Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
Chris Lemmons <alficles@gmail.com> Mon, 14 June 2021 17:58 UTC
Return-Path: <alficles@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7DE23A2C90 for <cdni@ietfa.amsl.com>; Mon, 14 Jun 2021 10:58:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gt_viNGdgdhx for <cdni@ietfa.amsl.com>; Mon, 14 Jun 2021 10:58:38 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 631773A2C8C for <cdni@ietf.org>; Mon, 14 Jun 2021 10:58:38 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id x24so16879114lfr.10 for <cdni@ietf.org>; Mon, 14 Jun 2021 10:58:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=T0BKUBtVUQCVLi1VRInYsOlw7EgI/K0CHCvOpbjja9I=; b=rP2QRySZv919ZOkzvzDqGv3XBUDGWiQiLNRBN+DWAhSwK7ojJhhxWpaSGsxABct/Li Ba3Rnhm6zCcAFD1mANaVMGBTy78rMP+a9be8NNBXcQp0GW8OECGgFZaz7ijw49XpzsOW 79uOWYAJaRT17i33pt0Bu3UD8IsKW2+8syM+7qJWMui1YrP+XFl5L63/e1pEcAXqcc6D eFNeLB0SAzjHaWWFPUtYVrvd7BQ+yHYoDxRIb9ftkhwpDu0JxnAj1EIUlDCgLnrft5zs EGWv3A8UCwRVo9QSXJTwv7EN3SDbLFFx72a2ilL7sgDsMawAJNN5XBH+hhj8XLl/C53T A+tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=T0BKUBtVUQCVLi1VRInYsOlw7EgI/K0CHCvOpbjja9I=; b=AsJEIB2sMKs/qMRSXuORyEVe/xXjgEZ5QWWGgCbJxLQVV3vQhTUl53synLqb+3kst5 Xg2ooDQ616SBOZ2NJEpYU2hfCSswi2jCtY6MkdQ8PZPwmaCNPRK8wZY4vXY+yKEjRjOa 0q5zDSikyYf5U4angAmxWfASRsNrGDJ2pqyXcSucYc3uITYsp52umEs1tmcKyhzWweX6 Fwi4FWAFC+vIYBKcey3YILakzI8qK8eoWit8XbXSj/caFagdmzwZHhRYhY9wzd1PddrN vnIzwxVji2ve/w86/h+NUEC+kvQxhKCfDFxROhPsbKEzRROjnAiDZMu9bMrDw4DfhMDx QBEg==
X-Gm-Message-State: AOAM531iT8tH5P57qIQEKsCFceVfMFkvJcjVvIt/QG0AH9j1psURMWHb alNJcz1ivZEO4TaUrPuSL62lIkt0ASwBA/h1DKxJMDl0HAmo8Q==
X-Google-Smtp-Source: ABdhPJyudrJPPjuc7NHyJBOwNUQss+GHH9GH3gF9rOgO7Ju4eJf3qexNk2pXEzkGcKvtMfMQXv7iXdJrvknRnVZAL/c=
X-Received: by 2002:a05:6512:3fa2:: with SMTP id x34mr12436186lfa.437.1623693515519; Mon, 14 Jun 2021 10:58:35 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com>
In-Reply-To: <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com>
From: Chris Lemmons <alficles@gmail.com>
Date: Mon, 14 Jun 2021 11:58:25 -0600
Message-ID: <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com>
To: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/VbLt7KmnzC-2KNP_TGp2WLUfu3E>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 17:58:43 -0000
I'd like to bring this up again because I think it's a potentially serious implementation concern and I don't see an easy way around it. There is a MUST requirement in the latest draft: The URI Signing Package will be found by parsing any path-style parameters and form-style parameters looking for a key name matching the URI Signing Package Attribute. Both parameter styles MUST be supported to allow flexibility of operation. Unfortunately, there exists no specification for path-style or form-style parameters, so it is impossible for an implementer to know how to reliably locate the token. This appears to be by design, though. ( See RFC 8820: https://datatracker.ietf.org/doc/html/rfc8820 , which is now published.) I think the intent of this wording is to imply that everybody should use application/x-www-form-urlencoded for form-style parameters and path-style parameters that look like "path;param1=a,param2=b", but aren't specified anywhere in particular. I see no way for an implementer to determine whether they've met the requirement set out that they MUST meet as it is written. I also wonder whether URI Signing is properly understood as an Extension or an Application, in the terms of 8820. I think it wants to be an Extension (for example: `a new signature mechanism for "http" URIs`), but might be an Application in practice (`an HTTP interface to particular information on a host`). I think important to the discussion is that URI Signing is a mechanism added by an upstream entity that controls the content and its format. I think this is an important issue to resolve. On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> wrote: > > The latest document replaces the path parsing logic with this: > > > URI Signing Package (URISigningPackage): The URI attribute that encapsulates all the URI Signing claims in a signed JWT encoded format. This attribute is exposed in the Signed URI as a path-style parameter or a form-style parameter. > > Unfortunately, that doesn't give implementers any idea what needs to > be parsed. I read through the conversation on last-call with mnot > (https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/), > especially with regard to BCP190. I also read through RFC6570 and > you're right, it doesn't work for our use case because it's generating > URI, not consuming them. And it's for precisely this reason that we > need to be specific in what is accepted. > > As near as I can tell, there is actually no standard anywhere that > describes "path-style parameters". And there are multiple methods for > defining "form-style parameters", some more recent than others and in > varying levels of use generally on the Internet. How can a document > have a MUST requirement that requires parsing a specific structure > that isn't specified anywhere or even widely agreed upon? > > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote: > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > > This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF. > > > > Title : URI Signing for Content Delivery Network Interconnection (CDNI) > > Authors : Ray van Brandenburg > > Kent Leung > > Phil Sorber > > Filename : draft-ietf-cdni-uri-signing-21.txt > > Pages : 41 > > Date : 2021-02-11 > > > > Abstract: > > This document describes how the concept of URI Signing supports the > > content access control requirements of Content Delivery Network > > Interconnection (CDNI) and proposes a URI Signing method as a JSON > > Web Token (JWT) profile. > > > > The proposed URI Signing method specifies the information needed to > > be included in the URI to transmit the signed JWT, as well as the > > claims needed by the signed JWT to authorize a User Agent (UA). The > > mechanism described can be used both in CDNI and single Content > > Delivery Network (CDN) scenarios. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21 > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21 > > > > > > Please note that it may take a couple of minutes from the time of submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > _______________________________________________ > > CDNi mailing list > > CDNi@ietf.org > > https://www.ietf.org/mailman/listinfo/cdni
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber