IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt

"Kevin J. Ma" <kevin.j.ma.ietf@gmail.com> Tue, 18 July 2017 22:38 UTC

Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A62E3127275 for <cdni@ietfa.amsl.com>; Tue, 18 Jul 2017 15:38:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KKLhmQ7Mq4Qe for <cdni@ietfa.amsl.com>; Tue, 18 Jul 2017 15:38:09 -0700 (PDT)
Received: from mail-yw0-x244.google.com (mail-yw0-x244.google.com [IPv6:2607:f8b0:4002:c05::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC2B4127241 for <cdni@ietf.org>; Tue, 18 Jul 2017 15:38:08 -0700 (PDT)
Received: by mail-yw0-x244.google.com with SMTP id v193so1772554ywg.0 for <cdni@ietf.org>; Tue, 18 Jul 2017 15:38:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yGqFL7HOVKfcMCif/nVrBmL9de6pCqLE+LLW+WIzFzE=; b=V77kRd/ik+Jay8LzkpSieWqtkrQ97iqyvzhQN+zSXpfk7WXaqOmOtTMMst30UY6rId HrEbUlbE/fcEo5mqb6+Fj2YzsohpdjUX95DQ/H0j+vJ2HfZy/JWBW0/VpLFm0ibb5U1t ChseI50H7lDy0na6alS3LaRf1wJhDo4WqpSDmG+Xr9xAlGj/L1Dbx+xhMZNT+dPK9pJ8 qxIynwGHBFv6ftgRQLafT2TGw9gfjTjdi72yKOQN+QSZX0cpHNP1VUwvuNT8G7W/x81E T2xQsEMvTSWX4LWWRsacGCEjnu1pNCZS/31RkXXO64kOQAd2ZJ3Hr1XZgPCU55sn1Jti nyqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yGqFL7HOVKfcMCif/nVrBmL9de6pCqLE+LLW+WIzFzE=; b=ZjTRxKTNbs/heDa1U0vdX9Q1CgJODPRMSuVledaKnWa4RaioJWvvPGq58THIJnhYI+ 7H2uIH2SvwVyApDpthuU6Hie1odgax9oz1EbhUhoBx/JHuapb+mivANDnfLiNGYFmPq3 ctWqm9/DZQmAw5uC6JFRFj5cyaFJqtv+eUdRjln1ceOogTRi7WlZQekLnchFNbPDjLs+ mgHAOUVLQL0k5j5M80QC0isxYSDRIMPVqSRiCLrG+ckbxa5Ma61ouFGDRX8yDVxE4Wlt jpa3sBDMU7CPiNUv5tNu6A0JAChCADizMadtBMn0wmuEER6vCkWrnV3Oa63GlPCXoFDx RrMA==
X-Gm-Message-State: AIVw112+zo0oDOelR0H6ZFco5Q+kgQEDhMgXqNFQkB0lPh0eh6ej9Kca GIihDZazYqp4lwrlaYg=
X-Received: by 10.129.80.10 with SMTP id e10mr2912433ywb.309.1500417487699; Tue, 18 Jul 2017 15:38:07 -0700 (PDT)
Received: from [10.100.17.73] (static-108-26-234-5.bstnma.fios.verizon.net. [108.26.234.5]) by smtp.gmail.com with ESMTPSA id u66sm1274746ywa.44.2017.07.18.15.38.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 18 Jul 2017 15:38:06 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-086A1BCF-37AE-4EF0-BE6F-71619F6A8D51"
Mime-Version: 1.0 (1.0)
From: "Kevin J. Ma" <kevin.j.ma.ietf@gmail.com>
X-Mailer: iPhone Mail (14F89)
In-Reply-To: <a79e35933ce241c78267514fa39f289a@XCH-RTP-006.cisco.com>
Date: Tue, 18 Jul 2017 18:38:05 -0400
Cc: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>, "cdni@ietf.org" <cdni@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <B8EE3C9B-244F-4E72-A5CF-BB5FBA2334A7@gmail.com>
References: <149842148725.3124.11919861730574680552@ietfa.amsl.com> <CABF6JR3gidTD_S2vnrjxzxkmjYxVHsHG3J9VKzaZsiN+pC7WRA@mail.gmail.com> <21D2B0F2-9D1E-45BB-B216-44FFBCD56DE0@niven-jenkins.co.uk> <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com> <A14BE764-C40F-4D03-B067-4253178180C4@niven-jenkins.co.uk> <a79e35933ce241c78267514fa39f289a@XCH-RTP-006.cisco.com>
To: "Kent Leung (kleung)" <kleung@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/MeUm_5j-OywLgr1XQKGEgIUi2R0>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 22:38:14 -0000

