IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Kevin Ma <kevin.j.ma.ietf@gmail.com> Sun, 25 July 2021 19:13 UTC

Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0989D3A3619 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etTcOG06_g61 for <cdni@ietfa.amsl.com>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 617333A361C for <cdni@ietf.org>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id mz5-20020a17090b3785b0290176ecf64922so747864pjb.3 for <cdni@ietf.org>; Sun, 25 Jul 2021 12:13:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ot2mNE7hv+6BKeDbkSOYUtT0oGlPNCjh5p99A9LScr0=; b=adf44oyu6yMIT9KDSuwzlHv7DZ8IhTCBBZ71I/B50Qe/3k/n2RfS/5MOCb4aE2Pd3Z 0A5AzGZ06TlxSPA4ye/xSgFIJ3Yh+rwST2b06B01n0Rmbenjx6C6IhvISuxiVWruXVyq piIjBLgPX0wyDmIhl2pMKrzvT46Th3TaZgqecExjSWnyNYYPhB5IIs9kq2kr9a8dHpxu DV61rnTXZUHFLh5Am8NcgKIVHeHCg5Xz0bKT+wmlKO86z3wJLZa+0P5fgQn7jhSjdOgL WqCxP8YEUYYfpbW2R0RyqpTE/jQ+I1Z//3vfgDcCcvT1gT2R6IyRKW2x+nFGtcj+3B3y y2VA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ot2mNE7hv+6BKeDbkSOYUtT0oGlPNCjh5p99A9LScr0=; b=ng5yz0FmknNzNsRlKHwU2ZvJZMRme6aA3B0M9Mfm0n2FpCnHrEj4m2AoorAV50puI3 WEEjeA61wx/Hui84r60UwOFmUWZk3YQ8jSLGdDyZS7SwVGzLiTk0dF+BwCgDtjD8yzaP UWo3EYVyH+hd6JqLhKQF5z7xnK1vo8j0dTpBBWgm1JfSMY4+JYxLTDSZe4tWEYANTj6S 0zSMZVNc6oFn9wAsXa43SHFtLj0c6PM3cgROVGY3fmcqRHMmH1D2W/gCHAz3BQaTQBJZ iHoZ9iKriAvULHw2afbUQ8/EOqzXy+AJkl+O8iT7ipuHG0DSv6EkRphVGkrNf3jLOWau PnJg==
X-Gm-Message-State: AOAM531ik1/fiYlcxzaZi396QNpsrJbg+TmyyTT22ZVOQGtDTu5o2OTt +b3Dy4z3gw++C+1/d0y8LkibjYU5HKk+NolKn98=
X-Google-Smtp-Source: ABdhPJx6gbuW2HQjkZayZcMTLcXeweqXKWXws5oShT7JEfm9OazXQjG6MCOciPiXJABcbtLJMl87Me1jU4eoRuTyjf8=
X-Received: by 2002:a63:d14c:: with SMTP id c12mr14565850pgj.412.1627240400206; Sun, 25 Jul 2021 12:13:20 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com> <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com> <CAMrHYE2gR2921Pi3c9Tbwq1_eCJMiMJMmpAD0XFfQ1u78t+_DA@mail.gmail.com> <CAJEGKNvk+H7-W9s1pt=YR0Q+z9VLWghZg5+cb_2WZ7i=_ysJAw@mail.gmail.com> <CAMrHYE2T2kBdNva_jzUCuSOqsj9jajme-7DObQxLtas-fRi7Gw@mail.gmail.com> <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com>
In-Reply-To: <CAJEGKNsg_jX-tH666VPDeNSyLyythnnu-QkA2jQPRN+ggoo9Hw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sun, 25 Jul 2021 15:13:09 -0400
Message-ID: <CAMrHYE2PJXcYSuEUfYBdOUycK8mVvuNVJDAToBE1QJxxC3upcA@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>, Phil Sorber <sorber@apache.org>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000004c02a05c7f76e6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/GSHAr-BwsQ4djqjhF-VMB5EK-T0>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Jul 2021 19:13:26 -0000

Hi Chris,

  Thanks for laying those out.

  (As an individual) Of the two proposals, I prefer option 1, as I think it
is better to have some expectations listed in the spec and not just punt it
to an out-of-band requirement.  I don't see an issue with adding a
normative reference to RFC6570 and stating those expectations.  I don't
think we're terribly far off from that with the existing text.  And given
the previous last call discussion with Mark, I'm hopeful he would approve.

  (As a chair) Phil, do you, or any others in the WG have any thoughts on
this proposal?

thanx.

--  Kevin J. Ma

On Sun, Jul 25, 2021 at 1:11 AM Chris Lemmons <alficles@gmail.com> wrote:

> I see at least two options. One option is something very close to what
> you suggested earlier: Revise the text to have a normative dependence
> on 6570 and say that implementations MUST accept parameters in the
> format generated by a URI template of a particular form. This doesn't
> help a processor know what to do with ambiguous input, which isn't
> great, but it does at least let the processor implement in a way that
> covers all valid forms. Of all the suggestions made so far, this is
> the one I like the most. But I don't think it gets us out of the
> trouble Mark brought up. That is, we're effectively defining a format
> on a part of the URI by saying it has to be generated in a particular
> form. If, however, everybody is happy with normative text requiring
> the processing of template-generated URIs with usefully defined
> templates, that works for me. It's a target you can aim at.
>
> The other main option is to take the token location out entirely and
> remove the MUST. You can imagine text similar to: The URI Signing
> Package will be found by parsing the URI. The details of how the URI
> will be parsed will be communicated out-of-band between the CSP, uCDN
> and and all dCDNs.
>
> If we take the first approach, we're effectively standardizing part of
> the URI. If we take the second approach, we're not standardizing the
> URI, but it's also impossible to use URI Signing without some explicit
> agreement between the parties. (Some communication out-of-band is
> expected, to transfer the trusted keys, so this isn't _totally_ out of
> the realm of possibility.) Practically, though, there are only a few
> reasonable places to look, so we're just waving our hands and assuming
> without saying it aloud that everybody will use the format generated
> by 6570 or something close.
>
> There's no way to do URI Signing without having somewhere in the URI
> that can be recognized as having a token in it. You can do it
> explicitly or implicitly, but you have to do it. I think that what
> we're doing here is in application-land instead of extension-land and
> option 1 is fine. But others may not agree there.
>
> On Sat, Jul 24, 2021 at 8:23 PM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
> >
> > Hi Chris,
> >
> >   Do you have a solution proposal?
> >
> > thanx.
> >
> > --  Kevin J. Ma
> >
> > On Sat, Jul 24, 2021 at 3:12 PM Chris Lemmons <alficles@gmail.com>
> wrote:
> >>
> >> I honestly think that URI Signing is more appropriately understood as
> >> an application than an extension of HTTP. You can't use URI Signing
> >> without special agreement between the entity producing the URI and the
> >> one that finally processes it. You can't for example, give a signed
> >> URI to a CDN or other server that isn't expecting to process it.
> >>
> >> We could make the location of the token entirely outside the confines
> >> of the specification, allowing signers and processors to communicate
> >> out-of-band about where the token will be. That would considerably
> >> reduce the value and interoperability provided in the document,
> >> though.
> >>
> >> As it stands, there's a MUST requirement that requires that you do
> >> something that isn't documented anywhere. It's not possible for an
> >> implementation to know whether they are meeting the MUST parse path
> >> parameters requirement without anything that describes what a path
> >> parameter is.
> >>
> >> On Sat, Jul 24, 2021 at 12:14 AM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
> >> >
> >> > Hi Chris,
> >> >
> >> >   (As chair) I don't disagree that it would be nice if there was an
> RFC like RFC6570 that explicitly described the parsing rules.  But I think
> the point of RFC8820 is that we should not be defining those rules in the
> URI signing RFC.  Does that mean we should hold off on URI signing until
> such time as Mark writes that other RFC?  I think Mark's acceptance of the
> current text during last call (
> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
> implies no.  That said, if there are editorial changes that would make the
> reading easier, we can still consider those, but I don't think we
> can/should add prescriptive text.
> >> >
> >> >   I guess I would be interested if any others in the WG have
> significant concerns about the ambiguity or interoperability?
> >> >
> >> > thanx.
> >> >
> >> > --  Kevin J. Ma
> >> >
> >> > On Tue, Jul 6, 2021 at 2:55 PM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >>
> >> >> The problem I'm running into with 6570 is that it _only_ describes a
> >> >> format for producing URIs, not one for understanding them. For
> >> >> example, if you receive this URI, what is the correct behaviour?
> >> >>
> >> >>
> https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT
> >> >>
> >> >> This was once considered best practice:
> >> >> https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2
> >> >>
> >> >> Is the idea to require query strings to comply with the encoding and
> >> >> decoding requirements of application/x-www-form-urlencoded? If so,
> >> >> don't we run into the same problem as before with 8820?
> >> >>
> >> >> And it's mostly possible to reverse-engineer the path format from
> 6570
> >> >> into an unwritten expectation of a format, but I'm not sure an
> >> >> undocumented format is better than a documented one here.
> >> >>
> >> >> On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
> >> >> >
> >> >> > Hi Chris,
> >> >> >
> >> >> > > Unfortunately, there exists no specification for path-style or
> form-style parameters, so it is impossible for an implementer to know how
> to reliably locate the token.
> >> >> >
> >> >> > My understanding from the discussion with Mark (
> https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/)
> is that "path-style" and "form-style" refer to the corresponding
> descriptions in RFC6570.  Do you think it would help if we added a
> reference to RFC6570 and some text to the effect of "where path-style and
> form-style parameters conform to RFC6570 path-style parameter and
> form-style query expansion formats, respectively"?
> >> >> >
> >> >> > > I also wonder whether URI Signing is properly understood as an
> Extension or an Application, in the terms of 8820.
> >> >> >
> >> >> > I think URI Signing should be classified as an "Extension".  As
> you noted, RFC8820 explicitly notes "signature mechanisms", and we did
> explicitly discuss our use case with Mark when he first asked us to "get
> off his lawn" (
> https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).
> Do you think an explicit declaration and reference to RFC8820 would help?
> >> >> >
> >> >> > thanx.
> >> >> >
> >> >> > --  Kevin J. Ma
> >> >> >
> >> >> > On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >> >>
> >> >> >> I'd like to bring this up again because I think it's a potentially
> >> >> >> serious implementation concern and I don't see an easy way around
> it.
> >> >> >> There is a MUST requirement in the latest draft:
> >> >> >>
> >> >> >>    The URI Signing Package will be found by parsing any path-style
> >> >> >>    parameters and form-style parameters looking for a key name
> matching
> >> >> >>    the URI Signing Package Attribute.  Both parameter styles MUST
> be
> >> >> >>    supported to allow flexibility of operation.
> >> >> >>
> >> >> >> Unfortunately, there exists no specification for path-style or
> >> >> >> form-style parameters, so it is impossible for an implementer to
> know
> >> >> >> how to reliably locate the token. This appears to be by design,
> >> >> >> though. ( See RFC 8820:
> https://datatracker.ietf.org/doc/html/rfc8820
> >> >> >> , which is now published.)
> >> >> >>
> >> >> >> I think the intent of this wording is to imply that everybody
> should
> >> >> >> use application/x-www-form-urlencoded for form-style parameters
> and
> >> >> >> path-style parameters that look like "path;param1=a,param2=b", but
> >> >> >> aren't specified anywhere in particular.
> >> >> >>
> >> >> >> I see no way for an implementer to determine whether they've met
> the
> >> >> >> requirement set out that they MUST meet as it is written.
> >> >> >>
> >> >> >> I also wonder whether URI Signing is properly understood as an
> >> >> >> Extension or an Application, in the terms of 8820. I think it
> wants to
> >> >> >> be an Extension (for example: `a new signature mechanism for
> "http"
> >> >> >> URIs`), but might be an Application in practice (`an HTTP
> interface to
