Re: [CDNi] URI Signing URI Container Claim Question
Phil Sorber <sorber@apache.org> Wed, 10 November 2021 18:47 UTC
Kevin,

Here is the reference in the doc: https://www.ietf.org/archive/id/draft-ietf-cdni-uri-signing-22.html#name-cdni-uri-container-cdniuc-c

The only mailing list discussion I see is from Barry asking if the claim should be mandatory or not.

The URI Container is what we match the request URI against. So not adding it means the JWT will match any URI as long as that content is protected by the key used to sign the JWT and any other claims included are satisfied. So yes, including cdniuc makes the request URL tamper resistant, and a valid signature is still required even without it. The concern is that if someone copies this token it can be widely used to bypass URI signing protections. It's not scoped small enough without it. That's why I think we suggest that this claim is used with an expiry and also possibly Client IP. I'd prefer not to have a complex matrix of claim combination requirements, but I also see none of them as so important that they MUST be included in any valid JWT. Even if we did make it mandatory, as Chris pointed out, the value can still be made effectively ".*" which is the same problem but with extra steps.

Thanks.

On Wed, Nov 10, 2021 at 11:16 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:

> Hi Phil,
>
> I think I need a refresher. Could you please add a link to the discussion thread? The URI container claim is to make the request URL tamper evident? But you would still need a valid signature without the container verification? Is the concern some type of replay attack?
>
> thanx!
>
> -- Kevin J. Ma
>
> On Tue, Nov 9, 2021 at 5:39 PM Phil Sorber <sorber@apache.org> wrote:
>
>> This is one of three questions that I had after last call feedback. I'd like to hear any opinions on the matter from the working group. I will be pointing to this thread for explanation/justification about the changes or lack thereof to the document. Thanks.
>>
>> Do we want to make the URI Container claim mandatory, or should we allow certain "skeleton key" functionality, perhaps with additional text around what you can do to make sure you don't give away keys to the kingdom, for example making sure it has a reasonable expiry and perhaps a Client IP claim to limit the blast radius?
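The scoping policy Phil describes (a token without cdniuc, or with a catch-all container, is only acceptable when it is short-lived and bound to a Client IP) as an added example written for this thread; it is not the draft's verification procedure nor any CDN's code. It assumes the JWT signature has already been verified, that cdniuc carries a regular-expression container prefixed "regex:" (my reading of the draft), that cdniip is a CIDR string and exp a UNIX timestamp; the "catch-all" test is a heuristic using two constructed probe URIs.

```python
import ipaddress
import re
import time

# Constructed policy value: a token that does not pin the URI may live at most this long.
SKELETON_MAX_TTL = 300

# Two unrelated constructed URIs; a container matching both is treated as an
# effective ".*" (heuristic, not a proof that the regex matches everything).
_PROBES = ("https://a.example/x/y.m3u8", "http://b.example:8080/z?q=1")


def _container_matches(container, uri):
    """Match a cdniuc container against the request URI; only the assumed regex: form is handled."""
    kind, sep, value = container.partition(":")
    if sep != ":" or kind != "regex":
        raise ValueError("unsupported URI container: %r" % container)
    return re.fullmatch(value, uri) is not None


def is_catch_all(container):
    """True when the container matches every probe, i.e. it scopes nothing."""
    return all(_container_matches(container, p) for p in _PROBES)


def evaluate_token(claims, request_uri, client_ip, now=None):
    """Return (accept, findings); findings explain a rejection or flag weak scoping."""
    now = time.time() if now is None else now
    findings = []
    exp = claims.get("exp")
    if exp is not None and now >= exp:
        return False, ["expired"]
    uc = claims.get("cdniuc")
    if uc is not None and not _container_matches(uc, request_uri):
        return False, ["cdniuc does not match request URI"]
    ip = claims.get("cdniip")
    if ip is not None and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(ip, strict=False):
        return False, ["client IP outside cdniip"]
    # Skeleton-key policy: no URI pinning means the token must be short-lived and IP-bound.
    if uc is None or is_catch_all(uc):
        findings.append("skeleton key: cdniuc missing or catch-all")
        if exp is None or exp - now > SKELETON_MAX_TTL:  # remaining lifetime, not issued TTL
            return False, findings + ["skeleton key requires exp within %ds" % SKELETON_MAX_TTL]
        if ip is None:
            return False, findings + ["skeleton key requires cdniip"]
    return True, findings
```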