IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Phil Sorber <sorber@apache.org> Sun, 25 July 2021 19:55 UTC

Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B09023A3761 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.897
X-Spam-Level:
X-Spam-Status: No, score=-14.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOwXQM7Ld2-s for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:55:26 -0700 (PDT)
Received: from mxout1-ec2-va.apache.org (mxout1-ec2-va.apache.org [3.227.148.255]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 465D33A375F for <cdni@ietf.org>; Sun, 25 Jul 2021 12:55:26 -0700 (PDT)
Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-ec2-va.apache.org (ASF Mail Server at mxout1-ec2-va.apache.org) with SMTP id 5299E3E9E6 for <cdni@ietf.org>; Sun, 25 Jul 2021 19:55:25 +0000 (UTC)
Received: (qmail 60620 invoked by uid 99); 25 Jul 2021 19:55:25 -0000
Received: from ec2-52-204-25-47.compute-1.amazonaws.com (HELO mailrelay1-ec2-va.apache.org) (52.204.25.47) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Jul 2021 19:55:25 +0000
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) by mailrelay1-ec2-va.apache.org (ASF Mail Server at mailrelay1-ec2-va.apache.org) with ESMTPSA id F2E9C3E9F9 for <cdni@ietf.org>; Sun, 25 Jul 2021 19:55:24 +0000 (UTC)
Received: by mail-wr1-f48.google.com with SMTP id e2so8474961wrq.6 for <cdni@ietf.org>; Sun, 25 Jul 2021 12:55:24 -0700 (PDT)
X-Gm-Message-State: AOAM533/rbiGHyLGHD6anbE9u8HDiyCoKPAWQq/GTgn32S8i6mKAEi55 mHVyU5teoAUNVApPCjnv6VmlpkC7ME18yaH6n/E=
X-Google-Smtp-Source: ABdhPJxtriwQduPWlp+aUlgorfmf9sJZO5UKZo5+jqF1FkbxW3ONmWIAIuHOfhuk5Ttk+J7fNBvILhwkHuJuDj3aU4g=
X-Received: by 2002:a05:6000:154c:: with SMTP id 12mr15808400wry.393.1627242924278; Sun, 25 Jul 2021 12:55:24 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com> <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com> <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com> <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
In-Reply-To: <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
From: Phil Sorber <sorber@apache.org>
Date: Sun, 25 Jul 2021 13:55:13 -0600
X-Gmail-Original-Message-ID: <CABF6JR2AOrVu1UhsZ-49GP9Z2oxXXDNOxJL+EN5nYU5FzOYjTw@mail.gmail.com>
Message-ID: <CABF6JR2AOrVu1UhsZ-49GP9Z2oxXXDNOxJL+EN5nYU5FzOYjTw@mail.gmail.com>
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>, Chris Lemmons <alficles@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000077076705c7f80471"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/-VExtDicbcluYUL-gRS3QuB1aL4>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 19:55:31 -0000

Off the top of my head, I think we’d want to limit it to sections 3.2.7 and
3.2.8. I need to think on it more and get back to you.

On Sun, Jul 25, 2021 at 13:13 Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:

> Hi Chris,
>
>   Thanks for laying those out.
>
>   (As an individual) Of the two proposals, I prefer option 1, as I think
> it is better to have some expectations listed in the spec and not just punt
> it to an out-of-band requirement.  I don't see an issue with adding a
> normative reference to RFC6570 and stating those expectations.  I don't
> think we're terribly far off from that with the existing text.  And given
> the previous last call discussion with Mark, I'm hopeful he would approve.
>
>   (As a chair) Phil, do you, or any others in the WG have any thoughts on
> this proposal?
>
> thanx.
>
> --  Kevin J. Ma
>
> On Sun, Jul 25, 2021 at 1:11 AM Chris Lemmons <alficles@gmail.com> wrote:
>
>> I see at least two options. One option is something very close to what
>> you suggested earlier: Revise the text to have a normative dependence
>> on 6570 and say that implementations MUST accept parameters in the
>> format generated by a URI template of a particular form. This doesn't
>> help a processor know what to do with ambiguous input, which isn't
>> great, but it does at least let the processor implement in a way that
>> covers all valid forms. Of all the suggestions made so far, this is
>> the one I like the most. But I don't think it gets us out of the
>> trouble Mark brought up. That is, we're effectively defining a format
>> on a part of the URI by saying it has to be generated in a particular
>> form. If, however, everybody is happy with normative text requiring
>> the processing of template-generated URIs with usefully defined
>> templates, that works for me. It's a target you can aim at.
