Re: [CDNi] Working Group Last Call on draft-ietf-cdni-uri-signing
Kevin Ma J <kevin.j.ma@ericsson.com> Tue, 12 July 2016 14:49 UTC
Return-Path: <kevin.j.ma@ericsson.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98BA512D7C0 for <cdni@ietfa.amsl.com>; Tue, 12 Jul 2016 07:49:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yRoBf58beZrC for <cdni@ietfa.amsl.com>; Tue, 12 Jul 2016 07:49:44 -0700 (PDT)
Received: from usplmg20.ericsson.net (usplmg20.ericsson.net [198.24.6.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2057E12E059 for <cdni@ietf.org>; Tue, 12 Jul 2016 07:06:51 -0700 (PDT)
X-AuditID: c618062d-f79886d000002334-35-5784ee8f076e
Received: from EUSAAHC008.ericsson.se (Unknown_Domain [147.117.188.96]) by usplmg20.ericsson.net (Symantec Mail Security) with SMTP id D3.73.09012.F8EE4875; Tue, 12 Jul 2016 15:20:15 +0200 (CEST)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC008.ericsson.se ([147.117.188.96]) with mapi id 14.03.0294.000; Tue, 12 Jul 2016 10:06:48 -0400
From: Kevin Ma J <kevin.j.ma@ericsson.com>
To: "Brandenburg, R. (Ray) van" <ray.vanbrandenburg@tno.nl>, Ben Niven-Jenkins <ben@niven-jenkins.co.uk>, Content Delivery Networks Interconnection Discussion List <cdni@ietf.org>
Thread-Topic: [CDNi] Working Group Last Call on draft-ietf-cdni-uri-signing
Thread-Index: AdHSDAIj8Q+3AOh3Q/WhloflAutMVQCa2goAASzpMYAADCKGkACC6yqAAAaL1dAANNetAAAD/kJQ
Date: Tue, 12 Jul 2016 14:06:48 +0000
Message-ID: <A419F67F880AB2468214E154CB8A556206E52458@eusaamb103.ericsson.se>
References: <A419F67F880AB2468214E154CB8A556206E3A737@eusaamb103.ericsson.se> <9E9EDA82-35E4-42D7-BCD6-B8EA88BD3BF5@niven-jenkins.co.uk> <A3CCDEAD-81BA-4E1F-B0B3-07E6F556AF73@tno.nl> <A419F67F880AB2468214E154CB8A556206E4D5FB@eusaamb103.ericsson.se> <73B31A7C-CC80-4646-A7C9-401874C3B07D@tno.nl> <A419F67F880AB2468214E154CB8A556206E50C40@eusaamb103.ericsson.se> <B8DB81BF-E7CE-4172-83C5-EF15FECF94B2@tno.nl>
In-Reply-To: <B8DB81BF-E7CE-4172-83C5-EF15FECF94B2@tno.nl>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.11]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrDLMWRmVeSWpSXmKPExsUyuXRPgm7/u5Zwg8bFUhYLzk1gs3g6+w+r xbfN1xkdmD2WLPnJ5PHz+iRGj4PrLjAHMEdx2aSk5mSWpRbp2yVwZVxc18VW8KKFqeJs/wu2 BsYJ/xi7GDk5JARMJP7vvMsCYYtJXLi3nq2LkYtDSOAoo8TclsksEM5yRombK/vBqtgEtCQe f/3LBJIQEdjJKPFldw8rSEJYwEtif9NxdhBbRMBb4sCR3SwQdpTE68vL2UBsFgFViQOzT4HF eQV8JX4+W8oMsWERs0Tf70awIk4BK4ld+3+DFTEC3fT91BomEJtZQFzi1pP5TBC3Ckgs2XOe GcIWlXj5+B8rhK0k8fH3fKAjOIDqNSXW79KHaFWUmNL9kB1ir6DEyZlPWCYwis5CMnUWQscs JB2zkHQsYGRZxchRWlyQk5tuZLCJERgnxyTYdHcw3p/ueYhRgINRiYd3wb3mcCHWxLLiytxD jBIczEoivBnfWsKFeFMSK6tSi/Lji0pzUosPMUpzsCiJ84o9UgwXEkhPLEnNTk0tSC2CyTJx cEo1MJbaZWSd8lmSvTz0Uc6xlvv7dtb2PWSM/ckiUFXFH//1hYYnX0SUUlaATIifczszC1ex ypTvM9rndz99kGyv8EXN9/xOdYvz54WNRXdmHGJmM9z5YrqzimbZ9KADD2punT8uybLRpy18 Fq8618Qv7WnnmWzEdoun8KuZ+rivT6p627eL5TGbEktxRqKhFnNRcSIAWTkkgY8CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/icmavMIg-cgCUDtdm9hyAfVSGro>
Subject: Re: [CDNi] Working Group Last Call on draft-ietf-cdni-uri-signing
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 14:49:47 -0000
Hi Ray, > > [Ray] In the end, I wouldn’t be surprised if some > > implementations actually only implemented KID_NUM. > > Are there any guidelines on mandatory to > support/implement IEs? Is one allowed to only implement KID_NUM and not > KID > > [Ray] Currently, we don’t have any such guidelines and an implementation > is expected to implement all IEs (but _not_ all algorithms). So, if I send KID=1234 (instead of KID_NUM=1234), we would expect every implementation to support this? And if I send KID=abcd, we would expect every implementation to support that as well? If so, then I see no point in having KID_NUM. > Ben’s > suggestion to not make DSA mandatory does not sound unreasonable to me. Then, I still think you need an error code for this in the logging, and a MUST statement about rejecting requests with algorithms you don't support. > [Ray] It seems we agree that folding HF and DSA into one information > element wouldn’t fundamentally remove steps from the algorithm itself, nor > reduce it’s complexity. true > Then I still don’t see the downside of having both > an HF and DSA information element, especially if it means we do not have > to add a registry and it makes the step of checking which steps of the > algorithm you need to follow easier. But you already have a registry (section 8.7) just for MD and DS? That seems even less useful. I'd argue that a registry of known/supported algorithms is better than a registry just for those two IEs. If a new signature algorithm is added, is someone expected to add another IE to the "CDNI URI Signing Signature Information Elements" registry? > If you’re concerned about the wording > in the paragraphs above, wouldn’t it be easier if I would simply replace > the ‘symmetric’ and ‘assymetric’ in the paragraphs above with ‘if HF is > present’ and ‘if DSA is present’? I'm concerned about the complexity of the parser. Granted it doesn't make it that much more complex, but a generic IE, imo, is simpler than multiple IEs, where one would work just fine. Same with KID and KID_NUM. The extra IEs are just more cases to handle, for marginal value if any, imo. If no one else cares, that's fine, but since Ben brought it up, I wanted to renew my previous comments. thanx. -- Kevin J. Ma > -----Original Message----- > From: Brandenburg, R. (Ray) van [mailto:ray.vanbrandenburg@tno.nl] > Sent: Tuesday, July 12, 2016 7:48 AM > To: Kevin Ma J; Ben Niven-Jenkins; Content Delivery Networks > Interconnection Discussion List > Subject: Re: [CDNi] Working Group Last Call on draft-ietf-cdni-uri-signing > > Hi Kevin, > > On 11/07/16 16:56, "Kevin Ma J" <kevin.j.ma@ericsson.com> wrote: > > Hi Ray, > > > Given that Leif and his colleagues actually implemented the algorithm, > and > > they were the ones asking for this change, my guess would be yes. But > > let’s ask them to make sure. > > I believe Leif and Phil agreed in BA to re-review during WGLC, so, > hopefully they can chime in. :) > > > In the end, I wouldn’t be surprised if some > > implementations actually only implemented KID_NUM. > > Thinking about this some more. Are there any guidelines on mandatory to > support/implement IEs? Is one allowed to only implement KID_NUM and not > KID, or only HF/MD and not DSA/DS; and if an IE is not supported, is there > a MUST reject? If so, should there be an error code for that? > > [Ray] Currently, we don’t have any such guidelines and an implementation > is expected to implement all IEs (but _not_ all algorithms). Ben’s > suggestion to not make DSA mandatory does not sound unreasonable to me. > > > If you look at the algorithm, the paths for HF and DSA are considerably > > different. > > Just to take it one step further: Yes, the algorithms are different, but > in section 3.2, steps 1 and 2 clearly state "1. If symmetric shared key is > use, perform this step" and "2. if asymmetric private/public keys are > used, perform this step". The difference is already broken out. The only > difference to the current text would be a find/replace on the IE in those > sections. Likewise, in section 4.4, steps 2.A and 2.B are separated based > on whether the algorithm is symmetric or asymmetric, as determined in > section 4.2, steps 2 and 3. (Note: Section 4.3 would actually be > simplified by not having to distinguish between MD/DS.) The only real > question, imo, is whether or not section 4.2, steps 2 and 3 could be > replaced with an algorithm check rather than an IE check, i.e., if SHA256, > then it's symmetric, else if ECDSA, then it's asymmetric? > > There currently isn't a registry for supported HF/SAs. > 1. Would a registry make sense? > 2. Would a registry with a clear/obvious designation of symmetric vs > asymmetric make the above test easy? > > [Ray] It seems we agree that folding HF and DSA into one information > element wouldn’t fundamentally remove steps from the algorithm itself, nor > reduce it’s complexity. Then I still don’t see the downside of having both > an HF and DSA information element, especially if it means we do not have > to add a registry and it makes the step of checking which steps of the > algorithm you need to follow easier. If you’re concerned about the wording > in the paragraphs above, wouldn’t it be easier if I would simply replace > the ‘symmetric’ and ‘assymetric’ in the paragraphs above with ‘if HF is > present’ and ‘if DSA is present’? > > Also, I've proposed removal of the Metadata Auth Type registry from the > metadata draft; if that is accepted, we would no longer need section 8.4 > > [Ray] Ok. > > thanx! > > -- Kevin J. Ma > > > -----Original Message----- > > From: Brandenburg, R. (Ray) van [mailto:ray.vanbrandenburg@tno.nl] > > Sent: Monday, July 11, 2016 3:28 AM > > To: Kevin Ma J; Ben Niven-Jenkins; Content Delivery Networks > > Interconnection Discussion List > > Subject: Re: [CDNi] Working Group Last Call on draft-ietf-cdni-uri- > signing > > > > Hi Kevin, > > > > > 1. Having both KID and KID_NUM seems unnecessary to me. I understand > > Leif's argument > > > (https://mailarchive.ietf.org/arch/msg/cdni/YDIrOdutbrvQkEwvAevwONdiUFE), > > but I'm still not sure I agree. Are implementers really going to have 2 > > separate code paths, one with an integer variable and another with a > > string variable, just to get a memory efficiency? Or is the integer > just > > going to get converted to a string? And they already have to allocate > the > > memory just to parse the token? > > > > Given that Leif and his colleagues actually implemented the algorithm, > and > > they were the ones asking for this change, my guess would be yes. But > > let’s ask them to make sure. In the end, I wouldn’t be surprised if some > > implementations actually only implemented KID_NUM. > > > > > 2. I agree that having both HF and DSA could be unnecessary. I know > > we've also had long discussions about needing for both MD and DS. > > Ultimately, there is an algorithm (HF or DSA) that is run, and results > in > > a signature (MD or DS), and only one pair (HF/MD or DSA/DS) ends up in > the > > token? The algorithm doesn't really change dramatically if the IE's are > > different? Is it just about readability? > > > > If you look at the algorithm, the paths for HF and DSA are considerably > > different. One performs an HMAC as defined by HF, the other does a > > (keyless) SHA-1 hash, then encrypts the result with an encryption > > function. If we would merge both into a single Information Element > (let’s > > call it Signature Algorithm, or SA, for now), the algorithm would have > to > > include something along the lines of: “If the algorithm communicated in > > the SA field is a Digital Signature Algorithm, perform X. If it is a > > hashing function, perform Y.”. In other words, the two different paths > in > > the algorithm will keep existing, but now you’re probably going to have > to > > give some definition or list of which algorithms classify as Digital > > Signature Algorithm and which as hashing functions. In the end, I’m not > > sure what we would gain by it. > > > > Thanks, > > > > Ray > > > > > > On 08/07/16 23:19, "Kevin Ma J" <kevin.j.ma@ericsson.com> wrote: > > > > Hi Ray, > > > > (As an individual) I'll echo two of Ben's points, as I've asked > similar > > questions in the past: > > > > 1. Having both KID and KID_NUM seems unnecessary to me. I understand > > Leif's argument > > > (https://mailarchive.ietf.org/arch/msg/cdni/YDIrOdutbrvQkEwvAevwONdiUFE), > > but I'm still not sure I agree. Are implementers really going to have 2 > > separate code paths, one with an integer variable and another with a > > string variable, just to get a memory efficiency? Or is the integer > just > > going to get converted to a string? And they already have to allocate > the > > memory just to parse the token? > > > > 2. I agree that having both HF and DSA could be unnecessary. I know > > we've also had long discussions about needing for both MD and DS. > > Ultimately, there is an algorithm (HF or DSA) that is run, and results > in > > a signature (MD or DS), and only one pair (HF/MD or DSA/DS) ends up in > the > > token? The algorithm doesn't really change dramatically if the IE's are > > different? Is it just about readability? > > > > thanx! > > > > -- Kevin J. Ma > > > > > -----Original Message----- > > > From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Brandenburg, R. > > > (Ray) van > > > Sent: Friday, July 08, 2016 7:12 AM > > > To: Ben Niven-Jenkins; Content Delivery Networks Interconnection > > > Discussion List > > > Subject: Re: [CDNi] Working Group Last Call on draft-ietf-cdni-uri- > > signing > > > > > > Hi Ben, > > > > > > Thanks for the thorough review! See my comments below. > > > > > > Ray > > > > > > On 02/07/16 13:35, "CDNi on behalf of Ben Niven-Jenkins" <cdni- > > > bounces@ietf.org on behalf of ben@niven-jenkins.co.uk> wrote: > > > > > > Kevin, Colleagues, > > > > > > I reviewed draft-ietf-cdni-uri-signing-09 & below are my comments. > > > > > > General: > > > > > > The document is not clear on whether implementers are expected to > > > implement both shared secret & digital signature algorithms for signed > > URI > > > validation. This could lead to interop problems where different > > > implementation implement one but not the other. > > > > > > Maybe specify a minimum baseline of MUST support shared secret (as > AFAIK > > > that is what is used in the field) with SHOULD implement digital > > > signatures for the 1 corner case for which digital signatures provide > an > > > advantage. > > > > > > I’m somewhat against specifying must implement both shared secret & > > > digital signatures because I’ve never seen a digital signature based > > > signed URI in the field and I’m familiar with quite a few signed URI > > > algorithms/implementations of different CDNs. That says to me folks > are > > > not likely to implement more than the shared secret algorithm unless > > they > > > really need to. I know Cisco have a digital signature implementation > > maybe > > > they could help with how much use it sees in the field? > > > > > > [Ray] Agreed that we shouldn’t make digital signatures mandatory. As > for > > > making support for shared secrets mandatory: I guess that makes sense. > > > > > > The document could do with some more examples of {URI, attributes, > > > URISigningPackage, Signed URI} covering e.g. IPv4 & IPv6, one > including > > a > > > URI Path Pattern etc. > > > > > > Section 2.1: > > > URI Pattern Container (UPC) definition - how does one represent a URI > > > pattern that contains a literal ‘;’ because the URI/URI pattern > contains > > > in path parameters to match against? Does presence of a literal ‘;’ > need > > > to be escaped with ‘$' too to distinguish it from the use of ‘;’ to > > > separate URI patterns within the URI Pattern Container? > > > > > > [Ray] Good point. Literal semi-colons do indeed need to be escaped. > I’ll > > > add this in the next revision > > > > > > Section 2.2: > > > Why is there a KID (string) & KID_NUM (integer) for shared > secrets/keys > > > and only CKI (integer) for Client IP keys? To be consistent should it > be > > > CKI_NUM? > > > > > > The document also says > > > In cases > > > where numerical KEY IDs are used, it is RECOMMENDED to use KID_NUM > > > instead of KID. > > > Which makes me think, why? What the KID means/represents is > communicated > > > out of band (and how to do that is out of scope of the document). It > > seems > > > straightforward to say KID is always a string (which can represent an > > > integer) and get rid of KID_NUM entirely. That would mean we need one > > less > > > attribute defining (or two less if we need string & integer attributes > > for > > > CKI) and avoids folks having to work out what to do & implement corner > > > cases like what to do if KID & KID_NUM are both present. > > > > > > Why not just have KID and CKI both as strings and remove KID_NUM? > > > > > > [Ray] This was the consensus result of a lengthy discussion between > the > > > authors both on and off list ☺ The main reason we included a string- > > based > > > KID was so that we can have URLs to public keys. However, as Leif > > pointed > > > out, for interop and performance reasons it helps to have maximum > length > > > for the KID field. With public keys this is hard to do. So in cases > > where > > > performance is essential, using a fixed-length int field is faster. > The > > > reason we didn’t extend this to the CKI field is that for CKI we only > > > support symmetric encryption, and hence a integer key index should be > > > sufficient. > > > > > > Along similar lines. Why have both HF & DSA. Is it implicit from the > > value > > > of the attribute (e.g. 'SHA-256' vs ‘ECDSA’) whether a shared secret > or > > > digital signature algorithm is being used? Or is the purpose to enable > > URI > > > to be signed (& subsequently) verified with either (if both are > > specified) > > > or with both? > > > > > > [Ray] We explicitly rule out having both HF and DSA information > elements > > > in a single Signed URI. The reason we went for separate IEs is that it > > > makes describing the algorithm slightly less complex. And given that > we > > > base64-encode the full URI Signing Package anyway it doesn’t really > > matter > > > in terms of namespace collisions. > > > > > > Section 3.1: > > > 8)a) says > > > Note: the Original URI > > > Container information element MUST be the last information > > > element in the buffer before the signature information > > > element. > > > 8)b) does not have a similar statement. Is the URI Pattern Container > > also > > > required (MUST) to be the last information element in the buffer? > > > > > > [Ray] The Original URI Container is a special case in the sense that > it > > > isn’t communicated along with the Signed URI but is removed from the > > > package after having calculated the signature. > > > > > > Section 5.4: > > > I don’t see the point of key-id, hash-function, digital-signature- > > > algorithm & version. > > > > > > The absence of the VER attribute is specified by the document to mean > > > Version 1. The absence of the HF & DSA attributes is specified by the > > > version of the signing method. Version 1 (the document) specifies them > > as > > > SHA-256 & ECDSA accordingly. Why re-specify this in the Metadata > object? > > > > > > [Ray] I’m not sure I understand. What the metadata ‘version’ field is > > for > > > is to allow CDNs to mandate other versions of URI Signing in the > future > > > (e.g. by setting the version property to 2). The same goes for the > hash- > > > function and digital-signature-algorithm properties: a CDN could > mandate > > > that URI Signing version 1 is used, but still only allow SHA-512 > instead > > > of SHA-256 as used by default. > > > > > > key-id is for when there is only a single key id as an optimisation if > > > someone wants to have a single key id & not transmit it in the signed > > URI? > > > Does;t seem worth it to me for a narrow corner case. If it is worth it > > > just specify if KID/KID_NUM is missing from the signed URI and key-id- > > set > > > contains a single value then use that? Or if KID/KID_NUM is missing > the > > > surrogate checks all keys in key-id-set and if one matches the URI is > > > authorised? > > > > > > [Ray] See earlier comment > > > > > > (Personally I think KID/KID_NUM in the Signed URi is pointless, their > > > meaning is distributed out of band so why not also distribute the > values > > > out of band/via metadata and have the behaviour be any valid > key/secret > > in > > > key-id-set passes and remove KID/KID_NUM [and maybe CKI] from the > Signed > > > URI entirely) > > > > > > [Ray] I’m not sure I understand. How would the dCDN know which Key is > > used > > > to calculate a given signature? Or are you saying it should just check > > all > > > possible Keys that are in the allowed set? > > > > > > Section 5.4: > > > This confused me: > > > Note that the Key ID information element is not needed if only one > > > key is provided by the CSP or the Upstream CDN for the content item > > > or set of content items covered by the CDNI Metadata object. > > > until I realised that “Key ID information element” was referring to > the > > > element of the Signed URI and not the key-id property of the metadata > > > object specified immediately above the sentence. Maybe phrase as “Note > > > that the Key ID information element does not need to be included in > the > > > Signed URI if only one key…" > > > > > > [Ray] Good point. Will update. > > > > > > Section 9: > > > In the case where asymmetric keys are used, the KID information > > > element might contain the URL to the public key. To prevent > > > malicious clients from signing their own URIs and inserting the > > > associated public key URL in the KID field, thereby passing URI > > > validation, it is important that CDNs check whether the URI > conveyed > > > in the KID field is in the allowable set of KIDs as listed in the > > > CDNI metadata or set via configuration. > > > Or specify things as I suggest above and remove the need for > KID/KID_NUM > > > being present in the Signed URI and therefore this > > scenario/vulnerability > > > being able to occur in the first place? > > > > > > [Ray] See my earlier comment. I don’t see how the dCDN would ever be > > able > > > to know which key was used. But maybe I’m missing something. > > > > > > nits: > > > Section 1: > > > The primary goal of URI Signing is to make > > > sure that only authorized User Agents (UAs) are able to access the > > > content, with a CSP being able to authorize every individual > request. > > > Is it really to authorise the User Agent or the IP address the User > > Agent > > > is behind? There is nothing in the signed URI that identifies the > > > particular User Agent. URIs can still potentially be shared/exchanged > > > between User Agents behind the same IP address/subnet, however the > > impact > > > of such sharing is limited/acceptable for the use case. > > > > > > I would s/User Agents (UAs)/IP address(es)/ > > > > > > Section 1: > > > I do not know what is meant by distribution policy in this sentence: > > > Splitting the role of performing per-request > > > authorization by CSP and the role of validation of this > authorization > > > by the CDN allows any arbitrary distribution policy to be enforced > > > across CDNs without the need of CDNs to have any awareness of the > > > actual CSP distribution policy. > > > > > > Section 2.2: > > > The Key ID Information Element is used to retrieved the key which > is > > > needed as input to the algorithm for validating the Signed URI. > > > s/retrieved/retrieve/ > > > > > > Section 2.4: > > > However, a client or CDN may append other > > > query parameters unrelated to URI Signing to the Signed URI. Such > > > additional query parameters SHOULD NOT use the same name as the URI > > > Signing Package Attribute to avoid namespace collision and > potential > > > failure of the URI Signing validation. > > > s/client/User Agent/ is probably more aligned with the rest of the > > > document. There are some other places where you use client. Probably > > worth > > > being consistent and picking one of client or User Agent to use > > > throughout. > > > > > > Section 3: > > > In case the > > > URI Pattern Container information element is used, the CSP has full > > > flexibility to specify which elements of the URI (including the > > > scheme part) are protected by the URI. > > > I think you mean “protected by the Signed URI”? > > > > > > Section 3: > > > The process of generating a Signed URI can be divided into four > sets > > > of steps: 1) Compose URI Signing IEs with original URI / URI > pattern, > > > 2) Compute the URI Signature, 3) Encode the URI Signing Package, > and > > > 4) Assemble the parts to create the Signed URI. > > > This would be better as a list of numbered bullets IMO. > > > > > > > > > [Ray] Thanks again! > > > > > > HTH > > > Ben > > > > > > > On 29 Jun 2016, at 14:43, Kevin Ma J <kevin.j.ma@ericsson.com> > wrote: > > > > > > > > Hi All, > > > > > > > > As per the discussion in BA, we have received the updated URI > Signing > > > draft and would like to move it to WGLC. (Leif and Phil, you're up!) > > > > > > > > Today will begin the two-week WGLC on: > > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-09 > > > > > > > > Please send any comments, questions, concerns to the CDNI mailing > > list: > > > cdni@ietf.org > > > > > > > > The WGLC will end on Wednesday July 13, 2016. > > > > > > > > thanx! > > > > > > > > -- Kevin and Francois > > > > > > > > _______________________________________________ > > > > CDNi mailing list > > > > CDNi@ietf.org > > > > https://www.ietf.org/mailman/listinfo/cdni > > > > > > _______________________________________________ > > > CDNi mailing list > > > CDNi@ietf.org > > > https://www.ietf.org/mailman/listinfo/cdni > > > > > > > > > This message may contain information that is not intended for you. If > > you > > > are not the addressee or if this message was sent to you by mistake, > you > > > are requested to inform the sender and delete the message. TNO accepts > > no > > > liability for the content of this e-mail, for the manner in which you > > use > > > it and for damage of any kind resulting from the risks inherent to the > > > electronic transmission of messages. > > > _______________________________________________ > > > CDNi mailing list > > > CDNi@ietf.org > > > https://www.ietf.org/mailman/listinfo/cdni > > > > > > This message may contain information that is not intended for you. If > you > > are not the addressee or if this message was sent to you by mistake, you > > are requested to inform the sender and delete the message. TNO accepts > no > > liability for the content of this e-mail, for the manner in which you > use > > it and for damage of any kind resulting from the risks inherent to the > > electronic transmission of messages. > > > This message may contain information that is not intended for you. If you > are not the addressee or if this message was sent to you by mistake, you > are requested to inform the sender and delete the message. TNO accepts no > liability for the content of this e-mail, for the manner in which you use > it and for damage of any kind resulting from the risks inherent to the > electronic transmission of messages.
- Re: [CDNi] Working Group Last Call on draft-ietf-… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Brandenburg, R. (Ray) van
- Re: [CDNi] Working Group Last Call on draft-ietf-… Ben Niven-Jenkins
- [CDNi] Working Group Last Call on draft-ietf-cdni… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Leif Hedstrom
- Re: [CDNi] Working Group Last Call on draft-ietf-… Kevin Ma J
- Re: [CDNi] Working Group Last Call on draft-ietf-… Brandenburg, R. (Ray) van
- Re: [CDNi] Working Group Last Call on draft-ietf-… Brandenburg, R. (Ray) van