Re: [CDNi] AD review of draft-ietf-cdni-uri-signing-19
Phil Sorber <sorber@apache.org> Tue, 05 January 2021 22:26 UTC
Return-Path: <sorber@apache.org>
X-Original-To: cdni@ietfa.amsl.com
Delivered-To: cdni@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FF973A09E9 for <cdni@ietfa.amsl.com>; Tue, 5 Jan 2021 14:26:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.899
X-Spam-Level:
X-Spam-Status: No, score=-9.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1LiIS7yu8z44 for <cdni@ietfa.amsl.com>; Tue, 5 Jan 2021 14:26:55 -0800 (PST)
Received: from mxout1-he-de.apache.org (mxout1-he-de.apache.org [IPv6:2a01:4f9:c010:567c::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 859F43A0A1D for <cdni@ietf.org>; Tue, 5 Jan 2021 14:26:55 -0800 (PST)
Received: from mail.apache.org (mailroute1-lw-us.apache.org [207.244.88.153]) by mxout1-he-de.apache.org (ASF Mail Server at mxout1-he-de.apache.org) with SMTP id 1331C664D3 for <cdni@ietf.org>; Tue, 5 Jan 2021 22:22:46 +0000 (UTC)
Received: (qmail 53040 invoked by uid 99); 5 Jan 2021 20:00:41 -0000
Received: from mailrelay1-he-de.apache.org (HELO mailrelay1-he-de.apache.org) (116.203.21.61) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Jan 2021 20:00:41 +0000
Received: from mail-oi1-f172.google.com (mail-oi1-f172.google.com [209.85.167.172]) by mailrelay1-he-de.apache.org (ASF Mail Server at mailrelay1-he-de.apache.org) with ESMTPSA id 6D5103E83E; Tue, 5 Jan 2021 20:00:40 +0000 (UTC)
Received: by mail-oi1-f172.google.com with SMTP id 9so895835oiq.3; Tue, 05 Jan 2021 12:00:40 -0800 (PST)
X-Gm-Message-State: AOAM530lVv6mLLpPlXYA7Vt2c884C3jx00jQaDIjS4Kvu239XauP/Z1i WVMDBw3PxreSb1BY/uuhhfaRgW+ScYYbavJ0KaY=
X-Google-Smtp-Source: ABdhPJz6bVnkFNVgku0XNaZbuHIU352rpORifHiEcYjlEEEH5iCAJXwXkdU/p2TmZiRGeBpX4b95LDqlDZERSWyIJAg=
X-Received: by 2002:aca:c3c6:: with SMTP id t189mr902315oif.21.1609876839190; Tue, 05 Jan 2021 12:00:39 -0800 (PST)
MIME-Version: 1.0
References: <CALaySJJkZiRYx16cUYDtD2LU+3qAKMtMB_qY7cwkpQnWMnVMpg@mail.gmail.com>
In-Reply-To: <CALaySJJkZiRYx16cUYDtD2LU+3qAKMtMB_qY7cwkpQnWMnVMpg@mail.gmail.com>
From: Phil Sorber <sorber@apache.org>
Date: Tue, 05 Jan 2021 13:00:28 -0700
X-Gmail-Original-Message-ID: <CABF6JR3fJ8qiCwiv-5br9bepUQAsh4_x3ae8Z0oMA5SBgfa4CQ@mail.gmail.com>
Message-ID: <CABF6JR3fJ8qiCwiv-5br9bepUQAsh4_x3ae8Z0oMA5SBgfa4CQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: "draft-ietf-cdni-uri-signing.all@ietf.org" <draft-ietf-cdni-uri-signing.all@ietf.org>, "<cdni@ietf.org>" <cdni@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000021d4fb05b82ca9dd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/cdni/yywlKoVf6QDw7_zf50h2X4Ahwno>
Subject: Re: [CDNi] AD review of draft-ietf-cdni-uri-signing-19
X-BeenThere: cdni@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This list is to discuss issues associated with the Interconnection of Content Delivery Networks \(CDNs\)" <cdni.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cdni>, <mailto:cdni-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cdni/>
List-Post: <mailto:cdni@ietf.org>
List-Help: <mailto:cdni-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cdni>, <mailto:cdni-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 22:26:57 -0000
Barry, Thanks again for the review and sorry about the amount of time taken to address your issues. I have opened a PR on the git repo for this draft here: https://github.com/PSUdaemon/URISigningSpec/pull/65 Let's iterate there and I will submit an updated draft once you are satisfied with the changes. A couple specific comments below. Thanks. On Thu, Mar 12, 2020 at 11:05 PM Barry Leiba <barryleiba@computer.org> wrote: > Here is my AD review of draft-ietf-cdni-uri-signing-19. My apologies for > taking a couple of weeks to get to this: the IESG has, as you can imagine, > been swamped with both heavy telechat schedules because of the impending AD > changeover and unexpected craziness with IETF 107 planning and decisions > related to the meeting cancellation. > > Kevin, thanks so much for a very thorough and excellent shepherd writeup! > > A couple of these comments are substantive, so I would like to discuss and > resolve them before last call. I’m going to set the draft’s substate to > “revised I-D needed”. > > Please expand “CDNI” in the abstract... and possibly in the title as well, > though you could wait for the RPC to do that if you prefer. Please also > fully expand “CDN” on its first use in the introduction. > > Please replace “UA” in the abstract with “user agent”. > > This document uses the terminology defined in the CDNI Problem > Statement [RFC6707]. > > I believe that terminology definitions are normative references, so I > believe this makes 6707 normative. Happily, normative downrefs such as > this are accepted now, so please make the reference normative and I will > make sure it’s called out in the last call notice. > > — Section 1.3 — > > With symmetric keys, the same key is > used by both the signing entity for signing the URI as well as by the > verifying entity for verifying the Signed URI. > > Nit: Think of “both” as an open parenthesis (and the end of he sentence as > the closing one here). The first “by” is outside the parens (before > “both”), but the second is inside, and that’s not parallel. Make it either > “by both the signing entity [...] and the verifying entity” or “both by the > signing entity [...] and by the verifying entity”. > > distributed openly (because they cannot be used to sign URIs) and > private keys are kept secret by the URI signer. > > I would say “and the corresponding private keys”. > > — Section 1.4 — > > While the URI signing method defined in this document was primarily > created for the purpose of allowing URI Signing in CDNI scenarios, > i.e., between a uCDN and a dCDN, there is nothing in the defined URI > Signing method that precludes it from being used in a non-CDNI > > As you see here, you capitalize “URI Signing” inconsistently,even in this > one paragraph. Please check the document for consistency in the > capitalization: pick one and use it throughout. > > — Section 2 — > > HTTP or HTTPS URI [RFC7230] (Section 2.7). > > This is a quirk of the tools and not a fault in the draft, but this > results in the html version having a clickable link to RFC 7230, and then > another clickable link to Section 2.7 of this document (which, of course, > isn’t there). I think if you change this to “HTTP or HTTPS URI (see > [RFC7230] Section 2.7)” the generated link will work better. > I made this change but not sure if it had the intended effect. Please confirm. > > o a reserved character (as defined in [RFC3986] Section 2.2), > > Any reserved character? And the three reserved characters in bullets 1, > 3, and 5 can be any three different ones? I think I know what you mean, > but it seems that an implementer who doesn’t could go quite wrong. Maybe > some more words along with these bullets would be better? > > [For example, in the URI < > http://example.com/content?sign=jwtdatahere&other >, I think that if I > strictly implement what you have here I would interpret “example.com/” as > the attribute name (because “/“ is a reserved character), “content” as the > JWT package, and “?” as the terminating special character. But you’re > looking for something more like “sign” as the attribute name and > “jwtdatahere” as the JWT package, yes?] > > Also, I don’t see any examples in the draft of a Signed URI, and I think > an example or two here of a couple of variations would also help. > > — Section 2.1 — > Several of the subsections that deal with time values repeat this text > exactly: > > Note: The time > on the entities that generate and verify the signed URI SHOULD be in > sync. In the CDNI case, this means that CSP, uCDN, and dCDN servers > need to be time-synchronized. It is RECOMMENDED to use NTP [RFC5905] > for time synchronization. > > I suggest cleaning this up by moving that note up here to the end of > Section 2.1, saying, “Note: When claims related to time are used, the time > on the entities...” > > — Section 2.1.7 — > > previously seen the nonce used in a request for the same content > > This is the only spot where you don’t capitalize “Nonce”. > > — Section 2.1.9 — > > This claim MUST be understood and processed by > all implementations. > > Section 2.1 already said this about all claims, so why say it here about > this one in particular? > The part in Section 2.1 should have been removed. I made that change instead. > > — Section 2.1.10 — > > Client IP (cdniip) [optional] - The Client IP (cdniip) claim hold an > > Nit: “holds” > > — Section 2.1.15 — > > The URI Container (cdniuc) claim takes one of the following forms > > This is the only claim definition that doesn’t say “[optional]”. Should > it? > I see it as optional in the latest published version of the draft already. Was there another claim you were meaning instead? > > — Section 3.2 — > > the following section defines a mechanism using HTTP Cookies > > Please use a specific section xref instead. > > — Section 6.7 — > Thanks for including advice to the experts. > > Expert Reviewers should be empowered to pass judgements > as they see fit > > This is very vague and, to me, implies more capriciousness than I think > you really intend. Can you come up with another way to word this that > gives a bit more guidance? What sorts of judgments are they likely to make? > This one I agree with you on, but I struggled in adding it. I made some changes, but more guidance is welcome. > > — Section 7 — > > seconds to prevent a sudden network issues from denying legitimate > > Nit: either remove “a” or make it “issue”. > > — > Barry > > _______________________________________________ > CDNi mailing list > CDNi@ietf.org > https://www.ietf.org/mailman/listinfo/cdni >
- [CDNi] AD review of draft-ietf-cdni-uri-signing-19 Barry Leiba
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Barry Leiba
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Phil Sorber
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Barry Leiba
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Phil Sorber
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Barry Leiba
- Re: [CDNi] AD review of draft-ietf-cdni-uri-signi… Barry Leiba