1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
|
Internet Engineering Task Force (IETF) R. van Brandenburg
Request for Comments: 9246 Tiledmedia
Category: Standards Track K. Leung
ISSN: 2070-1721
P. Sorber
Apple, Inc.
June 2022
URI Signing for Content Delivery Network Interconnection (CDNI)
Abstract
This document describes how the concept of URI Signing supports the
content access control requirements of Content Delivery Network
Interconnection (CDNI) and proposes a URI Signing method as a JSON
Web Token (JWT) profile.
The proposed URI Signing method specifies the information needed to
be included in the URI to transmit the signed JWT, as well as the
claims needed by the signed JWT to authorize a User Agent (UA). The
mechanism described can be used both in CDNI and single Content
Delivery Network (CDN) scenarios.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
https://www.rfc-editor.org/info/rfc9246.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Revised BSD License text as described in Section 4.e of the
Trust Legal Provisions and are provided without warranty as described
in the Revised BSD License.
Table of Contents
1. Introduction
1.1. Terminology
1.2. Background and Overview on URI Signing
1.3. CDNI URI Signing Overview
1.4. URI Signing in a Non-CDNI Context
2. JWT Format and Processing Requirements
2.1. JWT Claims
2.1.1. Issuer (iss) Claim
2.1.2. Subject (sub) Claim
2.1.3. Audience (aud) Claim
2.1.4. Expiry Time (exp) Claim
2.1.5. Not Before (nbf) Claim
2.1.6. Issued At (iat) Claim
2.1.7. JWT ID (jti) Claim
2.1.8. CDNI Claim Set Version (cdniv) Claim
2.1.9. CDNI Critical Claims Set (cdnicrit) Claim
2.1.10. Client IP Address (cdniip) Claim
2.1.11. CDNI URI Container (cdniuc) Claim
2.1.12. CDNI Expiration Time Setting (cdniets) Claim
2.1.13. CDNI Signed Token Transport (cdnistt) Claim
2.1.14. CDNI Signed Token Depth (cdnistd) Claim
2.1.15. URI Container Forms
2.1.15.1. URI Hash Container (hash:)
2.1.15.2. URI Regular Expression Container (regex:)
2.2. JWT Header
3. URI Signing Token Renewal
3.1. Overview
3.2. Signed Token Renewal Mechanism
3.2.1. Required Claims
3.3. Communicating a Signed JWT in Signed Token Renewal
3.3.1. Support for Cross-Domain Redirection
4. Relationship with CDNI Interfaces
4.1. CDNI Control Interface
4.2. CDNI Footprint & Capabilities Advertisement Interface
4.3. CDNI Request Routing Redirection Interface
4.4. CDNI Metadata Interface
4.5. CDNI Logging Interface
5. URI Signing Message Flow
5.1. HTTP Redirection
5.2. DNS Redirection
6. IANA Considerations
6.1. CDNI Payload Type
6.1.1. CDNI UriSigning Payload Type
6.2. CDNI Logging Record Type
6.2.1. CDNI Logging Record Version 2 for HTTP
6.3. CDNI Logging Field Names
6.4. CDNI URI Signing Verification Code
6.5. CDNI URI Signing Signed Token Transport
6.6. JSON Web Token Claims Registration
6.6.1. Registry Contents
6.7. Expert Review Guidance
7. Security Considerations
8. Privacy
9. References
9.1. Normative References
9.2. Informative References
Appendix A. Signed URI Package Example
A.1. Simple Example
A.2. Complex Example
A.3. Signed Token Renewal Example
Acknowledgements
Contributors
Authors' Addresses
1. Introduction
This document describes the concept of URI Signing and how it can be
used to provide access authorization in the case of redirection
between cooperating CDNs and between a Content Service Provider (CSP)
and a CDN. The primary goal of URI Signing is to make sure that only
authorized UAs are able to access the content, with a CSP being able
to authorize every individual request. It should be noted that URI
Signing is not a content protection scheme; if a CSP wants to protect
the content itself, other mechanisms, such as Digital Rights
Management (DRM), are more appropriate. In addition to access
control, URI Signing also has benefits in reducing the impact of
denial-of-service attacks.
