Re: [CDNi] URI Signing URI Container Claim Question
Kevin Ma <kevin.j.ma.ietf@gmail.com> Thu, 11 November 2021 02:01 UTC
Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA4CF3A157B for <cdni@ietfa.amsl.com>; Wed, 10 Nov 2021 18:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hh_PegvtslcX for <cdni@ietfa.amsl.com>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
Received: from mail-pf1-x430.google.com (mail-pf1-x430.google.com [IPv6:2607:f8b0:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 386163A1577 for <cdni@ietf.org>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
Received: by mail-pf1-x430.google.com with SMTP id n85so4225715pfd.10 for <cdni@ietf.org>; Wed, 10 Nov 2021 18:01:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I1IbfJzEFBKxe5oUDHOG2Oy53JhVOQW6Ubp3LzWT4/8=; b=V/htkQwTr91Y4LFCo71rJELRELfz1V4y3eiHHFf87D+EouWqrmkNk9+6bqn7AcAKdf OeQrhRFPnihpOo1nAk8eu7XvPCOip9v/J/ICYAAqocXLrU1YtYanFMr0VF/77PmanNKX DpWFzqQT49kDPcekM7rKNcZEG3sspS1m+0x2q6OimwZwvuaMEef3BJjfbFbC0dsOIA5R AP/501Y5OGetWDmaJjh1yHGEepC0bM739NNkgat4HLPOc/fusHPizO/Pmzs1wL5nz6Gj LfTgoTG6FNG0ku+7r6OtSZ8x7hKCvrR4X51OE9kMfPT0B2EPRsYbvEjGMN/d6QRTw2Ct lzzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I1IbfJzEFBKxe5oUDHOG2Oy53JhVOQW6Ubp3LzWT4/8=; b=63qW7BFv3pDUkTzjJ3KnRUlhopb8iRjGc0Y2RDh0LYHOFJNu3hbckt5EvoITSaNTm6 s5SVILZwCTkup1W6y6kBpVW3Ncyt3Tb6jeeCW5P+zmeBWZTasoh4GhRRdS4PsGeFWSeR JB9fYp5flIlGcY3owvKW4GXfl/9DVwyUD4/9xMRfYU/Rm1ue5q0as1mSlTB3vmlvzRL3 ybaktb9k/o+kRBxbR9DuaOEt7EKQcaxxk4Ag+2LnBGoCGtiB+2k8N9LkA6CRxigqJtTr qBqtcR0RvUfwkfRjEda4ehEU8IPvxQDo4Yt7qyh+7qp8fP1Vc4Bls/WOQmMo8b2kIG9M E42Q==
X-Gm-Message-State: AOAM533xw2j9OaZHdvXH1fiFyZay9ZdXmXyTRsfJwYET71UDq+cLX7Rr MIGojDxby7ErZzsI0AVsQzJdEkhixmYuW7sUAzctguEw
X-Google-Smtp-Source: ABdhPJzxG6ScN/EBnCLN4C88ARZqILv3142geJDRQqIG/Ycv1iUt3U9t9qC0APZIBUwSEOi0EFjLcUtWEC7hmQRYTlU=
X-Received: by 2002:a05:6a00:88e:b0:44c:c40:9279 with SMTP id q14-20020a056a00088e00b0044c0c409279mr3545978pfj.85.1636596080621; Wed, 10 Nov 2021 18:01:20 -0800 (PST)
MIME-Version: 1.0
References: <CABF6JR2DQwnpGA0U9t7Z04QnmHciMS0a+Rs-abNi4Ns32Hi2JA@mail.gmail.com> <CAMrHYE3rf7MSvveZyLaNbksEb_M9Hzu2=v0XUmTjSvE4VoY_1w@mail.gmail.com> <CABF6JR2-Lmf9J1rKMGX4PTS=-uBnQ5SKWpLQgUJDjCqP0i=3iw@mail.gmail.com>
In-Reply-To: <CABF6JR2-Lmf9J1rKMGX4PTS=-uBnQ5SKWpLQgUJDjCqP0i=3iw@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Wed, 10 Nov 2021 21:01:09 -0500
Message-ID: <CAMrHYE0cKhL8yz7Ut=dnJZyhmK+pc0SaxM5d3mSiw6d5NYMtHw@mail.gmail.com>
To: Phil Sorber <sorber@apache.org>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006bcf205d079b8a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/WSvRaIf7FwYRdFyDf7yE6vNCX5c>
Subject: Re: [CDNi] URI Signing URI Container Claim Question
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2021 02:01:27 -0000
Hi Phil, Ah. right. I see Barry's point. The spirit of URI Signing is that it covers a specific URI. The original scheme (pre-JWT) hashed over the URI. The regex was added when we added support for adaptive streaming. The original "path pattern" in the -04 version was mandatory, but we switched it to optional (and changed the name to "pattern container") in the -06. That was during the flip/flop around the KPN IP disclosure. I don't remember if the mandatory to optional change was intentional or not; Ray is probably the only one who might remember. But, I think making the container claim mandatory is consistent with the intent of the protocol (and the original implementation). The fact that you could wildcard a regex is in the same vein as using an infinite expiration, imo; i.e., it's a bad idea and you shouldn't do it, but there's really nothing preventing it. I think I would side with making it mandatory and adding guidance to not use a ".*" regex. thanx! -- Kevin J. Ma On Wed, Nov 10, 2021 at 1:47 PM Phil Sorber <sorber@apache.org> wrote: > Kevin, > > Here is the reference in the doc: > > https://www.ietf.org/archive/id/draft-ietf-cdni-uri-signing-22.html#name-cdni-uri-container-cdniuc-c > > The only mailing list discussion I see is from Barry asking if the claim > should be mandatory or not. > > The URI Container is what we match the request URI against. So not adding > it means the JWT will match any URI as long as that content is protected by > the key used to sign the JWT and any other claims included are satisfied. > > So yes, including cdniuc makes the request URL tamper resistant and still > requires a valid signature even without it. > > The concern is that if someone copies this token it can be widely used to > bypass URI signing protections. It's not scoped small enough without it. > That's why I think we suggest that this claim is used with an expiry and > also possibly Client IP. I'd prefer not to have a complex matrix of claim > combination requirements, but I also see none of them as so important that > they MUST be included in any valid JWT. Even if we did make it mandatory, > as Chris pointed out, the value can still be made effectively ".*" which is > the same problem but with extra steps. > > Thanks. > > On Wed, Nov 10, 2021 at 11:16 AM Kevin Ma <kevin.j.ma.ietf@gmail.com> > wrote: > >> Hi Phil, >> >> I think I need a refresher. Could you please add a link to the >> discussion thread? The URI container claim is to make the request URL >> tamper evident? But you would still need a valid signature without the >> container verification? Is the concern some type of replay attack? >> >> thanx! >> >> -- Kevin J. Ma >> >> On Tue, Nov 9, 2021 at 5:39 PM Phil Sorber <sorber@apache.org> wrote: >> >>> This is one of three questions that I had after last call feedback. I'd >>> like to hear any opinions on the matter from the working group. I will be >>> pointing to this thread for explanation/justification about the changes or >>> lack thereof to the document. Thanks. >>> >>> Do we want to make the URI Container claim mandatory, or should we allow >>> certain "skeleton key" functionality, perhaps with additional text around >>> what you can do to make sure you don't give away keys to the kingdom, for >>> example making sure it has a reasonable expiry and perhaps a Client IP >>> claim to limit the blast radius? >>> _______________________________________________ >>> CDNi mailing list >>> CDNi@ietf.org >>> https://www.ietf.org/mailman/listinfo/cdni >>> >>
- [CDNi] URI Signing URI Container Claim Question Phil Sorber
- Re: [CDNi] URI Signing URI Container Claim Questi… Chris Lemmons
- Re: [CDNi] URI Signing URI Container Claim Questi… Kevin Ma
- Re: [CDNi] URI Signing URI Container Claim Questi… Phil Sorber
- Re: [CDNi] URI Signing URI Container Claim Questi… Kevin Ma