Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt

Phil Sorber <sorber@apache.org> Wed, 26 October 2016 16:10 UTC

I added your text changes to the PR.

As far as ignoring extra claims, it was for third parties. I am rethinking
this though. Leif expressed some concerns about processing performance if
we allowed free form content. It seems like ignoring unknown claims is of
marginal value, but it had several downsides.

On Sun, Oct 23, 2016 at 7:50 PM Kevin Ma J <kevin.j.ma@ericsson.com> wrote:

> Hi Phil,
>
>   (as an individual) Wrt unknown claims and changing the MUST reject to a
> SHOULD ignore, is there a specific use case you are considering?
>
>   Is this to account for changes to the underlying JWT/JWS/JWE specs,
> algorithm support, etc.?  If so, is that something we need to handle
> explicitly?
>
>   Is this to allow third-parties to add proprietary claims but still be
> RFC compliant?  This seems like a dangerous feature.  If someone relies on
> that proprietary claim, but some intermediate CDN doesn't understand it,
> then the security or policy is lost.  If this is the intent, it is probably
> at least worth an explicit acknowledgement in the text (and possibly a
> special sandbox in the token itself), as well as a caveat in the security
> considerations?
>
> thanx.
>
> --  Kevin J. Ma
>
> minor comments:
>
> OLD:
>
>   A CDN MUST be able to parse and process all of the claims
>   listed below.  If the signed JWT contains any claims which the
>   CDN does not understand (i.e., is unable to parse and
>   process), the CDN SHOULD ignore them.
>
> NEW:
>
>   A CDN MUST be able to parse and process all of the claims
>   listed below.  If the signed JWT contains any other claims which the
>   CDN does not understand (i.e., is unable to parse and
>   process), the CDN SHOULD ignore them.
>
> OLD:
>
>   The type is JSON integer and the value for this version of
>   the specification is "1".
>
> NEW:
>
>   The type is JSON integer and the value MUST be set to "1",
>   for this version of the specification.
>
> *From:* CDNi [mailto:cdni-bounces@ietf.org] *On Behalf Of *Phil Sorber
> *Sent:* Tuesday, October 18, 2016 11:46 AM
> *To:* Brandenburg, R. (Ray) van <ray.vanbrandenburg@tno.nl>; cdni@ietf.org
> *Subject:* Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt
>
> Seeing as there hasn't been any negative feedback on the new direction (or
> any feedback at all) I'd like to point out that we have this particular
> draft in revision control in github. I've also submitted a pull request if
> anyone would like to review it.
>
> https://github.com/rayvbr/URISigningSpec/pull/5
>
> This adds a version claim so that we can upgrade more easily and also
> ignore unknown claims. We originally had a version field to begin with but
> there was nothing in JWT that was similar so it was left out of the first
> JWT revision. We (Matt Miller and I) also consulted with a JWT expert on
> the name used and how to get it registered properly.
>
> Thanks.
>
> On Tue, Oct 4, 2016 at 2:34 AM Brandenburg, R. (Ray) van <
> ray.vanbrandenburg@tno.nl> wrote:
>
> Hi all,
>
> As you can see, we’ve just uploaded a new version of the URI Signing
> document. This is a major rewrite that incorporates the decision we made in
> Berlin to base the URI Signing algorithm on JSON Web Token.
>
> There are still a few open issues, but we wanted to get the group's opinion
> on whether this is going in the right direction.
>
> Best regards,
>
> Ray
>
>
>
> On 04/10/2016, 10:31, "CDNi on behalf of internet-drafts@ietf.org" <
> cdni-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
>
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>     This draft is a work item of the Content Delivery Networks
> Interconnection of the IETF.
>
>             Title           : URI Signing for CDN Interconnection (CDNI)
>             Authors         : Ray van Brandenburg
>                               Kent Leung
>                               Phil Sorber
>                               Matthew Miller
>         Filename        : draft-ietf-cdni-uri-signing-10.txt
>         Pages           : 29
>         Date            : 2016-10-04
>
>     Abstract:
>        This document describes how the concept of URI signing supports the
>        content access control requirements of CDNI and proposes a URI
>        signing method as a JSON Web Token (JWT) [RFC7519] profile.
>
>        The proposed URI signing method specifies the information needed to
>        be included in the URI to transmit the signed JWT as well as the
>        claims needed by the signed JWT to authorize a UA.  The mechanism
>        described can be used both in CDNI and single CDN scenarios.
>
>
>     The IETF datatracker status page for this draft is:
>     https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
>
>     There's also a htmlized version available at:
>     https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-10
>
>     A diff from the previous version is available at:
>     https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-10
>
>
>     Please note that it may take a couple of minutes from the time of
> submission
>     until the htmlized version and diff are available at tools.ietf.org.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
>     _______________________________________________
>     CDNi mailing list
>     CDNi@ietf.org
>     https://www.ietf.org/mailman/listinfo/cdni
>
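
The trade-off discussed in this thread (rejecting versus ignoring claims a CDN does not understand, plus the version check), shown as an added example that is not part of the original messages, the pull request or the draft. The claim names `ver` and `x_region`, the known-claim set, and the requirement that the version claim be present are assumptions made for illustration; signature verification is assumed to have already succeeded.

```python
# Added illustration, not code from the draft or the thread.
# Claim names "ver" and "x_region" and the known-claim set are hypothetical.

KNOWN_CLAIMS = {"iss", "exp", "ver"}  # claims this hypothetical CDN can process
SUPPORTED_VERSION = 1


class TokenRejected(Exception):
    """Raised when the claim set must not be used to authorize a request."""


def process_claims(claims, unknown_policy, now):
    """Check a claim set whose JWT signature is assumed already verified.

    unknown_policy is "reject" (MUST reject) or "ignore" (SHOULD ignore).
    Returns (enforced, ignored): the claims this CDN will act on and the
    names of the claims it dropped without enforcing.
    """
    if unknown_policy not in ("reject", "ignore"):
        raise ValueError("unknown_policy must be 'reject' or 'ignore'")

    # The version must be the JSON integer 1; bool is an int subclass in
    # Python, so compare the exact type. Requiring presence is an assumption.
    version = claims.get("ver")
    if type(version) is not int or version != SUPPORTED_VERSION:
        raise TokenRejected("missing or unsupported version")

    exp = claims.get("exp")
    if type(exp) not in (int, float) or exp <= now:
        raise TokenRejected("missing or expired exp")

    unknown = sorted(set(claims) - KNOWN_CLAIMS)
    if unknown and unknown_policy == "reject":
        raise TokenRejected("unknown claims: " + ", ".join(unknown))

    enforced = {k: v for k, v in claims.items() if k in KNOWN_CLAIMS}
    return enforced, unknown


def outcome(claims, unknown_policy, now):
    """Return ("accepted", ignored_names) or ("rejected", reason)."""
    try:
        _, ignored = process_claims(claims, unknown_policy, now)
        return "accepted", ignored
    except TokenRejected as err:
        return "rejected", str(err)


# Constructed sample: an upstream party adds a proprietary restriction.
SAMPLE = {"iss": "upstream.example", "exp": 2000, "ver": 1, "x_region": "NL"}
```

With `"ignore"`, the sample token is accepted and `x_region` is never enforced, which is the lost-policy case raised in the thread; recording the ignored names at least makes that visible to the operator.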