The overall problem space for CDN Interconnection (CDNI) is described
in the CDNI Problem Statement [RFC6707] specification. This
document, along with the Content Distribution Network Interconnection
(CDNI) Requirements [RFC7337] document and the Framework for Content
Distribution Network Interconnection (CDNI) [RFC7336], describes the
need for interconnected CDNs to be able to implement an access
control mechanism that enforces a CSP's distribution policies.
Specifically, the CDNI Framework [RFC7336] states:
The CSP may also trust the CDN operator to perform actions such as
delegating traffic to additional downstream CDNs, and to enforce
per-request authorization performed by the CSP using techniques
such as URI Signing.
In particular, the following requirement is listed in the CDNI
Requirements [RFC7337]:
| MI-16 {HIGH} The CDNI Metadata interface shall allow signaling
| of authorization checks and validation that are to be
| performed by the Surrogate before delivery. For example,
| this could potentially include the need to validate
| information (e.g., Expiry time, Client IP address) required
| for access authorization.
This document defines a method of signing URIs that allows Surrogates
in interconnected CDNs to enforce a per-request authorization
initiated by the CSP. Splitting the role of initiating per-request
authorization by the CSP and the role of verifying this authorization
by the CDN allows any arbitrary distribution policy to be enforced
across CDNs without the need of CDNs to have any awareness of the
specific CSP distribution policies.
The method is implemented using signed JSON Web Tokens (JWTs)
[RFC7519].
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the terminology defined in the CDNI Problem
Statement [RFC6707].
This document also uses the terminology of the JSON Web Token (JWT)
[RFC7519].
In addition, the following terms are used throughout this document:
FCI: Footprint & Capabilities Advertisement interface
Signed URI: A URI for which a signed JWT is provided.
Target CDN URI: A URI created by the CSP to direct a UA towards the
upstream CDN (uCDN). The Target CDN URI can be signed by the CSP
and verified by the uCDN and possibly further downstream CDNs
(dCDNs).
Redirection URI: A URI created by the uCDN to redirect a UA towards
the dCDN. The Redirection URI can be signed by the uCDN and
verified by the dCDN. In a cascaded CDNI scenario, there can be
more than one Redirection URI.
Signed Token Renewal: A series of signed JWTs that are used for
subsequent access to a set of related resources in a CDN, such as
a set of HTTP Adaptive Streaming files. Every time a signed JWT
is used to access a particular resource, a new signed JWT is sent
along with the resource that can be used to request the next
resource in the set. When generating a new signed JWT in Signed
Token Renewal, parameters are carried over from one signed JWT to
the next.
1.2. Background and Overview on URI Signing
A CSP and CDN are assumed to have a trust relationship that enables
the CSP to authorize access to a content item, which is realized in
practice by including a set of claims in a signed JWT in the URI
before redirecting a UA to the CDN. Using these attributes, it is
possible for a CDN to check an incoming content request to see
whether it was authorized by the CSP (e.g., based on a time window or
pattern matching the URI). To prevent the UA from altering the
claims, the JWT MUST be signed.
Figure 1 presents an overview of the URI Signing mechanism in the
case of a CSP with a single CDN. When the UA browses for content on
CSP's website (1), it receives HTML web pages with embedded content
URIs. Upon requesting these URIs, the CSP redirects to a CDN,
creating a Target CDN URI (2) (alternatively, the Target CDN URI
itself is embedded in the HTML). The Target CDN URI is the Signed
URI, which may include the IP address of the UA and/or a time window.