>>
>> The other main option is to take the token location out entirely and
>> remove the MUST. You can imagine text similar to: The URI Signing
>> Package will be found by parsing the URI. The details of how the URI
>> will be parsed will be communicated out-of-band between the CSP, uCDN
>> and and all dCDNs.
>>
>> If we take the first approach, we're effectively standardizing part of
>> the URI. If we take the second approach, we're not standardizing the
>> URI, but it's also impossible to use URI Signing without some explicit
>> agreement between the parties. (Some communication out-of-band is
>> expected, to transfer the trusted keys, so this isn't _totally_ out of
>> the realm of possibility.) Practically, though, there are only a few
>> reasonable places to look, so we're just waving our hands and assuming
>> without saying it aloud that everybody will use the format generated
>> by 6570 or something close.
>>
>> There's no way to do URI Signing without having somewhere in the URI
>> that can be recognized as having a token in it. You can do it
>> explicitly or implicitly, but you have to do it. I think that what
>> we're doing here is in application-land instead of extension-land and
>> option 1 is fine. But others may not agree there.
>>
>> On Sat, Jul 24, 2021 at 8:23 PM Kevin Ma <kevin.j.ma.ietf@gmail.com>
>> wrote:
>> >
>> > Hi Chris,
>> >
>> >   Do you have a solution proposal?
>> >
>> > thanx.
>> >
>> > --  Kevin J. Ma
>> >
>> > On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com>
>> wrote:
>> >>
>> >> I honestly think that URI Signing is more appropriately understood as
>> >> an application than an extension of HTTP. You can't use URI Signing
>> >> without special agreement between the entity producing the URI and the
>> >> one that finally processes it. You can't for example, give a signed
>> >> URI to a CDN or other server that isn't expecting to process it.
>> >>
>> >> We could make the location of the token entirely outside the confines
>> >> of the specification, allowing signers and processors to communicate
>> >> out-of-band about where the token will be. That would considerably
>> >> reduce the value and interoperability provided in the document,
>> >> though.
>> >>
>> >> As it stands, there's a MUST requirement that requires that you do
>> >> something that isn't documented anywhere. It's not possible for an
>> >> implementation to know whether they are meeting the MUST parse path
>> >> parameters requirement without anything that describes what a path
>> >> parameter is.
>> >>
>> >> On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com>
>> wrote:
>> >> >
>> >> > Hi Chris,
>> >> >
>> >> >   (As chair) I don't disagree that it would be nice if there was an
>> RFC like RFC6570 that explicitly described the parsing rules.  But I think
>> the point of RFC8820 is that we should not be defining those rules in the
>> URI signing RFC.  Does that mean we should hold off on URI signing until
>> such time as Mark writes that other RFC?  I think Mark's acceptance of the
>> current text during last call (
>> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
>> implies no.  That said, if there are editorial changes that would make the
>> reading easier, we can still consider those, but I don't think we
>> can/should add prescriptive text.
>> >> >
>> >> >   I guess I would be interested if any others in the WG have
>> significant concerns about the ambiguity or interoperability?
>> >> >
>> >> > thanx.
>> >> >
>> >> > --  Kevin J. Ma
>> >> >
>> >> > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com>
>> wrote:
>> >> >>
>> >> >> The problem I'm running into with 6570 is that it _only_ describes a
>> >> >> format for producing URIs, not one for understanding them. For
>> >> >> example, if you receive this URI, what is the correct behaviour?
>> >> >>
>> >> >>
>> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT
>> >> >>
>> >> >> This was once considered best practice:
>> >> >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
>> >> >>
>> >> >> Is the idea to require query strings to comply with the encoding and
>> >> >> decoding requirements of application/x-www-form-urlencoded? If so,
>> >> >> don't we run into the same problem as before with 8820?
