Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
Phil Sorber <sorber@apache.org> Sun, 25 July 2021 19:55 UTC
Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B09023A3761 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.897
X-Spam-Level:
X-Spam-Status: No, score=-14.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOwXQM7Ld2-s for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:55:26 -0700 (PDT)
Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465D33A375F for <cdni@ietf.org>; Sun, 25 Jul 2021 12:55:26 -0700 (PDT)
Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with SMTP id 5299E3E9E6 for <cdni@ietf.org>; Sun, 25 Jul 2021 19:55:25 +0000 (UTC)
Received: (qmail 60620 invoked by uid 99); 25 Jul 2021 19:55:25 -0000
Received: from ec2-52-204-25-47.compute-1.amazonaws.com (HELO mailrelay1-ec2-va.apache.org) (52.204.25.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Jul 2021 19:55:25 +0000
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mailrelay1-ec2-va.apache.org (ASF Mail Server at mailrelay1-ec2-va.apache.org) with ESMTPSA id F2E9C3E9F9 for <cdni@ietf.org>; Sun, 25 Jul 2021 19:55:24 +0000 (UTC)
Received: by mail-wr1-f48.google.com with SMTP id e2so8474961wrq.6 for <cdni@ietf.org>; Sun, 25 Jul 2021 12:55:24 -0700 (PDT)
X-Gm-Message-State: AOAM533/rbiGHyLGHD6anbE9u8HDiyCoKPAWQq/GTgn32S8i6mKAEi55 mHVyU5teoAUNVApPCjnv6VmlpkC7ME18yaH6n/E=
X-Google-Smtp-Source: ABdhPJxtriwQduPWlp+aUlgorfmf9sJZO5UKZo5+jqF1FkbxW3ONmWIAIuHOfhuk5Ttk+J7fNBvILhwkHuJuDj3aU4g=
X-Received: by 2002:a05:6000:154c:: with SMTP id 12mr15808400wry.393.1627242924278; Sun, 25 Jul 2021 12:55:24 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com> <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com> <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com> <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
In-Reply-To: <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
From: Phil Sorber <sorber@apache.org>
Date: Sun, 25 Jul 2021 13:55:13 -0600
X-Gmail-Original-Message-ID: <CABF6JR2AOrVu1UhsZ-49GP9Z2oxXXDNOxJL+EN5nYU5FzOYjTw@mail.gmail.com>
Message-ID: <CABF6JR2AOrVu1UhsZ-49GP9Z2oxXXDNOxJL+EN5nYU5FzOYjTw@mail.gmail.com>
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>, Chris Lemmons <alficles@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000077076705c7f80471"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/-VExtDicbcluYUL-gRS3QuB1aL4>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 19:55:31 -0000
Off the top of my head, I think we’d want to limit it to sections 3.2.7 and 3.2.8. I need to think on it more and get back to you. On Sun, Jul 25, 2021 at 13:13 Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote: > Hi Chris, > > Thanks for laying those out. > > (As an individual) Of the two proposals, I prefer option 1, as I think > it is better to have some expectations listed in the spec and not just punt > it to an out-of-band requirement. I don't see an issue with adding a > normative reference to RFC6570 and stating those expectations. I don't > think we're terribly far off from that with the existing text. And given > the previous last call discussion with Mark, I'm hopeful he would approve. > > (As a chair) Phil, do you, or any others in the WG have any thoughts on > this proposal? > > thanx. > > -- Kevin J. Ma > > On Sun, Jul 25, 2021 at 1:11 AM Chris Lemmons <alficles@gmail.com> wrote: > >> I see at least two options. One option is something very close to what >> you suggested earlier: Revise the text to have a normative dependence >> on 6570 and say that implementations MUST accept parameters in the >> format generated by a URI template of a particular form. This doesn't >> help a processor know what to do with ambiguous input, which isn't >> great, but it does at least let the processor implement in a way that >> covers all valid forms. Of all the suggestions made so far, this is >> the one I like the most. But I don't think it gets us out of the >> trouble Mark brought up. That is, we're effectively defining a format >> on a part of the URI by saying it has to be generated in a particular >> form. If, however, everybody is happy with normative text requiring >> the processing of template-generated URIs with usefully defined >> templates, that works for me. It's a target you can aim at. >> >> The other main option is to take the token location out entirely and >> remove the MUST. You can imagine text similar to: The URI Signing >> Package will be found by parsing the URI. The details of how the URI >> will be parsed will be communicated out-of-band between the CSP, uCDN >> and and all dCDNs. >> >> If we take the first approach, we're effectively standardizing part of >> the URI. If we take the second approach, we're not standardizing the >> URI, but it's also impossible to use URI Signing without some explicit >> agreement between the parties. (Some communication out-of-band is >> expected, to transfer the trusted keys, so this isn't _totally_ out of >> the realm of possibility.) Practically, though, there are only a few >> reasonable places to look, so we're just waving our hands and assuming >> without saying it aloud that everybody will use the format generated >> by 6570 or something close. >> >> There's no way to do URI Signing without having somewhere in the URI >> that can be recognized as having a token in it. You can do it >> explicitly or implicitly, but you have to do it. I think that what >> we're doing here is in application-land instead of extension-land and >> option 1 is