IETF Logo Mail Archive

Re: [CDNi] URI Signing URI Container Claim Question

Kevin Ma <kevin.j.ma.ietf@gmail.com> Thu, 11 November 2021 02:01 UTC

Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4CF3A157B for <cdni@ietfa.amsl.com>; Wed, 10 Nov 2021 18:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hh_PegvtslcX for <cdni@ietfa.amsl.com>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 386163A1577 for <cdni@ietf.org>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id n85so4225715pfd.10 for <cdni@ietf.org>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I1IbfJzEFBKxe5oUDHOG2Oy53JhVOQW6Ubp3LzWT4/8=; b=V/htkQwTr91Y4LFCo71rJELRELfz1V4y3eiHHFf87D+EouWqrmkNk9+6bqn7AcAKdf OeQrhRFPnihpOo1nAk8eu7XvPCOip9v/J/ICYAAqocXLrU1YtYanFMr0VF/77PmanNKX DpWFzqQT49kDPcekM7rKNcZEG3sspS1m+0x2q6OimwZwvuaMEef3BJjfbFbC0dsOIA5R AP/501Y5OGetWDmaJjh1yHGEepC0bM739NNkgat4HLPOc/fusHPizO/Pmzs1wL5nz6Gj LfTgoTG6FNG0ku+7r6OtSZ8x7hKCvrR4X51OE9kMfPT0B2EPRsYbvEjGMN/d6QRTw2Ct lzzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I1IbfJzEFBKxe5oUDHOG2Oy53JhVOQW6Ubp3LzWT4/8=; b=63qW7BFv3pDUkTzjJ3KnRUlhopb8iRjGc0Y2RDh0LYHOFJNu3hbckt5EvoITSaNTm6 s5SVILZwCTkup1W6y6kBpVW3Ncyt3Tb6jeeCW5P+zmeBWZTasoh4GhRRdS4PsGeFWSeR JB9fYp5flIlGcY3owvKW4GXfl/9DVwyUD4/9xMRfYU/Rm1ue5q0as1mSlTB3vmlvzRL3 ybaktb9k/o+kRBxbR9DuaOEt7EKQcaxxk4Ag+2LnBGoCGtiB+2k8N9LkA6CRxigqJtTr qBqtcR0RvUfwkfRjEda4ehEU8IPvxQDo4Yt7qyh+7qp8fP1Vc4Bls/WOQmMo8b2kIG9M E42Q==
X-Gm-Message-State: AOAM533xw2j9OaZHdvXH1fiFyZay9ZdXmXyTRsfJwYET71UDq+cLX7Rr MIGojDxby7ErZzsI0AVsQzJdEkhixmYuW7sUAzctguEw
X-Google-Smtp-Source: ABdhPJzxG6ScN/EBnCLN4C88ARZqILv3142geJDRQqIG/Ycv1iUt3U9t9qC0APZIBUwSEOi0EFjLcUtWEC7hmQRYTlU=
X-Received: by 2002:a05:6a00:88e:b0:44c:c40:9279 with SMTP id q14-20020a056a00088e00b0044c0c409279mr3545978pfj.85.1636596080621; Wed, 10 Nov 2021 18:01:20 -0800 (PST)
MIME-Version: 1.0
References: <CABF6JR2DQwnpGA0U9t7Z04QnmHciMS0a+Rs-abNi4Ns32Hi2JA@mail.gmail.com> <CAMrHYE3rf7MSvveZyLaNbksEb_M9Hzu2=v0XUmTjSvE4VoY_1w@mail.gmail.com> <CABF6JR2-Lmf9J1rKMGX4PTS=-uBnQ5SKWpLQgUJDjCqP0i=3iw@mail.gmail.com>
In-Reply-To: <CABF6JR2-Lmf9J1rKMGX4PTS=-uBnQ5SKWpLQgUJDjCqP0i=3iw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Wed, 10 Nov 2021 21:01:09 -0500
Message-ID: <CAMrHYE0cKhL8yz7Ut=dnJZyhmK+pc0SaxM5d3mSiw6d5NYMtHw@mail.gmail.com>
To: Phil Sorber <sorber@apache.org>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006bcf205d079b8a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/WSvRaIf7FwYRdFyDf7yE6vNCX5c>
Subject: Re: [CDNi] URI Signing URI Container Claim Question
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 02:01:27 -0000

Hi Phil,

  Ah. right.  I see Barry's point.  The spirit of URI Signing is that it
covers a specific URI.  The original scheme (pre-JWT) hashed over the URI.
The regex was added when we added support for adaptive streaming.  The
original "path pattern" in the -04 version was mandatory, but we switched
it to optional (and changed the name to "pattern container") in the -06.
That was during the flip/flop around the KPN IP disclosure.  I don't
remember if the mandatory to optional change was intentional or not; Ray is
probably the only one who might remember.  But, I think making the
container claim mandatory is consistent with the intent of the protocol
(and the original implementation).  The fact that you could wildcard a
regex is in the same vein as using an infinite expiration, imo; i.e., it's
a bad idea and you shouldn't do it, but there's really nothing preventing
it.  I think I would side with making it mandatory and adding guidance to
not use a ".*" regex.

thanx!

--  Kevin J. Ma

On Wed, Nov 10, 2021 at 1:47 PM Phil Sorber <sorber@apache.org> wrote:

> Kevin,
>
> Here is the reference in the doc:
>
> https://www.ietf.org/archive/id/draft-ietf-cdni-uri-signing-22.html#name-cdni-uri-container-cdniuc-c
>
> The only mailing list discussion I see is from Barry asking if the claim
> should be mandatory or not.
>
> The URI Container is what we match the request URI against. So not adding
> it means the JWT will match any URI as long as that content is protected by
> the key used to sign the JWT and any other claims included are satisfied.
>
> So yes, including cdniuc makes the request URL tamper resistant and still
> requires a valid signature even without it.
>
> The concern is that if someone copies this token it can be widely used to
> bypass URI signing protections. It's not scoped small enough without it.
> That's why I think we suggest that this claim is used with an expiry and
> also possibly Client IP. I'd prefer not to have a complex matrix of claim
> combination requirements, but I also see none of them as so important that
> they MUST be included in any valid JWT. Even if we did make it mandatory,
> as Chris pointed out, the value can still be made effectively ".*" which is
> the same problem but with extra steps.
>
> Thanks.
>
> On Wed, Nov 10, 2021 at 11:16 AM Kevin Ma <kevin.j.ma.ietf@gmail.com>
> wrote:
>
>> Hi Phil,
>>
>>   I think I need a refresher.  Could you please add a link to the
>> discussion thread?  The URI container claim is to make the request URL
>> tamper evident?  But you would still need a valid signature without the
>> container verification?  Is the concern some type of replay attack?
>>
>> thanx!
>>
>> --  Kevin J. Ma
>>
>> On Tue, Nov 9, 2021 at 5:39 PM Phil Sorber <sorber@apache.org> wrote:
>>
>>> This is one of three questions that I had after last call feedback. I'd
>>> like to hear any opinions on the matter from the working group. I will be
>>> pointing to this thread for explanation/justification about the changes or
>>> lack thereof to the document. Thanks.
>>>
>>> Do we want to make the URI Container claim mandatory, or should we allow
>>> certain "skeleton key" functionality, perhaps with additional text around
>>> what you can do to make sure you don't give away keys to the kingdom, for
>>> example making sure it has a reasonable expiry and perhaps a Client IP
>>> claim to limit the blast radius?
>>> _______________________________________________
>>> CDNi mailing list
>>> CDNi@ietf.org
>>> https://www.ietf.org/mailman/listinfo/cdni
>>>
>>

v2.23.0 | Report a Bug | By Email