>> >> >>
>> >> >> And it's mostly possible to reverse-engineer the path format from
>> 6570
>> >> >> into an unwritten expectation of a format, but I'm not sure an
>> >> >> undocumented format is better than a documented one here.
>> >> >>
>> >> >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com>
>> wrote:
>> >> >> >
>> >> >> > Hi Chris,
>> >> >> >
>> >> >> > > Unfortunately, there exists no specification for path-style or
>> form-style parameters, so it is impossible for an implementer to know how
>> to reliably locate the token.
>> >> >> >
>> >> >> > My understanding from the discussion with Mark (
>> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
>> is that "path-style" and "form-style" refer to the corresponding
>> descriptions in RFC6570.  Do you think it would help if we added a
>> reference to RFC6570 and some text to the effect of "where path-style and
>> form-style parameters conform to RFC6570 path-style parameter and
>> form-style query expansion formats, respectively"?
>> >> >> >
>> >> >> > > I also wonder whether URI Signing is properly understood as an
>> Extension or an Application, in the terms of 8820.
>> >> >> >
>> >> >> > I think URI Signing should be classified as an "Extension".  As
>> you noted, RFC8820 explicitly notes "signature mechanisms", and we did
>> explicitly discuss our use case with Mark when he first asked us to "get
>> off his lawn" (
>> https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).
>> Do you think an explicit declaration and reference to RFC8820 would help?
>> >> >> >
>> >> >> > thanx.
>> >> >> >
>> >> >> > --  Kevin J. Ma
>> >> >> >
>> >> >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com>
>> wrote:
>> >> >> >>
>> >> >> >> I'd like to bring this up again because I think it's a
>> potentially
>> >> >> >> serious implementation concern and I don't see an easy way
>> around it.
>> >> >> >> There is a MUST requirement in the latest draft:
>> >> >> >>
>> >> >> >>    The URI Signing Package will be found by parsing any
>> path-style
>> >> >> >>    parameters and form-style parameters looking for a key name
>> matching
>> >> >> >>    the URI Signing Package Attribute.  Both parameter styles
>> MUST be
>> >> >> >>    supported to allow flexibility of operation.
>> >> >> >>
>> >> >> >> Unfortunately, there exists no specification for path-style or
>> >> >> >> form-style parameters, so it is impossible for an implementer to
>> know
>> >> >> >> how to reliably locate the token. This appears to be by design,
>> >> >> >> though. ( See RFC 8820:
>> https://datatracker.ietf.org/doc/html/rfc8820
>> >> >> >> , which is now published.)
>> >> >> >>
>> >> >> >> I think the intent of this wording is to imply that everybody
>> should
>> >> >> >> use application/x-www-form-urlencoded for form-style parameters
>> and
>> >> >> >> path-style parameters that look like "path;param1=a,param2=b",
>> but
>> >> >> >> aren't specified anywhere in particular.
>> >> >> >>
>> >> >> >> I see no way for an implementer to determine whether they've met
>> the
>> >> >> >> requirement set out that they MUST meet as it is written.
>> >> >> >>
>> >> >> >> I also wonder whether URI Signing is properly understood as an
>> >> >> >> Extension or an Application, in the terms of 8820. I think it
>> wants to
>> >> >> >> be an Extension (for example: `a new signature mechanism for
>> "http"
>> >> >> >> URIs`), but might be an Application in practice (`an HTTP
>> interface to
>> >> >> >> particular information on a host`). I think important to the
>> >> >> >> discussion is that URI Signing is a mechanism added by an
>> upstream
>> >> >> >> entity that controls the content and its format. I think this is
>> an
>> >> >> >> important issue to resolve.
>> >> >> >>
>> >> >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <
>> alficles@gmail.com> wrote:
>> >> >> >> >
>> >> >> >> > The latest document replaces the path parsing logic with this:
>> >> >> >> >
>> >> >> >> > > URI Signing Package (URISigningPackage): The URI attribute
>> that encapsulates all the URI Signing claims in a signed JWT encoded
>> format.  This attribute is exposed in the Signed URI as a path-style
>> parameter or a form-style parameter.