fine. But others may not agree there. >> >> On Sat, Jul 24, 2021 at 8:23 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> >> wrote: >> > >> > Hi Chris, >> > >> > Do you have a solution proposal? >> > >> > thanx. >> > >> > -- Kevin J. Ma >> > >> > On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com> >> wrote: >> >> >> >> I honestly think that URI Signing is more appropriately understood as >> >> an application than an extension of HTTP. You can't use URI Signing >> >> without special agreement between the entity producing the URI and the >> >> one that finally processes it. You can't for example, give a signed >> >> URI to a CDN or other server that isn't expecting to process it. >> >> >> >> We could make the location of the token entirely outside the confines >> >> of the specification, allowing signers and processors to communicate >> >> out-of-band about where the token will be. That would considerably >> >> reduce the value and interoperability provided in the document, >> >> though. >> >> >> >> As it stands, there's a MUST requirement that requires that you do >> >> something that isn't documented anywhere. It's not possible for an >> >> implementation to know whether they are meeting the MUST parse path >> >> parameters requirement without anything that describes what a path >> >> parameter is. >> >> >> >> On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> >> wrote: >> >> > >> >> > Hi Chris, >> >> > >> >> > (As chair) I don't disagree that it would be nice if there was an >> RFC like RFC6570 that explicitly described the parsing rules. But I think >> the point of RFC8820 is that we should not be defining those rules in the >> URI signing RFC. Does that mean we should hold off on URI signing until >> such time as Mark writes that other RFC? I think Mark's acceptance of the >> current text during last call ( >> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) >> implies no. That said, if there are editorial changes that would make the >> reading easier, we can still consider those, but I don't think we >> can/should add prescriptive text. >> >> > >> >> > I guess I would be interested if any others in the WG have >> significant concerns about the ambiguity or interoperability? >> >> > >> >> > thanx. >> >> > >> >> > -- Kevin J. Ma >> >> > >> >> > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> >> wrote: >> >> >> >> >> >> The problem I'm running into with 6570 is that it _only_ describes a >> >> >> format for producing URIs, not one for understanding them. For >> >> >> example, if you receive this URI, what is the correct behaviour? >> >> >> >> >> >> >> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT >> >> >> >> >> >> This was once considered best practice: >> >> >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2 >> >> >> >> >> >> Is the idea to require query strings to comply with the encoding and >> >> >> decoding requirements of application/x-www-form-urlencoded? If so, >> >> >> don't we run into the same problem as before with 8820? >> >> >> >> >> >> And it's mostly possible to reverse-engineer the path format from >> 6570 >> >> >> into an unwritten expectation of a format, but I'm not sure an >> >> >> undocumented format is better than a documented one here. >> >> >> >> >> >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> >> wrote: >> >> >> > >> >> >> > Hi Chris, >> >> >> > >> >> >> > > Unfortunately, there exists no specification for path-style or >> form-style parameters, so it is impossible for an implementer to know how >> to reliably locate the token. >> >> >> > >> >> >> > My understanding from the discussion with Mark ( >> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) >> is that "path-style" and "form-style" refer to the corresponding >> descriptions in RFC6570. Do you think it would help if we added a >> reference to RFC6570 and some text to the effect of "where path-style and >> form-style parameters conform to RFC6570 path-style parameter and >> form-style query expansion formats, respectively"? >> >> >> > >> >> >> > > I also wonder whether URI Signing is properly understood as an >> Extension or an Application, in the terms of 8820. >> >> >> > >> >> >> > I think URI Signing should be classified as an "Extension". As >> you noted, RFC8820 explicitly notes "signature mechanisms", and we did >> explicitly discuss our use case with Mark when he first asked us to "get >> off his lawn" ( >> https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/). >> Do you think an explicit declaration and reference to RFC8820 would help? >> >> >> > >> >> >> > thanx. >> >> >> > >> >> >> > -- Kevin J. Ma >> >> >> > >> >> >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> >> wrote: >> >> >> >> >> >> >> >> I'd like to bring this up again because I think it's a >> potentially >> >> >> >> serious implementation concern and I don't see an easy way >> around it. >> >> >> >> There is a MUST requirement in the latest draft: >> >> >> >> >> >> >> >> The URI Signing Package will be found by parsing any >> path-style >> >> >> >> parameters and form-style parameters looking for a key name >> matching >> >> >> >> the URI Signing Package Attribute. Both parameter styles >> MUST be >> >> >> >> supported to allow flexibility of operation. >> >> >> >> >> >> >> >> Unfortunately, there exists no specification for path-style or >> >> >> >> form-style parameters, so it is impossible for an implementer to >> know >> >> >> >> how to reliably locate the token. This appears to be by design, >> >> >> >> though. ( See