IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Kevin Ma <kevin.j.ma.ietf@gmail.com> Sun, 25 July 2021 02:23 UTC

Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE2363A0ED7 for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 19:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z_iX-1TN8TkO for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5930D3A0ED5 for <cdni@ietf.org>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d17so7568394plh.10 for <cdni@ietf.org>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pYqCUV+5WC/HsHb6Vnx4pRVh6MtcQvidjkfPSlMlOZQ=; b=dym4Y9gu4PJFojEAxhOnyWJJNOrQb3iSVZnbtvDo7A7DegAIEWIliAZTJJFQI9FD5n keMbYiOoeAAD/GRqyjhou//PDF8feTJ6U2WWlbzI7WADP4yLAzHZEx5E2jPvmH/lzasC RTapc7a9gK0rhNw3S+Legp4CwQ7qStquSrmhLUhdW8q8odzd5T1valoTwYlbY5u5Wt1z UY7ICcZxBEnikWBC1VQX7VocF/KlQ+mmRZpfu+OR0g3/7y2voth+MK6fXjJP44cW4Hb0 jrrbY6v5KW6CKtF9hWZ0lJcaaAStJgRvuo6HO7v1sBzoNb1Tdvs4YGUjN+TcnzqlnAez RQeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pYqCUV+5WC/HsHb6Vnx4pRVh6MtcQvidjkfPSlMlOZQ=; b=FYHnJf9o45CpdFZ4YGuRw7Eu5kCa3XqEINJ0pRFjcA/MWaStW4pY1iseLNbkGfJjJp WHDmtZhWuHuxDX52aB+Fk30zlyTDqFDbKy7fxfW15iAYapSDWBPowKHu+krHKV+RFdSr cGcW2z5Dh77YvSJJmiWAnAN+sp5zh9G9JbZa0L6J4nBfi0DfqE1zTzMtmFYrRacEh6jv mvfHpkEZmZq5QwbgW6FDzi+dnnYcWOW0PXvRSG/plCu8WMg7eHTuXlZ64VTa11PFcOdx wd2z65gsc6fug4r2kffsBHi1mXosQMnQndaKbgTjjnFU4vIjKzNol7eE3h1u6BL1ZfEo Xt9A==
X-Gm-Message-State: AOAM531sC/0QVI5L2LzNuCQ7PAs4IjsvshfiKb8ONXzldytqZHz8VZhT XHg9X050E+rhm4vIqtS92QvzxMEvfbUG1L6GHdg=
X-Google-Smtp-Source: ABdhPJxDvmgkqdnvMxWhpOdB/3Fn0mj96U8RK0tK5wTsBFPNjWMP0F7gNaLUrgM8vRmbD7+yHV54sAGL9ctrcmQIRFk=
X-Received: by 2002:a17:90a:62cb:: with SMTP id k11mr8248262pjs.153.1627179819015; Sat, 24 Jul 2021 19:23:39 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com>
In-Reply-To: <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sat, 24 Jul 2021 22:23:28 -0400
Message-ID: <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000019213805c7e95355"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/8BBL3c6BG8OWvrpbxpW84ew1RxM>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 02:23:45 -0000

Hi Chris,

  Do you have a solution proposal?

thanx.

--  Kevin J. Ma

On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com> wrote:

> I honestly think that URI Signing is more appropriately understood as
> an application than an extension of HTTP. You can't use URI Signing
> without special agreement between the entity producing the URI and the
> one that finally processes it. You can't for example, give a signed
> URI to a CDN or other server that isn't expecting to process it.
>
> We could make the location of the token entirely outside the confines
> of the specification, allowing signers and processors to communicate
> out-of-band about where the token will be. That would considerably
> reduce the value and interoperability provided in the document,
> though.
>
> As it stands, there's a MUST requirement that requires that you do
> something that isn't documented anywhere. It's not possible for an
> implementation to know whether they are meeting the MUST parse path
> parameters requirement without anything that describes what a path
> parameter is.
>
> On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
> >
> > Hi Chris,
> >
> >   (As chair) I don't disagree that it would be nice if there was an RFC
> like RFC6570 that explicitly described the parsing rules.  But I think the
> point of RFC8820 is that we should not be defining those rules in the URI
> signing RFC.  Does that mean we should hold off on URI signing until such
> time as Mark writes that other RFC?  I think Mark's acceptance of the
> current text during last call (
> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
> implies no.  That said, if there are editorial changes that would make the
> reading easier, we can still consider those, but I don't think we
> can/should add prescriptive text.
> >
> >   I guess I would be interested if any others in the WG have significant
> concerns about the ambiguity or interoperability?
> >
> > thanx.
> >
> > --  Kevin J. Ma
> >
> > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> wrote:
> >>
> >> The problem I'm running into with 6570 is that it _only_ describes a
> >> format for producing URIs, not one for understanding them. For
> >> example, if you receive this URI, what is the correct behaviour?
> >>
> >>
> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT
> >>
> >> This was once considered best practice:
> >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
> >>
> >> Is the idea to require query strings to comply with the encoding and
> >> decoding requirements of application/x-www-form-urlencoded? If so,
> >> don't we run into the same problem as before with 8820?
> >>
> >> And it's mostly possible to reverse-engineer the path format from 6570
> >> into an unwritten expectation of a format, but I'm not sure an
> >> undocumented format is better than a documented one here.
> >>
> >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
> >> >
> >> > Hi Chris,
> >> >
> >> > > Unfortunately, there exists no specification for path-style or
> form-style parameters, so it is impossible for an implementer to know how
> to reliably locate the token.
> >> >
> >> > My understanding from the discussion with Mark (
> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
> is that "path-style" and "form-style" refer to the corresponding
> descriptions in RFC6570.  Do you think it would help if we added a
> reference to RFC6570 and some text to the effect of "where path-style and
> form-style parameters conform to RFC6570 path-style parameter and
> form-style query expansion formats, respectively"?
> >> >
> >> > > I also wonder whether URI Signing is properly understood as an
> Extension or an Application, in the terms of 8820.
> >> >
> >> > I think URI Signing should be classified as an "Extension".  As you
> noted, RFC8820 explicitly notes "signature mechanisms", and we did
> explicitly discuss our use case with Mark when he first asked us to "get
> off his lawn" (
> https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).
> Do you think an explicit declaration and reference to RFC8820 would help?
> >> >
> >> > thanx.
> >> >
> >> > --  Kevin J. Ma
> >> >
> >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >>
> >> >> I'd like to bring this up again because I think it's a potentially
> >> >> serious implementation concern and I don't see an easy way around it.
> >> >> There is a MUST requirement in the latest draft:
> >> >>
> >> >>    The URI Signing Package will be found by parsing any path-style
> >> >>    parameters and form-style parameters looking for a key name
> matching
> >> >>    the URI Signing Package Attribute.  Both parameter styles MUST be
> >> >>    supported to allow flexibility of operation.
> >> >>
> >> >> Unfortunately, there exists no specification for path-style or
> >> >> form-style parameters, so it is impossible for an implementer to know
> >> >> how to reliably locate the token. This appears to be by design,
> >> >> though. ( See RFC 8820:
> https://datatracker.ietf.org/doc/html/rfc8820
> >> >> , which is now published.)
> >> >>
> >> >> I think the intent of this wording is to imply that everybody should
> >> >> use application/x-www-form-urlencoded for form-style parameters and
> >> >> path-style parameters that look like "path;param1=a,param2=b", but
> >> >> aren't specified anywhere in particular.
> >> >>
> >> >> I see no way for an implementer to determine whether they've met the
> >> >> requirement set out that they MUST meet as it is written.
> >> >>
> >> >> I also wonder whether URI Signing is properly understood as an
> >> >> Extension or an Application, in the terms of 8820. I think it wants
> to
> >> >> be an Extension (for example: `a new signature mechanism for "http"
> >> >> URIs`), but might be an Application in practice (`an HTTP interface
> to
> >> >> particular information on a host`). I think important to the
> >> >> discussion is that URI Signing is a mechanism added by an upstream
> >> >> entity that controls the content and its format. I think this is an
> >> >> important issue to resolve.
> >> >>
> >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >> >
> >> >> > The latest document replaces the path parsing logic with this:
> >> >> >
> >> >> > > URI Signing Package (URISigningPackage): The URI attribute that
> encapsulates all the URI Signing claims in a signed JWT encoded format.
> This attribute is exposed in the Signed URI as a path-style parameter or a
> form-style parameter.
> >> >> >
> >> >> > Unfortunately, that doesn't give implementers any idea what needs
> to
> >> >> > be parsed. I read through the conversation on last-call with mnot
> >> >> > (
> https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/
> ),
> >> >> > especially with regard to BCP190. I also read through RFC6570 and
> >> >> > you're right, it doesn't work for our use case because it's
> generating
> >> >> > URI, not consuming them. And it's for precisely this reason that we
> >> >> > need to be specific in what is accepted.
> >> >> >
> >> >> > As near as I can tell, there is actually no standard anywhere that
> >> >> > describes "path-style parameters". And there are multiple methods
> for
> >> >> > defining "form-style parameters", some more recent than others and
> in
> >> >> > varying levels of use generally on the Internet. How can a document
> >> >> > have a MUST requirement that requires parsing a specific structure
> >> >> > that isn't specified anywhere or even widely agreed upon?
> >> >> >
> >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote:
> >> >> > >
> >> >> > >
> >> >> > > A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
> >> >> > > This draft is a work item of the Content Delivery Networks
> Interconnection WG of the IETF.
> >> >> > >
> >> >> > >         Title           : URI Signing for Content Delivery
> Network Interconnection (CDNI)
> >> >> > >         Authors         : Ray van Brandenburg
> >> >> > >                           Kent Leung
> >> >> > >                           Phil Sorber
> >> >> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
> >> >> > >         Pages           : 41
> >> >> > >         Date            : 2021-02-11
> >> >> > >
> >> >> > > Abstract:
> >> >> > >    This document describes how the concept of URI Signing
> supports the
> >> >> > >    content access control requirements of Content Delivery
> Network
> >> >> > >    Interconnection (CDNI) and proposes a URI Signing method as a
> JSON
> >> >> > >    Web Token (JWT) profile.
> >> >> > >
> >> >> > >    The proposed URI Signing method specifies the information
> needed to
> >> >> > >    be included in the URI to transmit the signed JWT, as well as
> the
> >> >> > >    claims needed by the signed JWT to authorize a User Agent
> (UA).  The
> >> >> > >    mechanism described can be used both in CDNI and single
> Content
> >> >> > >    Delivery Network (CDN) scenarios.
> >> >> > >
> >> >> > >
> >> >> > > The IETF datatracker status page for this draft is:
> >> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
> >> >> > >
> >> >> > > There are also htmlized versions available at:
> >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
> >> >> > >
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
> >> >> > >
> >> >> > > A diff from the previous version is available at:
> >> >> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
> >> >> > >
> >> >> > >
> >> >> > > Please note that it may take a couple of minutes from the time
> of submission
> >> >> > > until the htmlized version and diff are available at
> tools.ietf.org.
> >> >> > >
> >> >> > > Internet-Drafts are also available by anonymous FTP at:
> >> >> > > ftp://ftp.ietf.org/internet-drafts/
> >> >> > >
> >> >> > >
> >> >> > > _______________________________________________
> >> >> > > CDNi mailing list
> >> >> > > CDNi@ietf.org
> >> >> > > https://www.ietf.org/mailman/listinfo/cdni
> >> >>
> >> >> _______________________________________________
> >> >> CDNi mailing list
> >> >> CDNi@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/cdni
>

v2.23.0 | Report a Bug | By Email