The Signed URI always contains a signed JWT generated by the CSP
using a shared secret or private key. Once the UA receives the
response with the Signed URI, it sends a new HTTP request using the
Signed URI to the CDN (3). Upon receiving the request, the CDN
authenticates the Signed URI by verifying the signed JWT. If
applicable, the CDN checks whether the time window is still valid in
the Signed URI and the pattern matches the URI of the request. After
these claims are verified, the CDN delivers the content (4).
Note: While using a symmetric shared key is supported, it is NOT
RECOMMENDED. See the Security Considerations (Section 7) about the
limitations of shared keys.
--------
/ \
| CSP |< * * * * * * * * * * *
\ / Trust *
-------- relationship *
^ | *
| | *
1. Browse | | 2. Signed *
for | | URI *
content | | *
| v v
+------+ 3. Signed URI --------
| User |----------------->/ \
| Agent| | CDN |
| |<-----------------\ /
+------+ 4. Content --------
Delivery
Figure 1: URI Signing in a CDN Environment
1.3. CDNI URI Signing Overview
In a CDNI environment, as shown in Figure 2 below, URI Signing
operates the same way in the initial steps 1 and 2, but the later
steps involve multiple CDNs delivering the content. The main
difference from the single CDN case is a redirection step between the
uCDN and the dCDN. In step 3, the UA may send an HTTP request or a
DNS request, depending on whether HTTP-based or DNS-based request
routing is used. The uCDN responds by directing the UA towards the
dCDN using either a Redirection URI (i.e., a Signed URI generated by
the uCDN) or a DNS reply, respectively (4). Once the UA receives the
response, it sends the Redirection URI/Target CDN URI to the dCDN
(5). The received URI is verified by the dCDN before delivering the
content (6).
Note: The CDNI call flows are covered in URI Signing Message Flow
(Section 5).
+-------------------------+
|Request Redirection Modes|
+-------------------------+
| a) HTTP |
| b) DNS |
+-------------------------+
--------
/ \< * * * * * * * * * * * * * *
| CSP |< * * * * * * * * * * * *
\ / Trust * *
-------- relationship * *
^ | * *
| | 2. Signed * *
1. Browse | | URI in * *
for | | HTML * *
content | | * *
| v 3.a)Signed URI v *
+------+ b)DNS request -------- * Trust
| User |----------------->/ \ * relationship
| Agent| | uCDN | * (optional)
| |<-----------------\ / *
+------+ 4.a)Redirection URI------- *
^ | b)DNS Reply ^ *
| | * *
| | Trust relationship * *
| | * *
6. Content | | 5.a)Redirection URI * *
delivery | | b)Signed URI(after v v
| | DNS exchange) --------
| +---------------------->/ \ [May be
| | dCDN | cascaded
+--------------------------\ / CDNs]
--------
Figure 2: URI Signing in a CDNI Environment
The trust relationships between CSP, uCDN, and dCDN have direct
implications for URI Signing. In the case shown in Figure 2, the CSP
has a trust relationship with the uCDN. The delivery of the content
may be delegated to a dCDN, which has a relationship with the uCDN
but may have no relationship with the CSP.
In CDNI, there are two methods for request routing: DNS-based and
HTTP-based. For DNS-based request routing, the Signed URI (i.e., the
Target CDN URI) provided by the CSP reaches the CDN directly. In the
case where the dCDN does not have a trust relationship with the CSP,
this means that either an asymmetric public/private key method needs
to be used for computing the signed JWT (because the CSP and dCDN are
not able to exchange symmetric shared secret keys). Shared keys MUST
NOT be redistributed.
For HTTP-based request routing, the Signed URI (i.e., the Target CDN
URI) provided by the CSP reaches the uCDN. After this URI has been
verified by the uCDN, the uCDN creates and signs a new Redirection
URI, redirecting the UA to the dCDN. Since this new URI can have a
new signed JWT, the relationship between the dCDN and CSP is not
relevant. Because a relationship between uCDN and dCDN always
exists, either asymmetric public/private keys or symmetric shared
secret keys can be used for URI Signing with HTTP-based request
routing. Note that the signed Redirection URI MUST maintain HTTPS as
the scheme if it was present in the original, and it MAY be upgraded
from "http:" to "https:".
Two types of keys can be used for URI Signing: asymmetric keys and
symmetric shared keys. Asymmetric keys are based on a public/private
key pair mechanism and always contain a private key known only to the
entity signing the URI (either CSP or uCDN) and a public key for the
verification of the Signed URI. With symmetric keys, the same key is
used by both the signing entity for signing the URI and the verifying
entity for verifying the Signed URI. Regardless of the type of keys
used, the verifying entity has to obtain the key in a manner that
allows trust to be placed in the assertions made using that key
(either the public or the symmetric key). There are very different
requirements (outside the scope of this document) for distributing
asymmetric keys and symmetric keys. Key distribution for symmetric
keys requires confidentiality to prevent third parties from getting
access to the key, since they could then generate valid Signed URIs
for unauthorized requests. Key distribution for asymmetric keys does
not require confidentiality since public keys can typically be
distributed openly (because they cannot be used to sign URIs) and the
corresponding private keys are kept secret by the URI signer.
Note: While using a symmetric shared key is supported, it is NOT
RECOMMENDED. See the Security Considerations (Section 7) about the
limitations of shared keys.
1.4. URI Signing in a Non-CDNI Context
While the URI Signing method defined in this document was primarily
created for the purpose of allowing URI Signing in CDNI scenarios,
i.e., between a uCDN and a dCDN, there is nothing in the defined URI
Signing method that precludes it from being used in a non-CDNI
context. As such, the described mechanism could be used in a single-
CDN scenario such as shown in Figure 1 in Section 1.2 for example to
allow a CSP that uses different CDNs to only have to implement a
single URI Signing mechanism.
2. JWT Format and Processing Requirements
The concept behind URI Signing is based on embedding a signed JSON
Web Token (JWT) [RFC7519] in an HTTP or HTTPS URI [RFC7230] (see
Section 2.7 of [RFC7230]). The signed JWT contains a number of
claims that can be verified to ensure the UA has legitimate access to
the content.
This document specifies the following attribute for embedding a
signed JWT in a Target CDN URI or Redirection URI:
URI Signing Package (URISigningPackage): The URI attribute that
encapsulates all the URI Signing claims in a signed JWT encoded
format. This attribute is exposed in the Signed URI as a path-
style parameter or a form-style parameter.
The parameter name of the URI Signing Package Attribute is defined in
the CDNI Metadata (Section 4.4). If the CDNI Metadata interface is
not used, or does not include a parameter name for the URI Signing
Package Attribute, the parameter name can be set by configuration
(out of scope of this document).
The URI Signing Package will be found by parsing any path-style
parameters and form-style parameters looking for a key name matching
the URI Signing Package Attribute. Both parameter styles MUST be
supported to allow flexibility of operation. The first matching
parameter SHOULD be taken to provide the signed JWT, though providing
more than one matching key is undefined behavior. Path-style
parameters generated in the form indicated by Section 3.2.7 of
[RFC6570] and Form-style parameters generated in the form indicated
by Sections 3.2.8 and 3.2.9 of [RFC6570] MUST be supported.
The following is an example where the URI Signing Package Attribute
name is "token" and the signed JWT is "SIGNEDJWT":
http://example.com/media/path?come=data&token=SIGNEDJWT&other=data
2.1. JWT Claims
This section identifies the set of claims that can be used to enforce
the CSP distribution policy. New claims can be introduced in the
future to extend the distribution policy capabilities.
In order to provide distribution policy flexibility, the exact subset
of claims used in a given signed JWT is a runtime decision. Claim
requirements are defined in the CDNI Metadata (Section 4.4). If the
CDNI Metadata interface is not used, or does not include claim
requirements, the claim requirements can be set by configuration (out
of scope of this document).
The following claims (where the "JSON Web Token Claims" registry
claim name is specified in parentheses below) are used to enforce the
distribution policies. All of the listed claims are mandatory to
implement in a URI Signing implementation but are not necessarily
mandatory to use in a given signed JWT. (The "optional" and
"mandatory" identifiers in square brackets refer to whether or not a
given claim MUST be present in a URI Signing JWT.)
Note: The time on the entities that generate and verify the Signed
URI MUST be in sync. In the CDNI case, this means that CSP, uCDN,
and dCDN servers need to be time synchronized. It is RECOMMENDED to
use NTP [RFC5905] for time synchronization.
Note: See the Security Considerations (Section 7) on the limitations
of using an expiration time and Client IP address for distribution
policy enforcement.
2.1.1. Issuer (iss) Claim
Issuer (iss) [optional] - The semantics in Section 4.1.1 of [RFC7519]
MUST be followed. If this claim is used, it MUST be used to identify
the Issuer (signer) of the JWT. In particular, the recipient will
have already received, in trusted configuration, a mapping of Issuer
name to one or more keys used to sign JWTs and must verify that the
JWT was signed by one of those keys. If this claim is used and the
CDN verifying the signed JWT does not support Issuer verification, or
if the Issuer in the signed JWT does not match the list of known
acceptable Issuers, or if the Issuer claim does not match the key
used to sign the JWT, the CDN MUST reject the request. If the
received signed JWT contains an Issuer claim, then any JWT
subsequently generated for CDNI redirection MUST also contain an
Issuer claim, and the Issuer value MUST be updated to identify the
redirecting CDN. If the received signed JWT does not contain an
Issuer claim, an Issuer claim MAY be added to a signed JWT generated
for CDNI redirection.
2.1.2. Subject (sub) Claim
Subject (sub) [optional] - The semantics in Section 4.1.2 of
[RFC7519] MUST be followed. If this claim is used, it MUST be a JSON
Web Encryption (JWE [RFC7516]) Object in compact serialization form,
because it contains personally identifiable information. This claim
contains information about the Subject (for example, a user or an
agent) that MAY be used to verify the signed JWT. If the received
signed JWT contains a Subject claim, then any JWT subsequently
generated for CDNI redirection MUST also contain a Subject claim, and
the Subject value MUST be the same as in the received signed JWT. A
signed JWT generated for CDNI redirection MUST NOT add a Subject
claim if no Subject claim existed in the received signed JWT.
2.1.3. Audience (aud) Claim
Audience (aud) [optional] - The semantics in Section 4.1.3 of
[RFC7519] MUST be followed. This claim is used to ensure that the
CDN verifying the JWT is an intended recipient of the request. The
claim MUST contain an identity belonging to the chain of entities
involved in processing the request (e.g., identifying the CSP or any
CDN in the chain) that the recipient is configured to use for the
processing of this request. A CDN MAY modify the claim as long it
can generate a valid signature.
2.1.4. Expiry Time (exp) Claim
Expiry Time (exp) [optional] - The semantics in Section 4.1.4 of
[RFC7519] MUST be followed, though URI Signing implementations MUST
NOT allow for any time-synchronization "leeway". If this claim is
used and the CDN verifying the signed JWT does not support Expiry
Time verification, or if the Expiry Time in the signed JWT
corresponds to a time equal to or earlier than the time of the
content request, the CDN MUST reject the request. If the received
signed JWT contains an Expiry Time claim, then any JWT subsequently
generated for CDNI redirection MUST also contain an Expiry Time
claim, and the Expiry Time value MUST be the same as in the received
signed JWT. A signed JWT generated for CDNI redirection MUST NOT add
an Expiry Time claim if no Expiry Time claim existed in the received
signed JWT.
2.1.5. Not Before (nbf) Claim
Not Before (nbf) [optional] - The semantics in Section 4.1.5 of
[RFC7519] MUST be followed, though URI Signing implementations MUST
NOT allow for any time-synchronization "leeway". If this claim is
used and the CDN verifying the signed JWT does not support Not Before
time verification, or if the Not Before time in the signed JWT
corresponds to a time later than the time of the content request, the
CDN MUST reject the request. If the received signed JWT contains a
Not Before time claim, then any JWT subsequently generated for CDNI
redirection MUST also contain a Not Before time claim, and the Not
Before time value MUST be the same as in the received signed JWT. A
signed JWT generated for CDNI redirection MUST NOT add a Not Before
time claim if no Not Before time claim existed in the received signed
JWT.
2.1.6. Issued At (iat) Claim
Issued At (iat) [optional] - The semantics in Section 4.1.6 of
[RFC7519] MUST be followed. If the received signed JWT contains an
Issued At claim, then any JWT subsequently generated for CDNI
redirection MUST also contain an Issued At claim, and the Issued At
value MUST be updated to identify the time the new JWT was generated.
If the received signed JWT does not contain an Issued At claim, an
Issued At claim MAY be added to a signed JWT generated for CDNI
redirection.
2.1.7. JWT ID (jti) Claim
JWT ID (jti) [optional] - The semantics in Section 4.1.7 of [RFC7519]
MUST be followed. A JWT ID can be used to prevent replay attacks if
the CDN stores a list of all previously used values and verifies that
the value in the current JWT has never been used before. If the
signed JWT contains a JWT ID claim and the CDN verifying the signed
JWT either does not support JWT ID storage or has previously seen the
value used in a request for the same content, then the CDN MUST
reject the request. If the received signed JWT contains a JWT ID
claim, then any JWT subsequently generated for CDNI redirection MUST
also contain a JWT ID claim, and the value MUST be the same as in the
received signed JWT. If the received signed JWT does not contain a
JWT ID claim, a JWT ID claim MUST NOT be added to a signed JWT
generated for CDNI redirection. Sizing of the JWT ID is application
dependent given the desired security constraints.
2.1.8. CDNI Claim Set Version (cdniv) Claim
CDNI Claim Set Version (cdniv) [optional] - The CDNI Claim Set
Version (cdniv) claim provides a means within a signed JWT to tie the
claim set to a specific version of this specification. The cdniv
claim is intended to allow changes in and facilitate upgrades across
specifications. The type is a JSON integer and the value MUST be set
to "1" for this version of the specification. In the absence of this
claim, the value is assumed to be "1". For future versions, this
claim will be mandatory. Implementations MUST reject signed JWTs
with unsupported CDNI Claim Set versions.
2.1.9. CDNI Critical Claims Set (cdnicrit) Claim
CDNI Critical Claims Set (cdnicrit) [optional] - The CDNI Critical
Claims Set (cdnicrit) claim indicates that extensions to this
specification are being used that MUST be understood and processed.
Its value is a comma-separated listing of claims in the Signed JWT
that use those extensions. If any of the listed extension claims are
not understood and supported by the recipient, then the Signed JWT
MUST be rejected. Producers MUST NOT include claim names defined by
this specification, duplicate names, or names that do not occur as
claim names within the Signed JWT in the cdnicrit list. Producers
MUST NOT use the empty list "" as the cdnicrit value. Recipients MAY
consider the Signed JWT to be invalid if the cdnicrit list contains
any claim names defined by this specification or if any other
constraints on its use are violated. This claim MUST be understood
and processed by all implementations.
2.1.10. Client IP Address (cdniip) Claim
Client IP Address (cdniip) [optional] - The Client IP Address
(cdniip) claim holds an IP address or IP prefix for which the Signed
URI is valid. This is represented in CIDR notation with dotted
decimal format for IPv4 addresses [RFC0791] or canonical text
representation for IPv6 addresses [RFC5952]. The request MUST be
rejected if sourced from a client outside the specified IP range.