> >> >> >> particular information on a host`). I think important to the
> >> >> >> discussion is that URI Signing is a mechanism added by an upstream
> >> >> >> entity that controls the content and its format. I think this is
> an
> >> >> >> important issue to resolve.
> >> >> >>
> >> >> >> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com>
> wrote:
> >> >> >> >
> >> >> >> > The latest document replaces the path parsing logic with this:
> >> >> >> >
> >> >> >> > > URI Signing Package (URISigningPackage): The URI attribute
> that encapsulates all the URI Signing claims in a signed JWT encoded
> format.  This attribute is exposed in the Signed URI as a path-style
> parameter or a form-style parameter.
> >> >> >> >
> >> >> >> > Unfortunately, that doesn't give implementers any idea what
> needs to
> >> >> >> > be parsed. I read through the conversation on last-call with
> mnot
> >> >> >> > (
> https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/
> ),
> >> >> >> > especially with regard to BCP190. I also read through RFC6570
> and
> >> >> >> > you're right, it doesn't work for our use case because it's
> generating
> >> >> >> > URI, not consuming them. And it's for precisely this reason
> that we
> >> >> >> > need to be specific in what is accepted.
> >> >> >> >
> >> >> >> > As near as I can tell, there is actually no standard anywhere
> that
> >> >> >> > describes "path-style parameters". And there are multiple
> methods for
> >> >> >> > defining "form-style parameters", some more recent than others
> and in
> >> >> >> > varying levels of use generally on the Internet. How can a
> document
> >> >> >> > have a MUST requirement that requires parsing a specific
> structure
> >> >> >> > that isn't specified anywhere or even widely agreed upon?
> >> >> >> >
> >> >> >> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org>
> wrote:
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > A New Internet-Draft is available from the on-line
> Internet-Drafts directories.
> >> >> >> > > This draft is a work item of the Content Delivery Networks
> Interconnection WG of the IETF.
> >> >> >> > >
> >> >> >> > >         Title           : URI Signing for Content Delivery
> Network Interconnection (CDNI)
> >> >> >> > >         Authors         : Ray van Brandenburg
> >> >> >> > >                           Kent Leung
> >> >> >> > >                           Phil Sorber
> >> >> >> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
> >> >> >> > >         Pages           : 41
> >> >> >> > >         Date            : 2021-02-11
> >> >> >> > >
> >> >> >> > > Abstract:
> >> >> >> > >    This document describes how the concept of URI Signing
> supports the
> >> >> >> > >    content access control requirements of Content Delivery
> Network
> >> >> >> > >    Interconnection (CDNI) and proposes a URI Signing method
> as a JSON
> >> >> >> > >    Web Token (JWT) profile.
> >> >> >> > >
> >> >> >> > >    The proposed URI Signing method specifies the information
> needed to
> >> >> >> > >    be included in the URI to transmit the signed JWT, as well
> as the
> >> >> >> > >    claims needed by the signed JWT to authorize a User Agent
> (UA).  The
> >> >> >> > >    mechanism described can be used both in CDNI and single
> Content
> >> >> >> > >    Delivery Network (CDN) scenarios.
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > The IETF datatracker status page for this draft is:
> >> >> >> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
> >> >> >> > >
> >> >> >> > > There are also htmlized versions available at:
> >> >> >> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
> >> >> >> > >
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
> >> >> >> > >
> >> >> >> > > A diff from the previous version is available at:
> >> >> >> > >
> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > Please note that it may take a couple of minutes from the
> time of submission
> >> >> >> > > until the htmlized version and diff are available at
> tools.ietf.org.
> >> >> >> > >
> >> >> >> > > Internet-Drafts are also available by anonymous FTP at:
> >> >> >> > > ftp://ftp.ietf.org/internet-drafts/
> >> >> >> > >
> >> >> >> > >
> >> >> >> > > _______________________________________________
> >> >> >> > > CDNi mailing list
> >> >> >> > > CDNi@ietf.org
> >> >> >> > > https://www.ietf.org/mailman/listinfo/cdni
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> CDNi mailing list
> >> >> >> CDNi@ietf.org
> >> >> >> https://www.ietf.org/mailman/listinfo/cdni
>

v2.23.0 | Report a Bug | By Email