Re: [CDNi] URI Signing Signed Token Chaining refactor

Phil Sorber <sorber@apache.org> Wed, 19 July 2017 14:56 UTC

References: <CABF6JR3wEfUoCSJ29xQ3n56Ah1EqPnCvkZ4x6W5_cTW8V35Hwg@mail.gmail.com> <7CEB7DDD-7C33-4FD9-93BC-75E5E78AB3C2@gmail.com> <A2FBEA85-BF95-44A4-8E11-97D39C8DCF76@tiledmedia.com> <f56a1478-2457-6179-619f-b0f38700eaa6@outer-planes.net> <10AF9851-D7DA-42F8-A8E7-B70D4795E0E1@gmail.com> <68a60ab4-df68-6c59-cafc-3850012083cf@outer-planes.net> <D66E565F-32BF-4C36-9B20-98E1406F3D57@gmail.com> <68FD4785-68D5-46A7-8BFB-2539611D097A@tiledmedia.com>
In-Reply-To: <68FD4785-68D5-46A7-8BFB-2539611D097A@tiledmedia.com>
From: Phil Sorber <sorber@apache.org>
Date: Wed, 19 Jul 2017 14:56:23 +0000
Message-ID: <CABF6JR05WV6TzEnXczGjKsys5Hxe+N_suVT-J+h+X+W4Q8VEkg@mail.gmail.com>
To: Ray van Brandenburg <ray@tiledmedia.com>, "Kevin J. Ma" <kevin.j.ma.ietf@gmail.com>
Cc: "Matthew A. Miller" <linuxwolf@outer-planes.net>, "cdni@ietf.org" <cdni@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/mF_1q4__TpYJh_r_pRX3N9FMAq4>
Subject: Re: [CDNi] URI Signing Signed Token Chaining refactor

Ok, I'll put together a PR.

Thanks.

On Wed, Jul 19, 2017 at 4:39 PM Ray van Brandenburg <ray@tiledmedia.com> wrote:

> Works for me.
>
> Ray
>
> > On 19 Jul 2017, at 16:38, Kevin J. Ma <kevin.j.ma.ietf@gmail.com> wrote:
> >
> > I'm good with replacing "chaining" with "renewal".
> >
> > Ray?
> >
> > Sent from my iPhone
> >
> >> On Jul 19, 2017, at 10:36 AM, Matthew A. Miller <linuxwolf@outer-planes.net> wrote:
> >>
> >> Even simply 'Token Renewal' would be perfectly fine.  I'm most concerned
> >> about the 'Chain' part.
> >>
> >>
> >> - m&m
> >>
> >> Matthew A. Miller
> >> < http://goo.gl/LM55L >
> >>
> >>> On 7/19/17 4:35 PM, Kevin J. Ma wrote:
> >>> how do you feel about "short-lived token renewal"?
> >>>
> >>> --  Kevin J. Ma
> >>>
> >>> Sent from my iPhone
> >>>
> >>>> On Jul 19, 2017, at 10:27 AM, Matthew A. Miller <linuxwolf@outer-planes.net> wrote:
> >>>>
> >>>> Making it (a little bit) more generic makes sense.
> >>>>
> >>>> I'm not sure about the name 'Signed Token Chain', but I don't have a
> >>>> better one.  In cryptographic circles, "chain" has certain implications
> >>>> that this document is not expressing.  The "next" item in the chain is
> >>>> supposed to be cryptographically tied to the "previous" item in the
> >>>> chain by using (a hash of, or the exact value of) the previous token
> >>>> when generating the next token.
> >>>>
> >>>> I don't know that that binding property is required here, so I'm not
> >>>> suggesting a change in the protocol.  I do worry, however, that the
> >>>> language may potentially confuse (or worse, mislead) people about the
> >>>> security properties this document is providing.
> >>>>
> >>>>
> >>>> - m&m
> >>>>
> >>>> Matthew A. Miller
> >>>> < http://goo.gl/LM55L >
> >>>>
> >>>>> On 7/19/17 4:14 PM, Ray van Brandenburg wrote:
> >>>>> Yes, good point!
> >>>>>
> >>>>> Although I can’t think of another use case from the top of my head, I don’t see a good reason to limit it to HAS either.
> >>>>>
> >>>>> Ray
> >>>>>
> >>>>>
> >>>>>> On 19 Jul 2017, at 15:51, Kevin J. Ma <kevin.j.ma.ietf@gmail.com> wrote:
> >>>>>>
> >>>>>> (as an individual) I agree with making the section more generic and citing HAS as a use case for token chaining.
> >>>>>>
> >>>>>> Sent from my iPhone
> >>>>>>
> >>>>>>> On Jul 19, 2017, at 9:43 AM, Phil Sorber <sorber@apache.org> wrote:
> >>>>>>>
> >>>>>>> Since we have added the HAS content I have been thinking about how
> >>>>>>> specific we have made it. Perhaps just specifying a method for token
> >>>>>>> chaining, and then citing HAS as a use case makes more sense. I wanted to
> >>>>>>> get some opinions on it before I make those changes. It shouldn't be that
> >>>>>>> big of a change, just taking the HAS specific stuff and putting it in a
> >>>>>>> lower "Use Case" sub-section at the bottom and leaving everything else as a
> >>>>>>> "Signed Token Chaining" section.
> >>>>>>>
> >>>>>>> Thoughts?
> >>>>>>>
> >>>>>>> Thanks.
> >>>>>>> _______________________________________________
> >>>>>>> CDNi mailing list
> >>>>>>> CDNi@ietf.org
> >>>>>>> https://www.ietf.org/mailman/listinfo/cdni
> >>>>>
> >>>>
> >>
>
>
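Editor's note on the terminology point Matthew raises above. The distinction between "renewal" and a cryptographic "chain" is easy to see in code, so here is an added example that is not part of this thread or of the CDNi URI Signing draft: a minimal HMAC-SHA256 token in the header.payload.signature shape, built with the Python standard library only. In the "renewal" variant each short-lived token is signed independently and stands alone; in the "chain" variant the issuer additionally commits to the SHA-256 of the exact previous token, which is the binding property Matthew describes and which the draft's mechanism does not claim. The key, the claim names 'sub', 'iat', 'exp' and 'prev', the subject string and the fixed clock are constructed for illustration and do not reproduce the draft's actual claim set.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-production"  # constructed sample key
LIFETIME = 30  # seconds a short-lived token stays valid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes) -> str:
    """Compact token header.payload.signature; HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify(token: str, key: bytes, now: int):
    """Return the claims if the MAC checks out and 'exp' is still in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


def fingerprint(token: str) -> str:
    """Digest of the exact previous token: the link a real cryptographic chain uses."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue(sub: str, key: bytes, now: int, prev_token=None) -> str:
    """Issue a short-lived token; with prev_token, bind it to its predecessor via 'prev'."""
    claims = {"sub": sub, "iat": now, "exp": now + LIFETIME}
    if prev_token is not None:
        claims["prev"] = fingerprint(prev_token)  # 'prev' is an assumed claim name
    return sign(claims, key)


def renew(prev_token: str, key: bytes, now: int, chained: bool):
    """Renewal: a fresh token with the same subject. Chained: also commits to the old token."""
    prev = verify(prev_token, key, now)
    if prev is None:
        return None  # an expired or forged token cannot be renewed
    return issue(prev["sub"], key, now, prev_token if chained else None)


def verify_chain(tokens, key: bytes, now: int) -> bool:
    """Accept only if every token verifies and each one names the token before it."""
    for i, token in enumerate(tokens):
        claims = verify(token, key, now)
        if claims is None:
            return False
        if i > 0 and claims.get("prev") != fingerprint(tokens[i - 1]):
            return False
    return True


def demo() -> dict:
    now = 1_500_476_193  # fixed clock (the thread's own timestamp) so results are deterministic
    sub = "/content/segment"  # constructed subject
    # Renewal, the term the thread settles on: each token stands alone.
    r0 = issue(sub, KEY, now)
    r1 = renew(r0, KEY, now + 20, chained=False)
    other = issue(sub, KEY, now + 20)  # an unrelated token, exactly as valid as r1
    # A true chain: c1 commits to sha256(c0), so a verifier can check the link.
    c0 = issue(sub, KEY, now)
    c1 = renew(c0, KEY, now + 20, chained=True)
    return {
        "renewal_token_valid": verify(r1, KEY, now + 25) is not None,
        "renewal_has_no_link_to_predecessor": "prev" not in verify(r1, KEY, now + 25),
        "unrelated_token_equally_valid": verify(other, KEY, now + 25) is not None,
        "chain_valid": verify_chain([c0, c1], KEY, now + 25),
        "chain_rejects_swapped_predecessor": not verify_chain([other, c1], KEY, now + 25),
        "expired_token_cannot_be_renewed": renew(c0, KEY, now + LIFETIME, chained=True) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run stand-alone, demo() shows the two behaviours side by side: a renewed token and an unrelated token issued at the same time are indistinguishable to verify(), because nothing in a renewal refers back to its predecessor, whereas verify_chain() rejects the chain as soon as one link is replaced. That is the property readers would assume from the word "chain", and is why "renewal" is the more honest name for what the draft does.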