNS: [ + regtext-or-wildcard ] ? Email: [ + regtext ] ? URI: [ + regtext ] * $$subjectaltname-extension}extensions = { ? keyUsage: [ + keyUsageType ] ? extendedKeyUsage: [ + extendedKeyUsageType ] subjectAltName: non-empty<subjectaltname>}keyUsageType /= "digitalSignature"keyUsageType /= "nonRepudiation"keyUsageType /= "keyEncipherment"keyUsageType /= "dataEncipherment"keyUsageType /= "keyAgreement"keyUsageType /= "keyCertSign"keyUsageType /= "cRLSign"keyUsageType /= "encipherOnly"keyUsageType /= "decipherOnly"extendedKeyUsageType /= "serverAuth"extendedKeyUsageType /= "clientAuth"extendedKeyUsageType /= "codeSigning"extendedKeyUsageType /= "emailProtection"extendedKeyUsageType /= "timeStamping"extendedKeyUsageType /= "OCSPSigning"extendedKeyUsageType /= oidoid = text .regexp "([0-2])((\.0)|(\.[1-9][0-9]*))*"¶This appendix includes an alternative, nonnormative JSON Schema definition of the CSR template. The syntax used is that of draft 7 of JSON Schema, which is documented in[json-schema-07]. Note that later versions of this (now-expired) draft describe later versions of the JSON Schema syntax. At the time of writing, a stable reference for this syntax is not yet available, and we have chosen to use the draft version, which is currently best supported by tool implementations.¶
The same considerations about additional constraints checking discussed inAppendix A apply here as well.¶
{ "title": "JSON Schema for the STAR Delegation CSR template", "$schema": "http://json-schema.org/draft-07/schema#", "$id": "http://ietf.org/acme/drafts/star-delegation/csr-template", "$defs": { "distinguished-name": { "$id": "#distinguished-name", "type": "object", "minProperties": 1, "properties": { "country": { "type": "string" }, "stateOrProvince": { "type": "string" }, "locality": { "type": "string" }, "organization": { "type": "string" }, "organizationalUnit": { "type": "string" }, "emailAddress": { "type": "string" }, "commonName": { "type": "string" } }, "additionalProperties": false }, "rsaKeyType": { "$id": "#rsaKeyType", "type": "object", "properties": { "PublicKeyType": { "type": "string", "const": "rsaEncryption" }, "PublicKeyLength": { "type": "integer" }, "SignatureType": { "type": "string", "enum": [ "sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption", "sha256WithRSAandMGF1", "sha384WithRSAandMGF1", "sha512WithRSAandMGF1" ] } }, "required": [ "PublicKeyType", "PublicKeyLength", "SignatureType" ], "additionalProperties": false }, "ecdsaKeyType": { "$id": "#ecdsaKeyType", "type": "object", "properties": { "PublicKeyType": { "type": "string", "const": "id-ecPublicKey" }, "namedCurve": { "type": "string", "enum": [ "secp256r1", "secp384r1", "secp521r1" ] }, "SignatureType": { "type": "string", "enum": [ "ecdsa-with-SHA256", "ecdsa-with-SHA384", "ecdsa-with-SHA512" ] } }, "required": [ "PublicKeyType", "namedCurve", "SignatureType" ], "additionalProperties": false } }, "type": "object", "properties": { "keyTypes": { "type": "array", "minItems": 1, "items": { "anyOf": [ { "$ref": "#rsaKeyType" }, { "$ref": "#ecdsaKeyType" } ] } }, "subject": { "$ref": "#distinguished-name" }, "extensions": { "type": "object", "properties": { "keyUsage": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly" ] } }, "extendedKeyUsage": { "type": "array", "minItems": 1, "items": { "anyOf": [ { "type": "string", "enum": [ "serverAuth", "clientAuth", "codeSigning", "emailProtection", "timeStamping", "OCSPSigning" ] }, { "type": "string", "pattern": "^([0-2])((\\.0)|(\\.[1-9][0-9]*))*$", "description": "Used for OID values" } ] } }, "subjectAltName": { "type": "object", "minProperties": 1, "properties": { "DNS": { "type": "array", "minItems": 1, "items": { "anyOf": [ { "type": "string", "enum": [ "*", "**" ] }, { "type": "string", "format": "hostname" } ] } }, "Email": { "type": "array", "minItems": 1, "items": { "type": "string", "format": "email" } }, "URI": { "type": "array", "minItems": 1, "items": { "type": "string", "format": "uri" } } }, "additionalProperties": false } }, "required": [ "subjectAltName" ], "additionalProperties": false } }, "required": [ "extensions", "keyTypes" ], "additionalProperties": false}¶We would like to thank the following people who contributed significantly to this document with their review comments and design proposals:Richard Barnes,Carsten Bormann,Roman Danyliw,Lars Eggert,Frédéric Fieau,Russ Housley,Ben Kaduk,Eric Kline,Sanjay Mishra,Francesca Palombini,Jon Peterson,Ryan Sleevi,Emile Stephan, andÉric Vyncke.¶
This work is partially supported by the European Commission under Horizon 2020grant agreement no. 688421 Measurement and Architecture for a MiddleboxedInternet (MAMI). This support does not imply endorsement.¶