IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt

Chris Lemmons <alficles@gmail.com> Tue, 06 July 2021 18:55 UTC

Return-Path: <alficles@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 395583A3188 for <cdni@ietfa.amsl.com>; Tue, 6 Jul 2021 11:55:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ryATll0iF9l for <cdni@ietfa.amsl.com>; Tue, 6 Jul 2021 11:55:31 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C22363A3183 for <cdni@ietf.org>; Tue, 6 Jul 2021 11:55:30 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id a18so40042311lfs.10 for <cdni@ietf.org>; Tue, 06 Jul 2021 11:55:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=CGlUgYow3anPst0mB+YQcjXYGygrqaG9eVSPXZnJxB8=; b=FeQnHmTY6it+/InGZx1nmn5iuLdtBibA4fotJMjGfXp2p270VKhnvjZqHsvc2PY906 vRHpIBGophd/C8rJbZBmRj9lXuvXfnuI8oENgOCB6lrCIwDtN2L1k3BnctzjWa5vNyGv TS+tavhhzbWyB9CXZtH3l0x+LLNdg9s98XsH29gTpj/Y6tLF7NF5QXStTKStgy/Jn4iO uqhNaPgBDQuMvXcDZTV4XQtoxNrHaNAyN+yBGY8sYVRVaoDw1f3YBwXm3wtTFQlTALio q766c/WObLMX1oADuIW+8cc0/AwQJ0wiFlQ0rayhPYtKX8I19ntBpU9I92dT/iE6/0cX 4whw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=CGlUgYow3anPst0mB+YQcjXYGygrqaG9eVSPXZnJxB8=; b=UkfhDStJLMn/8ord+t1aE/T7MfqNQRsbUancqTKSn+ozOEnGoc4GupBvfVPMtaWGZy Myd/799j0879BoyWXN67QJU9Xx4HX5J7/Q6oNvdVljD5IRObsTmqBKUhdr9mqb4me3yR 5VWBqaKxZZFaghESkwWDGi0F24zWcGRUVrYVqeDuNiEVKCuYHzdbeCgiDJrkf42ltXlY tfg7LKhh7SAxz5zH/9Hw6iSJxMkLipd2VblEJCKgyKLlM1mAqq2BCglqHQY5eh61hYLe MnQLTSFQCPKUDHMOopQp86AqWnE4fhvc0NPnfpvi79Lp5APIgBmJVJDUirU/PM3LCfh0 hjgw==
X-Gm-Message-State: AOAM531nAgEQ5aEk5/vYfQXjQyxr1s/lAzL6Gb9ud31jz+HZkUFNIQF6 u6ANQ6aJtPDZPJ91AqudSEzNr5TQVfj/rMA4JTM=
X-Google-Smtp-Source: ABdhPJy3DgIuYTAX9ehQRczSwvbAn78EeSpUxx24hQo2P6P6xWrCEX7/JP2EZJQvhdYMZ5j4zCnRGeSNUfkLZJDY3Hw=
X-Received: by 2002:a19:2d0a:: with SMTP id k10mr16395406lfj.301.1625597728808; Tue, 06 Jul 2021 11:55:28 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com> <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com>
In-Reply-To: <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com>
From: Chris Lemmons <alficles@gmail.com>
Date: Tue, 06 Jul 2021 12:54:50 -0600
Message-ID: <CAJEGKNttgKOA4J_Qm1z__8-VHO60S6A0Y6Zv2mFtNTEZ5LsmXQ@mail.gmail.com>
To: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/Xz9tGly-sJvectOcW1fkBx6tLrQ>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2021 18:55:35 -0000

The problem I'm running into with 6570 is that it _only_ describes a
format for producing URIs, not one for understanding them. For
example, if you receive this URI, what is the correct behaviour?

https://cdn.example.net/path/to/content.m3u8?foo=bar;URISigningPackage=JWT

This was once considered best practice:
https://www.w3.org/TR/html401/appendix/notes.html#h-B.2.2

Is the idea to require query strings to comply with the encoding and
decoding requirements of application/x-www-form-urlencoded? If so,
don't we run into the same problem as before with 8820?

And it's mostly possible to reverse-engineer the path format from 6570
into an unwritten expectation of a format, but I'm not sure an
undocumented format is better than a documented one here.

