< draft-ietf-cdni-uri-signing-17.txt   draft-ietf-cdni-uri-signing-18.txt >
CDNI R. van Brandenburg CDNI R. van Brandenburg
Internet-Draft Tiledmedia Internet-Draft Tiledmedia
Intended status: Standards Track K. Leung Intended status: Standards Track K. Leung
Expires: September 12, 2019 Cisco Systems, Inc. Expires: November 8, 2019 Cisco Systems, Inc.
P. Sorber P. Sorber
Apple, Inc. Apple, Inc.
March 11, 2019 May 7, 2019
URI Signing for CDN Interconnection (CDNI) URI Signing for CDN Interconnection (CDNI)
draft-ietf-cdni-uri-signing-17 draft-ietf-cdni-uri-signing-18
Abstract Abstract
This document describes how the concept of URI signing supports the This document describes how the concept of URI signing supports the
content access control requirements of CDNI and proposes a URI content access control requirements of CDNI and proposes a URI
signing method as a JSON Web Token (JWT) profile. signing method as a JSON Web Token (JWT) profile.
The proposed URI signing method specifies the information needed to The proposed URI signing method specifies the information needed to
be included in the URI to transmit the signed JWT, as well as the be included in the URI to transmit the signed JWT, as well as the
claims needed by the signed JWT to authorize a UA. The mechanism claims needed by the signed JWT to authorize a UA. The mechanism
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 12, 2019. This Internet-Draft will expire on November 8, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 9, line 40 skipping to change at page 9, line 40
The URI Signing Package will be found by searching the URI, left-to- The URI Signing Package will be found by searching the URI, left-to-
right, for the following sequence: right, for the following sequence:
o a reserved character (as defined in [RFC3986] Section 2.2), o a reserved character (as defined in [RFC3986] Section 2.2),
o the URI Signing Package Attribute name, o the URI Signing Package Attribute name,
o if the last character of the URI Signing Package Attribute name is o if the last character of the URI Signing Package Attribute name is
not a reserved character, an equal symbol ('='), not a reserved character, an equal symbol ('='),
o and a sequence of non-reserved characters that will be interpreted o and a sequence of zero or more non-reserved characters that will
as a signed JWT, be interpreted as a signed JWT,
o terminated by either a reserved character or the end of the URI. o terminated by either a reserved character or the end of the URI.
The first such match will be taken to provide the signed JWT; the URI The first such match will be taken to provide the signed JWT; the URI
will not be searched for multiple signed JWTs. will not be searched for multiple signed JWTs.
2.1. JWT Claims 2.1. JWT Claims
This section identifies the set of claims that can be used to enforce This section identifies the set of claims that can be used to enforce
the CSP distribution policy. New claims can be introduced in the the CSP distribution policy. New claims can be introduced in the
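Review bot: the change in the fourth bullet from "a sequence of non-reserved characters" to "a sequence of zero or more non-reserved characters" means an attribute with an empty value (the attribute name, the "=", and then immediately a reserved character or the end of the URI) now matches and yields an empty signed JWT, but the text does not say how the verifier treats that case. Because the first match ends the search and the URI is not searched for further JWTs, the empty match is the only token the verifier will see; state explicitly that an empty value is a verification failure (for example, reported under the "malformed URI" result) rather than the same as no signed JWT being present, so an implementation cannot fail open on an empty package. Suggested sentence after the last bullet: "An empty sequence MUST be treated as a signed JWT that fails verification."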
skipping to change at page 11, line 15 skipping to change at page 11, line 15
signed JWT contains a Subject claim, then any JWT subsequently signed JWT contains a Subject claim, then any JWT subsequently
generated for CDNI redirection MUST also contain a Subject claim, and generated for CDNI redirection MUST also contain a Subject claim, and
the Subject value MUST be the same as in the received signed JWT. A the Subject value MUST be the same as in the received signed JWT. A
signed JWT generated for CDNI redirection MUST NOT add a Subject signed JWT generated for CDNI redirection MUST NOT add a Subject
claim if no Subject claim existed in the received signed JWT. claim if no Subject claim existed in the received signed JWT.
2.1.3. Audience (aud) claim 2.1.3. Audience (aud) claim
Audience (aud) [optional] - The semantics in [RFC7519] Section 4.1.3 Audience (aud) [optional] - The semantics in [RFC7519] Section 4.1.3
MUST be followed. This claim is used to ensure that the CDN verifing MUST be followed. This claim is used to ensure that the CDN verifing
the JWT is an intended recipient of the request. It should be the JWT is an intended recipient of the request. The claim should
appropriately set to an identiy that the validating CDN understands contain an identity on behalf of whom the CDN can verify the token
itself to be capable of validating on behalf of. This may be the CSP (e.g., the CSP or any uCDN in the chain). A dCDN MAY modify the
identity, or any CDN in the chain and can also be modified as needed claim as long it can generate a valid signature.
by any entity in the chain as long as they can generate a valid
signature.
2.1.4. Expiry Time (exp) claim 2.1.4. Expiry Time (exp) claim
Expiry Time (exp) [optional] - The semantics in [RFC7519] Expiry Time (exp) [optional] - The semantics in [RFC7519]
Section 4.1.4 MUST be followed, though URI Signing implementations Section 4.1.4 MUST be followed, though URI Signing implementations
MUST NOT allow for any time synchronization "leeway". Note: The time MUST NOT allow for any time synchronization "leeway". Note: The time
on the entities that generate and verify the signed URI SHOULD be in on the entities that generate and verify the signed URI SHOULD be in
sync. In the CDNI case, this means that CSP, uCDN, and dCDN servers sync. In the CDNI case, this means that CSP, uCDN, and dCDN servers
need to be time-synchronized. It is RECOMMENDED to use NTP [RFC5905] need to be time-synchronized. It is RECOMMENDED to use NTP [RFC5905]
for time synchronization. If the CDN verifying the signed JWT does for time synchronization. If the CDN verifying the signed JWT does
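Review bot: in the rewritten Audience text, "A dCDN MAY modify the claim as long it can generate a valid signature" is missing a word ("as long as it can"), and the rewrite narrows who may change the claim from "any entity in the chain" to a dCDN without saying what the verifying CDN does when the "aud" value names neither itself nor an identity it validates on behalf of. Since the claim exists to reject tokens not intended for the verifying CDN, say plainly that such a token MUST be rejected (this is the [RFC7519] Section 4.1.3 behaviour the first sentence already requires, and it is what the Audience enforcement result code later in the document reports), and tie the modification permission to the rule the Subject claim above already uses: a JWT generated for CDNI redirection may carry a changed "aud" only after the received signed JWT has been verified. The example "the CSP or any uCDN in the chain" also reads as if a dCDN could not itself be the audience; state whether a dCDN may be named directly.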
skipping to change at page 21, line 33 skipping to change at page 21, line 33
are: are:
+ "000" : no signed JWT verification performed + "000" : no signed JWT verification performed
+ "200" : signed JWT verification performed and verified + "200" : signed JWT verification performed and verified
+ "400" : signed JWT verification performed and rejected + "400" : signed JWT verification performed and rejected
because of incorrect signature because of incorrect signature
+ "401" : signed JWT verification performed and rejected + "401" : signed JWT verification performed and rejected
because of Expiration Time enforcement because of Issuer enforcement
+ "402" : signed JWT verification performed and rejected + "402" : signed JWT verification performed and rejected
because of Client IP enforcement because of Subject enforcement
+ "403" : signed JWT verification performed and rejected + "403" : signed JWT verification performed and rejected
because of URI Container enforcement because of Audience enforcement
+ "404" : signed JWT verification performed and rejected + "404" : signed JWT verification performed and rejected
because of Issuer enforcement because of Expiration Time enforcement
+ "405" : signed JWT verification performed and rejected + "405" : signed JWT verification performed and rejected
because of Not Before enforcement because of Not Before enforcement
+ "406" : signed JWT verification performed and rejected + "406" : signed JWT verification performed and rejected
because of Subject enforcement because of Issued At enforcement
+ "407" : signed JWT verification performed and rejected + "407" : signed JWT verification performed and rejected
because of Audience enforcement because of Nonce enforcement
+ "408" : signed JWT verification performed and rejected + "408" : signed JWT verification performed and rejected
because of Nonce enforcement because of Version enforcement
+ "409" : signed JWT verification performed and rejected + "409" : signed JWT verification performed and rejected
because of Version enforcement because of Critical Extention enforcement
+ "410" : signed JWT verification performed and rejected + "410" : signed JWT verification performed and rejected
because of Critical Extention enforcement because of Client IP enforcement
+ "411" : signed JWT verification performed and rejected
because of URI Container enforcement
+ "500" : unable to perform signed JWT verification because of + "500" : unable to perform signed JWT verification because of
malformed URI malformed URI
* occurrence: there MUST be zero or exactly one instance of this * occurrence: there MUST be zero or exactly one instance of this
field. field.
o s-uri-signing-deny-reason (optional): o s-uri-signing-deny-reason (optional):
* format: QSTRING * format: QSTRING
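Review bot: the renumbering in this hunk reassigns existing values instead of appending new ones: "401" moves from Expiration Time to Issuer, "402" from Client IP to Subject, "403" from URI Container to Audience, "404" from Issuer to Expiration Time, and so on through "410", with Client IP and URI Container shifted to "410" and "411" and a new "406" added for Issued At. A logging consumer built against -17 will now attribute rejection reasons to the wrong claim without any parse error, because every old value is still a valid code; if the claim-ordered layout is wanted, call the incompatibility out in a change note, otherwise keep the old values and add only the new Issued At code. Separately, "Critical Extention" (now "409") is misspelled in both versions and should read "Critical Extension", and the list should say which code an empty or unparsable signed JWT maps to, since "500" is scoped to a malformed URI while a present-but-empty package is a syntactically valid URI.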
 End of changes. 15 change blocks. 
21 lines changed or deleted 22 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/