RFC 8820: >> https://datatracker.ietf.org/doc/html/rfc8820 >> >> >> >> , which is now published.) >> >> >> >> >> >> >> >> I think the intent of this wording is to imply that everybody >> should >> >> >> >> use application/x-www-form-urlencoded for form-style parameters >> and >> >> >> >> path-style parameters that look like "path;param1=a,param2=b", >> but >> >> >> >> aren't specified anywhere in particular. >> >> >> >> >> >> >> >> I see no way for an implementer to determine whether they've met >> the >> >> >> >> requirement set out that they MUST meet as it is written. >> >> >> >> >> >> >> >> I also wonder whether URI Signing is properly understood as an >> >> >> >> Extension or an Application, in the terms of 8820. I think it >> wants to >> >> >> >> be an Extension (for example: `a new signature mechanism for >> "http" >> >> >> >> URIs`), but might be an Application in practice (`an HTTP >> interface to >> >> >> >> particular information on a host`). I think important to the >> >> >> >> discussion is that URI Signing is a mechanism added by an >> upstream >> >> >> >> entity that controls the content and its format. I think this is >> an >> >> >> >> important issue to resolve. >> >> >> >> >> >> >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons < >> alficles@gmail.com> wrote: >> >> >> >> > >> >> >> >> > The latest document replaces the path parsing logic with this: >> >> >> >> > >> >> >> >> > > URI Signing Package (URISigningPackage): The URI attribute >> that encapsulates all the URI Signing claims in a signed JWT encoded >> format. This attribute is exposed in the Signed URI as a path-style >> parameter or a form-style parameter. >> >> >> >> > >> >> >> >> > Unfortunately, that doesn't give implementers any idea what >> needs to >> >> >> >> > be parsed. I read through the conversation on last-call with >> mnot >> >> >> >> > ( >> https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/ >> ), >> >> >> >> > especially with regard to BCP190. I also read through RFC6570 >> and >> >> >> >> > you're right, it doesn't work for our use case because it's >> generating >> >> >> >> > URI, not consuming them. And it's for precisely this reason >> that we >> >> >> >> > need to be specific in what is accepted. >> >> >> >> > >> >> >> >> > As near as I can tell, there is actually no standard anywhere >> that >> >> >> >> > describes "path-style parameters". And there are multiple >> methods for >> >> >> >> > defining "form-style parameters", some more recent than others >> and in >> >> >> >> > varying levels of use generally on the Internet. How can a >> document >> >> >> >> > have a MUST requirement that requires parsing a specific >> structure >> >> >> >> > that isn't specified anywhere or even widely agreed upon? >> >> >> >> > >> >> >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> >> wrote: >> >> >> >> > > >> >> >> >> > > >> >> >> >> > > A New Internet-Draft is available from the on-line >> Internet-Drafts directories. >> >> >> >> > > This draft is a work item of the Content Delivery Networks >> Interconnection WG of the IETF. >> >> >> >> > > >> >> >> >> > > Title : URI Signing for Content Delivery >> Network Interconnection (CDNI) >> >> >> >> > > Authors : Ray van Brandenburg >> >> >> >> > > Kent Leung >> >> >> >> > > Phil Sorber >> >> >> >> > > Filename : draft-ietf-cdni-uri-signing-21.txt >> >> >> >> > > Pages : 41 >> >> >> >> > > Date : 2021-02-11 >> >> >> >> > > >> >> >> >> > > Abstract: >> >> >> >> > > This document describes how the concept of URI Signing >> supports the >> >> >> >> > > content access control requirements of Content Delivery >> Network >> >> >> >> > > Interconnection (CDNI) and proposes a URI Signing method >> as a JSON >> >> >> >> > > Web Token (JWT) profile. >> >> >> >> > > >> >> >> >> > > The proposed URI Signing method specifies the information >> needed to >> >> >> >> > > be included in the URI to transmit the signed JWT, as >> well as the >> >> >> >> > > claims needed by the signed JWT to authorize a User Agent >> (UA). The >> >> >> >> > > mechanism described can be used both in CDNI and single >> Content >> >> >> >> > > Delivery Network (CDN) scenarios. >> >> >> >> > > >> >> >> >> > > >> >> >> >> > > The IETF datatracker status page for this draft is: >> >> >> >> > > >> https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ >> >> >> >> > > >> >> >> >> > > There are also htmlized versions available at: >> >> >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21 >> >> >> >> > > >> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21 >> >> >> >> > > >> >> >> >> > > A diff from the previous version is available at: >> >> >> >> > > >> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21 >> >> >> >> > > >> >> >> >> > > >> >> >> >> > > Please note that it may take a couple of minutes from the >> time of submission >> >> >> >> > > until the htmlized version and diff are available at >> tools.ietf.org. >> >> >> >> > > >> >> >> >> > > Internet-Drafts are also available by anonymous FTP at: >> >> >> >> > > ftp://ftp.ietf.org/internet-drafts/ >> >> >> >> > > >> >> >> >> > > >> >> >> >> > > _______________________________________________ >> >> >> >> > > CDNi mailing list >> >> >> >> > > CDNi@ietf.org >> >> >> >> > > https://www.ietf.org/mailman/listinfo/cdni >> >> >> >> >> >> >> >> _______________________________________________ >> >> >> >> CDNi mailing list >> >> >> >> CDNi@ietf.org >> >> >> >> https://www.ietf.org/mailman/listinfo/cdni >> >
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber