diff options
author | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
---|---|---|
committer | Thomas Voss <mail@thomasvoss.com> | 2024-11-27 20:54:24 +0100 |
commit | 4bfd864f10b68b71482b35c818559068ef8d5797 (patch) | |
tree | e3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc9246.txt | |
parent | ea76e11061bda059ae9f9ad130a9895cc85607db (diff) |
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc9246.txt')
-rw-r--r-- | doc/rfc/rfc9246.txt | 1939 |
1 files changed, 1939 insertions, 0 deletions
diff --git a/doc/rfc/rfc9246.txt b/doc/rfc/rfc9246.txt new file mode 100644 index 0000000..deafe4d --- /dev/null +++ b/doc/rfc/rfc9246.txt @@ -0,0 +1,1939 @@ + + + + +Internet Engineering Task Force (IETF) R. van Brandenburg +Request for Comments: 9246 Tiledmedia +Category: Standards Track K. Leung +ISSN: 2070-1721 + P. Sorber + Apple, Inc. + June 2022 + + + URI Signing for Content Delivery Network Interconnection (CDNI) + +Abstract + + This document describes how the concept of URI Signing supports the + content access control requirements of Content Delivery Network + Interconnection (CDNI) and proposes a URI Signing method as a JSON + Web Token (JWT) profile. + + The proposed URI Signing method specifies the information needed to + be included in the URI to transmit the signed JWT, as well as the + claims needed by the signed JWT to authorize a User Agent (UA). The + mechanism described can be used both in CDNI and single Content + Delivery Network (CDN) scenarios. + +Status of This Memo + + This is an Internet Standards Track document. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Further information on + Internet Standards is available in Section 2 of RFC 7841. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + https://www.rfc-editor.org/info/rfc9246. + +Copyright Notice + + Copyright (c) 2022 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Revised BSD License text as described in Section 4.e of the + Trust Legal Provisions and are provided without warranty as described + in the Revised BSD License. + +Table of Contents + + 1. Introduction + 1.1. Terminology + 1.2. Background and Overview on URI Signing + 1.3. CDNI URI Signing Overview + 1.4. URI Signing in a Non-CDNI Context + 2. JWT Format and Processing Requirements + 2.1. JWT Claims + 2.1.1. Issuer (iss) Claim + 2.1.2. Subject (sub) Claim + 2.1.3. Audience (aud) Claim + 2.1.4. Expiry Time (exp) Claim + 2.1.5. Not Before (nbf) Claim + 2.1.6. Issued At (iat) Claim + 2.1.7. JWT ID (jti) Claim + 2.1.8. CDNI Claim Set Version (cdniv) Claim + 2.1.9. CDNI Critical Claims Set (cdnicrit) Claim + 2.1.10. Client IP Address (cdniip) Claim + 2.1.11. CDNI URI Container (cdniuc) Claim + 2.1.12. CDNI Expiration Time Setting (cdniets) Claim + 2.1.13. CDNI Signed Token Transport (cdnistt) Claim + 2.1.14. CDNI Signed Token Depth (cdnistd) Claim + 2.1.15. URI Container Forms + 2.1.15.1. URI Hash Container (hash:) + 2.1.15.2. URI Regular Expression Container (regex:) + 2.2. JWT Header + 3. URI Signing Token Renewal + 3.1. Overview + 3.2. Signed Token Renewal Mechanism + 3.2.1. Required Claims + 3.3. Communicating a Signed JWT in Signed Token Renewal + 3.3.1. Support for Cross-Domain Redirection + 4. Relationship with CDNI Interfaces + 4.1. CDNI Control Interface + 4.2. CDNI Footprint & Capabilities Advertisement Interface + 4.3. CDNI Request Routing Redirection Interface + 4.4. CDNI Metadata Interface + 4.5. CDNI Logging Interface + 5. URI Signing Message Flow + 5.1. HTTP Redirection + 5.2. DNS Redirection + 6. IANA Considerations + 6.1. CDNI Payload Type + 6.1.1. CDNI UriSigning Payload Type + 6.2. CDNI Logging Record Type + 6.2.1. CDNI Logging Record Version 2 for HTTP + 6.3. CDNI Logging Field Names + 6.4. CDNI URI Signing Verification Code + 6.5. CDNI URI Signing Signed Token Transport + 6.6. JSON Web Token Claims Registration + 6.6.1. Registry Contents + 6.7. Expert Review Guidance + 7. Security Considerations + 8. Privacy + 9. References + 9.1. Normative References + 9.2. Informative References + Appendix A. Signed URI Package Example + A.1. Simple Example + A.2. Complex Example + A.3. Signed Token Renewal Example + Acknowledgements + Contributors + Authors' Addresses + +1. Introduction + + This document describes the concept of URI Signing and how it can be + used to provide access authorization in the case of redirection + between cooperating CDNs and between a Content Service Provider (CSP) + and a CDN. The primary goal of URI Signing is to make sure that only + authorized UAs are able to access the content, with a CSP being able + to authorize every individual request. It should be noted that URI + Signing is not a content protection scheme; if a CSP wants to protect + the content itself, other mechanisms, such as Digital Rights + Management (DRM), are more appropriate. In addition to access + control, URI Signing also has benefits in reducing the impact of + denial-of-service attacks. + + The overall problem space for CDN Interconnection (CDNI) is described + in the CDNI Problem Statement [RFC6707] specification. This + document, along with the Content Distribution Network Interconnection + (CDNI) Requirements [RFC7337] document and the Framework for Content + Distribution Network Interconnection (CDNI) [RFC7336], describes the + need for interconnected CDNs to be able to implement an access + control mechanism that enforces a CSP's distribution policies. + + Specifically, the CDNI Framework [RFC7336] states: + + The CSP may also trust the CDN operator to perform actions such as + delegating traffic to additional downstream CDNs, and to enforce + per-request authorization performed by the CSP using techniques + such as URI Signing. + + In particular, the following requirement is listed in the CDNI + Requirements [RFC7337]: + + | MI-16 {HIGH} The CDNI Metadata interface shall allow signaling + | of authorization checks and validation that are to be + | performed by the Surrogate before delivery. For example, + | this could potentially include the need to validate + | information (e.g., Expiry time, Client IP address) required + | for access authorization. + + This document defines a method of signing URIs that allows Surrogates + in interconnected CDNs to enforce a per-request authorization + initiated by the CSP. Splitting the role of initiating per-request + authorization by the CSP and the role of verifying this authorization + by the CDN allows any arbitrary distribution policy to be enforced + across CDNs without the need of CDNs to have any awareness of the + specific CSP distribution policies. + + The method is implemented using signed JSON Web Tokens (JWTs) + [RFC7519]. + +1.1. Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and + "OPTIONAL" in this document are to be interpreted as described in + BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all + capitals, as shown here. + + This document uses the terminology defined in the CDNI Problem + Statement [RFC6707]. + + This document also uses the terminology of the JSON Web Token (JWT) + [RFC7519]. + + In addition, the following terms are used throughout this document: + + FCI: Footprint & Capabilities Advertisement interface + + Signed URI: A URI for which a signed JWT is provided. + + Target CDN URI: A URI created by the CSP to direct a UA towards the + upstream CDN (uCDN). The Target CDN URI can be signed by the CSP + and verified by the uCDN and possibly further downstream CDNs + (dCDNs). + + Redirection URI: A URI created by the uCDN to redirect a UA towards + the dCDN. The Redirection URI can be signed by the uCDN and + verified by the dCDN. In a cascaded CDNI scenario, there can be + more than one Redirection URI. + + Signed Token Renewal: A series of signed JWTs that are used for + subsequent access to a set of related resources in a CDN, such as + a set of HTTP Adaptive Streaming files. Every time a signed JWT + is used to access a particular resource, a new signed JWT is sent + along with the resource that can be used to request the next + resource in the set. When generating a new signed JWT in Signed + Token Renewal, parameters are carried over from one signed JWT to + the next. + +1.2. Background and Overview on URI Signing + + A CSP and CDN are assumed to have a trust relationship that enables + the CSP to authorize access to a content item, which is realized in + practice by including a set of claims in a signed JWT in the URI + before redirecting a UA to the CDN. Using these attributes, it is + possible for a CDN to check an incoming content request to see + whether it was authorized by the CSP (e.g., based on a time window or + pattern matching the URI). To prevent the UA from altering the + claims, the JWT MUST be signed. + + Figure 1 presents an overview of the URI Signing mechanism in the + case of a CSP with a single CDN. When the UA browses for content on + CSP's website (1), it receives HTML web pages with embedded content + URIs. Upon requesting these URIs, the CSP redirects to a CDN, + creating a Target CDN URI (2) (alternatively, the Target CDN URI + itself is embedded in the HTML). The Target CDN URI is the Signed + URI, which may include the IP address of the UA and/or a time window. + The Signed URI always contains a signed JWT generated by the CSP + using a shared secret or private key. Once the UA receives the + response with the Signed URI, it sends a new HTTP request using the + Signed URI to the CDN (3). Upon receiving the request, the CDN + authenticates the Signed URI by verifying the signed JWT. If + applicable, the CDN checks whether the time window is still valid in + the Signed URI and the pattern matches the URI of the request. After + these claims are verified, the CDN delivers the content (4). + + Note: While using a symmetric shared key is supported, it is NOT + RECOMMENDED. See the Security Considerations (Section 7) about the + limitations of shared keys. + + -------- + / \ + | CSP |< * * * * * * * * * * * + \ / Trust * + -------- relationship * + ^ | * + | | * + 1. Browse | | 2. Signed * + for | | URI * + content | | * + | v v + +------+ 3. Signed URI -------- + | User |----------------->/ \ + | Agent| | CDN | + | |<-----------------\ / + +------+ 4. Content -------- + Delivery + + Figure 1: URI Signing in a CDN Environment + +1.3. CDNI URI Signing Overview + + In a CDNI environment, as shown in Figure 2 below, URI Signing + operates the same way in the initial steps 1 and 2, but the later + steps involve multiple CDNs delivering the content. The main + difference from the single CDN case is a redirection step between the + uCDN and the dCDN. In step 3, the UA may send an HTTP request or a + DNS request, depending on whether HTTP-based or DNS-based request + routing is used. The uCDN responds by directing the UA towards the + dCDN using either a Redirection URI (i.e., a Signed URI generated by + the uCDN) or a DNS reply, respectively (4). Once the UA receives the + response, it sends the Redirection URI/Target CDN URI to the dCDN + (5). The received URI is verified by the dCDN before delivering the + content (6). + + Note: The CDNI call flows are covered in URI Signing Message Flow + (Section 5). + + +-------------------------+ + |Request Redirection Modes| + +-------------------------+ + | a) HTTP | + | b) DNS | + +-------------------------+ + -------- + / \< * * * * * * * * * * * * * * + | CSP |< * * * * * * * * * * * * + \ / Trust * * + -------- relationship * * + ^ | * * + | | 2. Signed * * + 1. Browse | | URI in * * + for | | HTML * * + content | | * * + | v 3.a)Signed URI v * + +------+ b)DNS request -------- * Trust + | User |----------------->/ \ * relationship + | Agent| | uCDN | * (optional) + | |<-----------------\ / * + +------+ 4.a)Redirection URI------- * + ^ | b)DNS Reply ^ * + | | * * + | | Trust relationship * * + | | * * + 6. Content | | 5.a)Redirection URI * * + delivery | | b)Signed URI(after v v + | | DNS exchange) -------- + | +---------------------->/ \ [May be + | | dCDN | cascaded + +--------------------------\ / CDNs] + -------- + + Figure 2: URI Signing in a CDNI Environment + + The trust relationships between CSP, uCDN, and dCDN have direct + implications for URI Signing. In the case shown in Figure 2, the CSP + has a trust relationship with the uCDN. The delivery of the content + may be delegated to a dCDN, which has a relationship with the uCDN + but may have no relationship with the CSP. + + In CDNI, there are two methods for request routing: DNS-based and + HTTP-based. For DNS-based request routing, the Signed URI (i.e., the + Target CDN URI) provided by the CSP reaches the CDN directly. In the + case where the dCDN does not have a trust relationship with the CSP, + this means that either an asymmetric public/private key method needs + to be used for computing the signed JWT (because the CSP and dCDN are + not able to exchange symmetric shared secret keys). Shared keys MUST + NOT be redistributed. + + For HTTP-based request routing, the Signed URI (i.e., the Target CDN + URI) provided by the CSP reaches the uCDN. After this URI has been + verified by the uCDN, the uCDN creates and signs a new Redirection + URI, redirecting the UA to the dCDN. Since this new URI can have a + new signed JWT, the relationship between the dCDN and CSP is not + relevant. Because a relationship between uCDN and dCDN always + exists, either asymmetric public/private keys or symmetric shared + secret keys can be used for URI Signing with HTTP-based request + routing. Note that the signed Redirection URI MUST maintain HTTPS as + the scheme if it was present in the original, and it MAY be upgraded + from "http:" to "https:". + + Two types of keys can be used for URI Signing: asymmetric keys and + symmetric shared keys. Asymmetric keys are based on a public/private + key pair mechanism and always contain a private key known only to the + entity signing the URI (either CSP or uCDN) and a public key for the + verification of the Signed URI. With symmetric keys, the same key is + used by both the signing entity for signing the URI and the verifying + entity for verifying the Signed URI. Regardless of the type of keys + used, the verifying entity has to obtain the key in a manner that + allows trust to be placed in the assertions made using that key + (either the public or the symmetric key). There are very different + requirements (outside the scope of this document) for distributing + asymmetric keys and symmetric keys. Key distribution for symmetric + keys requires confidentiality to prevent third parties from getting + access to the key, since they could then generate valid Signed URIs + for unauthorized requests. Key distribution for asymmetric keys does + not require confidentiality since public keys can typically be + distributed openly (because they cannot be used to sign URIs) and the + corresponding private keys are kept secret by the URI signer. + + Note: While using a symmetric shared key is supported, it is NOT + RECOMMENDED. See the Security Considerations (Section 7) about the + limitations of shared keys. + +1.4. URI Signing in a Non-CDNI Context + + While the URI Signing method defined in this document was primarily + created for the purpose of allowing URI Signing in CDNI scenarios, + i.e., between a uCDN and a dCDN, there is nothing in the defined URI + Signing method that precludes it from being used in a non-CDNI + context. As such, the described mechanism could be used in a single- + CDN scenario such as shown in Figure 1 in Section 1.2 for example to + allow a CSP that uses different CDNs to only have to implement a + single URI Signing mechanism. + +2. JWT Format and Processing Requirements + + The concept behind URI Signing is based on embedding a signed JSON + Web Token (JWT) [RFC7519] in an HTTP or HTTPS URI [RFC7230] (see + Section 2.7 of [RFC7230]). The signed JWT contains a number of + claims that can be verified to ensure the UA has legitimate access to + the content. + + This document specifies the following attribute for embedding a + signed JWT in a Target CDN URI or Redirection URI: + + URI Signing Package (URISigningPackage): The URI attribute that + encapsulates all the URI Signing claims in a signed JWT encoded + format. This attribute is exposed in the Signed URI as a path- + style parameter or a form-style parameter. + + The parameter name of the URI Signing Package Attribute is defined in + the CDNI Metadata (Section 4.4). If the CDNI Metadata interface is + not used, or does not include a parameter name for the URI Signing + Package Attribute, the parameter name can be set by configuration + (out of scope of this document). + + The URI Signing Package will be found by parsing any path-style + parameters and form-style parameters looking for a key name matching + the URI Signing Package Attribute. Both parameter styles MUST be + supported to allow flexibility of operation. The first matching + parameter SHOULD be taken to provide the signed JWT, though providing + more than one matching key is undefined behavior. Path-style + parameters generated in the form indicated by Section 3.2.7 of + [RFC6570] and Form-style parameters generated in the form indicated + by Sections 3.2.8 and 3.2.9 of [RFC6570] MUST be supported. + + The following is an example where the URI Signing Package Attribute + name is "token" and the signed JWT is "SIGNEDJWT": + + http://example.com/media/path?come=data&token=SIGNEDJWT&other=data + +2.1. JWT Claims + + This section identifies the set of claims that can be used to enforce + the CSP distribution policy. New claims can be introduced in the + future to extend the distribution policy capabilities. + + In order to provide distribution policy flexibility, the exact subset + of claims used in a given signed JWT is a runtime decision. Claim + requirements are defined in the CDNI Metadata (Section 4.4). If the + CDNI Metadata interface is not used, or does not include claim + requirements, the claim requirements can be set by configuration (out + of scope of this document). + + The following claims (where the "JSON Web Token Claims" registry + claim name is specified in parentheses below) are used to enforce the + distribution policies. All of the listed claims are mandatory to + implement in a URI Signing implementation but are not necessarily + mandatory to use in a given signed JWT. (The "optional" and + "mandatory" identifiers in square brackets refer to whether or not a + given claim MUST be present in a URI Signing JWT.) + + Note: The time on the entities that generate and verify the Signed + URI MUST be in sync. In the CDNI case, this means that CSP, uCDN, + and dCDN servers need to be time synchronized. It is RECOMMENDED to + use NTP [RFC5905] for time synchronization. + + Note: See the Security Considerations (Section 7) on the limitations + of using an expiration time and Client IP address for distribution + policy enforcement. + +2.1.1. Issuer (iss) Claim + + Issuer (iss) [optional] - The semantics in Section 4.1.1 of [RFC7519] + MUST be followed. If this claim is used, it MUST be used to identify + the Issuer (signer) of the JWT. In particular, the recipient will + have already received, in trusted configuration, a mapping of Issuer + name to one or more keys used to sign JWTs and must verify that the + JWT was signed by one of those keys. If this claim is used and the + CDN verifying the signed JWT does not support Issuer verification, or + if the Issuer in the signed JWT does not match the list of known + acceptable Issuers, or if the Issuer claim does not match the key + used to sign the JWT, the CDN MUST reject the request. If the + received signed JWT contains an Issuer claim, then any JWT + subsequently generated for CDNI redirection MUST also contain an + Issuer claim, and the Issuer value MUST be updated to identify the + redirecting CDN. If the received signed JWT does not contain an + Issuer claim, an Issuer claim MAY be added to a signed JWT generated + for CDNI redirection. + +2.1.2. Subject (sub) Claim + + Subject (sub) [optional] - The semantics in Section 4.1.2 of + [RFC7519] MUST be followed. If this claim is used, it MUST be a JSON + Web Encryption (JWE [RFC7516]) Object in compact serialization form, + because it contains personally identifiable information. This claim + contains information about the Subject (for example, a user or an + agent) that MAY be used to verify the signed JWT. If the received + signed JWT contains a Subject claim, then any JWT subsequently + generated for CDNI redirection MUST also contain a Subject claim, and + the Subject value MUST be the same as in the received signed JWT. A + signed JWT generated for CDNI redirection MUST NOT add a Subject + claim if no Subject claim existed in the received signed JWT. + +2.1.3. Audience (aud) Claim + + Audience (aud) [optional] - The semantics in Section 4.1.3 of + [RFC7519] MUST be followed. This claim is used to ensure that the + CDN verifying the JWT is an intended recipient of the request. The + claim MUST contain an identity belonging to the chain of entities + involved in processing the request (e.g., identifying the CSP or any + CDN in the chain) that the recipient is configured to use for the + processing of this request. A CDN MAY modify the claim as long it + can generate a valid signature. + +2.1.4. Expiry Time (exp) Claim + + Expiry Time (exp) [optional] - The semantics in Section 4.1.4 of + [RFC7519] MUST be followed, though URI Signing implementations MUST + NOT allow for any time-synchronization "leeway". If this claim is + used and the CDN verifying the signed JWT does not support Expiry + Time verification, or if the Expiry Time in the signed JWT + corresponds to a time equal to or earlier than the time of the + content request, the CDN MUST reject the request. If the received + signed JWT contains an Expiry Time claim, then any JWT subsequently + generated for CDNI redirection MUST also contain an Expiry Time + claim, and the Expiry Time value MUST be the same as in the received + signed JWT. A signed JWT generated for CDNI redirection MUST NOT add + an Expiry Time claim if no Expiry Time claim existed in the received + signed JWT. + +2.1.5. Not Before (nbf) Claim + + Not Before (nbf) [optional] - The semantics in Section 4.1.5 of + [RFC7519] MUST be followed, though URI Signing implementations MUST + NOT allow for any time-synchronization "leeway". If this claim is + used and the CDN verifying the signed JWT does not support Not Before + time verification, or if the Not Before time in the signed JWT + corresponds to a time later than the time of the content request, the + CDN MUST reject the request. If the received signed JWT contains a + Not Before time claim, then any JWT subsequently generated for CDNI + redirection MUST also contain a Not Before time claim, and the Not + Before time value MUST be the same as in the received signed JWT. A + signed JWT generated for CDNI redirection MUST NOT add a Not Before + time claim if no Not Before time claim existed in the received signed + JWT. + +2.1.6. Issued At (iat) Claim + + Issued At (iat) [optional] - The semantics in Section 4.1.6 of + [RFC7519] MUST be followed. If the received signed JWT contains an + Issued At claim, then any JWT subsequently generated for CDNI + redirection MUST also contain an Issued At claim, and the Issued At + value MUST be updated to identify the time the new JWT was generated. + If the received signed JWT does not contain an Issued At claim, an + Issued At claim MAY be added to a signed JWT generated for CDNI + redirection. + +2.1.7. JWT ID (jti) Claim + + JWT ID (jti) [optional] - The semantics in Section 4.1.7 of [RFC7519] + MUST be followed. A JWT ID can be used to prevent replay attacks if + the CDN stores a list of all previously used values and verifies that + the value in the current JWT has never been used before. If the + signed JWT contains a JWT ID claim and the CDN verifying the signed + JWT either does not support JWT ID storage or has previously seen the + value used in a request for the same content, then the CDN MUST + reject the request. If the received signed JWT contains a JWT ID + claim, then any JWT subsequently generated for CDNI redirection MUST + also contain a JWT ID claim, and the value MUST be the same as in the + received signed JWT. If the received signed JWT does not contain a + JWT ID claim, a JWT ID claim MUST NOT be added to a signed JWT + generated for CDNI redirection. Sizing of the JWT ID is application + dependent given the desired security constraints. + +2.1.8. CDNI Claim Set Version (cdniv) Claim + + CDNI Claim Set Version (cdniv) [optional] - The CDNI Claim Set + Version (cdniv) claim provides a means within a signed JWT to tie the + claim set to a specific version of this specification. The cdniv + claim is intended to allow changes in and facilitate upgrades across + specifications. The type is a JSON integer and the value MUST be set + to "1" for this version of the specification. In the absence of this + claim, the value is assumed to be "1". For future versions, this + claim will be mandatory. Implementations MUST reject signed JWTs + with unsupported CDNI Claim Set versions. + +2.1.9. CDNI Critical Claims Set (cdnicrit) Claim + + CDNI Critical Claims Set (cdnicrit) [optional] - The CDNI Critical + Claims Set (cdnicrit) claim indicates that extensions to this + specification are being used that MUST be understood and processed. + Its value is a comma-separated listing of claims in the Signed JWT + that use those extensions. If any of the listed extension claims are + not understood and supported by the recipient, then the Signed JWT + MUST be rejected. Producers MUST NOT include claim names defined by + this specification, duplicate names, or names that do not occur as + claim names within the Signed JWT in the cdnicrit list. Producers + MUST NOT use the empty list "" as the cdnicrit value. Recipients MAY + consider the Signed JWT to be invalid if the cdnicrit list contains + any claim names defined by this specification or if any other + constraints on its use are violated. This claim MUST be understood + and processed by all implementations. + +2.1.10. Client IP Address (cdniip) Claim + + Client IP Address (cdniip) [optional] - The Client IP Address + (cdniip) claim holds an IP address or IP prefix for which the Signed + URI is valid. This is represented in CIDR notation with dotted + decimal format for IPv4 addresses [RFC0791] or canonical text + representation for IPv6 addresses [RFC5952]. The request MUST be + rejected if sourced from a client outside the specified IP range. + Since the Client IP is considered personally identifiable + information, this field MUST be a JSON Web Encryption (JWE [RFC7516]) + Object in compact serialization form. If the CDN verifying the + signed JWT does not support Client IP verification, or if the Client + IP in the signed JWT does not match the source IP address in the + content request, the CDN MUST reject the request. The type of this + claim is a JSON string that contains the JWE. If the received signed + JWT contains a Client IP claim, then any JWT subsequently generated + for CDNI redirection MUST also contain a Client IP claim, and the + Client IP value MUST be the same as in the received signed JWT. A + signed JWT generated for CDNI redirection MUST NOT add a Client IP + claim if no Client IP claim existed in the received signed JWT. + + It should be noted that use of this claim can cause issues, for + example, in situations with dual-stack IPv4 and IPv6 networks, MPTCP, + QUIC, and mobile clients switching from Wi-Fi to Cellular networks + where the client's source address can change, even between address + families. This claim exists mainly for legacy feature parity + reasons; therefore, use of this claim should be done judiciously. An + example of a reasonable use case would be making a signed JWT for an + internal preview of an asset where the end consumer understands that + they must be originated from the same IP for the entirety of the + session. Using this claim at large is NOT RECOMMENDED. + +2.1.11. CDNI URI Container (cdniuc) Claim + + URI Container (cdniuc) [mandatory] - The URI Container (cdniuc) holds + the URI representation before a URI Signing Package is added. This + representation can take one of several forms detailed in + Section 2.1.15. If the URI Container used in the signed JWT does not + match the URI of the content request, the CDN verifying the signed + JWT MUST reject the request. When comparing the URI, the percent + encoded form as defined in Section 2.1 of [RFC3986] MUST be used. + When redirecting a URI, the CDN generating the new signed JWT MAY + change the URI Container to comport with the URI being used in the + redirection. + +2.1.12. CDNI Expiration Time Setting (cdniets) Claim + + CDNI Expiration Time Setting (cdniets) [optional] - The CDNI + Expiration Time Setting (cdniets) claim provides a means for setting + the value of the Expiry Time (exp) claim when generating a subsequent + signed JWT in Signed Token Renewal. Its type is a JSON numeric + value. It denotes the number of seconds to be added to the time at + which the JWT is verified that gives the value of the Expiry Time + (exp) claim of the next signed JWT. The CDNI Expiration Time Setting + (cdniets) SHOULD NOT be used when not using Signed Token Renewal and + MUST be present when using Signed Token Renewal. + +2.1.13. CDNI Signed Token Transport (cdnistt) Claim + + CDNI Signed Token Transport (cdnistt) [optional] - The CDNI Signed + Token Transport (cdnistt) claim provides a means of signaling the + method through which a new signed JWT is transported from the CDN to + the UA and vice versa for the purpose of Signed Token Renewal. Its + type is a JSON integer. Values for this claim are defined in + Section 6.5. If using this claim, you MUST also specify a CDNI + Expiration Time Setting (cdniets) as noted above. + +2.1.14. CDNI Signed Token Depth (cdnistd) Claim + + CDNI Signed Token Depth (cdnistd) [optional] - The CDNI Signed Token + Depth (cdnistd) claim is used to associate a subsequent signed JWT, + generated as the result of a CDNI Signed Token Transport claim, with + a specific URI subset. Its type is a JSON integer. Signed JWTs MUST + NOT use a negative value for the CDNI Signed Token Depth claim. + + If the transport used for Signed Token Transport allows the CDN to + associate the path component of a URI with tokens (e.g., an HTTP + Cookie Path as described in Section 4.1.2.4 of [RFC6265]), the CDNI + Signed Token Depth value is the number of path segments that should + be considered significant for this association. A CDNI Signed Token + Depth of zero means that the client SHOULD be directed to return the + token with requests for any path. If the CDNI Signed Token Depth is + greater than zero, then the CDN SHOULD send the client a token to + return for future requests wherein the first CDNI Signed Token Depth + segments of the path match the first CDNI Signed Token Depth segments + of the Signed URI path. This matching MUST use the URI with the + token removed, as specified in Section 2.1.15. + + If the URI path to match contains fewer segments than the CDNI Signed + Token Depth claim, a signed JWT MUST NOT be generated for the + purposes of Signed Token Renewal. If the CDNI Signed Token Depth + claim is omitted, it means the same thing as if its value were zero. + If the received signed JWT contains a CDNI Signed Token Depth claim, + then any JWT subsequently generated for CDNI redirection or Signed + Token Transport MUST also contain a CDNI Signed Token Depth claim, + and the value MUST be the same as in the received signed JWT. + +2.1.15. URI Container Forms + + The URI Container (cdniuc) claim takes one of the following forms: + 'hash:' or 'regex:'. More forms may be added in the future to extend + the capabilities. + + Before comparing a URI with contents of this container, the following + steps MUST be performed: + + * Prior to verification, remove the signed JWT from the URI. This + removal is only for the purpose of determining if the URI matches; + all other purposes will use the original URI. If the signed JWT + is terminated by anything other than a sub-delimiter (as defined + in Section 2.2 of [RFC3986]), everything from the reserved + character (as defined in Section 2.2 of [RFC3986]) that precedes + the URI Signing Package Attribute to the last character of the + signed JWT will be removed, inclusive. Otherwise, everything from + the first character of the URI Signing Package Attribute to the + sub-delimiter that terminates the signed JWT will be removed, + inclusive. + + * Normalize the URI according to Section 2.7.3 of [RFC7230] and + Sections 6.2.2 and 6.2.3 of [RFC3986]. This applies to both + generation and verification of the signed JWT. + +2.1.15.1. URI Hash Container (hash:) + + Prefixed with 'hash:', this string is a URL Segment form (Section 5 + of [RFC6920]) of the URI. + +2.1.15.2. URI Regular Expression Container (regex:) + + Prefixed with 'regex:', this string is any regular expression + compatible with POSIX (Section 9 of [POSIX.1]) Extended Regular + Expression used to match against the requested URI. These regular + expressions MUST be evaluated in the POSIX locale (Section 7.2 of + [POSIX.1]). + + Note: Because '\' has special meaning in JSON [RFC8259] as the escape + character within JSON strings, the regular expression character '\' + MUST be escaped as '\\'. + + An example of a 'regex:' is the following: + + [^:]*\\://[^/]*/dir/content/quality_[^/]*/segment.{3}\\.mp4(\\?.*)? + + Note: Due to computational complexity of executing arbitrary regular + expressions, it is RECOMMENDED to only execute after verifying the + JWT to ensure its authenticity. + +2.2. JWT Header + + The header of the JWT MAY be passed via the CDNI Metadata interface + instead of being included in the URISigningPackage. The header value + MUST be transmitted in the serialized encoded form and prepended to + the JWT payload and signature passed in the URISigningPackage prior + to verification. This reduces the size of the signed JWT token. + +3. URI Signing Token Renewal + +3.1. Overview + + For content that is delivered via HTTP in a segmented fashion, such + as MPEG-DASH [MPEG-DASH] or HTTP Live Streaming (HLS) [RFC8216], + special provisions need to be made in order to ensure URI Signing can + be applied. In general, segmented protocols work by breaking large + objects (e.g., videos) into a sequence of small independent segments. + Such segments are then referenced by a separate manifest file, which + either includes a list of URLs to the segments or specifies an + algorithm through which a User Agent can construct the URLs to the + segments. Requests for segments therefore originate from the + manifest file and, unless the URLs in the manifest file point to the + CSP, are not subjected to redirection and URI Signing. This opens up + a vulnerability to malicious User Agents sharing the manifest file + and deep linking to the segments. + + One method for dealing with this vulnerability would be to include, + in the manifest itself, Signed URIs that point to the individual + segments. There exist a number of issues with that approach. First, + it requires the CDN delivering the manifest to rewrite the manifest + file for each User Agent, which would require the CDN to be aware of + the exact segmentation protocol used. Secondly, it could also + require the expiration time of the Signed URIs to be valid for an + extended duration if the content described by the manifest is meant + to be consumed in real time. For instance, if the manifest file were + to contain a segmented video stream of more than 30 minutes in + length, Signed URIs would require to be valid for at least 30 + minutes, thereby reducing their effectiveness and that of the URI + Signing mechanism in general. For a more detailed analysis of how + segmented protocols such as HTTP Adaptive Streaming protocols affect + CDNI, see Models for HTTP-Adaptive-Streaming-Aware Content + Distribution Network Interconnection (CDNI) [RFC6983]. + + The method described in this section allows CDNs to use URI Signing + for segmented content without having to include the Signed URIs in + the manifest files themselves. + +3.2. Signed Token Renewal Mechanism + + In order to allow for effective access control of segmented content, + the URI Signing mechanism defined in this section is based on a + method through which subsequent segment requests can be linked + together. As part of the JWT verification procedure, the CDN can + generate a new signed JWT that the UA can use to do a subsequent + request. More specifically, whenever a UA successfully retrieves a + segment, it receives, in the HTTP 2xx Successful message, a signed + JWT that it can use whenever it requests the next segment. As long + as each successive signed JWT is correctly verified before a new one + is generated, the model is not broken, and the User Agent can + successfully retrieve additional segments. Given the fact that with + segmented protocols it is usually not possible to determine a priori + which segment will be requested next (i.e., to allow for seeking + within the content and for switching to a different representation), + the Signed Token Renewal uses the URI Regular Expression Container + scoping mechanisms in the URI Container (cdniuc) claim to allow a + signed JWT to be valid for more than one URL. + + In order for this renewal of signed JWTs to work, it is necessary for + a UA to extract the signed JWT from the HTTP 2xx Successful message + of an earlier request and use it to retrieve the next segment. The + exact mechanism by which the client does this is outside the scope of + this document. However, in order to also support legacy UAs that do + not include any specific provisions for the handling of signed JWTs, + Section 3.3 defines a mechanism using HTTP Cookies [RFC6265] that + allows such UAs to support the concept of renewing signed JWTs + without requiring any additional UA support. + +3.2.1. Required Claims + + The cdnistt claim (Section 2.1.13) and cdniets claim (Section 2.1.12) + MUST both be present for Signed Token Renewal. cdnistt MAY be set to + a value of '0' to mean no Signed Token Renewal, but there still MUST + be a corresponding cdniets that verifies as a JSON number. However, + if use of Signed Token Renewal is not desired, it is RECOMMENDED to + simply omit both. + +3.3. Communicating a Signed JWT in Signed Token Renewal + + This section assumes the value of the CDNI Signed Token Transport + (cdnistt) claim has been set to 1. + + When using the Signed Token Renewal mechanism, the signed JWT is + transported to the UA via a 'URISigningPackage' cookie added to the + HTTP 2xx Successful message along with the content being returned to + the UA, or to the HTTP 3xx Redirection message in case the UA is + redirected to a different server. + +3.3.1. Support for Cross-Domain Redirection + + For security purposes, the use of cross-domain cookies is not + supported in some application environments. As a result, the Cookie- + based method for transport of the Signed Token described in + Section 3.3 might break if used in combination with an HTTP 3xx + Redirection response where the target URL is in a different domain. + In such scenarios, Signed Token Renewal of a signed JWT SHOULD be + communicated via the query string instead, in a similar fashion to + how regular signed JWTs (outside of Signed Token Renewal) are + communicated. Note the value of the CDNI Signed Token Transport + (cdnistt) claim MUST be set to 2. + + Note that the process described herein only works in cases where both + the manifest file and segments constituting the segmented content are + delivered from the same domain. In other words, any redirection + between different domains needs to be carried out while retrieving + the manifest file. + +4. Relationship with CDNI Interfaces + + Some of the CDNI Interfaces need enhancements to support URI Signing. + A dCDN that supports URI Signing needs to be able to advertise this + capability to the uCDN. The uCDN needs to select a dCDN based on + such capability when the CSP requires access control to enforce its + distribution policy via URI Signing. Also, the uCDN needs to be able + to distribute via the CDNI Metadata interface the information + necessary to allow the dCDN to verify a Signed URI. Events that + pertain to URI Signing (e.g., request denial or delivery after an + access authorization decision has been made) need to be included in + the logs communicated through the CDNI Logging interface. + +4.1. CDNI Control Interface + + URI Signing has no impact on this interface. + +4.2. CDNI Footprint & Capabilities Advertisement Interface + + The CDNI Request Routing: Footprint and Capabilities Semantics + document [RFC8008] defines support for advertising CDNI Metadata + capabilities via CDNI Payload Type. The CDNI Payload Type registered + in Section 6.1 can be used for capability advertisement. + +4.3. CDNI Request Routing Redirection Interface + + The CDNI Request Routing Redirection Interface [RFC7975] describes + the recursive request redirection method. For URI Signing, the uCDN + signs the URI provided by the dCDN. URI Signing therefore has no + impact on this interface. + +4.4. CDNI Metadata Interface + + The CDNI Metadata Interface [RFC8006] describes the CDNI Metadata + distribution needed to enable content acquisition and delivery. For + URI Signing, a new CDNI Metadata object is specified. + + The UriSigning Metadata object contains information to enable URI + Signing and verification by a dCDN. The UriSigning properties are + defined below. + + Property: enforce + + Description: URI Signing enforcement flag. Specifically, this + flag indicates if the access to content is subject to URI + Signing. URI Signing requires the dCDN to ensure that the + URI is signed and verified before delivering content. + Otherwise, the dCDN does not perform verification, + regardless of whether or not the URI is signed. + + Type: Boolean + + Mandatory-to-Specify: No. The default is true. + + Property: issuers + + Description: A list of valid Issuers against which the Issuer + claim in the signed JWT may be cross-referenced. + + Type: Array of Strings + + Mandatory-to-Specify: No. The default is an empty list. An + empty list means that any Issuer in the trusted key store of + Issuers is acceptable. + + Property: package-attribute + + Description: The attribute name to use for the URI Signing + Package. + + Type: String + + Mandatory-to-Specify: No. The default is "URISigningPackage". + + Property: jwt-header + + Description: The header part of JWT that is used for verifying + a signed JWT when the JWT token in the URI Signing Package + does not contain a header part. + + Type: String + + Mandatory-to-Specify: No. By default, the header is assumed + to be included in the JWT token. + + The following is an example of a URI Signing metadata payload with + all default values: + + { + "generic-metadata-type": "MI.UriSigning" + "generic-metadata-value": {} + } + + The following is an example of a URI Signing metadata payload with + explicit values: + + { + "generic-metadata-type": "MI.UriSigning" + "generic-metadata-value": + { + "enforce": true, + "issuers": ["csp", "ucdn1", "ucdn2"], + "package-attribute": "usp", + "jwt-header": + { + "alg": "ES256", + "kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0" + } + } + } + +4.5. CDNI Logging Interface + + For URI Signing, the dCDN reports that enforcement of the access + control was applied to the request for content delivery. When the + request is denied due to enforcement of URI Signing, the reason is + logged. + + The following CDNI Logging field for URI Signing SHOULD be supported + in the HTTP Request Logging Record as specified in "Content + Distribution Network Interconnection (CDNI) Logging Interface" + [RFC7937] using the new "cdni_http_request_v2" record-type registered + in Section 6.2.1. + + * s-uri-signing (mandatory): + + Format: 3DIGIT + + Field value: this characterizes the URI Signing verification + performed by the Surrogate on the request. The allowed values + are registered in Section 6.4. + + Occurrence: there MUST be zero or exactly one instance of this + field. + + * s-uri-signing-deny-reason (optional): + + Format: QSTRING + + Field value: a string for providing further information in case + the signed JWT was rejected, e.g., for debugging purposes. + + Occurrence: there MUST be zero or exactly one instance of this + field. + +5. URI Signing Message Flow + + URI Signing supports both HTTP-based and DNS-based request routing. + JSON Web Token (JWT) [RFC7519] defines a compact, URL-safe means of + representing claims to be transferred between two parties. The + claims in a Signed JWT are encoded as a JSON object that is used as + the payload of a JSON Web Signature (JWS) structure enabling the + claims to be digitally signed or integrity protected with a Message + Authentication Code (MAC). + +5.1. HTTP Redirection + + For HTTP-based request routing, a set of information that is unique + to a given end user content request is included in a Signed JWT, + using key information that is specific to a pair of adjacent CDNI + hops (e.g., between the CSP and the uCDN or between the uCDN and a + dCDN). This allows a CDNI hop to ascertain the authenticity of a + given request received from a previous CDNI hop. + + The URI Signing method (assuming HTTP redirection, iterative request + routing, and a CDN path with two CDNs) includes the following steps: + + End-User dCDN uCDN CSP + | | | | + | 1.CDNI FCI used to | | + | advertise URI Signing capability | | + | |------------------->| | + | | | | + | 2.Provides information to verify Signed JWT | + | | |<-------------------| + | | | | + | 3.CDNI Metadata interface used to| | + | provide URI Signing attributes| | + | |<-------------------| | + : : : : + : (Later in time) : : : + |4.Authorization request | | + |------------------------------------------------------------->| + | | | [Apply distribution + | | | policy] | + | | | | + | | (ALT: Authorization decision) + |5.Request is denied | | <Negative> | + |<-------------------------------------------------------------| + | | | | + |6.CSP provides Signed URI | <Positive> | + |<-------------------------------------------------------------| + | | | | + |7.Content request | | | + |---------------------------------------->| [Verify URI | + | | | signature] | + | | | | + | | (ALT: Verification result) | + |8.Request is denied | <Negative>| | + |<----------------------------------------| | + | | | | + |9.Re-sign URI and redirect to <Positive>| | + | dCDN (newly Signed URI) | | + |<----------------------------------------| | + | | | | + |10.Content request | | | + |------------------->| [Verify URI | | + | | signature] | | + | | | | + | (ALT: Verification result) | | + |11.Request is denied| <Negative> | | + |<-------------------| | | + | | | | + |12.Content delivery | <Positive> | | + |<-------------------| | | + : : : : + : (Later in time) : : : + |13.CDNI Logging interface to include URI Signing information | + | |------------------->| | + + Figure 3: HTTP-Based Request Routing with URI Signing + + 1. Using the CDNI Footprint & Capabilities Advertisement interface, + the dCDN advertises its capabilities including URI Signing + support to the uCDN. + + 2. CSP provides to the uCDN the information needed to verify Signed + URIs from that CSP. For example, this information will include + one or more keys used for validation. + + 3. Using the CDNI Metadata interface, the uCDN communicates to a + dCDN the information needed to verify Signed URIs from the uCDN + for the given CSP. For example, this information may include + the URI query string parameter name for the URI Signing Package + Attribute in addition to keys used for validation. + + 4. When a UA requests a piece of protected content from the CSP, + the CSP makes a specific authorization decision for this unique + request based on its local distribution policy. + + 5. If the authorization decision is negative, the CSP rejects the + request and sends an error code (e.g., 403 Forbidden) in the + HTTP response. + + 6. If the authorization decision is positive, the CSP computes a + Signed JWT that is based on unique parameters of that request + and conveys it to the end user as the URI to use to request the + content. + + 7. On receipt of the corresponding content request, the uCDN + verifies the Signed JWT in the URI using the information + provided by the CSP. + + 8. If the verification result is negative, the uCDN rejects the + request and sends an error code 403 Forbidden in the HTTP + response. + + 9. If the verification result is positive, the uCDN computes a + Signed JWT that is based on unique parameters of that request + and provides it to the end user as the URI to use to further + request the content from the dCDN. + + 10. On receipt of the corresponding content request, the dCDN + verifies the Signed JWT in the Signed URI using the information + provided by the uCDN in the CDNI Metadata. + + 11. If the verification result is negative, the dCDN rejects the + request and sends an error code 403 Forbidden in the HTTP + response. + + 12. If the verification result is positive, the dCDN serves the + request and delivers the content. + + 13. At a later time, the dCDN reports logging events that include + URI Signing information. + + With HTTP-based request routing, URI Signing matches well the general + chain of trust model of CDNI both with symmetric and asymmetric keys + because the key information only needs to be specific to a pair of + adjacent CDNI hops. + + Note: While using a symmetric shared key is supported, it is NOT + RECOMMENDED. See the Security Considerations (Section 7) about the + limitations of shared keys. + +5.2. DNS Redirection + + For DNS-based request routing, the CSP and uCDN must agree on a trust + model appropriate to the security requirements of the CSP's + particular content. Use of asymmetric public/private keys allows for + unlimited distribution of the public key to dCDNs. However, if a + shared secret key is required, then the distribution SHOULD be + performed by the CSP directly. + + Note: While using a symmetric shared key is supported, it is NOT + RECOMMENDED. See the Security Considerations (Section 7) about the + limitations of shared keys. + + The URI Signing method (assuming iterative DNS request routing and a + CDN path with two CDNs) includes the following steps. + + End-User dCDN uCDN CSP + | | | | + | 1.CDNI FCI used to | | + | advertise URI Signing capability | | + | |------------------->| | + | | | | + | 2.Provides information to verify Signed JWT | + | | |<-------------------| + | 3.CDNI Metadata interface used to| | + | provide URI Signing attributes| | + | |<-------------------| | + : : : : + : (Later in time) : : : + |4.Authorization request | | + |------------------------------------------------------------->| + | | | [Apply distribution + | | | policy] | + | | | | + | | (ALT: Authorization decision) + |5.Request is denied | | <Negative> | + |<-------------------------------------------------------------| + | | | | + |6.Provides Signed URI | <Positive> | + |<-------------------------------------------------------------| + | | | | + |7.DNS request | | | + |---------------------------------------->| | + | | | | + |8.Redirect DNS to dCDN | | + |<----------------------------------------| | + | | | | + |9.DNS request | | | + |------------------->| | | + | | | | + |10.IP address of Surrogate | | + |<-------------------| | | + | | | | + |11.Content request | | | + |------------------->| [Verify URI | | + | | signature] | | + | | | | + | (ALT: Verification result) | | + |12.Request is denied| <Negative> | | + |<-------------------| | | + | | | | + |13.Content delivery | <Positive> | | + |<-------------------| | | + : : : : + : (Later in time) : : : + |14.CDNI Logging interface to report URI Signing information | + | |------------------->| | + + Figure 4: DNS-based Request Routing with URI Signing + + 1. Using the CDNI Footprint & Capabilities Advertisement interface, + the dCDN advertises its capabilities including URI Signing + support to the uCDN. + + 2. CSP provides to the uCDN the information needed to verify Signed + JWTs from that CSP. For example, this information will include + one or more keys used for validation. + + 3. Using the CDNI Metadata interface, the uCDN communicates to a + dCDN the information needed to verify Signed JWTs from the CSP + (e.g., the URI query string parameter name for the URI Signing + Package Attribute). In the case of symmetric shared key, the + uCDN MUST NOT share the key with a dCDN. + + 4. When a UA requests a piece of protected content from the CSP, + the CSP makes a specific authorization decision for this unique + request based on its local distribution policy. + + 5. If the authorization decision is negative, the CSP rejects the + request and sends an error code (e.g., 403 Forbidden) in the + HTTP response. + + 6. If the authorization decision is positive, the CSP computes a + Signed JWT that is based on unique parameters of that request + and includes it in the URI provided to the end user to request + the content. + + 7. The end user sends a DNS request to the uCDN. + + 8. On receipt of the DNS request, the uCDN redirects the request to + the dCDN. + + 9. The end user sends a DNS request to the dCDN. + + 10. On receipt of the DNS request, the dCDN responds with IP address + of one of its Surrogates. + + 11. On receipt of the corresponding content request, the dCDN + verifies the Signed JWT in the URI using the information + provided by the uCDN in the CDNI Metadata. + + 12. If the verification result is negative, the dCDN rejects the + request and sends an error code 403 Forbidden in the HTTP + response. + + 13. If the verification result is positive, the dCDN serves the + request and delivers the content. + + 14. At a later time, dCDN reports logging events that includes URI + Signing information. + + With DNS-based request routing, URI Signing matches well the general + chain of trust model of CDNI when used with asymmetric keys because + the only key information that needs to be distributed across + multiple, possibly untrusted, CDNI hops is the public key, which is + generally not confidential. + + With DNS-based request routing, URI Signing does not match well with + the general chain of trust model of CDNI when used with symmetric + keys because the symmetric key information needs to be distributed + across multiple CDNI hops to CDNs with which the CSP may not have a + trust relationship. This raises a security concern for applicability + of URI Signing with symmetric keys in case of DNS-based inter-CDN + request routing. Due to these flaws, this architecture MUST NOT be + implemented. + + Note: While using a symmetric shared key is supported, it is NOT + RECOMMENDED. See the Security Considerations (Section 7) about the + limitations of shared keys. + +6. IANA Considerations + +6.1. CDNI Payload Type + + IANA has registered the following CDNI Payload Type under the IANA + "CDNI Payload Types" registry: + + +===============+===============+ + | Payload Type | Specification | + +===============+===============+ + | MI.UriSigning | RFC 9246 | + +---------------+---------------+ + + Table 1 + +6.1.1. CDNI UriSigning Payload Type + + Purpose: The purpose of this payload type is to distinguish + UriSigning Metadata interface (MI) objects (and any associated + capability advertisement). + + Interface: MI/FCI + + Encoding: see Section 4.4 + +6.2. CDNI Logging Record Type + + IANA has registered the following CDNI Logging record-type under the + IANA "CDNI Logging record-types" registry: + + +======================+===========+===========================+ + | record-types | Reference | Description | + +======================+===========+===========================+ + | cdni_http_request_v2 | RFC 9246 | Extension to CDNI Logging | + | | | Record version 1 for | + | | | content delivery using | + | | | HTTP, to include URI | + | | | Signing Logging fields | + +----------------------+-----------+---------------------------+ + + Table 2 + +6.2.1. CDNI Logging Record Version 2 for HTTP + + The "cdni_http_request_v2" record-type supports all of the fields + supported by the "cdni_http_request_v1" record-type [RFC7937] plus + the two additional fields "s-uri-signing" and "s-uri-signing-deny- + reason", registered by this document in Section 6.3. The name, + format, field value, and occurrence information for the two new + fields can be found in Section 4.5 of this document. + +6.3. CDNI Logging Field Names + + IANA has registered the following CDNI Logging fields under the IANA + "CDNI Logging Field Names" registry: + + +===========================+===========+ + | Field Name | Reference | + +===========================+===========+ + | s-uri-signing | RFC 9246 | + +---------------------------+-----------+ + | s-uri-signing-deny-reason | RFC 9246 | + +---------------------------+-----------+ + + Table 3 + +6.4. CDNI URI Signing Verification Code + + IANA has created a new "CDNI URI Signing Verification Code" + subregistry in the "Content Delivery Networks Interconnection (CDNI) + Parameters" registry. The "CDNI URI Signing Verification Code" + namespace defines the valid values associated with the s-uri-signing + CDNI Logging field. The CDNI URI Signing Verification Code is a + 3DIGIT value as defined in Section 4.5. Additions to the CDNI URI + Signing Verification Code namespace will conform to the + "Specification Required" policy as defined in [RFC8126]. Updates to + this subregistry are expected to be infrequent. + + +=======+===========+=====================================+ + | Value | Reference | Description | + +=======+===========+=====================================+ + | 000 | RFC 9246 | No signed JWT verification | + | | | performed | + +-------+-----------+-------------------------------------+ + | 200 | RFC 9246 | Signed JWT verification performed | + | | | and verified | + +-------+-----------+-------------------------------------+ + | 400 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of incorrect | + | | | signature | + +-------+-----------+-------------------------------------+ + | 401 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Issuer | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 402 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Subject | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 403 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Audience | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 404 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Expiration | + | | | Time enforcement | + +-------+-----------+-------------------------------------+ + | 405 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Not Before | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 406 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because only one of | + | | | CDNI Signed Token Transport or CDNI | + | | | Expiration Time Setting present | + +-------+-----------+-------------------------------------+ + | 407 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of JWT ID | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 408 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Version | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 409 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Critical | + | | | Extension enforcement | + +-------+-----------+-------------------------------------+ + | 410 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of Client IP | + | | | enforcement | + +-------+-----------+-------------------------------------+ + | 411 | RFC 9246 | Signed JWT verification performed | + | | | and rejected because of URI | + | | | Container enforcement | + +-------+-----------+-------------------------------------+ + | 500 | RFC 9246 | Unable to perform signed JWT | + | | | verification because of malformed | + | | | URI | + +-------+-----------+-------------------------------------+ + + Table 4 + +6.5. CDNI URI Signing Signed Token Transport + + IANA has created a new "CDNI URI Signing Signed Token Transport" + subregistry in the "Content Delivery Networks Interconnection (CDNI) + Parameters" registry. The "CDNI URI Signing Signed Token Transport" + namespace defines the valid values that may be in the Signed Token + Transport (cdnistt) JWT claim. Additions to the Signed Token + Transport namespace conform to the "Specification Required" policy as + defined in [RFC8126]. Updates to this subregistry are expected to be + infrequent. + + The following table defines the initial Enforcement Information + Elements: + + +=======+=============================================+==========+ + | Value | Description | RFC | + +=======+=============================================+==========+ + | 0 | Designates token transport is not enabled | RFC 9246 | + +-------+---------------------------------------------+----------+ + | 1 | Designates token transport via cookie | RFC 9246 | + +-------+---------------------------------------------+----------+ + | 2 | Designates token transport via query string | RFC 9246 | + +-------+---------------------------------------------+----------+ + + Table 5 + +6.6. JSON Web Token Claims Registration + + This specification registers the following claims in the IANA "JSON + Web Token Claims" registry [IANA.JWT.Claims] established by + [RFC7519]. + +6.6.1. Registry Contents + + Claim Name: cdniv + Claim Description: CDNI Claim Set Version + Change Controller: IESG + Specification Document(s): Section 2.1.8 of RFC 9246 + + Claim Name: cdnicrit + Claim Description: CDNI Critical Claims Set + Change Controller: IESG + Specification Document(s): Section 2.1.9 of RFC 9246 + + Claim Name: cdniip + Claim Description: CDNI IP Address + Change Controller: IESG + Specification Document(s): Section 2.1.10 of RFC 9246 + + Claim Name: cdniuc + Claim Description: CDNI URI Container + Change Controller: IESG + Specification Document(s): Section 2.1.11 of RFC 9246 + + Claim Name: cdniets + Claim Description: CDNI Expiration Time Setting for Signed Token + Renewal + Change Controller: IESG + Specification Document(s): Section 2.1.12 of RFC 9246 + + Claim Name: cdnistt + Claim Description: CDNI Signed Token Transport Method for Signed + Token Renewal + Change Controller: IESG + Specification Document(s): Section 2.1.13 of RFC 9246 + + Claim Name: cdnistd + Claim Description: CDNI Signed Token Depth + Change Controller: IESG + Specification Document(s): Section 2.1.14 of RFC 9246 + +6.7. Expert Review Guidance + + Generally speaking, we should determine the registration has a + rational justification and does not duplicate a previous + registration. Early assignment should be permissible as long as + there is a reasonable expectation that the specification will become + formalized. Expert Reviewers should be empowered to make + determinations, but generally speaking they should allow new claims + that do not otherwise introduce conflicts with implementation or + things that may lead to confusion. They should also follow the + guidelines of Section 5 of [RFC8126] when sensible. + +7. Security Considerations + + This document describes the concept of URI Signing and how it can be + used to provide access authorization in the case of CDNI. The + primary goal of URI Signing is to make sure that only authorized UAs + are able to access the content, with a CSP being able to authorize + every individual request. It should be noted that URI Signing is not + a content protection scheme; if a CSP wants to protect the content + itself, other mechanisms, such as DRM, are more appropriate. + + CDNI URI Signing Signed Tokens leverage JSON Web Tokens and thus, + guidelines in [RFC8725] are applicable for all JWT interactions. + + In general, it holds that the level of protection against + illegitimate access can be increased by including more claims in the + signed JWT. The current version of this document includes claims for + enforcing Issuer, Client IP Address, Not Before time, and Expiration + Time; however, this list can be extended with other more complex + attributes that are able to provide some form of protection against + some of the vulnerabilities highlighted below. + + That said, there are a number of aspects that limit the level of + security offered by URI Signing and that anybody implementing URI + Signing should be aware of. + + Replay attacks: A (valid) Signed URI may be used to perform replay + attacks. The vulnerability to replay attacks can be reduced by + picking a relatively short window between the Not Before time and + Expiration Time attributes, although this is limited by the fact + that any HTTP-based request needs a window of at least a couple of + seconds to prevent sudden network issues from denying legitimate + UAs access to the content. One may also reduce exposure to replay + attacks by including a unique one-time access ID via the JWT ID + attribute (jti claim). Whenever the dCDN receives a request with + a given unique ID, it adds that ID to the list of 'used' IDs. In + the case an illegitimate UA tries to use the same URI through a + replay attack, the dCDN can deny the request based on the already + used access ID. This list should be kept bounded. A reasonable + approach would be to expire the entries based on the exp claim + value. If no exp claim is present, then a simple Least Recently + Used (LRU) cache could be used; however, this would allow values + to eventually be reused. + + Illegitimate clients behind a NAT: In cases where there are multiple + users behind the same NAT, all users will have the same IP address + from the point of view of the dCDN. This results in the dCDN not + being able to distinguish between different users based on Client + IP Address, which can lead to illegitimate users being able to + access the content. One way to reduce exposure to this kind of + attack is to not only check for Client IP but also for other + attributes, e.g., attributes that can be found in HTTP headers. + However, this may be easily circumvented by a sophisticated + attacker. + + A shared key distributed between CSP and uCDN is more likely to be + compromised. Since this key can be used to legitimately sign a URL + for content access authorization, it is important to know the + implications of a compromised shared key. While using a shared key + scheme can be convenient, this architecture is NOT RECOMMENDED due to + the risks associated. It is included for legacy feature parity and + is highly discouraged in new implementations. + + If a shared key usable for signing is compromised, an attacker can + use it to perform a denial-of-service attack by forcing the CDN to + evaluate prohibitively expensive regular expressions embedded in a + URI Container (cdniuc) claim. As a result, compromised keys should + be timely revoked in order to prevent exploitation. + + The URI Container (cdniuc) claim can be given a wildcard value. + This, combined with the fact that it is the only mandatory claim, + means you can effectively make a skeleton key. Doing this does not + sufficiently limit the scope of the JWT and is NOT RECOMMENDED. The + only way to prevent such a key from being used after it is + distributed is to revoke the signing key so it no longer validates. + +8. Privacy + + The privacy protection concerns described in "Content Distribution + Network Interconnection (CDNI) Logging Interface" [RFC7937] apply + when the client's IP address (cdniip) or Subject (sub) is embedded in + the Signed URI. For this reason, the mechanism described in + Section 2 encrypts the Client IP or Subject before including it in + the URI Signing Package (and thus the URL itself). + +9. References + +9.1. Normative References + + [POSIX.1] The Open Group, "IEEE Standard for Information Technology + -- Portable Operating System Interface (POSIX(TM)) Base + Specifications, Issue 7", (Revision of IEEE Std + 1003.1-2008), IEEE Std 1003.1-2017, January 2018, + <https://pubs.opengroup.org/onlinepubs/9699919799/>. + + [RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791, + DOI 10.17487/RFC0791, September 1981, + <https://www.rfc-editor.org/info/rfc791>. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + <https://www.rfc-editor.org/info/rfc2119>. + + [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform + Resource Identifier (URI): Generic Syntax", STD 66, + RFC 3986, DOI 10.17487/RFC3986, January 2005, + <https://www.rfc-editor.org/info/rfc3986>. + + [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, + "Network Time Protocol Version 4: Protocol and Algorithms + Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010, + <https://www.rfc-editor.org/info/rfc5905>. + + [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 + Address Text Representation", RFC 5952, + DOI 10.17487/RFC5952, August 2010, + <https://www.rfc-editor.org/info/rfc5952>. + + [RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265, + DOI 10.17487/RFC6265, April 2011, + <https://www.rfc-editor.org/info/rfc6265>. + + [RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M., + and D. Orchard, "URI Template", RFC 6570, + DOI 10.17487/RFC6570, March 2012, + <https://www.rfc-editor.org/info/rfc6570>. + + [RFC6707] Niven-Jenkins, B., Le Faucheur, F., and N. Bitar, "Content + Distribution Network Interconnection (CDNI) Problem + Statement", RFC 6707, DOI 10.17487/RFC6707, September + 2012, <https://www.rfc-editor.org/info/rfc6707>. + + [RFC6920] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., + Keranen, A., and P. Hallam-Baker, "Naming Things with + Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013, + <https://www.rfc-editor.org/info/rfc6920>. + + [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer + Protocol (HTTP/1.1): Message Syntax and Routing", + RFC 7230, DOI 10.17487/RFC7230, June 2014, + <https://www.rfc-editor.org/info/rfc7230>. + + [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", + RFC 7516, DOI 10.17487/RFC7516, May 2015, + <https://www.rfc-editor.org/info/rfc7516>. + + [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token + (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, + <https://www.rfc-editor.org/info/rfc7519>. + + [RFC7937] Le Faucheur, F., Ed., Bertrand, G., Ed., Oprescu, I., Ed., + and R. Peterkofsky, "Content Distribution Network + Interconnection (CDNI) Logging Interface", RFC 7937, + DOI 10.17487/RFC7937, August 2016, + <https://www.rfc-editor.org/info/rfc7937>. + + [RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma, + "Content Delivery Network Interconnection (CDNI) + Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016, + <https://www.rfc-editor.org/info/rfc8006>. + + [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for + Writing an IANA Considerations Section in RFCs", BCP 26, + RFC 8126, DOI 10.17487/RFC8126, June 2017, + <https://www.rfc-editor.org/info/rfc8126>. + + [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC + 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, + May 2017, <https://www.rfc-editor.org/info/rfc8174>. + + [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data + Interchange Format", STD 90, RFC 8259, + DOI 10.17487/RFC8259, December 2017, + <https://www.rfc-editor.org/info/rfc8259>. + +9.2. Informative References + + [IANA.JWT.Claims] + IANA, "JSON Web Token (JWT)", + <https://www.iana.org/assignments/jwt>. + + [MPEG-DASH] + ISO, "Information technology -- Dynamic adaptive streaming + over HTTP (DASH) -- Part 1: Media presentation description + and segment formats", ISO/IEC 23009-1:2019, Edition 4, + December 2019, <https://www.iso.org/standard/79329.html>. + + [RFC6983] van Brandenburg, R., van Deventer, O., Le Faucheur, F., + and K. Leung, "Models for HTTP-Adaptive-Streaming-Aware + Content Distribution Network Interconnection (CDNI)", + RFC 6983, DOI 10.17487/RFC6983, July 2013, + <https://www.rfc-editor.org/info/rfc6983>. + + [RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed., + "Framework for Content Distribution Network + Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336, + August 2014, <https://www.rfc-editor.org/info/rfc7336>. + + [RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution + Network Interconnection (CDNI) Requirements", RFC 7337, + DOI 10.17487/RFC7337, August 2014, + <https://www.rfc-editor.org/info/rfc7337>. + + [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, + DOI 10.17487/RFC7517, May 2015, + <https://www.rfc-editor.org/info/rfc7517>. + + [RFC7975] Niven-Jenkins, B., Ed. and R. van Brandenburg, Ed., + "Request Routing Redirection Interface for Content + Delivery Network (CDN) Interconnection", RFC 7975, + DOI 10.17487/RFC7975, October 2016, + <https://www.rfc-editor.org/info/rfc7975>. + + [RFC8008] Seedorf, J., Peterson, J., Previdi, S., van Brandenburg, + R., and K. Ma, "Content Delivery Network Interconnection + (CDNI) Request Routing: Footprint and Capabilities + Semantics", RFC 8008, DOI 10.17487/RFC8008, December 2016, + <https://www.rfc-editor.org/info/rfc8008>. + + [RFC8216] Pantos, R., Ed. and W. May, "HTTP Live Streaming", + RFC 8216, DOI 10.17487/RFC8216, August 2017, + <https://www.rfc-editor.org/info/rfc8216>. + + [RFC8725] Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best + Current Practices", BCP 225, RFC 8725, + DOI 10.17487/RFC8725, February 2020, + <https://www.rfc-editor.org/info/rfc8725>. + +Appendix A. Signed URI Package Example + + This section contains three examples of token usage: a simple example + with only the required claim present, a complex example that + demonstrates the full JWT claims set, including an encrypted Client + IP Address (cdniip), and one that uses a Signed Token Renewal. + + Note: All of the examples have empty space added to improve + formatting and readability, but are not present in the generated + content. + + All examples use the following JWK Set [RFC7517]: + + { "keys": [ + { + "kty": "EC", + "kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0", + "use": "sig", + "alg": "ES256", + "crv": "P-256", + "x": "be807S4O7dzB6I4hTiCUvmxCI6FuxWba1xYBlLSSsZ8", + "y": "rOGC4vI69g-WF9AGEVI37sNNwbjIzBxSjLvIL7f3RBA" + }, + { + "kty": "EC", + "kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0", + "use": "sig", + "alg": "ES256", + "crv": "P-256", + "x": "be807S4O7dzB6I4hTiCUvmxCI6FuxWba1xYBlLSSsZ8", + "y": "rOGC4vI69g-WF9AGEVI37sNNwbjIzBxSjLvIL7f3RBA", + "d": "yaowezrCLTU6yIwUL5RQw67cHgvZeMTLVZXjUGb1A1M" + }, + { + "kty": "oct", + "kid": "f-WbjxBC3dPuI3d24kP2hfvos7Qz688UTi6aB0hN998", + "use": "enc", + "alg": "A128GCM", + "k": "4uFxxV7fhNmrtiah2d1fFg" + } + ]} + + Note: They are the public signing key, the private signing key, and + the shared secret encryption key, respectively. The public and + private signing keys have the same fingerprint and only vary by the + 'd' parameter that is missing from the public signing key. + +A.1. Simple Example + + This example is a simple common usage example containing a minimal + subset of claims that the authors find most useful. + + The JWT Claim Set before signing: + + Note: "sha-256;2tderfWPa86Ku7YnzW51YUp7dGUjBS_3SW3ELx4hmWY" is the + URL Segment form (Section 5 of [RFC6920]) of + "http://cdni.example/foo/bar". + + { + "exp": 1646867369, + "iss": "uCDN Inc", + "cdniuc": + "hash:sha-256;2tderfWPa86Ku7YnzW51YUp7dGUjBS_3SW3ELx4hmWY" + } + + The signed JWT: + + eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU + dZRkRPV2tsZHVlYUltZjAifQ.eyJleHAiOjE2NDY4NjczNjksImlzcyI6InVDRE4gS + W5jIiwiY2RuaXVjIjoiaGFzaDpzaGEtMjU2OzJ0ZGVyZldQYTg2S3U3WW56VzUxWVV + wN2RHVWpCU18zU1czRUx4NGhtV1kifQ.TaNlJM3D96i_9J9XvlICO6FUIDFTqt3E2Y + JkEUOLfcH0b89wYRKTbJ9Yj6h_GRgSoZoQO0cps3yUPcWGK3smCw + +A.2. Complex Example + + This example uses all fields except for those dealing with Signed + Token Renewal, including Client IP Address (cdniip) and Subject + (sub), which are encrypted. This significantly increases the size of + the signed JWT token. + + JWE for Client IP Address (cdniip) of [2001:db8::1/32]: + + eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4QkMzZFB1ST + NkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..aUDDFEQBIc3nWjOb.bGXWT + HPkntmPCKn0pPPNEQ.iyTttnFybO2YBLqwl_YSjA + + JWE for Subject (sub) of "UserToken": + + eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4QkMzZFB1ST + NkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..CLAu80xclc8Bp-Ui.6P1A3 + F6ip2Dv.CohdtLLpgBnTvRJQCFuz-g + + The JWT Claim Set before signing: + + { + "aud": "dCDN LLC", + "sub": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4 + QkMzZFB1STNkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..CLAu80xclc8B + p-Ui.6P1A3F6ip2Dv.CohdtLLpgBnTvRJQCFuz-g", + "cdniip": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XY + mp4QkMzZFB1STNkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..aUDDFEQBI + c3nWjOb.bGXWTHPkntmPCKn0pPPNEQ.iyTttnFybO2YBLqwl_YSjA", + "cdniv": 1, + "exp": 1646867369, + "iat": 1646694569, + "iss": "uCDN Inc", + "jti": "5DAafLhZAfhsbe", + "nbf": 1646780969, + "cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.png" + } + + The signed JWT: + + eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU + dZRkRPV2tsZHVlYUltZjAifQ.eyJhdWQiOiJkQ0ROIExMQyIsInN1YiI6ImV5Smxib + U1pT2lKQk1USTRSME5OSWl3aVlXeG5Jam9pWkdseUlpd2lhMmxrSWpvaVppMVhZbXA + 0UWtNelpGQjFTVE5rTWpSclVESm9ablp2Y3pkUmVqWTRPRlZVYVRaaFFqQm9Uams1T + 0NKOS4uQ0xBdTgweGNsYzhCcC1VaS42UDFBM0Y2aXAyRHYuQ29oZHRMTHBnQm5UdlJ + KUUNGdXotZyIsImNkbmlpcCI6ImV5SmxibU1pT2lKQk1USTRSME5OSWl3aVlXeG5Ja + m9pWkdseUlpd2lhMmxrSWpvaVppMVhZbXA0UWtNelpGQjFTVE5rTWpSclVESm9ablp + 2Y3pkUmVqWTRPRlZVYVRaaFFqQm9Uams1T0NKOS4uYVVEREZFUUJJYzNuV2pPYi5iR + 1hXVEhQa250bVBDS24wcFBQTkVRLml5VHR0bkZ5Yk8yWUJMcXdsX1lTakEiLCJjZG5 + pdiI6MSwiZXhwIjoxNjQ2ODY3MzY5LCJpYXQiOjE2NDY2OTQ1NjksImlzcyI6InVDR + E4gSW5jIiwianRpIjoiNURBYWZMaFpBZmhzYmUiLCJuYmYiOjE2NDY3ODA5NjksImN + kbml1YyI6InJlZ2V4Omh0dHA6Ly9jZG5pXFwuZXhhbXBsZS9mb28vYmFyL1swLTlde + zN9XFwucG5nIn0.IjmVX0uD5MYqArc-M08uEsEeoDQn8kuYXZ9HGHDmDDxsHikT0c8 + jcX8xYD0z3LzQclMG65i1kT2sRbZ7isUw8w + +A.3. Signed Token Renewal Example + + This example uses fields for Signed Token Renewal. + + The JWT Claim Set before signing: + + { + "cdniets": 30, + "cdnistt": 1, + "cdnistd": 2, + "exp": 1646867369, + "cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.ts" + } + + The signed JWT: + + eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU + dZRkRPV2tsZHVlYUltZjAifQ.eyJjZG5pZXRzIjozMCwiY2RuaXN0dCI6MSwiY2Rua + XN0ZCI6MiwiZXhwIjoxNjQ2ODY3MzY5LCJjZG5pdWMiOiJyZWdleDpodHRwOi8vY2R + uaVxcLmV4YW1wbGUvZm9vL2Jhci9bMC05XXszfVxcLnRzIn0.tlPvoKw3BCClw4Lx9 + PQu7MK6b2IN55ZoCPSaxovGK0zS53Wpb1MbJBow7G8LiGR39h6-2Iq7PWUSr3MdTIz + HYw + + Once the server verifies the signed JWT it will return a new signed + JWT with an updated Expiry Time (exp) as shown below. Note the + Expiry Time is increased by the expiration time setting (cdniets) + value. + + The JWT Claim Set before signing: + + { + "cdniets": 30, + "cdnistt": 1, + "cdnistd": 2, + "exp": 1646867399, + "cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.ts" + } + + The signed JWT: + + eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU + dZRkRPV2tsZHVlYUltZjAifQ.eyJjZG5pZXRzIjozMCwiY2RuaXN0dCI6MSwiY2Rua + XN0ZCI6MiwiZXhwIjoxNjQ2ODY3Mzk5LCJjZG5pdWMiOiJyZWdleDpodHRwOi8vY2R + uaVxcLmV4YW1wbGUvZm9vL2Jhci9bMC05XXszfVxcLnRzIn0.ivY5d_fKGd-OHTpUs + 8uJUrnHvt-rduzu5H4zM7167pUUAghub53FqDQ5G16jRYX2sY73mA_uLpYDdb-CPts + 8FA + +Acknowledgements + + The authors would like to thank the following people for their + contributions in reviewing this document and providing feedback: + Scott Leibrand, Kevin Ma, Ben Niven-Jenkins, Thierry Magnien, Dan + York, Bhaskar Bhupalam, Matt Caulfield, Samuel Rajakumar, Iuniana + Oprescu, Leif Hedstrom, Gancho Tenev, Brian Campbell, and Chris + Lemmons. + +Contributors + + In addition, the authors would also like to make special mentions for + certain people who contributed significant sections to this document. + + * Matt Caulfield provided content for Section 4.4, "CDNI Metadata + Interface". + + * Emmanuel Thomas provided content for HTTP Adaptive Streaming. + + * Matt Miller provided consultation on JWT usage as well as code to + generate working JWT examples. + +Authors' Addresses + + Ray van Brandenburg + Tiledmedia + Anna van Buerenplein 1 + 2595DA Den Haag + Netherlands + Phone: +31 88 866 7000 + Email: ray@tiledmedia.com + + + Kent Leung + Email: mail4kentl@gmail.com + + + Phil Sorber + Apple, Inc. + Suite 410 + 1800 Wazee Street + Denver, CO 80202 + United States + Email: sorber@apple.com |