[CDNi] Comments on draft 16

"Kolev, Nikola" <Nikola_Kolev@comcast.com> Wed, 06 February 2019 16:39 UTC

Message-ID: <D06FB61F-6768-4965-94C7-CC3042B3289E@comcast.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/jDJwmWDXd1PGndPKid74SIJNrG0>

Hello,

I am not sure what the protocol for providing feedback to this memo is, so I have included it in this email below. Please let me know what the preferred method is and I will resubmit.

Thanks,
Nikola Kolev

(Re)
2.1.2.  Subject (sub) claim

   Subject (sub) [optional] - The semantics in [RFC7519] Section 4.1.2
   MUST be followed.  If this claim is used, it MUST be a JSON Web
   Encryption (JWE [RFC7516]) Object in compact serialization form,
   because it contains personally identifiable information.

Comment: Why? The subject claim does not necessarily need to contain PII. Also, it would be better if the specification left this claim's encoding to "service providers", which may choose a "more optimal" encoding scheme than JWE, even in the case where the claim carries PII and (some portion of) the claim is encrypted.

(Re)
2.1.4.  Expiry Time (exp) claim

   Expiry Time (exp) [optional] - The semantics in [RFC7519]
   Section 4.1.4 MUST be followed, though URI Signing implementations
   .. .. or if the Expiry Time in
   the signed JWT corresponds to a time earlier than the time of the
   content request, the CDN MUST reject the request. .. .. ..

Comment: If I am not mistaken, the `exp` claim carries **on or after** semantics. Hence the memo should not read just **earlier**, as **on** should result in rejection as well.

(Re)
2.1.9.  CDNI Critical Claims Set (cdnicrit) claim

   CDNI Critical Claims Set (cdnicrit) [optional] - The cdnicrit claim
   indicates that extensions to this specification are being used that
   MUST be understood and processed.  Its value is a comma separated
   listing of claims in the Signed JWT that use those extensions.

Comment: Should be specified as a list. Same as the `crit` header claim, https://tools.ietf.org/html/rfc7515#section-4.1.11. "Its value is a comma separated..." could be misinterpreted as a StringOrURI carrying a CSV value.

(Re)
2.1.11.  CDNI URI Container (cdniuc) claim

   URI Container (cdniuc) [optional] - Container for holding the URI
   representation before a URI Signing Package is added.  This
   representation can take one of several forms detailed in
   Section 2.1.15.  If the URI regex ..

Comment: URI regex is only one of the forms that the claim can assume.

(Re)
6.4.  CDNI URI Signing Signed Token Transport

   The "CDNI URI Signing Signed Token Transport" namespace defines the
   valid values that may be in the Signed Token Transport (cdnistt) JWT
   claim.

   The following table defines the initial Enforcement Information
   Elements:

    +-------+-------------------------------------------+---------+
    | Value | Description                               | RFC     |
    +-------+-------------------------------------------+---------+
    | 0     | Designates token transport is not enabled | RFCthis |
    | 1     | Designates token transport via cookie     | RFCthis |
    +-------+-------------------------------------------+---------+

Comment/Question: I would imagine a system where the CDN is not the authority that handles token renewals, but instead the CDN sends the user agent back to the original token issuer. Can the working group consider this architecture and expand the list of “token transport” mechanisms, to include for example HTTP redirects?
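The two validation points raised in the `exp` and `cdnicrit` comments above, as an added example that is not part of the original email or of the draft: the `exp` check rejects a token whose expiry time is on or before the request time (RFC 7519 Section 4.1.4 requires the current time to be strictly before `exp`), and the `cdnicrit` check treats the claim as a JSON array of claim names, rejecting the CSV-string form and any listed claim that is absent or not understood, mirroring the JWS `crit` rules. The claim set is assumed to be already decoded and signature-verified into a dict; the set of understood claims, the `cdnix` extension claim, the URI container value and the sample tokens are constructed for this example.

```python
import json

# Claims this hypothetical CDN implementation understands. "cdnicrit",
# "cdniuc" and "cdnistt" are claim names from the draft; the set itself is an
# assumption of this example, not a list taken from the specification.
UNDERSTOOD_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti",
                     "cdnicrit", "cdniuc", "cdnistt"}


def exp_is_valid(claims, now):
    """RFC 7519 4.1.4: the current time MUST be before exp.

    A token whose exp equals the request time is therefore already expired
    ("on or after" is rejected, not only "earlier").
    """
    exp = claims.get("exp")
    if exp is None:
        return True                      # exp is optional in the draft
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False                     # NumericDate must be a number
    return now < exp


def cdnicrit_problems(claims, understood=UNDERSTOOD_CLAIMS):
    """Return a list of problems with the cdnicrit claim (empty if none).

    Expects a JSON array of claim names, each of which must be present in the
    token and understood by this implementation, as with the JWS 'crit' header.
    """
    crit = claims.get("cdnicrit")
    if crit is None:
        return []
    if isinstance(crit, str):
        # The reading the comment warns against: one string holding "a,b".
        return ["cdnicrit is a string (CSV?), expected a JSON array of names"]
    if not isinstance(crit, list) or not all(isinstance(c, str) for c in crit):
        return ["cdnicrit must be a JSON array of strings"]
    problems = []
    if len(set(crit)) != len(crit):
        problems.append("cdnicrit lists a claim more than once")
    for name in crit:
        if name not in claims:
            problems.append(f"critical claim {name!r} is not present in the token")
        elif name not in understood:
            problems.append(f"critical claim {name!r} is not understood; reject")
    return problems


def validate(claims, now, understood=UNDERSTOOD_CLAIMS):
    """Apply both checks to a decoded claim set; returns (accept, reasons)."""
    reasons = []
    if not exp_is_valid(claims, now):
        reasons.append("exp is on or before the request time")
    reasons.extend(cdnicrit_problems(claims, understood))
    return (not reasons, reasons)


# Constructed sample data: a fixed "request time" and a placeholder URI
# container value (the draft's actual cdniuc forms are not reproduced here).
NOW = 1549471180
URI_CONTAINER = "uri-container-placeholder"

SAMPLES = {
    "expires_exactly_now": {"exp": NOW, "cdniuc": URI_CONTAINER},
    "still_valid": {"exp": NOW + 60, "cdniuc": URI_CONTAINER},
    # cdnicrit written as a CSV string rather than a list
    "crit_as_csv": {"exp": NOW + 60, "cdnicrit": "cdniuc,cdnix",
                    "cdniuc": URI_CONTAINER, "cdnix": 1},
    # "cdnix" is a hypothetical extension claim this implementation lacks
    "crit_unknown": {"exp": NOW + 60, "cdnicrit": ["cdnix"],
                     "cdniuc": URI_CONTAINER, "cdnix": 1},
    "crit_ok": {"exp": NOW + 60, "cdnicrit": ["cdniuc"],
                "cdniuc": URI_CONTAINER},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        accept, reasons = validate(claims, NOW)
        print(f"{label:22} accept={accept} {json.dumps(reasons)}")
```

The `exp` comparison is the whole point of the first comment: with `now < exp` a token carrying `exp` equal to the request time is refused, whereas a check written as "reject if exp is earlier than now" would let it through for that one second.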