>> >> >> >> >
>> >> >> >> > Unfortunately, that doesn't give implementers any idea what
>> needs to
>> >> >> >> > be parsed. I read through the conversation on last-call with
>> mnot
>> >> >> >> > (
>> https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/
>> ),
>> >> >> >> > especially with regard to BCP190. I also read through RFC6570
>> and
>> >> >> >> > you're right, it doesn't work for our use case because it's
>> generating
>> >> >> >> > URI, not consuming them. And it's for precisely this reason
>> that we
>> >> >> >> > need to be specific in what is accepted.
>> >> >> >> >
>> >> >> >> > As near as I can tell, there is actually no standard anywhere
>> that
>> >> >> >> > describes "path-style parameters". And there are multiple
>> methods for
>> >> >> >> > defining "form-style parameters", some more recent than others
>> and in
>> >> >> >> > varying levels of use generally on the Internet. How can a
>> document
>> >> >> >> > have a MUST requirement that requires parsing a specific
>> structure
>> >> >> >> > that isn't specified anywhere or even widely agreed upon?
>> >> >> >> >
>> >> >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org>
>> wrote:
>> >> >> >> > >
>> >> >> >> > >
>> >> >> >> > > A New Internet-Draft is available from the on-line
>> Internet-Drafts directories.
>> >> >> >> > > This draft is a work item of the Content Delivery Networks
>> Interconnection WG of the IETF.
>> >> >> >> > >
>> >> >> >> > >         Title           : URI Signing for Content Delivery
>> Network Interconnection (CDNI)
>> >> >> >> > >         Authors         : Ray van Brandenburg
>> >> >> >> > >                           Kent Leung
>> >> >> >> > >                           Phil Sorber
>> >> >> >> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
>> >> >> >> > >         Pages           : 41
>> >> >> >> > >         Date            : 2021-02-11
>> >> >> >> > >
>> >> >> >> > > Abstract:
>> >> >> >> > >    This document describes how the concept of URI Signing
>> supports the
>> >> >> >> > >    content access control requirements of Content Delivery
>> Network
>> >> >> >> > >    Interconnection (CDNI) and proposes a URI Signing method
>> as a JSON
>> >> >> >> > >    Web Token (JWT) profile.
>> >> >> >> > >
>> >> >> >> > >    The proposed URI Signing method specifies the information
>> needed to
>> >> >> >> > >    be included in the URI to transmit the signed JWT, as
>> well as the
>> >> >> >> > >    claims needed by the signed JWT to authorize a User Agent
>> (UA).  The
>> >> >> >> > >    mechanism described can be used both in CDNI and single
>> Content
>> >> >> >> > >    Delivery Network (CDN) scenarios.
>> >> >> >> > >
>> >> >> >> > >
>> >> >> >> > > The IETF datatracker status page for this draft is:
>> >> >> >> > >
>> https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
>> >> >> >> > >
>> >> >> >> > > There are also htmlized versions available at:
>> >> >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
>> >> >> >> > >
>> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
>> >> >> >> > >
>> >> >> >> > > A diff from the previous version is available at:
>> >> >> >> > >
>> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
>> >> >> >> > >
>> >> >> >> > >
>> >> >> >> > > Please note that it may take a couple of minutes from the
>> time of submission
>> >> >> >> > > until the htmlized version and diff are available at
>> tools.ietf.org.
>> >> >> >> > >
>> >> >> >> > > Internet-Drafts are also available by anonymous FTP at:
>> >> >> >> > > ftp://ftp.ietf.org/internet-drafts/
>> >> >> >> > >
>> >> >> >> > >
>> >> >> >> > > _______________________________________________
>> >> >> >> > > CDNi mailing list
>> >> >> >> > > CDNi@ietf.org
>> >> >> >> > > https://www.ietf.org/mailman/listinfo/cdni
>> >> >> >>
>> >> >> >> _______________________________________________
>> >> >> >> CDNi mailing list
>> >> >> >> CDNi@ietf.org
>> >> >> >> https://www.ietf.org/mailman/listinfo/cdni
>>
>

v2.23.0 | Report a Bug | By Email