Hi Ben/Kent,

  (as an individual)  It's been my experience that symmetric keys have been more prevelant, historically; and I think we were originally trying to match existing schemes.  Since JWTs supported both symmetric and asymmetric, it was a freebie from that point of view.

  At this point, though, JWT has strayed sufficiently far from legacy implementations that I think we could probably define the scope for CDNI to be only asymmetric, if we wanted, without much resistance.

  I don't have any particular affinity for symmetric keys.  If the WG wants to drop them, it's ok with me.

thanx.

--  Kevin J. Ma

Sent from my iPhone

> On Jul 18, 2017, at 5:37 PM, Kent Leung (kleung) <kleung@cisco.com> wrote:
> 
> Hi Ben. I’m trying to recall the rationale. I think initially, URI signing was based on the non-CDNI environment where both symmetric and asymmetric keys were supported and confidentiality was not an issue between CSP and CDN. The issue for symmetric key is encountered for key distribution between CSP/uCDN and dCDN. This concern has been documented:
>  
>   “In CDNI, there are two methods for request routing: DNS-based and
>    HTTP-based.  For DNS-based request routing, the Signed URI (i.e.,
>    Target CDN URI) provided by the CSP reaches the Downstream CDN
>    directly.  In the case where the Downstream CDN does not have a trust
>    relationship with the CSP, this means that only an asymmetric public/
>    private key method can be used for computing the URI Signature
>    because the CSP and Downstream CDN are not able to exchange symmetric
>    shared secret keys.  Since the CSP is unlikely to have relationships
>    with all the Downstream CDNs that are delegated to by the Upstream
>    CDN, the CSP may choose to allow the Authoritative CDN to
>    redistribute the shared key to a subset of their Downstream CDNs .”
>  
>   “Two types of keys can be used for URI Signing: asymmetric keys and
>    symmetric keys.  …  With symmetric keys, the same key is
>    used by both the signing entity for signing the URI as well as by the
>    validating entity for validating the Signed URI.  …  Key distribution for
>    symmetric keys requires confidentiality to prevent another party from
>    getting access to the key, since it could then generate valid Signed
>    URIs for unauthorized requests.”
>  
>   “With DNS-based request routing, URI Signing does not match well the
>    general chain of trust model of CDNI when used with symmetric keys
>    because the symmetric key information needs to be distributed across
>    multiple CDNI hops including non-adjacent hops.  This raises a
>    security concern for applicability of URI Signing with symmetric keys
>    in case of DNS-based inter-CDN request routing.”
>  
> In light of keeping things simple and the path of least existence, I’m fine with defining only asymmetric key.
>  
> Maybe thoughts from Phil and Kevin and others?
>  
> Kent
>  
>  
> From: Ben Niven-Jenkins [mailto:ben@niven-jenkins.co.uk] 
> Sent: Tuesday, July 18, 2017 4:34 PM
> To: Kent Leung (kleung) <kleung@cisco.com>
> Cc: Phil Sorber <sorber@apache.org>; cdni@ietf.org
> Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
>  
> Hi Kent,
>  
> See inline
>  
> On 5 Jul 2017, at 22:23, Kent Leung (kleung) <kleung@cisco.com> wrote:
> From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Ben Niven-Jenkins
> Sent: Tuesday, July 4, 2017 3:59 AM
> 
>  
> Hi Phil & URI Signing authors,
>  
> I read the latest draft (-12) and below are some questions / thoughts, in no particular order, that occurred to me while reading the document.
>  
> * Why support both symmetric & asymmetric keys? What is the advantage to having both options versus just picking one option (probably asymmetric keys as they work for all use cases)?
>  
> KL> There are pros and cons of using either asymmetric keys vs symmetric key. Key distribution limitations and relationships between CSP and CDNs are factors. So I think supporting both allows flexibility for deployments of URI signing. Existing URI signing proprietary implementations typically support both already.
>  
> Apologies if I’m raking up discussions you’ve already had when writing the document. Can you expand on what factors justify having two different methods for signing URIs?
>  
> I am coming from the point of view that I can’t think of sufficient justification for having two methods. symmetric keys have the downside of requiring confidentiality. asymmetric keys do not suffer that issue. What is the downside of asymmetric keys that justifies using symmetric keys and tackling the issue of maintaining confidentiality?
>  
> In other words, why not just specify asymmetric keys and leave it at that?
>  
> I am also worried about interoperability because if you specify both symmetric & asymmetric keys I think it is far from guaranteed that all implementations will implement both variants and I’m yet to be convinced that we need to take that risk at all.
> 
>  
> Ben
>  
>  
>  
> * How are the keys distributed between CDNs? I don’t see a property in the UriSigning Metadata object that would include (or link to) the keys (I’m assuming you need to support distribution of at least 2 keys to support key rotation)?
>  
> KL> Key distribution is out of scope. I noticed following text was dropped when method converted to JWT. We can put this back in CDNI Overview section, where the asymmetric and symmetric key methods are mentioned.
>  
> “Two types of keys can be used for URI Signing: asymmetric keys and
>    symmetric keys.  Asymmetric keys are based on a public/private key
>    pair mechanism and always contain a private key only known to the
>    entity signing the URI (either CSP or uCDN) and a public key for the
>    verification of the Signed URI.  With symmetric keys, the same key is
>    used by both the signing entity for signing the URI as well as by the
>    validating entity for validating the Signed URI.  Regardless of the
>    type of keys used, the validating entity has to obtain the key
>    (either the public or the symmetric key).  There are very different
>    requirements for key distribution (out of scope of this document)
>    with asymmetric keys and with symmetric keys.  Key distribution for
>    symmetric keys requires confidentiality to prevent another party from
>    getting access to the key, since it could then generate valid Signed
>    URIs for unauthorized requests.  Key distribution for asymmetric keys
>    does not require confidentiality since public keys can typically be
>    distributed openly (because they cannot be used for URI signing) and
>    private keys are kept by the URI signing function.”
>  
>  
> * How does a uCDN know whether it is OK/safe/within policy to re-distribute symmetric keys to a dCDN?
>  
> KL> See above.
>  
> * In the case of Signed Token chains, how does a CDN obtain the keys required to sign the new tokens in the chain as it generates them?
>  
> KL> See above.
>  
> Kent
>  
>  
> * Section 3.3.1 I think needs to be more explicit, I don’t know how one could communicate a token chain via the query string as specified in the document, as there is no “back channel” for the CDN to communicate the next token in the chain to the UA.
>  
> HTH
> Ben
>  
> On 25 Jun 2017, at 21:19, Phil Sorber <sorber@apache.org> wrote:
>  
> Really hoping to get some feedback on this at the meeting in Prague. It's got all the changes that have been discussed so I'm not aware of any more substantive changes needed. However, lots of editorial nits I suspect.
> 
> Thanks.
>  
> On Sun, Jun 25, 2017 at 2:12 PM <internet-drafts@ietf.org> wrote:
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Content Delivery Networks Interconnection of the IETF.
> 
>         Title           : URI Signing for CDN Interconnection (CDNI)
>         Authors         : Ray van Brandenburg
>                           Kent Leung
>                           Phil Sorber
>         Filename        : draft-ietf-cdni-uri-signing-12.txt
>         Pages           : 35
>         Date            : 2017-06-25
> 
> Abstract:
>    This document describes how the concept of URI signing supports the
>    content access control requirements of CDNI and proposes a URI
>    signing method as a JSON Web Token (JWT) [RFC7519] profile.
> 
>    The proposed URI signing method specifies the information needed to
>    be included in the URI to transmit the signed JWT as well as the
>    claims needed by the signed JWT to authorize a UA.  The mechanism
>    described can be used both in CDNI and single CDN scenarios.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-12
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-12
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-12
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
>  
>  
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email