Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
"Kent Leung (kleung)" <kleung@cisco.com> Wed, 05 July 2017 21:23 UTC
From: "Kent Leung (kleung)" <kleung@cisco.com>
To: Ben Niven-Jenkins <ben@niven-jenkins.co.uk>, Phil Sorber <sorber@apache.org>
CC: "cdni@ietf.org" <cdni@ietf.org>
Date: Wed, 05 Jul 2017 21:23:18 +0000
Message-ID: <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com>
References: <149842148725.3124.11919861730574680552@ietfa.amsl.com> <CABF6JR3gidTD_S2vnrjxzxkmjYxVHsHG3J9VKzaZsiN+pC7WRA@mail.gmail.com> <21D2B0F2-9D1E-45BB-B216-44FFBCD56DE0@niven-jenkins.co.uk>
In-Reply-To: <21D2B0F2-9D1E-45BB-B216-44FFBCD56DE0@niven-jenkins.co.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/ln5J0JPCBdHr5_625c6-BEaz0LI>
Hi Ben. Thanks for your review comments. See my response to some of them below.

From: CDNi [mailto:cdni-bounces@ietf.org] On Behalf Of Ben Niven-Jenkins
Sent: Tuesday, July 4, 2017 3:59 AM
To: Phil Sorber <sorber@apache.org>
Cc: cdni@ietf.org
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt

Hi Phil & URI Signing authors,

I read the latest draft (-12) and below are some questions / thoughts, in no particular order, that occurred to me while reading the document.

* Why support both symmetric & asymmetric keys? What is the advantage to having both options versus just picking one option (probably asymmetric keys as they work for all use cases)?

KL> There are pros and cons of using either asymmetric keys vs symmetric keys. Key distribution limitations and relationships between CSP and CDNs are factors. So I think supporting both allows flexibility for deployments of URI signing. Existing proprietary URI signing implementations typically support both already.

* How are the keys distributed between CDNs? I don't see a property in the UriSigning Metadata object that would include (or link to) the keys (I'm assuming you need to support distribution of at least 2 keys to support key rotation)?

KL> Key distribution is out of scope. I noticed the following text was dropped when the method was converted to JWT. We can put this back in the CDNI Overview section, where the asymmetric and symmetric key methods are mentioned.

"Two types of keys can be used for URI Signing: asymmetric keys and symmetric keys. Asymmetric keys are based on a public/private key pair mechanism and always contain a private key only known to the entity signing the URI (either CSP or uCDN) and a public key for the verification of the Signed URI. With symmetric keys, the same key is used by both the signing entity for signing the URI as well as by the validating entity for validating the Signed URI.

Regardless of the type of keys used, the validating entity has to obtain the key (either the public or the symmetric key). There are very different requirements for key distribution (out of scope of this document) with asymmetric keys and with symmetric keys. Key distribution for symmetric keys requires confidentiality to prevent another party from getting access to the key, since it could then generate valid Signed URIs for unauthorized requests. Key distribution for asymmetric keys does not require confidentiality since public keys can typically be distributed openly (because they cannot be used for URI signing) and private keys are kept by the URI signing function."

* How does a uCDN know whether it is OK/safe/within policy to re-distribute symmetric keys to a dCDN?

KL> See above.

* In the case of Signed Token chains, how does a CDN obtain the keys required to sign the new tokens in the chain as it generates them?

KL> See above.

Kent

* Section 3.3.1 I think needs to be more explicit. I don't know how one could communicate a token chain via the query string as specified in the document, as there is no "back channel" for the CDN to communicate the next token in the chain to the UA.

HTH
Ben

On 25 Jun 2017, at 21:19, Phil Sorber <sorber@apache.org> wrote:

Really hoping to get some feedback on this at the meeting in Prague. It's got all the changes that have been discussed, so I'm not aware of any more substantive changes needed. However, lots of editorial nits I suspect.

Thanks.

On Sun, Jun 25, 2017 at 2:12 PM <internet-drafts@ietf.org> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Content Delivery Networks Interconnection of the IETF.

        Title           : URI Signing for CDN Interconnection (CDNI)
        Authors         : Ray van Brandenburg
                          Kent Leung
                          Phil Sorber
        Filename        : draft-ietf-cdni-uri-signing-12.txt
        Pages           : 35
        Date            : 2017-06-25

Abstract:
   This document describes how the concept of URI signing supports the content access control requirements of CDNI and proposes a URI signing method as a JSON Web Token (JWT) [RFC7519] profile. The proposed URI signing method specifies the information needed to be included in the URI to transmit the signed JWT as well as the claims needed by the signed JWT to authorize a UA. The mechanism described can be used both in CDNI and single CDN scenarios.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-12
https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-12

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-12

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
CDNi mailing list
CDNi@ietf.org
https://www.ietf.org/mailman/listinfo/cdni
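As an added example, not code from the draft or from anyone in this thread: a minimal, standard-library-only sketch of the symmetric-key (HS256) variant of the JWT profile the draft describes. The query parameter name `URISigningPackage` and the `uri` claim are assumptions for illustration, not names taken from draft-12; the validating entity checks the signature, pins the algorithm, enforces `exp` and confirms the token is bound to the URI it arrived on, and because the same key signs and verifies, any dCDN holding it can mint Signed URIs, which is the confidentiality requirement in the quoted text above.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import unquote, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "URISigningPackage"  # assumed parameter name, not taken from the draft
URI_CLAIM = "uri"                  # assumed private claim binding the token to the content URI

def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _split_token(signed_uri: str):
    # Return (URI with the token parameter removed, token or None).
    parts = urlsplit(signed_uri)
    keep, tokens = [], []
    for pair in parts.query.split("&"):
        (tokens if pair.startswith(TOKEN_PARAM + "=") else keep).append(pair)
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(keep), parts.fragment))
    token = unquote(tokens[0][len(TOKEN_PARAM) + 1:]) if len(tokens) == 1 else None
    return bare, token

def sign_uri(uri: str, key: bytes, ttl: int, now: int) -> str:
    """Append an HS256 JWT authorizing exactly `uri` until now + ttl (symmetric key)."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64u(json.dumps({URI_CLAIM: uri, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = _b64u(hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest())
    parts = urlsplit(uri)
    query = parts.query + ("&" if parts.query else "") + urlencode({TOKEN_PARAM: f"{header}.{claims}.{sig}"})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))

def verify_uri(signed_uri: str, key: bytes, now: int) -> bool:
    """True only for an intact HS256 token that is unexpired and bound to the URI it arrived on."""
    bare, token = _split_token(signed_uri)
    if token is None or token.count(".") != 2:
        return False
    header, claims, sig = token.split(".")
    try:
        hdr, body, given = json.loads(_b64u_dec(header)), json.loads(_b64u_dec(claims)), _b64u_dec(sig)
    except ValueError:
        return False
    if not (isinstance(hdr, dict) and isinstance(body, dict)) or hdr.get("alg") != "HS256":
        return False  # the verifier, never the token, decides the algorithm
    expected = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return False
    return isinstance(body.get("exp"), int) and body["exp"] > now and body.get(URI_CLAIM) == bare
```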