Since the Client IP is considered personally identifiable
information, this field MUST be a JSON Web Encryption (JWE [RFC7516])
Object in compact serialization form. If the CDN verifying the
signed JWT does not support Client IP verification, or if the Client
IP in the signed JWT does not match the source IP address in the
content request, the CDN MUST reject the request. The type of this
claim is a JSON string that contains the JWE. If the received signed
JWT contains a Client IP claim, then any JWT subsequently generated
for CDNI redirection MUST also contain a Client IP claim, and the
Client IP value MUST be the same as in the received signed JWT. A
signed JWT generated for CDNI redirection MUST NOT add a Client IP
claim if no Client IP claim existed in the received signed JWT.
It should be noted that use of this claim can cause issues, for
example, in situations with dual-stack IPv4 and IPv6 networks, MPTCP,
QUIC, and mobile clients switching from Wi-Fi to Cellular networks
where the client's source address can change, even between address
families. This claim exists mainly for legacy feature parity
reasons; therefore, use of this claim should be done judiciously. An
example of a reasonable use case would be making a signed JWT for an
internal preview of an asset where the end consumer understands that
they must be originated from the same IP for the entirety of the
session. Using this claim at large is NOT RECOMMENDED.
2.1.11. CDNI URI Container (cdniuc) Claim
URI Container (cdniuc) [mandatory] - The URI Container (cdniuc) holds
the URI representation before a URI Signing Package is added. This
representation can take one of several forms detailed in
Section 2.1.15. If the URI Container used in the signed JWT does not
match the URI of the content request, the CDN verifying the signed
JWT MUST reject the request. When comparing the URI, the percent
encoded form as defined in Section 2.1 of [RFC3986] MUST be used.
When redirecting a URI, the CDN generating the new signed JWT MAY
change the URI Container to comport with the URI being used in the
redirection.
2.1.12. CDNI Expiration Time Setting (cdniets) Claim
CDNI Expiration Time Setting (cdniets) [optional] - The CDNI
Expiration Time Setting (cdniets) claim provides a means for setting
the value of the Expiry Time (exp) claim when generating a subsequent
signed JWT in Signed Token Renewal. Its type is a JSON numeric
value. It denotes the number of seconds to be added to the time at
which the JWT is verified that gives the value of the Expiry Time
(exp) claim of the next signed JWT. The CDNI Expiration Time Setting
(cdniets) SHOULD NOT be used when not using Signed Token Renewal and
MUST be present when using Signed Token Renewal.
2.1.13. CDNI Signed Token Transport (cdnistt) Claim
CDNI Signed Token Transport (cdnistt) [optional] - The CDNI Signed
Token Transport (cdnistt) claim provides a means of signaling the
method through which a new signed JWT is transported from the CDN to
the UA and vice versa for the purpose of Signed Token Renewal. Its
type is a JSON integer. Values for this claim are defined in
Section 6.5. If using this claim, you MUST also specify a CDNI
Expiration Time Setting (cdniets) as noted above.
2.1.14. CDNI Signed Token Depth (cdnistd) Claim
CDNI Signed Token Depth (cdnistd) [optional] - The CDNI Signed Token
Depth (cdnistd) claim is used to associate a subsequent signed JWT,
generated as the result of a CDNI Signed Token Transport claim, with
a specific URI subset. Its type is a JSON integer. Signed JWTs MUST
NOT use a negative value for the CDNI Signed Token Depth claim.
If the transport used for Signed Token Transport allows the CDN to
associate the path component of a URI with tokens (e.g., an HTTP
Cookie Path as described in Section 4.1.2.4 of [RFC6265]), the CDNI
Signed Token Depth value is the number of path segments that should
be considered significant for this association. A CDNI Signed Token
Depth of zero means that the client SHOULD be directed to return the
token with requests for any path. If the CDNI Signed Token Depth is
greater than zero, then the CDN SHOULD send the client a token to
return for future requests wherein the first CDNI Signed Token Depth
segments of the path match the first CDNI Signed Token Depth segments
of the Signed URI path. This matching MUST use the URI with the
token removed, as specified in Section 2.1.15.
