Re: [CDNi] URI Signing Signed Token Chaining refactor
"Matthew A. Miller" <linuxwolf@outer-planes.net> Wed, 19 July 2017 14:27 UTC
Return-Path: <linuxwolf@outer-planes.net>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9A3D131532 for <cdni@ietfa.amsl.com>; Wed, 19 Jul 2017 07:27:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgvSOuZxH86J for <cdni@ietfa.amsl.com>; Wed, 19 Jul 2017 07:27:19 -0700 (PDT)
Received: from mail-wr0-x22f.google.com (mail-wr0-x22f.google.com [IPv6:2a00:1450:400c:c0c::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D833131CC9 for <cdni@ietf.org>; Wed, 19 Jul 2017 07:27:18 -0700 (PDT)
Received: by mail-wr0-x22f.google.com with SMTP id y43so59321864wrd.3 for <cdni@ietf.org>; Wed, 19 Jul 2017 07:27:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to; bh=86ibxE/sqnZRvF6bfT9DeM6QTuSKaSpT9M1+Dl3dAek=; b=S+GlsOekERgzRbgIX0ZuwzONcUHHQ4/b6W0JmJkHt3ONM3jknOk03H1+Elj7zg8h5Z 1pstWW/hNV9j3DT6pDVHAL9Xyb0A3XHO3VYrDpzHq6jAXVSn1sfFnBVOabZs+gjnPWhp uB2y/GDEZdGyBSv8M0KrPOw2Jw2RVPqM5wqGgfRICwCZP+gkAe3ZYIiqpYiAkEy7nvW2 Z/JBIc/Nyyvhqb/cd9pnT8fYuAiOqcRqBucVCucFoSbrzOfB5letKMIUa7fQaTz0mO3+ keTt0SnS5G2pJYQaDk8yWV6sI0iTWAdoszJO+ZAZn+wtCpGtp+Cd4w0Tso7eRcLDyVsb S4Ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=86ibxE/sqnZRvF6bfT9DeM6QTuSKaSpT9M1+Dl3dAek=; b=erL5tJSsYNdR+hMesllQb/hjubJ6g8c8EaropdS68HC+/yl+KOSeOsV75wkcJx75mz fSEmJo6zbA08XcnvwR3ySPS7SiYy2+BKMRght0aCBpqRlepZFynytmVsBxFRKWo80rf7 SDNIrTe0g0TgGAW+QqsEAW02gtooxLyTWLzuRgtWi/PL++AgvyJwBgTisVaHZcrVGGpV EieVsx0GTjftKqC5kNU1TfpJpxGryHys2MUeunllcxIxsRlEthP8UW/XT67jHwAhAvBi zx2sW5Atn3cR/0w5Ryuj3bWGCbGHd6OkUHJ7yzoWKwvogFw8qXDdDZOtacIwh6a2cnuV 4IRw==
X-Gm-Message-State: AIVw112zI/WMFYI1V0R75VkcLHVyayJDs9bu0KS3+jkICGZPYOpKt66u rNe+HuxvzYFrxh5Kq/i/EBfP
X-Received: by 10.223.168.15 with SMTP id l15mr4875505wrc.37.1500474436703; Wed, 19 Jul 2017 07:27:16 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:2971:923e:3627:ab64? ([2001:67c:370:128:2971:923e:3627:ab64]) by smtp.gmail.com with ESMTPSA id 3sm3360063wrs.18.2017.07.19.07.27.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Jul 2017 07:27:16 -0700 (PDT)
To: Ray van Brandenburg <ray@tiledmedia.com>, "Kevin J. Ma" <kevin.j.ma.ietf@gmail.com>
Cc: Phil Sorber <sorber@apache.org>, "cdni@ietf.org" <cdni@ietf.org>
References: <CABF6JR3wEfUoCSJ29xQ3n56Ah1EqPnCvkZ4x6W5_cTW8V35Hwg@mail.gmail.com> <7CEB7DDD-7C33-4FD9-93BC-75E5E78AB3C2@gmail.com> <A2FBEA85-BF95-44A4-8E11-97D39C8DCF76@tiledmedia.com>
From: "Matthew A. Miller" <linuxwolf@outer-planes.net>
Message-ID: <f56a1478-2457-6179-619f-b0f38700eaa6@outer-planes.net>
Date: Wed, 19 Jul 2017 16:27:14 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Thunderbird/54.0
MIME-Version: 1.0
In-Reply-To: <A2FBEA85-BF95-44A4-8E11-97D39C8DCF76@tiledmedia.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="h4GKe7D01aGwxXnPpr0eAi6bMVHWxJ9eP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/4tYquigxNUHdFzbGQEG_hkAMP08>
Subject: Re: [CDNi] URI Signing Signed Token Chaining refactor
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 14:27:21 -0000
Making it (a little bit) more generic makes sense. I'm not sure about the name 'Signed Token Chain', but I don't have a better one. In cryptographic circles, "chain" has certain implications that this document is not expressing. The "next" item in the chain is supposed to be cryptographically tied to the "previous" item in the chain by using (a hash of, or the exact value of) the previous token when generating the next token. I don't know that that binding property is required here, so I'm not suggesting a change in the protocol. I do worry, however, that the language may potentially confuse (or worse, mislead) people about the security properties this document is providing. - m&m Matthew A. Miller < http://goo.gl/LM55L > On 7/19/17 4:14 PM, Ray van Brandenburg wrote: > Yes, good point! > > Although I can’t think of another use case from the top of my head, I don’t see a good reason to limit it to HAS either. > > Ray > > >> On 19 Jul 2017, at 15:51, Kevin J. Ma <kevin.j.ma.ietf@gmail.com> wrote: >> >> (as an individual) I agree with making the section more generic and citing HAS as a use case for token chaining. >> >> Sent from my iPhone >> >>> On Jul 19, 2017, at 9:43 AM, Phil Sorber <sorber@apache.org> wrote: >>> >>> Since we have added the HAS content I have been thinking about how specific we have made it. Perhaps just specifying a method for token chaining, and then citing HAS as a use case makes more sense. I wanted to get some opinions on it before I make those changes. It shouldn't be that big of a change, just taking the HAS specific stuff and putting it in a lower "Use Case" sub-section at the bottom and leaving everything else as a "Signed Token Chaining" section. >>> >>> Thoughts? >>> >>> Thanks. >>> _______________________________________________ >>> CDNi mailing list >>> CDNi@ietf.org >>> https://www.ietf.org/mailman/listinfo/cdni >
- [CDNi] URI Signing Signed Token Chaining refactor Phil Sorber
- Re: [CDNi] URI Signing Signed Token Chaining refa… Kevin J. Ma
- Re: [CDNi] URI Signing Signed Token Chaining refa… Ray van Brandenburg
- Re: [CDNi] URI Signing Signed Token Chaining refa… Matthew A. Miller
- Re: [CDNi] URI Signing Signed Token Chaining refa… Kevin J. Ma
- Re: [CDNi] URI Signing Signed Token Chaining refa… Matthew A. Miller
- Re: [CDNi] URI Signing Signed Token Chaining refa… Kevin J. Ma
- Re: [CDNi] URI Signing Signed Token Chaining refa… Ray van Brandenburg
- Re: [CDNi] URI Signing Signed Token Chaining refa… Phil Sorber