Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
Kevin Ma <kevin.j.ma.ietf@gmail.com> Sun, 25 July 2021 02:23 UTC
Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE2363A0ED7 for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 19:23:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z_iX-1TN8TkO for <cdni@ietfa.amsl.com>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5930D3A0ED5 for <cdni@ietf.org>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d17so7568394plh.10 for <cdni@ietf.org>; Sat, 24 Jul 2021 19:23:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pYqCUV+5WC/HsHb6Vnx4pRVh6MtcQvidjkfPSlMlOZQ=; b=dym4Y9gu4PJFojEAxhOnyWJJNOrQb3iSVZnbtvDo7A7DegAIEWIliAZTJJFQI9FD5n keMbYiOoeAAD/GRqyjhou//PDF8feTJ6U2WWlbzI7WADP4yLAzHZEx5E2jPvmH/lzasC RTapc7a9gK0rhNw3S+Legp4CwQ7qStquSrmhLUhdW8q8odzd5T1valoTwYlbY5u5Wt1z UY7ICcZxBEnikWBC1VQX7VocF/KlQ+mmRZpfu+OR0g3/7y2voth+MK6fXjJP44cW4Hb0 jrrbY6v5KW6CKtF9hWZ0lJcaaAStJgRvuo6HO7v1sBzoNb1Tdvs4YGUjN+TcnzqlnAez RQeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pYqCUV+5WC/HsHb6Vnx4pRVh6MtcQvidjkfPSlMlOZQ=; b=FYHnJf9o45CpdFZ4YGuRw7Eu5kCa3XqEINJ0pRFjcA/MWaStW4pY1iseLNbkGfJjJp WHDmtZhWuHuxDX52aB+Fk30zlyTDqFDbKy7fxfW15iAYapSDWBPowKHu+krHKV+RFdSr cGcW2z5Dh77YvSJJmiWAnAN+sp5zh9G9JbZa0L6J4nBfi0DfqE1zTzMtmFYrRacEh6jv mvfHpkEZmZq5QwbgW6FDzi+dnnYcWOW0PXvRSG/plCu8WMg7eHTuXlZ64VTa11PFcOdx wd2z65gsc6fug4r2kffsBHi1mXosQMnQndaKbgTjjnFU4vIjKzNol7eE3h1u6BL1ZfEo Xt9A==
X-Gm-Message-State: AOAM531sC/0QVI5L2LzNuCQ7PAs4IjsvshfiKb8ONXzldytqZHz8VZhT XHg9X050E+rhm4vIqtS92QvzxMEvfbUG1L6GHdg=
X-Google-Smtp-Source: ABdhPJxDvmgkqdnvMxWhpOdB/3Fn0mj96U8RK0tK5wTsBFPNjWMP0F7gNaLUrgM8vRmbD7+yHV54sAGL9ctrcmQIRFk=
X-Received: by 2002:a17:90a:62cb:: with SMTP id k11mr8248262pjs.153.1627179819015; Sat, 24 Jul 2021 19:23:39 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com>
In-Reply-To: <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sat, 24 Jul 2021 22:23:28 -0400
Message-ID: <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000019213805c7e95355"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/8BBL3c6BG8OWvrpbxpW84ew1RxM>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 02:23:45 -0000
Hi Chris, Do you have a solution proposal? thanx. -- Kevin J. Ma On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com> wrote: > I honestly think that URI Signing is more appropriately understood as > an application than an extension of HTTP. You can't use URI Signing > without special agreement between the entity producing the URI and the > one that finally processes it. You can't for example, give a signed > URI to a CDN or other server that isn't expecting to process it. > > We could make the location of the token entirely outside the confines > of the specification, allowing signers and processors to communicate > out-of-band about where the token will be. That would considerably > reduce the value and interoperability provided in the document, > though. > > As it stands, there's a MUST requirement that requires that you do > something that isn't documented anywhere. It's not possible for an > implementation to know whether they are meeting the MUST parse path > parameters requirement without anything that describes what a path > parameter is. > > On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > > > > Hi Chris, > > > > (As chair) I don't disagree that it would be nice if there was an RFC > like RFC6570 that explicitly described the parsing rules. But I think the > point of RFC8820 is that we should not be defining those rules in the URI > signing RFC. Does that mean we should hold off on URI signing until such > time as Mark writes that other RFC? I think Mark's acceptance of the > current text during last call ( > https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) > implies no. That said, if there are editorial changes that would make the > reading easier, we can still consider those, but I don't think we > can/should add prescriptive text. > > > > I guess I would be interested if any others in the WG have significant > concerns about the ambiguity or interoperability? > > > > thanx. > > > > -- Kevin J. Ma > > > > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> wrote: > >> > >> The problem I'm running into with 6570 is that it _only_ describes a > >> format for producing URIs, not one for understanding them. For > >> example, if you receive this URI, what is the correct behaviour? > >> > >> > https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT > >> > >> This was once considered best practice: > >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2 > >> > >> Is the idea to require query strings to comply with the encoding and > >> decoding requirements of application/x-www-form-urlencoded? If so, > >> don't we run into the same problem as before with 8820? > >> > >> And it's mostly possible to reverse-engineer the path format from 6570 > >> into an unwritten expectation of a format, but I'm not sure an > >> undocumented format is better than a documented one here. > >> > >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > >> > > >> > Hi Chris, > >> > > >> > > Unfortunately, there exists no specification for path-style or > form-style parameters, so it is impossible for an implementer to know how > to reliably locate the token. > >> > > >> > My understanding from the discussion with Mark ( > https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) > is that "path-style" and "form-style" refer to the corresponding > descriptions in RFC6570. Do you think it would help if we added a > reference to RFC6570 and some text to the effect of "where path-style and > form-style parameters conform to RFC6570 path-style parameter and > form-style query expansion formats, respectively"? > >> > > >> > > I also wonder whether URI Signing is properly understood as an > Extension or an Application, in the terms of 8820. > >> > > >> > I think URI Signing should be classified as an "Extension". As you > noted, RFC8820 explicitly notes "signature mechanisms", and we did > explicitly discuss our use case with Mark when he first asked us to "get > off his lawn" ( > https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/). > Do you think an explicit declaration and reference to RFC8820 would help? > >> > > >> > thanx. > >> > > >> > -- Kevin J. Ma > >> > > >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> > wrote: > >> >> > >> >> I'd like to bring this up again because I think it's a potentially > >> >> serious implementation concern and I don't see an easy way around it. > >> >> There is a MUST requirement in the latest draft: > >> >> > >> >> The URI Signing Package will be found by parsing any path-style > >> >> parameters and form-style parameters looking for a key name > matching > >> >> the URI Signing Package Attribute. Both parameter styles MUST be > >> >> supported to allow flexibility of operation. > >> >> > >> >> Unfortunately, there exists no specification for path-style or > >> >> form-style parameters, so it is impossible for an implementer to know > >> >> how to reliably locate the token. This appears to be by design, > >> >> though. ( See RFC 8820: > https://datatracker.ietf.org/doc/html/rfc8820 > >> >> , which is now published.) > >> >> > >> >> I think the intent of this wording is to imply that everybody should > >> >> use application/x-www-form-urlencoded for form-style parameters and > >> >> path-style parameters that look like "path;param1=a,param2=b", but > >> >> aren't specified anywhere in particular. > >> >> > >> >> I see no way for an implementer to determine whether they've met the > >> >> requirement set out that they MUST meet as it is written. > >> >> > >> >> I also wonder whether URI Signing is properly understood as an > >> >> Extension or an Application, in the terms of 8820. I think it wants > to > >> >> be an Extension (for example: `a new signature mechanism for "http" > >> >> URIs`), but might be an Application in practice (`an HTTP interface > to > >> >> particular information on a host`). I think important to the > >> >> discussion is that URI Signing is a mechanism added by an upstream > >> >> entity that controls the content and its format. I think this is an > >> >> important issue to resolve. > >> >> > >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> > wrote: > >> >> > > >> >> > The latest document replaces the path parsing logic with this: > >> >> > > >> >> > > URI Signing Package (URISigningPackage): The URI attribute that > encapsulates all the URI Signing claims in a signed JWT encoded format. > This attribute is exposed in the Signed URI as a path-style parameter or a > form-style parameter. > >> >> > > >> >> > Unfortunately, that doesn't give implementers any idea what needs > to > >> >> > be parsed. I read through the conversation on last-call with mnot > >> >> > ( > https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/ > ), > >> >> > especially with regard to BCP190. I also read through RFC6570 and > >> >> > you're right, it doesn't work for our use case because it's > generating > >> >> > URI, not consuming them. And it's for precisely this reason that we > >> >> > need to be specific in what is accepted. > >> >> > > >> >> > As near as I can tell, there is actually no standard anywhere that > >> >> > describes "path-style parameters". And there are multiple methods > for > >> >> > defining "form-style parameters", some more recent than others and > in > >> >> > varying levels of use generally on the Internet. How can a document > >> >> > have a MUST requirement that requires parsing a specific structure > >> >> > that isn't specified anywhere or even widely agreed upon? > >> >> > > >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote: > >> >> > > > >> >> > > > >> >> > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. > >> >> > > This draft is a work item of the Content Delivery Networks > Interconnection WG of the IETF. > >> >> > > > >> >> > > Title : URI Signing for Content Delivery > Network Interconnection (CDNI) > >> >> > > Authors : Ray van Brandenburg > >> >> > > Kent Leung > >> >> > > Phil Sorber > >> >> > > Filename : draft-ietf-cdni-uri-signing-21.txt > >> >> > > Pages : 41 > >> >> > > Date : 2021-02-11 > >> >> > > > >> >> > > Abstract: > >> >> > > This document describes how the concept of URI Signing > supports the > >> >> > > content access control requirements of Content Delivery > Network > >> >> > > Interconnection (CDNI) and proposes a URI Signing method as a > JSON > >> >> > > Web Token (JWT) profile. > >> >> > > > >> >> > > The proposed URI Signing method specifies the information > needed to > >> >> > > be included in the URI to transmit the signed JWT, as well as > the > >> >> > > claims needed by the signed JWT to authorize a User Agent > (UA). The > >> >> > > mechanism described can be used both in CDNI and single > Content > >> >> > > Delivery Network (CDN) scenarios. > >> >> > > > >> >> > > > >> >> > > The IETF datatracker status page for this draft is: > >> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > >> >> > > > >> >> > > There are also htmlized versions available at: > >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21 > >> >> > > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21 > >> >> > > > >> >> > > A diff from the previous version is available at: > >> >> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21 > >> >> > > > >> >> > > > >> >> > > Please note that it may take a couple of minutes from the time > of submission > >> >> > > until the htmlized version and diff are available at > tools.ietf.org. > >> >> > > > >> >> > > Internet-Drafts are also available by anonymous FTP at: > >> >> > > ftp://ftp.ietf.org/internet-drafts/ > >> >> > > > >> >> > > > >> >> > > _______________________________________________ > >> >> > > CDNi mailing list > >> >> > > CDNi@ietf.org > >> >> > > https://www.ietf.org/mailman/listinfo/cdni > >> >> > >> >> _______________________________________________ > >> >> CDNi mailing list > >> >> CDNi@ietf.org > >> >> https://www.ietf.org/mailman/listinfo/cdni >
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber