Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-10.txt

Phil Sorber <sorber@apache.org> Wed, 02 November 2016 18:56 UTC

To: Leif Hedstrom <leif@ogre.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/w4kbOBOZDRhNTzRQXKD4vQ8WNPo>
Cc: "cdni@ietf.org" <cdni@ietf.org>

Ok, I've reverted to the "reject" wording.

On Tue, Nov 1, 2016 at 9:25 AM Leif Hedstrom <leif@ogre.com> wrote:

>
> > On Oct 26, 2016, at 10:09 AM, Phil Sorber <sorber@apache.org> wrote:
> >
> > I added your text changes to the PR.
> >
> > As far as ignoring extra claims, it was for third parties. I am
> > rethinking this though. Leif expressed some concerns about processing
> > performance if we allowed free form content. It seems like ignoring unknown
> > claims is of marginal value, but it had several downsides.
>
>
> My thinking is that we should make efforts to clamp down specifications on
> what is acceptable (and required) JSON and claims here. Such that someone
> could write a really fast, simplified JWT parser that only handles the
> cases we must support, nothing more, nothing less.
>
> Cheers,
>
> — Leif
>
>
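
Added example, not part of the thread or of the draft: a JWT payload parser that rejects anything outside a fixed claim set instead of ignoring it, which is the behaviour the "reject" wording and the "nothing more, nothing less" parser describe. The allowlist (RFC 7519 registered claims), the size bound, and all function names are assumptions for illustration; signature verification is out of scope here.

```python
import base64
import json

# Assumed allowlist (RFC 7519 registered claims), one accepted JSON type each.
ALLOWED_CLAIMS = {"iss": str, "sub": str, "exp": int, "nbf": int, "iat": int}
MAX_SEGMENT_CHARS = 1024  # assumed bound so parsing cost stays predictable


class ClaimRejected(Exception):
    """The payload contains something outside what the parser must support."""


def _reject_duplicates(pairs):
    # json.loads would silently keep the last duplicate name; refuse instead.
    claims = dict(pairs)
    if len(claims) != len(pairs):
        raise ClaimRejected("duplicate claim name")
    return claims


def parse_claims(segment: str) -> dict:
    """Decode a base64url JWT payload segment, rejecting rather than ignoring."""
    if len(segment) > MAX_SEGMENT_CHARS:
        raise ClaimRejected("payload too large")
    try:
        padded = segment + "=" * (-len(segment) % 4)
        raw = base64.b64decode(padded, altchars=b"-_", validate=True)
        claims = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except (ValueError, RecursionError) as exc:  # bad base64, UTF-8 or JSON
        raise ClaimRejected("malformed payload") from exc
    if not isinstance(claims, dict):
        raise ClaimRejected("payload is not a JSON object")
    for name, value in claims.items():
        # Fails for an unknown name and for a bool, float or nested value.
        if type(value) is not ALLOWED_CLAIMS.get(name):
            raise ClaimRejected(f"unknown claim or wrong type: {name}")
    return claims


def encode_segment(json_text: str) -> str:  # builds constructed sample input
    return base64.urlsafe_b64encode(json_text.encode()).rstrip(b"=").decode()


def is_accepted(segment: str) -> bool:
    try:
        return parse_claims(segment) is not None
    except ClaimRejected:
        return False
```

Under an "ignore unknown claims" rule, the vendor-claim and duplicate-name payloads in the constructed samples would pass through unexamined; here each one fails closed.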