Re: [alto] Redistribution (was: Reprise of REST comments)
Richard Alimi <rich@velvetsea.net> Thu, 06 January 2011 06:30 UTC
Return-Path: <richard.alimi@gmail.com>
X-Original-To: alto@core3.amsl.com
Delivered-To: alto@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3498B3A6B1F for <alto@core3.amsl.com>; Wed, 5 Jan 2011 22:30:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Level:
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ecVKSyqEJWOI for <alto@core3.amsl.com>; Wed, 5 Jan 2011 22:30:06 -0800 (PST)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 3CD143A6BF1 for <alto@ietf.org>; Wed, 5 Jan 2011 22:30:06 -0800 (PST)
Received: by iwn40 with SMTP id 40so17021122iwn.31 for <alto@ietf.org>; Wed, 05 Jan 2011 22:32:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=Yt4n3Fy6QJFPOQFEOmqqYhXM+2L/p71YQn7MpN4sSik=; b=xxUUw/cDm9k550MIe7j9LRMDB3EKREqgL233TOjfVmP+NJeSFHotl5NLnjaOZpiglQ qVvXsnwbLur5qsZmt0KDgl/zK824NwWNwJedwUTFJX1zW6O8kT0xmt4WsWf7AFX94Tg4 sXvHu9lcQe0MA0ho2mVSClS8MlGqLnmbNYti8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=pJ0Y1jblCfR2uQBdL75s/dk8vbks1yvTKHlhKwIiOk4Mcwty0RA56LfE8zMMuOT6kQ a2SENDEA7+AH/Kx1nPi/BqoiStmt7HXE4IwjCN5zLEGHrhHL5e9gpy/kjq9z/iwqtD1t 9g0zu5DRkZpD2sSHi7ICCDYp+XJdIhrK2C3gw=
MIME-Version: 1.0
Received: by 10.231.13.133 with SMTP id c5mr710193iba.39.1294295532788; Wed, 05 Jan 2011 22:32:12 -0800 (PST)
Sender: richard.alimi@gmail.com
Received: by 10.231.31.8 with HTTP; Wed, 5 Jan 2011 22:32:12 -0800 (PST)
In-Reply-To: <8B0A9FCBB9832F43971E38010638454F03F50ED652@SISPE7MB1.commscope.com>
References: <8B0A9FCBB9832F43971E38010638454F03F336538D@SISPE7MB1.commscope.com> <AANLkTi=MzkpVSw5Nvet2GLdaEGFYCKo++eKbZbG5QCj3@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03F50ED506@SISPE7MB1.commscope.com> <AANLkTimvg4A8zB0SH4ZLfbCBN7sFyLCcL5Fwnvzu6iGk@mail.gmail.com> <8B0A9FCBB9832F43971E38010638454F03F50ED652@SISPE7MB1.commscope.com>
Date: Wed, 05 Jan 2011 22:32:12 -0800
X-Google-Sender-Auth: U-AVyI8c5Mi3KKhnSElTsZkBBhM
Message-ID: <AANLkTi=BduAW0ToYr-4TC8KfewAK9Kp8KghORKpW1CaE@mail.gmail.com>
From: Richard Alimi <rich@velvetsea.net>
To: "Thomson, Martin" <Martin.Thomson@andrew.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "alto@ietf.org" <alto@ietf.org>
Subject: Re: [alto] Redistribution (was: Reprise of REST comments)
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/alto>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jan 2011 06:30:12 -0000
Hi Martin, On Wed, Jan 5, 2011 at 2:56 PM, Thomson, Martin <Martin.Thomson@andrew.com> wrote: > On 2011-01-05 at 19:38:02, Richard Alimi wrote: >> > Digital signatures are one way of checking, but there are other >> options: >> > >> > - MD5 is pretty weak by modern standards, but a HEAD request to the >> URI could produce a Content-MD5 header. >> > - Use a link header (and a HEAD request) to include a link to a >> digest if MD5 is no good. >> > - Wait for someone else to invent some better HTTP integrity >> mechanism. Mark Nottingham is interested in designing something for >> more general caching applications. >> > >> > I'm going to advise that the latter is the course you want to follow, >> perhaps leaving other options open in the meantime. No point in >> inheriting more complexity than absolutely necessary. >> > >> >> Each of these three options requires the ALTO Client to send a message >> to the HTTP server to verify, right? One of the goals of >> redistribution is to allow ALTO Clients to not contact an ALTO Server >> at all in the common case. With the existing solution, ALTO Clients >> need only download a certificate upon initial contact with the server, >> and can then verify ALTO Responses without contacting the server at >> all. Section 12.4 has some additional discussion on this. > > There's a fair difference between asking for data (and all that entails) and just asking for metadata in terms of denial of service. > > If, however, redistribution is a fundamental part of the architecture, then there's a lot of work to be done in getting that right. > > I'm not the security guy, but that signature mechanism looks like it needs some work. I like the fact that you have put the signature in metadata, but how does a client decide which of the many available public keys to use? There are potentially multiple sources that can provide a public key; before redirection comes into play. > I think Section 8.1.3 should answer the question here. Was it still ambiguous after reading this? If so, we can certainly clarify it. > From an HTTP perspective, I think that you will find that trailers are poorly supported. Current advice indicates that they have to be able to be ignored (see [1]), which might interfere with your use case - though this is definitely the right way to use trailers. > That's unfortunate. I think the requirements here are that an ALTO Server should be able to generate and an append a signature even for a dynamically-generated response which is streamed (as opposed to buffered) to a client. An alternative was to put the signature as some trailing portion of the JSON message (e.g., the last member of the outer-most object), but that seemed ugly since it seemed to require signing a subset of the JSON message, thus requiring us to define some canonical form that would be used for signature verification. Do you know of other alternatives beyond these two? > At a minimum, drop the PEM encoding, it doesn't play well with HTTP headers, nor does it really make sense: you just have a numeric value, so base64 alone should suffice. > Thanks - we can update that. > On balance, I'd still encourage you to investigate this separately to the rest of the protocol. You might find that you can get someone else to do the hard work for you. I also suspect that this sort of thing could be a sticking point in the many reviews this work has to navigate; don't let a small thing prevent the bigger thing from happening. > Splitting it out to a separate draft would be okay I think. Other feedback from the WG here? Rich > --Martin > > [1] http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12#page-36 >
- [alto] Reprise of REST comments Thomson, Martin
- Re: [alto] Reprise of REST comments Richard Alimi
- Re: [alto] Reprise of REST comments Thomson, Martin
- Re: [alto] Reprise of REST comments Richard Alimi
- Re: [alto] Redistribution (was: Reprise of REST c… Thomson, Martin
- Re: [alto] Redistribution (was: Reprise of REST c… Richard Alimi
- Re: [alto] Redistribution (was: Reprise of REST c… Thomson, Martin
- Re: [alto] Redistribution (was: Reprise of REST c… Richard Alimi
- Re: [alto] Redistribution (was: Reprise of REST c… Thomson, Martin