Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
Kevin Ma <kevin.j.ma.ietf@gmail.com> Sun, 25 July 2021 19:13 UTC
Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0989D3A3619 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etTcOG06_g61 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 617333A361C for <cdni@ietf.org>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id mz5-20020a17090b3785b0290176ecf64922so747864pjb.3 for <cdni@ietf.org>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ot2mNE7hv+6BKeDbkSOYUtT0oGlPNCjh5p99A9LScr0=; b=adf44oyu6yMIT9KDSuwzlHv7DZ8IhTCBBZ71I/B50Qe/3k/n2RfS/5MOCb4aE2Pd3Z 0A5AzGZ06TlxSPA4ye/xSgFIJ3Yh+rwST2b06B01n0Rmbenjx6C6IhvISuxiVWruXVyq piIjBLgPX0wyDmIhl2pMKrzvT46Th3TaZgqecExjSWnyNYYPhB5IIs9kq2kr9a8dHpxu DV61rnTXZUHFLh5Am8NcgKIVHeHCg5Xz0bKT+wmlKO86z3wJLZa+0P5fgQn7jhSjdOgL WqCxP8YEUYYfpbW2R0RyqpTE/jQ+I1Z//3vfgDcCcvT1gT2R6IyRKW2x+nFGtcj+3B3y y2VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ot2mNE7hv+6BKeDbkSOYUtT0oGlPNCjh5p99A9LScr0=; b=ng5yz0FmknNzNsRlKHwU2ZvJZMRme6aA3B0M9Mfm0n2FpCnHrEj4m2AoorAV50puI3 WEEjeA61wx/Hui84r60UwOFmUWZk3YQ8jSLGdDyZS7SwVGzLiTk0dF+BwCgDtjD8yzaP UWo3EYVyH+hd6JqLhKQF5z7xnK1vo8j0dTpBBWgm1JfSMY4+JYxLTDSZe4tWEYANTj6S 0zSMZVNc6oFn9wAsXa43SHFtLj0c6PM3cgROVGY3fmcqRHMmH1D2W/gCHAz3BQaTQBJZ iHoZ9iKriAvULHw2afbUQ8/EOqzXy+AJkl+O8iT7ipuHG0DSv6EkRphVGkrNf3jLOWau PnJg==
X-Gm-Message-State: AOAM531ik1/fiYlcxzaZi396QNpsrJbg+TmyyTT22ZVOQGtDTu5o2OTt +b3Dy4z3gw++C+1/d0y8LkibjYU5HKk+NolKn98=
X-Google-Smtp-Source: ABdhPJx6gbuW2HQjkZayZcMTLcXeweqXKWXws5oShT7JEfm9OazXQjG6MCOciPiXJABcbtLJMl87Me1jU4eoRuTyjf8=
X-Received: by 2002:a63:d14c:: with SMTP id c12mr14565850pgj.412.1627240400206; Sun, 25 Jul 2021 12:13:20 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com> <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com> <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com>
In-Reply-To: <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sun, 25 Jul 2021 15:13:09 -0400
Message-ID: <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>, Phil Sorber <sorber@apache.org>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000004c02a05c7f76e6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/GSHAr-BwsQ4djqjhF-VMB5EK-T0>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 19:13:26 -0000
Hi Chris, Thanks for laying those out. (As an individual) Of the two proposals, I prefer option 1, as I think it is better to have some expectations listed in the spec and not just punt it to an out-of-band requirement. I don't see an issue with adding a normative reference to RFC6570 and stating those expectations. I don't think we're terribly far off from that with the existing text. And given the previous last call discussion with Mark, I'm hopeful he would approve. (As a chair) Phil, do you, or any others in the WG have any thoughts on this proposal? thanx. -- Kevin J. Ma On Sun, Jul 25, 2021 at 1:11 AM Chris Lemmons <alficles@gmail.com> wrote: > I see at least two options. One option is something very close to what > you suggested earlier: Revise the text to have a normative dependence > on 6570 and say that implementations MUST accept parameters in the > format generated by a URI template of a particular form. This doesn't > help a processor know what to do with ambiguous input, which isn't > great, but it does at least let the processor implement in a way that > covers all valid forms. Of all the suggestions made so far, this is > the one I like the most. But I don't think it gets us out of the > trouble Mark brought up. That is, we're effectively defining a format > on a part of the URI by saying it has to be generated in a particular > form. If, however, everybody is happy with normative text requiring > the processing of template-generated URIs with usefully defined > templates, that works for me. It's a target you can aim at. > > The other main option is to take the token location out entirely and > remove the MUST. You can imagine text similar to: The URI Signing > Package will be found by parsing the URI. The details of how the URI > will be parsed will be communicated out-of-band between the CSP, uCDN > and and all dCDNs. > > If we take the first approach, we're effectively standardizing part of > the URI. If we take the second approach, we're not standardizing the > URI, but it's also impossible to use URI Signing without some explicit > agreement between the parties. (Some communication out-of-band is > expected, to transfer the trusted keys, so this isn't _totally_ out of > the realm of possibility.) Practically, though, there are only a few > reasonable places to look, so we're just waving our hands and assuming > without saying it aloud that everybody will use the format generated > by 6570 or something close. > > There's no way to do URI Signing without having somewhere in the URI > that can be recognized as having a token in it. You can do it > explicitly or implicitly, but you have to do it. I think that what > we're doing here is in application-land instead of extension-land and > option 1 is fine. But others may not agree there. > > On Sat, Jul 24, 2021 at 8:23 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > > > > Hi Chris, > > > > Do you have a solution proposal? > > > > thanx. > > > > -- Kevin