Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
Kevin Ma <kevin.j.ma.ietf@gmail.com> Mon, 05 July 2021 03:21 UTC
Return-Path: <kevin.j.ma.ietf@gmail.com>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 654173A0AB0 for <cdni@ietfa.amsl.com>; Sun, 4 Jul 2021 20:21:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQh_lplTEmsy for <cdni@ietfa.amsl.com>; Sun, 4 Jul 2021 20:21:51 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C8F53A0AAB for <cdni@ietf.org>; Sun, 4 Jul 2021 20:21:50 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id b5so9514355plg.2 for <cdni@ietf.org>; Sun, 04 Jul 2021 20:21:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=N77HYAuwfsXBzINOV9ranphQy3/VgO5iEgsCBS/0MeM=; b=RVOv0S3m2N0CV4GdxeAbnEGRxlUtvQiPmd9GIQNVPOO2b23QNVrs1HTq5Cn77i4gYO NFfmJIzO3SoHh6w+98Zb7BXIL//FD2lqu2CerrnMxbuiQusRLsH/ZvwiEbpmo/VrMWI4 u6Blkppu/TMjxp57Vl3hq6aylH5BdEO2aQzADZ4LJFlK1eiuKa+eRiETlqKAn4OhnbL2 hF/O5LNui2zVxM/tqgMV6cKiHoyrB8vuZCsBXnu6PJ0yq4yvz36ajv5YpAp6upedhHKn LWtxBi8Pg1HeGuj8OQowOgQY3xySh7sH/cCHpHOdcmbYrazIsDoiytfwDqQZd4gW3UOC nqDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=N77HYAuwfsXBzINOV9ranphQy3/VgO5iEgsCBS/0MeM=; b=GuQ72UDll8YURMOcfOD5hVdYDz8EtjFwOqiB0A0WhNihYhp0vXsz0KBR4SmkjOHiaR lMocPHyQtgsthU+++33gIXB9E8Gc9EoF/bOO8s0/HIgM2MzIvh/30jAjp1FyiXWhYGLQ WzRkr4FCEEPMB9Yt1hC1UPW8CWr5BJaLUHrM50J/bBXaQBAgvGOuF+9TPXGm2W3VmYi6 V8jplJPQ9dQ4hWlAqGmaZ5oOOqZ0Gw/Bpo34+P4kwOZpq6rem/W5E1dDUWJA6cAJ2Fsl /8kQfQRHvpIXka0sNgaMUnUNLbEQSrYiDDKAPr3+8tBX5Gg+BCJ9EGJokEL8Z4YXvcPE ZmMA==
X-Gm-Message-State: AOAM530teLYPQxdZixPvP2E0CsUDXO+kRgRB+pKHktWrwCXzK0f9hd2x 5nXya0TCOqKTuUEGrxAW6GamRoKFMJ4PAFDlMAY=
X-Google-Smtp-Source: ABdhPJw89Vo+AEgiUoIBXBTwlLZbAAg1NwDG6uMlt4Aea4TFe3ZFwrtploq8uS5kc30Z2RFstyfCGEBVONDGVM9zVXM=
X-Received: by 2002:a17:902:e74a:b029:129:4f4c:7273 with SMTP id p10-20020a170902e74ab02901294f4c7273mr10428938plf.10.1625455309822; Sun, 04 Jul 2021 20:21:49 -0700 (PDT)
MIME-Version: 1.0
References: <161307191169.578.5042999963159191945@ietfa.amsl.com> <CAJEGKNuoCDz4bXaAHXOnhwg6h2WBV=BSsc_kXFvtq57quy2=rg@mail.gmail.com> <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com>
In-Reply-To: <CAJEGKNvNX3Z1o6YzM-Vs6=Ee82VNjD_4FhLrbfntqf91pJCStQ@mail.gmail.com>
From: Kevin Ma <kevin.j.ma.ietf@gmail.com>
Date: Sun, 04 Jul 2021 23:21:38 -0400
Message-ID: <CAMrHYE3SfY+uyA86g7sdovxb_h718t6uUdT0+nh=428_Jb-y=w@mail.gmail.com>
To: Chris Lemmons <alficles@gmail.com>
Cc: "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000057208b05c657ce56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/xHWjI2m80ikSjbOkjxViI7IfDtQ>
Subject: Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21.txt
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Jul 2021 03:21:56 -0000
Hi Chris, > Unfortunately, there exists no specification for path-style or form-style parameters, so it is impossible for an implementer to know how to reliably locate the token. My understanding from the discussion with Mark ( https://mailarchive.ietf.org/arch/msg/last-call/PxSKvtGtlkQAf7cExIs9HtkzutI/) is that "path-style" and "form-style" refer to the corresponding descriptions in RFC6570. Do you think it would help if we added a reference to RFC6570 and some text to the effect of "where path-style and form-style parameters conform to RFC6570 path-style parameter and form-style query expansion formats, respectively"? > I also wonder whether URI Signing is properly understood as an Extension or an Application, in the terms of 8820. I think URI Signing should be classified as an "Extension". As you noted, RFC8820 explicitly notes "signature mechanisms", and we did explicitly discuss our use case with Mark when he first asked us to "get off his lawn" (https://mailarchive.ietf.org/arch/msg/cdni/3Zt4iDgyVhICgBjpLAlDxqL7uJI/). Do you think an explicit declaration and reference to RFC8820 would help? thanx. -- Kevin J. Ma On Mon, Jun 14, 2021 at 1:59 PM Chris Lemmons <alficles@gmail.com> wrote: > I'd like to bring this up again because I think it's a potentially > serious implementation concern and I don't see an easy way around it. > There is a MUST requirement in the latest draft: > > The URI Signing Package will be found by parsing any path-style > parameters and form-style parameters looking for a key name matching > the URI Signing Package Attribute. Both parameter styles MUST be > supported to allow flexibility of operation. > > Unfortunately, there exists no specification for path-style or > form-style parameters, so it is impossible for an implementer to know > how to reliably locate the token. This appears to be by design, > though. ( See RFC 8820: https://datatracker.ietf.org/doc/html/rfc8820 > , which is now published.) > > I think the intent of this wording is to imply that everybody should > use application/x-www-form-urlencoded for form-style parameters and > path-style parameters that look like "path;param1=a,param2=b", but > aren't specified anywhere in particular. > > I see no way for an implementer to determine whether they've met the > requirement set out that they MUST meet as it is written. > > I also wonder whether URI Signing is properly understood as an > Extension or an Application, in the terms of 8820. I think it wants to > be an Extension (for example: `a new signature mechanism for "http" > URIs`), but might be an Application in practice (`an HTTP interface to > particular information on a host`). I think important to the > discussion is that URI Signing is a mechanism added by an upstream > entity that controls the content and its format. I think this is an > important issue to resolve. > > On Fri, Feb 12, 2021 at 9:24 AM Chris Lemmons <alficles@gmail.com> wrote: > > > > The latest document replaces the path parsing logic with this: > > > > > URI Signing Package (URISigningPackage): The URI attribute that > encapsulates all the URI Signing claims in a signed JWT encoded format. > This attribute is exposed in the Signed URI as a path-style parameter or a > form-style parameter. > > > > Unfortunately, that doesn't give implementers any idea what needs to > > be parsed. I read through the conversation on last-call with mnot > > ( > https://mailarchive.ietf.org/arch/msg/last-call/yIhgGSja7_OoFXK_SGQUuhMdO2o/ > ), > > especially with regard to BCP190. I also read through RFC6570 and > > you're right, it doesn't work for our use case because it's generating > > URI, not consuming them. And it's for precisely this reason that we > > need to be specific in what is accepted. > > > > As near as I can tell, there is actually no standard anywhere that > > describes "path-style parameters". And there are multiple methods for > > defining "form-style parameters", some more recent than others and in > > varying levels of use generally on the Internet. How can a document > > have a MUST requirement that requires parsing a specific structure > > that isn't specified anywhere or even widely agreed upon? > > > > On Thu, Feb 11, 2021 at 12:32 PM <internet-drafts@ietf.org> wrote: > > > > > > > > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > > This draft is a work item of the Content Delivery Networks > Interconnection WG of the IETF. > > > > > > Title : URI Signing for Content Delivery Network > Interconnection (CDNI) > > > Authors : Ray van Brandenburg > > > Kent Leung > > > Phil Sorber > > > Filename : draft-ietf-cdni-uri-signing-21.txt > > > Pages : 41 > > > Date : 2021-02-11 > > > > > > Abstract: > > > This document describes how the concept of URI Signing supports the > > > content access control requirements of Content Delivery Network > > > Interconnection (CDNI) and proposes a URI Signing method as a JSON > > > Web Token (JWT) profile. > > > > > > The proposed URI Signing method specifies the information needed to > > > be included in the URI to transmit the signed JWT, as well as the > > > claims needed by the signed JWT to authorize a User Agent (UA). The > > > mechanism described can be used both in CDNI and single Content > > > Delivery Network (CDN) scenarios. > > > > > > > > > The IETF datatracker status page for this draft is: > > > https://datatracker.ietf.org/doc/draft-ietf-cdni-uri-signing/ > > > > > > There are also htmlized versions available at: > > > https://tools.ietf.org/html/draft-ietf-cdni-uri-signing-21 > > > https://datatracker.ietf.org/doc/html/draft-ietf-cdni-uri-signing-21 > > > > > > A diff from the previous version is available at: > > > https://www.ietf.org/rfcdiff?url2=draft-ietf-cdni-uri-signing-21 > > > > > > > > > Please note that it may take a couple of minutes from the time of > submission > > > until the htmlized version and diff are available at tools.ietf.org. > > > > > > Internet-Drafts are also available by anonymous FTP at: > > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > > > > _______________________________________________ > > > CDNi mailing list > > > CDNi@ietf.org > > > https://www.ietf.org/mailman/listinfo/cdni > > _______________________________________________ > CDNi mailing list > CDNi@ietf.org > https://www.ietf.org/mailman/listinfo/cdni >
- [CDNi] I-D Action: draft-ietf-cdni-uri-signing-21… internet-drafts
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Chris Lemmons
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Kevin Ma
- Re: [CDNi] I-D Action: draft-ietf-cdni-uri-signin… Phil Sorber