Re: [CDNi] URI Signing Signed Token Chaining refactor

"Matthew A. Miller" <linuxwolf@outer-planes.net> Wed, 19 July 2017 14:36 UTC

To: "Kevin J. Ma" <kevin.j.ma.ietf@gmail.com>
Cc: Ray van Brandenburg <ray@tiledmedia.com>, Phil Sorber <sorber@apache.org>, "cdni@ietf.org" <cdni@ietf.org>

Even simply 'Token Renewal' would be perfectly fine.  I'm most concerned
about the 'Chain' part.


- m&m

Matthew A. Miller
< http://goo.gl/LM55L >

On 7/19/17 4:35 PM, Kevin J. Ma wrote:
> how do you feel about "short-lived token renewal"?
> 
> --  Kevin J. Ma
> 
> Sent from my iPhone
> 
>> On Jul 19, 2017, at 10:27 AM, Matthew A. Miller <linuxwolf@outer-planes.net> wrote:
>>
>> Making it (a little bit) more generic makes sense.
>>
>> I'm not sure about the name 'Signed Token Chain', but I don't have a
>> better one.  In cryptographic circles, "chain" has certain implications
>> that this document is not expressing.  The "next" item in the chain is
>> supposed to be cryptographically tied to the "previous" item in the
>> chain by using (a hash of, or the exact value of) the previous token
>> when generating the next token.
>>
>> I don't know that that binding property is required here, so I'm not
>> suggesting a change in the protocol.  I do worry, however, that the
>> language may potentially confuse (or worse, mislead) people about the
>> security properties this document is providing.
>>
>>
>> - m&m
>>
>> Matthew A. Miller
>> < http://goo.gl/LM55L >
>>
>>> On 7/19/17 4:14 PM, Ray van Brandenburg wrote:
>>> Yes, good point!
>>>
>>> Although I can’t think of another use case from the top of my head, I don’t see a good reason to limit it to HAS either.
>>>
>>> Ray
>>>
>>>
>>>> On 19 Jul 2017, at 15:51, Kevin J. Ma <kevin.j.ma.ietf@gmail.com> wrote:
>>>>
>>>> (as an individual) I agree with making the section more generic and citing HAS as a use case for token chaining.
>>>>
>>>> Sent from my iPhone
>>>>
>>>>> On Jul 19, 2017, at 9:43 AM, Phil Sorber <sorber@apache.org> wrote:
>>>>>
>>>>> Since we have added the HAS content I have been thinking about how specific we have made it. Perhaps just specifying a method for token chaining, and then citing HAS as a use case makes more sense. I wanted to get some opinions on it before I make those changes. It shouldn't be that big of a change, just taking the HAS specific stuff and putting it in a lower "Use Case" sub-section at the bottom and leaving everything else as a "Signed Token Chaining" section.
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Thanks.
>>>
>>
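The distinction drawn in the thread above, between tokens that are only renewed and tokens that are cryptographically chained to their predecessor, shown as an added example that is not part of the thread or of the URI Signing draft. The token layout, the HMAC key and all function names are constructed for illustration and are not the draft's format.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key (assumption)

def _tag(body: str) -> str:
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def _sign(claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True)
    return f"{body}.{_tag(body)}"

def renew(seq: int, exp: int) -> str:
    # Plain renewal: each token is signed on its own, with no link to the last one.
    return _sign({"seq": seq, "exp": exp})

def chain(prev, seq: int, exp: int) -> str:
    # Chained: the new token commits to a SHA-256 hash of the previous token.
    prev_hash = hashlib.sha256(prev.encode()).hexdigest() if prev else None
    return _sign({"seq": seq, "exp": exp, "prev": prev_hash})

def verify_sequence(tokens, chained: bool) -> bool:
    # Checks every signature and, if chained, the binding to the predecessor.
    # Expiry checking is left out to keep the comparison focused.
    prev = None
    for tok in tokens:
        body, _, tag = tok.rpartition(".")
        if not hmac.compare_digest(tag, _tag(body)):
            return False
        if chained:
            want = hashlib.sha256(prev.encode()).hexdigest() if prev else None
            if json.loads(body).get("prev") != want:
                return False
        prev = tok
    return True

def build(n: int, chained: bool) -> list:
    # Constructed sample sequence of n tokens with 30-second lifetimes.
    out = []
    for i in range(n):
        exp = 1500475000 + 30 * i
        prev = out[-1] if out else None
        out.append(chain(prev, i, exp) if chained else renew(i, exp))
    return out

if __name__ == "__main__":
    r, c = build(3, False), build(3, True)
    print("renewed, middle token missing:", verify_sequence([r[0], r[2]], False))
    print("chained, middle token missing:", verify_sequence([c[0], c[2]], True))
```

With renewal alone, a verifier that sees tokens 0 and 2 cannot tell that token 1 was skipped, because each signature stands on its own; the chained sequence fails verification in the same situation.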