Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt

Kevin Ma J <kevin.j.ma@ericsson.com> Mon, 24 October 2016 02:50 UTC

From: Kevin Ma J <kevin.j.ma@ericsson.com>
To: Phil Sorber <sorber@apache.org>, "Brandenburg, R. (Ray) van" <ray.vanbrandenburg@tno.nl>, "cdni@ietf.org" <cdni@ietf.org>
Date: Mon, 24 Oct 2016 02:49:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/ADB9AIbpmZY-UsjcDUeRH1NgAF4>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt

Hi Phil,

  (as an individual) Wrt unknown claims and changing the MUST reject to a SHOULD ignore, is there a specific use case you are considering?

  Is this to account for changes to the underlying JWT/JWS/JWE specs, algorithm support, etc.?  If so, is that something we need to handle explicitly?

  Is this to allow third-parties to add proprietary claims but still be RFC compliant?  This seems like a dangerous feature.  If someone relies on that proprietary claim, but some intermediate CDN doesn't understand it, then the security or policy is lost.  If this is the intent, it is probably at least worth an explicit acknowledgement in the text (and possibly a special sandbox in the token itself), as well as a caveat in the security considerations?

thanx.

--  Kevin J. Ma

minor comments:

OLD:
  A CDN MUST be able to parse and process all of the claims
  listed below.  If the signed JWT contains any claims which the
  CDN does not understand (i.e., is unable to parse and
  process), the CDN SHOULD ignore them.

NEW:
  A CDN MUST be able to parse and process all of the claims
  listed below.  If the signed JWT contains any other claims which the
  CDN does not understand (i.e., is unable to parse and
  process), the CDN SHOULD ignore them.

OLD:
  The type is JSON integer and the value for this version of
  the specification is "1".

NEW:
  The type is JSON integer and the value MUST be set to "1",
  for this version of the specification.
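
The claim handling discussed in this thread (a version claim checked before anything else, unknown claims either ignored per the new SHOULD or rejected per the old MUST), as an added example that is not part of the thread or of the draft: a minimal HS256 verifier in Python. The claim name "ver", the shared key and the proprietary "x-geo-allow" claim are constructed placeholders; nothing here assumes the draft's actual claim names.

```python
import base64
import hashlib
import hmac
import json

# Claim names this (constructed) relying CDN understands. The standard ones
# are RFC 7519 registered claims; "ver" is a stand-in for the version claim
# discussed in the thread, not necessarily the draft's final claim name.
KNOWN_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti", "ver"}
SUPPORTED_VERSION = 1

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct test input here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_uri_signing_jwt(token: str, key: bytes, now: int, policy: str = "ignore"):
    """Verify the HS256 signature, then check the claim set.

    policy "ignore" is the draft's SHOULD-ignore for unknown claims; "reject"
    is the earlier MUST-reject.  Returns (claims, ignored) so a CDN can log
    the claims it skipped, which is the visibility Kevin's concern calls for.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting "alg"
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("ver") != SUPPORTED_VERSION:  # version first: it governs how the rest is read
        raise ValueError(f"unsupported version claim: {claims.get('ver')!r}")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    ignored = sorted(set(claims) - KNOWN_CLAIMS)
    if ignored and policy == "reject":
        raise ValueError(f"unknown claims: {ignored}")
    return claims, ignored
```

With the default policy a token carrying a proprietary claim verifies fine at a CDN that does not understand it, and only the returned `ignored` list shows that the claim was never enforced there.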


From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Phil Sorber
Sent: Tuesday, October 18, 2016 11:46 AM
To: Brandenburg, R. (Ray) van <ray.vanbrandenburg@tno.nl>; cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt

Seeing as there hasn't been any negative feedback on the new direction (or any feedback at all) I'd like to point out that we have this particular draft in revision control in github. I've also submitted a pull request if anyone would like to review it.

https://github.com/rayvbr/URISigningSpec/pull/5

This adds a version claim so that we can upgrade more easily and also ignore unknown claims. We originally had a version field to begin with but there was nothing in JWT that was similar so it was left out of the first JWT revision. We (Matt Miller and I) also consulted with a JWT expert on the name used and how to get it registered properly.

Thanks.

On Tue, Oct 4, 2016 at 2:34 AM Brandenburg, R. (Ray) van <ray.vanbrandenburg@tno.nl> wrote:
Hi all,

As you can see, we’ve just uploaded a new version of the URI Signing document. This is a major rewrite that incorporates the decision we made in Berlin to base the URI Signing algorithm on JSON Web Token.

There are still a few open issues, but we wanted to get the group's opinion on whether this is going in the right direction.

Best regards,

Ray



On 04/10/2016, 10:31, "CDNi on behalf of internet-drafts@ietf.org" <cdni-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:


    A New Internet-Draft is available from the on-line Internet-Drafts directories.
    This draft is a work item of the Content Delivery Networks Interconnection of the IETF.

        Title           : URI Signing for CDN Interconnection (CDNI)
        Authors         : Ray van Brandenburg
                          Kent Leung
                          Phil Sorber
                          Matthew Miller
        Filename        : draft-ietf-cdni-uri-signing-10.txt
        Pages           : 29
        Date            : 2016-10-04

    Abstract:
       This document describes how the concept of URI signing supports the
       content access control requirements of CDNI and proposes a URI
       signing method as a JSON Web Token (JWT) [RFC7519] profile.

       The proposed URI signing method specifies the information needed to
       be included in the URI to transmit the signed JWT as well as the
       claims needed by the signed JWT to authorize a UA.  The mechanism
       described can be used both in CDNI and single CDN scenarios.


    The IETF datatracker status page for this draft is:
    https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/

    There's also a htmlized version available at:
    https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-10

    A diff from the previous version is available at:
    https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-10


    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.

    Internet-Drafts are also available by anonymous FTP at:
    ftp://ftp.ietf.org/internet-drafts/

    _______________________________________________
    CDNi mailing list
    CDNi@ietf.org
    https://www.ietf.org/mailman/listinfo/cdni

