IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Chris Lemmons <alficles@gmail.com> Sat, 24 July 2021 19:12 UTC

Return-Path: <alficles@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 674BC3A00B3 for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 12:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bzqfmcfpxOw for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 12:12:43 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 827C63A00B2 for <cdni@ietf.org>; Sat, 24 Jul 2021 12:12:42 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id u20so5693937ljo.0 for <cdni@ietf.org>; Sat, 24 Jul 2021 12:12:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UNowhPO0pP8HBYhEo5aDGay5gB0bZR3Nd3xlgzO99vc=; b=OaE9Ea7POslUJIo/AX6S0reYQFizgg8GODjuV7/lIpEniEUjHoecz80PgTwCVnY8Vk BX/a8wuPqGgyrKDb+Gv1FgQz3bwJI/2W047tZMfgLvH7ftbtFaO4s2ko/rVQ99CqnEHF WVVID4AUETVagKnTfoDGGuSPBBYSzcPWXh7BoaCaHZwxlj9p1kKe7gHZAOg/G/edDUZk iL+U/FJkcT6pOGqPFGvSTKFZCAH1Y5WulKSkRbD3h7qpnSG2r8spOdl3zBMLhR1WvMnY 38T79cjm5fGOuuzPRfemhCtTtcLLOCLmD50sNDf+TiepMRZt4V4arBwHOQ/Qh5dUmgR0 gYpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UNowhPO0pP8HBYhEo5aDGay5gB0bZR3Nd3xlgzO99vc=; b=X9pPAmBWQPcR3Jng/gdeysCB/NU5Hl5hiVJIAXeMjn8Wz2H89a1pEaaU9NeB+iWxju BglrfNOxiJG3AVeid2tzH8ZZSbARsuabFVlIHKf2JUvdTMFxcIgulSBNhXV3fT19owkk nc/9N4i4OAYCFzpSH92OZd9omFoAXv2Zvp5urX2W1BGrsNFnltX3Ym7451P6DDbdTZJ3 E/uyQb6JGq4TPRqZ1OxIkVNdw0mmVHq0cr69C0u0dqLQQXJhB40Ow9dIXijGWdGLg0th n31YbPyYmydvvhqH4/jz1of6GQaxv1kSw8UAGbgdXWvlOXbsh1X5BGsXEc++37T9mMkp IYuA==
X-Gm-Message-State: AOAM530mkp6QyKjX57ny3XdoQ0UeJ3VwsrTtwAFl5wweG6N4U/uBSDFr L4ZEYAX22j3iYnoBUVraQlU3ZkdwZcA0chLevN8=
X-Google-Smtp-Source: ABdhPJxnA88Uk+eOKCfgJVuzb+JSv2rjK78eRGVBrAXrQ57+QI3r1XfJMotvCBg3uCzIM2oDhf96IUSGB8vxUDE0s1w=
X-Received: by 2002:a05:651c:10a2:: with SMTP id k2mr7061672ljn.89.1627153959748; Sat, 24 Jul 2021 12:12:39 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com>
In-Reply-To: <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com>
From: Chris Lemmons <alficles@gmail.com>
Date: Sat, 24 Jul 2021 13:12:29 -0600
Message-ID: <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com>
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/3Xl2zlRnkKbP2AQs0mI2WtElK5U>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jul 2021 19:12:48 -0000

I honestly think that URI Signing is more appropriately understood as
an application than an extension of HTTP. You can't use URI Signing
without special agreement between the entity producing the URI and the
one that finally processes it. You can't for example, give a signed
URI to a CDN or other server that isn't expecting to process it.

We could make the location of the token entirely outside the confines
of the specification, allowing signers and processors to communicate
out-of-band about where the token will be. That would considerably
reduce the value and interoperability provided in the document,
though.

As it stands, there's a MUST requirement that requires that you do
something that isn't documented anywhere. It's not possible for an
implementation to know whether they are meeting the MUST parse path
parameters requirement without anything that describes what a path
parameter is.

