Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
Phil Sorber <sorber@apache.org> Sun, 16 July 2017 08:10 UTC
Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 111441275AB for <cdni@ietfa.amsl.com>; Sun, 16 Jul 2017 01:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.421
X-Spam-Level:
X-Spam-Status: No, score=-6.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C4R-OqIgwvGO for <cdni@ietfa.amsl.com>; Sun, 16 Jul 2017 01:10:18 -0700 (PDT)
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by ietfa.amsl.com (Postfix) with SMTP id 607AA127180 for <cdni@ietf.org>; Sun, 16 Jul 2017 01:10:18 -0700 (PDT)
Received: (qmail 40903 invoked by uid 99); 15 Jul 2017 16:10:17 -0000
Received: from Unknown (HELO mail-relay.apache.org) (140.211.11.15) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 15 Jul 2017 16:10:17 +0000
Received: from mail-io0-f170.google.com (mail-io0-f170.google.com [209.85.223.170]) by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id 5D6F71A0029 for <cdni@ietf.org>; Sat, 15 Jul 2017 16:10:16 +0000 (UTC)
Received: by mail-io0-f170.google.com with SMTP id h64so27027078iod.0 for <cdni@ietf.org>; Sat, 15 Jul 2017 09:10:16 -0700 (PDT)
X-Gm-Message-State: AIVw110LQGARU8PGDDeGYbF98z0c2Ua5cVhUsC6FU3tjbbP0nfDqPxNg HlmTsf+IAgOGxqt9JeyleTxFl1ZuXQ==
X-Received: by 10.107.158.84 with SMTP id h81mr12017583ioe.97.1500135013940; Sat, 15 Jul 2017 09:10:13 -0700 (PDT)
MIME-Version: 1.0
References: <149842148725.3124.11919861730574680552@ietfa.amsl.com> <CABF6JR3gidTD_S2vnrjxzxkmjYxVHsHG3J9VKzaZsiN+pC7WRA@mail.gmail.com> <21D2B0F2-9D1E-45BB-B216-44FFBCD56DE0@niven-jenkins.co.uk> <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com>
In-Reply-To: <07d84d59a86f4dcdb19d4e8679bf26f2@XCH-RTP-006.cisco.com>
From: Phil Sorber <sorber@apache.org>
Date: Sat, 15 Jul 2017 16:10:03 +0000
X-Gmail-Original-Message-ID: <CABF6JR0kPrPQ2dKjrDgkeR-H=AjyV=G+4-DjdTsRLY0vovCq4A@mail.gmail.com>
Message-ID: <CABF6JR0kPrPQ2dKjrDgkeR-H=AjyV=G+4-DjdTsRLY0vovCq4A@mail.gmail.com>
To: "Kent Leung (kleung)" <kleung@cisco.com>, Ben Niven-Jenkins <ben@niven-jenkins.co.uk>
Cc: "cdni@ietf.org" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140ba929f164a05545d6670"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/nCgQeQ_N8U_EoqOZUWELYBb8uZE>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Jul 2017 08:10:21 -0000
I created this PR to add that paragraph back. Can you guys comment? https://github.com/PSUdaemon/URISigningSpec/pull/22 Thanks. On Wed, Jul 5, 2017 at 11:24 PM Kent Leung (kleung) <kleung@cisco.com> wrote: > Hi Ben. Thanks for your review comments. See my response to some of them > below. > > > > > > > > *From:* CDNi [mailto:cdni-bounces@ietf.org] *On Behalf Of *Ben > Niven-Jenkins > *Sent:* Tuesday, July 4, 2017 3:59 AM > *To:* Phil Sorber <sorber@apache.org> > *Cc:* cdni@ietf.org > > > *Subject:* Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12.txt > > > > Hi Phil & URI Signing authors, > > > > I read the latest draft (-12) and below are some questions / thoughts, in > no particular order, that occurred to me while reading the document. > > > > * Why support both symmetric & asymmetric keys? What is the advantage to > having both options versus just picking one option (probably asymmetric > keys as they work for all use cases)? > > > > KL> There are pros and cons of using either asymmetric keys vs symmetric > key. Key distribution limitations and relationships between CSP and CDNs > are factors. So I think supporting both allows flexibility for deployments > of URI signing. Existing URI signing proprietary implementations typically > support both already. > > > > > > * How are the keys distributed between CDNs? I don’t see a property in the > UriSigning Metadata object that would include (or link to) the keys (I’m > assuming you need to support distribution of at least 2 keys to support key > rotation)? > > > > KL> Key distribution is out of scope. I noticed following text was dropped > when method converted to JWT. We can put this back in CDNI Overview > section, where the asymmetric and symmetric key methods are mentioned. > > > > “Two types of keys can be used for URI Signing: asymmetric keys and > > symmetric keys. Asymmetric keys are based on a public/private key > > pair mechanism and always contain a private key only known to the > > entity signing the URI (either CSP or uCDN) and a public key for the > > verification of the Signed URI. With symmetric keys, the same key is > > used by both the signing entity for signing the URI as well as by the > > validating entity for validating the Signed URI. Regardless of the > > type of keys used, the validating entity has to obtain the key > > (either the public or the symmetric key). There are very different > > requirements for key distribution (out of scope of this document) > > with asymmetric keys and with symmetric keys. Key distribution for > > symmetric keys requires confidentiality to prevent another party from > > getting access to the key, since it could then generate valid Signed > > URIs for unauthorized requests. Key distribution for asymmetric keys > > does not require confidentiality since public keys can typically be > > distributed openly (because they cannot be used for URI signing) and > > private keys are kept by the URI signing function.” > > > > > > * How does a uCDN know whether it is OK/safe/within policy to > re-distribute symmetric keys to a dCDN? > > > > KL> See above. > > > > * In the case of Signed Token chains, how does a CDN obtain the keys > required to sign the new tokens in the chain as it generates them? > > > > KL> See above. > > > > Kent > > > > > > * Section 3.3.1 I think needs to be more explicit, I don’t know how one > could communicate a token chain via the query string as specified in the > document, as there is no “back channel” for the CDN to communicate the next > token in the chain to the UA. > > > > HTH > > Ben > > > > On 25 Jun 2017, at 21:19, Phil Sorber <sorber@apache.org> wrote: > > > > Really hoping to get some feedback on this at the meeting in Prague. It's > got all the changes that have been discussed so I'm not aware of any more > substantive changes needed. However, lots of editorial nits I suspect. > > Thanks. > > > > On Sun, Jun 25, 2017 at 2:12 PM <internet-drafts@ietf.org> wrote: > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Content Delivery Networks Interconnection > of the IETF. > > Title : URI Signing for CDN Interconnection (CDNI) > Authors : Ray van Brandenburg > Kent Leung > Phil Sorber > Filename : draft-ietf-cdni-uri-signing-12.txt > Pages : 35 > Date : 2017-06-25 > > Abstract: > This document describes how the concept of URI signing supports the > content access control requirements of CDNI and proposes a URI > signing method as a JSON Web Token (JWT) [RFC7519] profile. > > The proposed URI signing method specifies the information needed to > be included in the URI to transmit the signed JWT as well as the > claims needed by the signed JWT to authorize a UA. The mechanism > described can be used both in CDNI and single CDN scenarios. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-12 > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-12 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-12 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > CDNi mailing list > CDNi@ietf.org > https://www.ietf.org/mailman/listinfo/cdni > > _______________________________________________ > CDNi mailing list > CDNi@ietf.org > https://www.ietf.org/mailman/listinfo/cdni > > >
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-12… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Ben Niven-Jenkins
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kent Leung (kleung)
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Ben Niven-Jenkins
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Ben Niven-Jenkins
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kent Leung (kleung)
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin J. Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber