IETF Logo Mail Archive

Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt

Phil Sorber <sorber@apache.org> Sun, 16 July 2017 08:10 UTC

Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 111441275AB for <cdni@ietfa.amsl.com>; Sun, 16 Jul 2017 01:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Level:
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4R-OqIgwvGO for <cdni@ietfa.amsl.com>; Sun, 16 Jul 2017 01:10:18 -0700 (PDT)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by ietfa.amsl.com (Postfix) with SMTP id 607AA127180 for <cdni@ietf.org>; Sun, 16 Jul 2017 01:10:18 -0700 (PDT)
Received: (qmail 40903 invoked by uid 99); 15 Jul 2017 16:10:17 -0000
Received: from Unknown (HELO mail-relay.apache.org) (140.211.11.15) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 15 Jul 2017 16:10:17 +0000
Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id 5D6F71A0029 for <cdni@ietf.org>; Sat, 15 Jul 2017 16:10:16 +0000 (UTC)
Received: by mail-io0-f170.google.com with SMTP id h64so27027078iod.0 for <cdni@ietf.org>; Sat, 15 Jul 2017 09:10:16 -0700 (PDT)
X-Gm-Message-State: AIVw110LQGARU8PGDDeGYbF98z0c2Ua5cVhUsC6FU3tjbbP0nfDqPxNg HlmTsf+IAgOGxqt9JeyleTxFl1ZuXQ==
X-Received: by 10.107.158.84 with SMTP id h81mr12017583ioe.97.1500135013940; Sat, 15 Jul 2017 09:10:13 -0700 (PDT)
MIME-Version: 1.0
References: <149842148725.3124.11919861730574680552@ietfa.amsl.com> <CABF6JR3gidTD_S2vnrjxzxkmjYxVHsHG3J9VKzaZsiN+pC7WRA@mail.gmail.com> <21D2B0F2-9D1E-45BB-B216-44FFBCD56DE0@niven-jenkins.co.uk> <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com>
In-Reply-To: <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com>
From: Phil Sorber <sorber@apache.org>
Date: Sat, 15 Jul 2017 16:10:03 +0000
X-Gmail-Original-Message-ID: <CABF6JR0kPrPQ2dKjrDgkeR-H=AjyV=G+4-DjdTsRLY0vovCq4A@mail.gmail.com>
Message-ID: <CABF6JR0kPrPQ2dKjrDgkeR-H=AjyV=G+4-DjdTsRLY0vovCq4A@mail.gmail.com>
To: "Kent Leung (kleung)" <kleung@cisco.com>, Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140ba929f164a05545d6670"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/nCgQeQ_N8U_EoqOZUWELYBb8uZE>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2017 08:10:21 -0000

I created this PR to add that paragraph back. Can you guys comment?

https://github.com/PSUdaemon/URISigningSpec/pull/22

Thanks.

On Wed, Jul 5, 2017 at 11:24 PM Kent Leung (kleung) <kleung@cisco.com>
wrote:

> Hi Ben. Thanks for your review comments.  See my response to some of them
> below.
>
>
>
>
>
>
>
> *From:* CDNi [mailto:cdni-bounces@ietf.org] *On Behalf Of *Ben
> Niven-Jenkins
> *Sent:* Tuesday, July 4, 2017 3:59 AM
> *To:* Phil Sorber <sorber@apache.org>
> *Cc:* cdni@ietf.org
>
>
> *Subject:* Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
>
>
>
> Hi Phil & URI Signing authors,
>
>
>
> I read the latest draft (-12) and below are some questions / thoughts, in
> no particular order, that occurred to me while reading the document.
>
>
>
> * Why support both symmetric & asymmetric keys? What is the advantage to
> having both options versus just picking one option (probably asymmetric
> keys as they work for all use cases)?
>
>
>
> KL> There are pros and cons of using either asymmetric keys vs symmetric
> key. Key distribution limitations and relationships between CSP and CDNs
> are factors. So I think supporting both allows flexibility for deployments
> of URI signing. Existing URI signing proprietary implementations typically
> support both already.
>
>
>
>
>
> * How are the keys distributed between CDNs? I don’t see a property in the
> UriSigning Metadata object that would include (or link to) the keys (I’m
> assuming you need to support distribution of at least 2 keys to support key
> rotation)?
>
>
>
> KL> Key distribution is out of scope. I noticed following text was dropped
> when method converted to JWT. We can put this back in CDNI Overview
> section, where the asymmetric and symmetric key methods are mentioned.
>
>
>
> “Two types of keys can be used for URI Signing: asymmetric keys and
>
>    symmetric keys.  Asymmetric keys are based on a public/private key
>
>    pair mechanism and always contain a private key only known to the
>
>    entity signing the URI (either CSP or uCDN) and a public key for the
>
>    verification of the Signed URI.  With symmetric keys, the same key is
>
>    used by both the signing entity for signing the URI as well as by the
>
>    validating entity for validating the Signed URI.  Regardless of the
>
>    type of keys used, the validating entity has to obtain the key
>
>    (either the public or the symmetric key).  There are very different
>
>    requirements for key distribution (out of scope of this document)
>
>    with asymmetric keys and with symmetric keys.  Key distribution for
>
>    symmetric keys requires confidentiality to prevent another party from
>
>    getting access to the key, since it could then generate valid Signed
>
>    URIs for unauthorized requests.  Key distribution for asymmetric keys
>
>    does not require confidentiality since public keys can typically be
>
>    distributed openly (because they cannot be used for URI signing) and
>
>    private keys are kept by the URI signing function.”
>
>
>
>
>
> * How does a uCDN know whether it is OK/safe/within policy to
> re-distribute symmetric keys to a dCDN?
>
>
>
> KL> See above.
>
>
>
> * In the case of Signed Token chains, how does a CDN obtain the keys
> required to sign the new tokens in the chain as it generates them?
>
>
>
> KL> See above.
>
>
>
> Kent
>
>
>
>
>
> * Section 3.3.1 I think needs to be more explicit, I don’t know how one
> could communicate a token chain via the query string as specified in the
> document, as there is no “back channel” for the CDN to communicate the next
> token in the chain to the UA.
>
>
>
> HTH
>
> Ben
>
>
>
> On 25 Jun 2017, at 21:19, Phil Sorber <sorber@apache.org> wrote:
>
>
>
> Really hoping to get some feedback on this at the meeting in Prague. It's
> got all the changes that have been discussed so I'm not aware of any more
> substantive changes needed. However, lots of editorial nits I suspect.
>
> Thanks.
>
>
>
> On Sun, Jun 25, 2017 at 2:12 PM <internet-drafts@ietf.org> wrote:
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> This draft is a work item of the Content Delivery Networks Interconnection
> of the IETF.
>
>         Title           : URI Signing for CDN Interconnection (CDNI)
>         Authors         : Ray van Brandenburg
>                           Kent Leung
>                           Phil Sorber
>         Filename        : draft-ietf-cdni-uri-signing-12.txt
>         Pages           : 35
>         Date            : 2017-06-25
>
> Abstract:
>    This document describes how the concept of URI signing supports the
>    content access control requirements of CDNI and proposes a URI
>    signing method as a JSON Web Token (JWT) [RFC7519] profile.
>
>    The proposed URI signing method specifies the information needed to
>    be included in the URI to transmit the signed JWT as well as the
>    claims needed by the signed JWT to authorize a UA.  The mechanism
>    described can be used both in CDNI and single CDN scenarios.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-12
> https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-12
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-12
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
>
> _______________________________________________
> CDNi mailing list
> CDNi@ietf.org
> https://www.ietf.org/mailman/listinfo/cdni
>
>
>

v2.23.0 | Report a Bug | By Email