On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:
>
> Hi Chris,
>
>   (As chair) I don't disagree that it would be nice if there was an RFC like RFC6570 that explicitly described the parsing rules.  But I think the point of RFC8820 is that we should not be defining those rules in the URI signing RFC.  Does that mean we should hold off on URI signing until such time as Mark writes that other RFC?  I think Mark's acceptance of the current text during last call (https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) implies no.  That said, if there are editorial changes that would make the reading easier, we can still consider those, but I don't think we can/should add prescriptive text.
>
>   I guess I would be interested if any others in the WG have significant concerns about the ambiguity or interoperability?
>
> thanx.
>
> --  Kevin J. Ma
>
> On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> wrote:
>>
>> The problem I'm running into with 6570 is that it _only_ describes a
>> format for producing URIs, not one for understanding them. For
>> example, if you receive this URI, what is the correct behaviour?
>>
>> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT
>>
>> This was once considered best practice:
>> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
>>
>> Is the idea to require query strings to comply with the encoding and
>> decoding requirements of application/x-www-form-urlencoded? If so,
>> don't we run into the same problem as before with 8820?
>>
>> And it's mostly possible to reverse-engineer the path format from 6570
>> into an unwritten expectation of a format, but I'm not sure an
>> undocumented format is better than a documented one here.
>>
>> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:
>> >
>> > Hi Chris,
>> >
>> > > Unfortunately, there exists no specification for path-style or form-style parameters, so it is impossible for an implementer to know how to reliably locate the token.
>> >
>> > My understanding from the discussion with Mark (https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) is that "path-style" and "form-style" refer to the corresponding descriptions in RFC6570.  Do you think it would help if we added a reference to RFC6570 and some text to the effect of "where path-style and form-style parameters conform to RFC6570 path-style parameter and form-style query expansion formats, respectively"?
>> >
>> > > I also wonder whether URI Signing is properly understood as an Extension or an Application, in the terms of 8820.
>> >
>> > I think URI Signing should be classified as an "Extension".  As you noted, RFC8820 explicitly notes "signature mechanisms", and we did explicitly discuss our use case with Mark when he first asked us to "get off his lawn" (https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).  Do you think an explicit declaration and reference to RFC8820 would help?
>> >
>> > thanx.
>> >
>> > --  Kevin J. Ma
>> >
>> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> wrote:
>> >>
>> >> I'd like to bring this up again because I think it's a potentially
>> >> serious implementation concern and I don't see an easy way around it.
>> >> There is a MUST requirement in the latest draft:
>> >>
>> >>    The URI Signing Package will be found by parsing any path-style
>> >>    parameters and form-style parameters looking for a key name matching
>> >>    the URI Signing Package Attribute.  Both parameter styles MUST be
>> >>    supported to allow flexibility of operation.
>> >>
>> >> Unfortunately, there exists no specification for path-style or
>> >> form-style parameters, so it is impossible for an implementer to know
>> >> how to reliably locate the token. This appears to be by design,
>> >> though. ( See RFC 8820: https://datatracker.ietf.org/doc/html/rfc8820
>> >> , which is now published.)
>> >>
>> >> I think the intent of this wording is to imply that everybody should
>> >> use application/x-www-form-urlencoded for form-style parameters and
>> >> path-style parameters that look like "path;param1=a,param2=b", but
>> >> aren't specified anywhere in particular.
>> >>
>> >> I see no way for an implementer to determine whether they've met the
>> >> requirement set out that they MUST meet as it is written.
>> >>
>> >> I also wonder whether URI Signing is properly understood as an
>> >> Extension or an Application, in the terms of 8820. I think it wants to
>> >> be an Extension (for example: `a new signature mechanism for "http"
>> >> URIs`), but might be an Application in practice (`an HTTP interface to
>> >> particular information on a host`). I think important to the
>> >> discussion is that URI Signing is a mechanism added by an upstream
>> >> entity that controls the content and its format. I think this is an
>> >> important issue to resolve.
>> >>
>> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> wrote:
>> >> >
>> >> > The latest document replaces the path parsing logic with this:
>> >> >
>> >> > > URI Signing Package (URISigningPackage): The URI attribute that encapsulates all the URI Signing claims in a signed JWT encoded format.  This attribute is exposed in the Signed URI as a path-style parameter or a form-style parameter.
>> >> >
>> >> > Unfortunately, that doesn't give implementers any idea what needs to
>> >> > be parsed. I read through the conversation on last-call with mnot
>> >> > (https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/),
>> >> > especially with regard to BCP190. I also read through RFC6570 and
>> >> > you're right, it doesn't work for our use case because it's generating
>> >> > URI, not consuming them. And it's for precisely this reason that we
>> >> > need to be specific in what is accepted.
>> >> >
>> >> > As near as I can tell, there is actually no standard anywhere that
>> >> > describes "path-style parameters". And there are multiple methods for
>> >> > defining "form-style parameters", some more recent than others and in
>> >> > varying levels of use generally on the Internet. How can a document
>> >> > have a MUST requirement that requires parsing a specific structure
>> >> > that isn't specified anywhere or even widely agreed upon?
>> >> >
>> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote:
>> >> > >
>> >> > >
>> >> > > A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> >> > > This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF.
>> >> > >
>> >> > >         Title           : URI Signing for Content Delivery Network Interconnection (CDNI)
>> >> > >         Authors         : Ray van Brandenburg
>> >> > >                           Kent Leung
>> >> > >                           Phil Sorber
>> >> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
>> >> > >         Pages           : 41
>> >> > >         Date            : 2021-02-11
>> >> > >
>> >> > > Abstract:
>> >> > >    This document describes how the concept of URI Signing supports the
>> >> > >    content access control requirements of Content Delivery Network
>> >> > >    Interconnection (CDNI) and proposes a URI Signing method as a JSON
>> >> > >    Web Token (JWT) profile.
>> >> > >
>> >> > >    The proposed URI Signing method specifies the information needed to
>> >> > >    be included in the URI to transmit the signed JWT, as well as the
>> >> > >    claims needed by the signed JWT to authorize a User Agent (UA).  The
>> >> > >    mechanism described can be used both in CDNI and single Content
>> >> > >    Delivery Network (CDN) scenarios.
>> >> > >
>> >> > >
>> >> > > The IETF datatracker status page for this draft is:
>> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
>> >> > >
>> >> > > There are also htmlized versions available at:
>> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
>> >> > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
>> >> > >
>> >> > > A diff from the previous version is available at:
>> >> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
>> >> > >
>> >> > >
>> >> > > Please note that it may take a couple of minutes from the time of submission
>> >> > > until the htmlized version and diff are available at tools.ietf.org.
>> >> > >
>> >> > > Internet-Drafts are also available by anonymous FTP at:
>> >> > > ftp://ftp.ietf.org/internet-drafts/
>> >> > >
>> >> > >
>> >> > > _______________________________________________
>> >> > > CDNi mailing list
>> >> > > CDNi@ietf.org
>> >> > > https://www.ietf.org/mailman/listinfo/cdni
>> >>
>> >> _______________________________________________
>> >> CDNi mailing list
>> >> CDNi@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email