On Sun, Jul 4, 2021 at 9:21 PM Kevin Ma <kevin.j.ma.ietf@gmail.com> wrote:
>
> Hi Chris,
>
> > Unfortunately, there exists no specification for path-style or form-style parameters, so it is impossible for an implementer to know how to reliably locate the token.
>
> My understanding from the discussion with Mark (https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) is that "path-style" and "form-style" refer to the corresponding descriptions in RFC6570.  Do you think it would help if we added a reference to RFC6570 and some text to the effect of "where path-style and form-style parameters conform to RFC6570 path-style parameter and form-style query expansion formats, respectively"?
>
> > I also wonder whether URI Signing is properly understood as an Extension or an Application, in the terms of 8820.
>
> I think URI Signing should be classified as an "Extension".  As you noted, RFC8820 explicitly notes "signature mechanisms", and we did explicitly discuss our use case with Mark when he first asked us to "get off his lawn" (https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/).  Do you think an explicit declaration and reference to RFC8820 would help?
>
> thanx.
>
> --  Kevin J. Ma
>
> On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> wrote:
>>
>> I'd like to bring this up again because I think it's a potentially
>> serious implementation concern and I don't see an easy way around it.
>> There is a MUST requirement in the latest draft:
>>
>>    The URI Signing Package will be found by parsing any path-style
>>    parameters and form-style parameters looking for a key name matching
>>    the URI Signing Package Attribute.  Both parameter styles MUST be
>>    supported to allow flexibility of operation.
>>
>> Unfortunately, there exists no specification for path-style or
>> form-style parameters, so it is impossible for an implementer to know
>> how to reliably locate the token. This appears to be by design,
>> though. ( See RFC 8820: https://datatracker.ietf.org/doc/html/rfc8820
>> , which is now published.)
>>
>> I think the intent of this wording is to imply that everybody should
>> use application/x-www-form-urlencoded for form-style parameters and
>> path-style parameters that look like "path;param1=a,param2=b", but
>> aren't specified anywhere in particular.
>>
>> I see no way for an implementer to determine whether they've met the
>> requirement set out that they MUST meet as it is written.
>>
>> I also wonder whether URI Signing is properly understood as an
>> Extension or an Application, in the terms of 8820. I think it wants to
>> be an Extension (for example: `a new signature mechanism for "http"
>> URIs`), but might be an Application in practice (`an HTTP interface to
>> particular information on a host`). I think important to the
>> discussion is that URI Signing is a mechanism added by an upstream
>> entity that controls the content and its format. I think this is an
>> important issue to resolve.
>>
>> On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> wrote:
>> >
>> > The latest document replaces the path parsing logic with this:
>> >
>> > > URI Signing Package (URISigningPackage): The URI attribute that encapsulates all the URI Signing claims in a signed JWT encoded format.  This attribute is exposed in the Signed URI as a path-style parameter or a form-style parameter.
>> >
>> > Unfortunately, that doesn't give implementers any idea what needs to
>> > be parsed. I read through the conversation on last-call with mnot
>> > (https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/),
>> > especially with regard to BCP190. I also read through RFC6570 and
>> > you're right, it doesn't work for our use case because it's generating
>> > URI, not consuming them. And it's for precisely this reason that we
>> > need to be specific in what is accepted.
>> >
>> > As near as I can tell, there is actually no standard anywhere that
>> > describes "path-style parameters". And there are multiple methods for
>> > defining "form-style parameters", some more recent than others and in
>> > varying levels of use generally on the Internet. How can a document
>> > have a MUST requirement that requires parsing a specific structure
>> > that isn't specified anywhere or even widely agreed upon?
>> >
>> > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote:
>> > >
>> > >
>> > > A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> > > This draft is a work item of the Content Delivery Networks Interconnection WG of the IETF.
>> > >
>> > >         Title           : URI Signing for Content Delivery Network Interconnection (CDNI)
>> > >         Authors         : Ray van Brandenburg
>> > >                           Kent Leung
>> > >                           Phil Sorber
>> > >         Filename        : draft-ietf-cdni-uri-signing-21.txt
>> > >         Pages           : 41
>> > >         Date            : 2021-02-11
>> > >
>> > > Abstract:
>> > >    This document describes how the concept of URI Signing supports the
>> > >    content access control requirements of Content Delivery Network
>> > >    Interconnection (CDNI) and proposes a URI Signing method as a JSON
>> > >    Web Token (JWT) profile.
>> > >
>> > >    The proposed URI Signing method specifies the information needed to
>> > >    be included in the URI to transmit the signed JWT, as well as the
>> > >    claims needed by the signed JWT to authorize a User Agent (UA).  The
>> > >    mechanism described can be used both in CDNI and single Content
>> > >    Delivery Network (CDN) scenarios.
>> > >
>> > >
>> > > The IETF datatracker status page for this draft is:
>> > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
>> > >
>> > > There are also htmlized versions available at:
>> > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21
>> > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21
>> > >
>> > > A diff from the previous version is available at:
>> > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21
>> > >
>> > >
>> > > Please note that it may take a couple of minutes from the time of submission
>> > > until the htmlized version and diff are available at tools.ietf.org.
>> > >
>> > > Internet-Drafts are also available by anonymous FTP at:
>> > > ftp://ftp.ietf.org/internet-drafts/
>> > >
>> > >
>> > > _______________________________________________
>> > > CDNi mailing list
>> > > CDNi@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/cdni
>>
>> _______________________________________________
>> CDNi mailing list
>> CDNi@ietf.org
>> https://www.ietf.org/mailman/listinfo/cdni

v2.23.0 | Report a Bug | By Email