Re: [CDNi] Super-late Review of draft-ietf-cdni-uri-signing
Kevin Ma J <kevin.j.ma@ericsson.com> Wed, 20 July 2016 14:24 UTC
Return-Path: <kevin.j.ma@ericsson.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4719E12D7BE for <cdni@ietfa.amsl.com>; Wed, 20 Jul 2016 07:24:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gDO7oplc9KrO for <cdni@ietfa.amsl.com>; Wed, 20 Jul 2016 07:24:36 -0700 (PDT)
Received: from usplmg21.ericsson.net (usplmg21.ericsson.net [198.24.6.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7AE612D810 for <cdni@ietf.org>; Wed, 20 Jul 2016 07:24:33 -0700 (PDT)
X-AuditID: c6180641-f796f6d000000e1e-9b-578f895a9f37
Received: from EUSAAHC004.ericsson.se (Unknown_Domain [147.117.188.84]) by usplmg21.ericsson.net (Symantec Mail Security) with SMTP id 0F.D1.03614.A598F875; Wed, 20 Jul 2016 16:23:23 +0200 (CEST)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC004.ericsson.se ([147.117.188.84]) with mapi id 14.03.0294.000; Wed, 20 Jul 2016 10:24:32 -0400
From: Kevin Ma J <kevin.j.ma@ericsson.com>
To: "Matt Miller (mamille2)" <mamille2@cisco.com>, "cdni@ietf.org" <cdni@ietf.org>
Thread-Topic: Super-late Review of draft-ietf-cdni-uri-signing
Thread-Index: AQHR4opdj30OJ31ShkebNjAT7KbAeKAhXQlg
Date: Wed, 20 Jul 2016 14:24:32 +0000
Message-ID: <A419F67F880AB2468214E154CB8A556206E6F328@eusaamb103.ericsson.se>
References: <7A7E55A2-C671-4F65-B51B-9515C098D09B@cisco.com>
In-Reply-To: <7A7E55A2-C671-4F65-B51B-9515C098D09B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.12]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrPLMWRmVeSWpSXmKPExsUyuXRPiG50Z3+4wZq/PBZPZ/9htfj88Dar A5PHlN8bWT2WLPnJFMAUxWWTkpqTWZZapG+XwJWxYulttoLVEhVdjz8xNzDOEO5i5OSQEDCR uL12PiOELSZx4d56NhBbSOAoo8TEt3JdjFxA9nJGiZ/HZrODJNgEtCQef/3LBGKLCIRIvJ29 DiwuLGArcefORzaIuJ3E49v/2SFsI4n2W99YQWwWAVWJc6cOgS3jFfCV+PhuJhPEMhuJY2vv gtVzAs35MukJC4jNCHTQ91NrwGqYBcQlbj2ZzwRxqIDEkj3nmSFsUYmXj/+xQthKEnNeX2OG qNeRWLD7ExuErS2xbOFrZoi9ghInZz5hmcAoOgvJ2FlIWmYhaZmFpGUBI8sqRo7S4oKc3HQj w02MwGg4JsHmuINxb6/nIUYBDkYlHl6F233hQqyJZcWVuYcYJTiYlUR4uzv6w4V4UxIrq1KL 8uOLSnNSiw8xSnOwKInz6r9UDBcSSE8sSc1OTS1ILYLJMnFwSjUwdnAqGf40FHizOiFbuMPs 5MTrjT3puuHX8npKvKLk7qVmXSqRK5ss5mzW2PV40+3GsrP7wxsXKyo9PSV4O/I0u5f/sctC d2LiOj42MH5i47HbMu+Fw0wdLcFdX1Wvz/xsr51+XEXsNhOX/NF+0XcWOncmXbnmz7ZcjNd3 AVtsYZRyk3hSM6cSS3FGoqEWc1FxIgBmeikaggIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/3xTSo1OzQyFf6ky8gj8kMxPTU1Q>
Subject: Re: [CDNi] Super-late Review of draft-ietf-cdni-uri-signing
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2016 14:24:38 -0000
Thanks Matt! Hi all, (as chairs) Per the discussion in the working group session today, we think it makes sense for the authors to look at the possibility of using JWT for the URI Signing token, and at the same time evaluate whether or not it would be easy to pull in the relevant cookie-based transport mechanism from draft-brandenburg-cdni-uri-signing-for-has-03. As discussed, there is a trade-off between taking the time to rewrite the token generation portions of the existing WG draft to use JWT and a probable long IESG review cycle for a new security token scheme, as proposed in the current WG draft. There was general consensus in the room that an existing standard based approach (i.e. JWT) would be the faster approach to document publication -- especially with the help of Matt and Phil. ;) We also agreed that it made sense to just rev the existing working group document, rather than submit a separate individual draft. If anyone has concerns with the approach described above, please speak up. thanx! -- Kevin and Francois > -----Original Message----- > From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Matt Miller > (mamille2) > Sent: Wednesday, July 20, 2016 9:27 AM > To: cdni@ietf.org > Subject: [CDNi] Super-late Review of draft-ietf-cdni-uri-signing > > I was asked to review this draft with an eye toward security. > > The short answer: this looks like it's inventing a new crypto container > and/or > assertion format, and it would be a smoother path to use existing > technology. > > Some of the concerns I have are: > > * Implicit algorithms can lead to key substitution attacks if you're not > careful. Ideally the algorithm descriptor should be part of the > signature/MAC > generation; it ought to be part of the primitive, but this is *NOT* true > of > ECDSA nor HMAC. > * For ECDSA, the curve parameters (named for explicitly) MUST be > specified, or > you run the risk of key substitution attacks. ECDSA allows a fairly > large > range of curve parameters which can appear to be the same size, and the > ASN.1 key format does not require the parameters be present. > * Encryption without Authentication is strongly discouraged, and ECB is > the > worst of the choices. > * Mixing hash algorithms have in the past lead to some interesting > vulnerabilities. It's much much better if everywhere hashing is done > for a given input/output pair, the same hash algorithm is used. > * SHA-1 is NOT RECOMMENDED unless it's used in non-cryptographic purposes, > but this document in my opinion is still using it for cryptographic > purposes in generating the message digest to feed into ECDSA. > > I'll point out that this looks very close to [JWT] in terms of what you're > trying to > accomplish. I am willing to help with text to transform this into a > profile of JWT. > > > -- > - m&m > > Matt Miller > Cisco Systems, Inc. > > [JWT] JSON Web Token (JWT) < https://tools.ietf.org/html/rfc7519 >
- Re: [CDNi] Super-late Review of draft-ietf-cdni-u… Kevin Ma J
- [CDNi] Super-late Review of draft-ietf-cdni-uri-s… Matt Miller (mamille2)