J. Ma > > > > On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com> > wrote: > >> > >> I honestly think that URI Signing is more appropriately understood as > >> an application than an extension of HTTP. You can't use URI Signing > >> without special agreement between the entity producing the URI and the > >> one that finally processes it. You can't for example, give a signed > >> URI to a CDN or other server that isn't expecting to process it. > >> > >> We could make the location of the token entirely outside the confines > >> of the specification, allowing signers and processors to communicate > >> out-of-band about where the token will be. That would considerably > >> reduce the value and interoperability provided in the document, > >> though. > >> > >> As it stands, there's a MUST requirement that requires that you do > >> something that isn't documented anywhere. It's not possible for an > >> implementation to know whether they are meeting the MUST parse path > >> parameters requirement without anything that describes what a path > >> parameter is. > >> > >> On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > >> > > >> > Hi Chris, > >> > > >> > (As chair) I don't disagree that it would be nice if there was an > RFC like RFC6570 that explicitly described the parsing rules. But I think > the point of RFC8820 is that we should not be defining those rules in the > URI signing RFC. Does that mean we should hold off on URI signing until > such time as Mark writes that other RFC? I think Mark's acceptance of the > current text during last call ( > https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) > implies no. That said, if there are editorial changes that would make the > reading easier, we can still consider those, but I don't think we > can/should add prescriptive text. > >> > > >> > I guess I would be interested if any others in the WG have > significant concerns about the ambiguity or interoperability? > >> > > >> > thanx. > >> > > >> > -- Kevin J. Ma > >> > > >> > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com> > wrote: > >> >> > >> >> The problem I'm running into with 6570 is that it _only_ describes a > >> >> format for producing URIs, not one for understanding them. For > >> >> example, if you receive this URI, what is the correct behaviour? > >> >> > >> >> > https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT > >> >> > >> >> This was once considered best practice: > >> >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2 > >> >> > >> >> Is the idea to require query strings to comply with the encoding and > >> >> decoding requirements of application/x-www-form-urlencoded? If so, > >> >> don't we run into the same problem as before with 8820? > >> >> > >> >> And it's mostly possible to reverse-engineer the path format from > 6570 > >> >> into an unwritten expectation of a format, but I'm not sure an > >> >> undocumented format is better than a documented one here. > >> >> > >> >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > >> >> > > >> >> > Hi Chris, > >> >> > > >> >> > > Unfortunately, there exists no specification for path-style or > form-style parameters, so it is impossible for an implementer to know how > to reliably locate the token. > >> >> > > >> >> > My understanding from the discussion with Mark ( > https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) > is that "path-style" and "form-style" refer to the corresponding > descriptions in RFC6570. Do you think it would help if we added a > reference to RFC6570 and some text to the effect of "where path-style and > form-style parameters conform to RFC6570 path-style parameter and > form-style query expansion formats, respectively"? > >> >> > > >> >> > > I also wonder whether URI Signing is properly understood as an > Extension or an Application, in the terms of 8820. > >> >> > > >> >> > I think URI Signing should be classified as an "Extension". As > you noted, RFC8820 explicitly notes "signature mechanisms", and we did > explicitly discuss our use case with Mark when he first asked us to "get > off his lawn" ( > https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/). > Do you think an explicit declaration and reference to RFC8820 would help? > >> >> > > >> >> > thanx. > >> >> > > >> >> > -- Kevin J. Ma > >> >> > > >> >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> > wrote: > >> >> >> > >> >> >> I'd like to bring this up again because I think it's a potentially > >> >> >> serious implementation concern and I don't see an easy way around > it. > >> >> >> There is a MUST requirement in the latest draft: > >> >> >> > >> >> >> The URI Signing Package will be found by parsing any path-style > >> >> >> parameters and form-style parameters looking for a key name > matching > >> >> >> the URI Signing Package Attribute. Both parameter styles MUST > be > >> >> >> supported to allow flexibility of operation. > >> >> >> > >> >> >> Unfortunately, there exists no specification for path-style or > >> >> >> form-style parameters, so it is impossible for an implementer to > know > >> >> >> how to reliably locate the token. This appears to be by design, > >> >> >> though. ( See RFC 8820: > https://datatracker.ietf.org/doc/html/rfc8820 > >> >> >> , which is now published.) > >> >> >> > >> >> >> I think the intent of this wording is to imply that everybody > should > >> >> >> use application/x-www-form-urlencoded for form-style parameters > and > >> >> >> path-style parameters that look like "path;param1=a,param2=b", but > >> >> >> aren't specified anywhere in particular. > >> >> >> > >> >> >> I see no way for an implementer to determine whether they've met > the > >> >> >> requirement set out that they MUST meet as it is written. > >> >> >> > >> >> >> I also wonder whether URI Signing is properly understood as an > >> >> >> Extension or an Application, in the terms of 8820. I think it > wants to > >> >> >> be an Extension (for example: `a new signature mechanism for > "http" > >> >> >> URIs`), but might be an Application in practice (`an HTTP > interface to > >> >> >> particular information on a host`). I think important to the > >> >> >> discussion is that URI Signing is a mechanism added by an upstream > >> >> >> entity that controls the content and its format. I think this is > an > >> >> >> important issue to resolve. > >> >> >> > >> >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> > wrote: > >> >> >> > > >> >> >> > The latest document replaces the path parsing logic with this: > >> >> >> > > >> >> >> > > URI Signing Package (URISigningPackage): The URI attribute > that encapsulates all the URI Signing claims in a signed JWT encoded > format. This attribute is exposed in the Signed URI as a path-style > parameter or a form-style parameter. > >> >> >> > > >> >> >> > Unfortunately, that doesn't give implementers any idea what > needs to > >> >> >> > be parsed. I read through the conversation on last-call with > mnot > >> >> >> > ( > https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/ > ), > >> >> >> > especially with regard to BCP190. I also read through RFC6570 > and > >> >> >> > you're right, it doesn't work for our use case because it's > generating > >> >> >> > URI, not consuming them. And it's for precisely this reason > that we > >> >> >> > need to be specific in what is accepted. > >> >> >> > > >> >> >> > As near as I can tell, there is actually no standard anywhere > that > >> >> >> > describes "path-style parameters". And there are multiple > methods for > >> >> >> > defining "form-style parameters", some more recent than others > and in > >> >> >> > varying levels of use generally on the Internet. How can a > document > >> >> >> > have a MUST requirement that requires parsing a specific > structure > >> >> >> > that isn't specified anywhere or even widely agreed upon? > >> >> >> > > >> >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> > wrote: > >> >> >> > > > >> >> >> > > > >> >> >> > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. > >> >> >> > > This draft is a work item of the Content Delivery Networks > Interconnection WG of the IETF. > >> >> >> > > > >> >> >> > > Title : URI Signing for Content Delivery > Network Interconnection (CDNI) > >> >> >> > > Authors : Ray van Brandenburg > >> >> >> > > Kent Leung > >> >> >> > > Phil Sorber > >> >> >> > > Filename : draft-ietf-cdni-uri-signing-21.txt > >> >> >> > > Pages : 41 > >> >> >> > > Date : 2021-02-11 > >> >> >> > > > >> >> >> > > Abstract: > >> >> >> > > This document describes how the concept of URI Signing > supports the > >> >> >> > > content access control requirements of Content Delivery > Network > >> >> >> > > Interconnection (CDNI) and proposes a URI Signing method > as a JSON > >> >> >> > > Web Token (JWT) profile. > >> >> >> > > > >> >> >> > > The proposed URI Signing method specifies the information > needed to > >> >> >> > > be included in the URI to transmit the signed JWT, as well > as the > >> >> >> > > claims needed by the signed JWT to authorize a User Agent > (UA). The > >> >> >> > > mechanism described can be used both in CDNI and single > Content > >> >> >> > > Delivery Network (CDN) scenarios. > >> >> >> > > > >> >> >> > > > >> >> >> > > The IETF datatracker status page for this draft is: > >> >> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > >> >> >> > > > >> >> >> > > There are also htmlized versions available at: > >> >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21 > >> >> >> > > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21 > >> >> >> > > > >> >> >> > > A diff from the previous version is available at: > >> >> >> > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21 > >> >> >> > > > >> >> >> > > > >> >> >> > > Please note that it may take a couple of minutes from the > time of submission > >> >> >> > > until the htmlized version and diff are available at > tools.ietf.org. > >> >> >> > > > >> >> >> > > Internet-Drafts are also available by anonymous FTP at: > >> >> >> > > ftp://ftp.ietf.org/internet-drafts/ > >> >> >> > > > >> >> >> > > > >> >> >> > > _______________________________________________ > >> >> >> > > CDNi mailing list > >> >> >> > > CDNi@ietf.org > >> >> >> > > https://www.ietf.org/mailman/listinfo/cdni > >> >> >> > >> >> >> _______________________________________________ > >> >> >> CDNi mailing list > >> >> >> CDNi@ietf.org > >> >> >> https://www.ietf.org/mailman/listinfo/cdni >
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber