IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Kevin Ma <kevin.j.ma.ietf@gmail.com> Sat, 24 July 2021 06:14 UTC

Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6B3F3A2D09 for <cdni@ietfa.amsl.com>; Fri, 23 Jul 2021 23:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehU8jh9Oyk4X for <cdni@ietfa.amsl.com>; Fri, 23 Jul 2021 23:14:45 -0700 (PDT)
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BF123A2D07 for <cdni@ietf.org>; Fri, 23 Jul 2021 23:14:45 -0700 (PDT)
Received: by mail-pj1-x1036.google.com with SMTP id m1so5252109pjv.2 for <cdni@ietf.org>; Fri, 23 Jul 2021 23:14:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=K+DxtGD2g3EisEM8y7fcmdKtXqDHkQP4j1XPlB774B0=; b=vLUsCQw3bcSmWrUoj5RyUfNADzmcGWRdGQNoOlXhJT/TTZKvWgEZwsSDDLzWHl8dUg S2WuAZv9K2PkOW6IvLpUHWd5Ait4i/1g5OONut0c139AbRIE99Hq7wOXQSsAsAs6awyc qK//wcUpRqCatzvdd3UtETrC8OG8qFh91BIrBs0uR5Tl4yuFyIBrKNF9H/IVXwtVZ7Sl ij84tdwu3A5OaM6ZN1QXhnLjb1LYd5Nh2qdSRYYqpuG6gOWkbzJK4ehZmd/RHCc07cdU j4cE2u3rMP0vkh2Nz/5aLpIBbgKUJ7EMFc2XA7iWHbx2rui6YjPt2JQ8X9YGSRQl1wvf woIA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=K+DxtGD2g3EisEM8y7fcmdKtXqDHkQP4j1XPlB774B0=; b=RVpkimjGK7MI/pyk7de1c65UKZ01hyfNnfH+rEPDlGYZP16mGj26q6Lr3Qm3IUNGbH bWk9t//yu1HZS0gBYIGly596r3TK0HIlqfhzgpRXkEyFnJjTeZOo02XKl3JpaHne4+kd 4eK1Wa7CmR0gccwMVCLww81QHfLVuSqB0oKlXLbzQF6rD6H3jAwDCuowdpqcYaeTrhMU afiCQcZOxb/NV4BbHUT7fjz75tfY69Q6h/1TAE64L+AsgrCPCTgONRchDBzzFXnLurtE MX3hg+5mlDipL3CrymM0m+pONzfKlr2MCj/YS4KFcuKm170Zv1XxONBdKYha2dKayyMX c5+w==
X-Gm-Message-State: AOAM532a9e+mKT3CeYNOCv15rvrhJNebsofcNGXOmSXA3ptt5Zy936Ue WaeoXPp1nLX4UcZXw8HHI4Jfg/BSr7BxYbNIbpE=
X-Google-Smtp-Source: ABdhPJwYPRjNqqmBvnSOakzEnt/MFo6nAT7sIcFnQG2UtiilneFn5voc+1aB/Nsd3+kmwyrAMXmNaGKVjPIV04a6wxY=
X-Received: by 2002:a17:902:c941:b029:12b:27b:a7b0 with SMTP id i1-20020a170902c941b029012b027ba7b0mr6419924pla.10.1627107284126; Fri, 23 Jul 2021 23:14:44 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com>
In-Reply-To: <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sat, 24 Jul 2021 02:14:33 -0400
Message-ID: <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ae908605c7d86f3a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/6L4aNQrv_UP5gEXK1iBFFkSlEQo>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jul 2021 06:14:49 -0000

Hi Chris,

  (As chair) I don't disagree that it would be nice if there was an RFC
like RFC6570 that explicitly described the parsing rules.  But I think the
point of RFC8820 is that we should not be defining those rules in the URI
signing RFC.  Does that mean we should hold off on URI signing until such
time as Mark writes that other RFC?  I think Mark's acceptance of the
current text during last call (
https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
implies no.  That said, if there are editorial changes that would make the
reading easier, we can still consider those, but I don't think we
can/should add prescriptive text.

  I guess I would be interested if any others in the WG have significant
concerns about the ambiguity or interoperability?

thanx.

--  Kevin J. Ma

On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> wrote:

> The problem I'm running into with 6570 is that it _only_ describes a
> format for producing URIs, not one for understanding them. For
> example, if you receive this URI, what is the correct behaviour?
>
> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT
>
> This was once considered best practice:
> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
>
> Is the idea to require query strings to comply with the encoding and
> decoding requirements of application/x-www-form-urlencoded? If so,
> don't we run into the same problem as before with 8820?
>
> And it's mostly possible to reverse-engineer the path format from 6570
> into an unwritten expectation of a format, but I'm not sure an
> undocumented format is better than a documented one here.
>
> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:
> >
> > Hi Chris,
> >
> > > Unfortunately, there exists no specification for path-style or
> form-style parameters, so it is impossible for an implementer to know how
> to reliably locate the token.
> >
> > My understanding from the discussion with Mark (
> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
> is that "path-style" and "form-style" refer to the corresponding
> descriptions in RFC6570.  Do you think it would help if we added a
> reference to RFC6570 and some text to the effect of "where path-style and
> form-style parameters conform to RFC6570 path-style parameter and
> form-style query expansion formats, respectively"?
> >
> > > I also wonder whether URI Signing is properly understood as an
> Extension or an Application, in the terms of 8820.
> >
> > I think URI Signing should be classified as an "Extension".  As you
> noted, RFC8820 explicitly notes "signature mechanisms", and we did
> explicitly discuss our use case with Mark when he first asked us to "get
> off his lawn" (
> https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).
> Do you think an explicit declaration and reference to RFC8820 would help?
> >
> > thanx.
> >
> > --  Kevin J. Ma
> >
> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com>
> wrote:
> >>
> >> I'd like to bring this up again because I think it's a potentially
> >> serious implementation concern and I don't see an easy way around it.
> >> There is a MUST requirement in the latest draft:
> >>
> >>    The URI Signing Package will be found by parsing any path-style
> >>    parameters and form-style parameters looking for a key name matching
> >>    the URI Signing Package Attribute.  Both parameter styles MUST be
> >>    supported to allow flexibility of operation.
> >>
> >> Unfortunately, there exists no specification for path-style or
> >> form-style parameters, so it is impossible for an implementer to know
> >> how to reliably locate the token. This appears to be by design,
> >> though. ( See RFC 8820: https://datatracker.ietf.org/doc/html/rfc8820
> >> , which is now published.)
> >>
> >> I think the intent of this wording is to imply that everybody should
> >> use application/x-www-form-urlencoded for form-style parameters and
> >> path-style parameters that look like "path;param1=a,param2=b", but
> >> aren't specified anywhere in particular.
> >>
> >> I see no way for an implementer to determine whether they've met the
> >> requirement set out that they MUST meet as it is written.
> >>
> >> I also wonder whether URI Signing is properly understood as an
> >> Extension or an Application, in the terms of 8820. I think it wants to
> >> be an Extension (for example: `a new signature mechanism for "http"
> >> URIs`), but might be an Application in practice (`an HTTP interface to
> >> particular information on a host`). I think important to the
> >> discussion is that URI Signing is a mechanism added by an upstream
> >> entity that controls the content and its format. I think this is an
> >> important issue to resolve.
> >>
> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >
> >> > The latest document replaces the path parsing logic with this:
> >> >
> >> > > URI Signing Package (URISigningPackage): The URI attribute that
> encapsulates all the URI Signing claims in a signed JWT encoded format.
> This attribute is exposed in the Signed URI as a path-style parameter or a
> form-style parameter.
> >> >
> >> > Unfortunately, that doesn't give implementers any idea what needs to
> >> > be parsed. I read through the conversation on last-call with mnot
> >> > (
> https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/
> ),
> >> > especially with regard to BCP190. I also read through RFC6570 and
> >> > you're right, it doesn't work for our use case because it's generating
> >> > URI, not consuming them. And it's for precisely this reason that we
> >> > need to be specific in what is accepted.
> >> >
> >> > As near as I can tell, there is actually no standard anywhere that
> >> > describes "path-style parameters". And there are multiple methods for
> >> > defining "form-style parameters", some more recent than others and in
> >> > varying levels of use generally on the Internet. How can a document
> >> > have a MUST requirement that requires parsing a specific structure
> >> > that isn't specified anywhere or even widely agreed upon?
> >> >
> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote:
> >> > >
> >> > >
> >> > > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >> > > This draft is a work item of the Content Delivery Networks
> Interconnection WG of the IETF.
> >> > >
> >> > >         Title           : URI Signing for Content Delivery Network
> Interconnection (CDNI)
> >> > >         Authors         : Ray van Brandenburg
> >> > >                           Kent Leung
> >> > >                           Phil Sorber
> >> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
> >> > >         Pages           : 41
> >> > >         Date            : 2021-02-11
> >> > >
> >> > > Abstract:
> >> > >    This document describes how the concept of URI Signing supports
> the
> >> > >    content access control requirements of Content Delivery Network
> >> > >    Interconnection (CDNI) and proposes a URI Signing method as a
> JSON
> >> > >    Web Token (JWT) profile.
> >> > >
> >> > >    The proposed URI Signing method specifies the information needed
> to
> >> > >    be included in the URI to transmit the signed JWT, as well as the
> >> > >    claims needed by the signed JWT to authorize a User Agent (UA).
> The
> >> > >    mechanism described can be used both in CDNI and single Content
> >> > >    Delivery Network (CDN) scenarios.
> >> > >
> >> > >
> >> > > The IETF datatracker status page for this draft is:
> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
> >> > >
> >> > > There are also htmlized versions available at:
> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
> >> > >
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
> >> > >
> >> > > A diff from the previous version is available at:
> >> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
> >> > >
> >> > >
> >> > > Please note that it may take a couple of minutes from the time of
> submission
> >> > > until the htmlized version and diff are available at tools.ietf.org
> .
> >> > >
> >> > > Internet-Drafts are also available by anonymous FTP at:
> >> > > ftp://ftp.ietf.org/internet-drafts/
> >> > >
> >> > >
> >> > > _______________________________________________
> >> > > CDNi mailing list
> >> > > CDNi@ietf.org
> >> > > https://www.ietf.org/mailman/listinfo/cdni
> >>
> >> _______________________________________________
> >> CDNi mailing list
> >> CDNi@ietf.org
> >> https://www.ietf.org/mailman/listinfo/cdni
>

v2.23.0 | Report a Bug | By Email