If the URI path to match contains fewer segments than the CDNI Signed
Token Depth claim, a signed JWT MUST NOT be generated for the
purposes of Signed Token Renewal. If the CDNI Signed Token Depth
claim is omitted, it means the same thing as if its value were zero.
If the received signed JWT contains a CDNI Signed Token Depth claim,
then any JWT subsequently generated for CDNI redirection or Signed
Token Transport MUST also contain a CDNI Signed Token Depth claim,
and the value MUST be the same as in the received signed JWT.
2.1.15. URI Container Forms
The URI Container (cdniuc) claim takes one of the following forms:
'hash:' or 'regex:'. More forms may be added in the future to extend
the capabilities.
Before comparing a URI with contents of this container, the following
steps MUST be performed:
* Prior to verification, remove the signed JWT from the URI. This
removal is only for the purpose of determining if the URI matches;
all other purposes will use the original URI. If the signed JWT
is terminated by anything other than a sub-delimiter (as defined
in Section 2.2 of [RFC3986]), everything from the reserved
character (as defined in Section 2.2 of [RFC3986]) that precedes
the URI Signing Package Attribute to the last character of the
signed JWT will be removed, inclusive. Otherwise, everything from
the first character of the URI Signing Package Attribute to the
sub-delimiter that terminates the signed JWT will be removed,
inclusive.
* Normalize the URI according to Section 2.7.3 of [RFC7230] and
Sections 6.2.2 and 6.2.3 of [RFC3986]. This applies to both
generation and verification of the signed JWT.
2.1.15.1. URI Hash Container (hash:)
Prefixed with 'hash:', this string is a URL Segment form (Section 5
of [RFC6920]) of the URI.
2.1.15.2. URI Regular Expression Container (regex:)
Prefixed with 'regex:', this string is any regular expression
compatible with POSIX (Section 9 of [POSIX.1]) Extended Regular
Expression used to match against the requested URI. These regular
expressions MUST be evaluated in the POSIX locale (Section 7.2 of
[POSIX.1]).
Note: Because '\' has special meaning in JSON [RFC8259] as the escape
character within JSON strings, the regular expression character '\'
MUST be escaped as '\\'.
An example of a 'regex:' is the following:
[^:]*\\://[^/]*/dir/content/quality_[^/]*/segment.{3}\\.mp4(\\?.*)?
Note: Due to computational complexity of executing arbitrary regular
expressions, it is RECOMMENDED to only execute after verifying the
JWT to ensure its authenticity.
2.2. JWT Header
The header of the JWT MAY be passed via the CDNI Metadata interface
instead of being included in the URISigningPackage. The header value
MUST be transmitted in the serialized encoded form and prepended to
the JWT payload and signature passed in the URISigningPackage prior
to verification. This reduces the size of the signed JWT token.
3. URI Signing Token Renewal
3.1. Overview
For content that is delivered via HTTP in a segmented fashion, such
as MPEG-DASH [MPEG-DASH] or HTTP Live Streaming (HLS) [RFC8216],
special provisions need to be made in order to ensure URI Signing can
be applied. In general, segmented protocols work by breaking large
objects (e.g., videos) into a sequence of small independent segments.
Such segments are then referenced by a separate manifest file, which
either includes a list of URLs to the segments or specifies an
algorithm through which a User Agent can construct the URLs to the
segments. Requests for segments therefore originate from the
manifest file and, unless the URLs in the manifest file point to the
CSP, are not subjected to redirection and URI Signing. This opens up
a vulnerability to malicious User Agents sharing the manifest file
and deep linking to the segments.
One method for dealing with this vulnerability would be to include,
in the manifest itself, Signed URIs that point to the individual
segments. There exist a number of issues with that approach. First,
it requires the CDN delivering the manifest to rewrite the manifest
file for each User Agent, which would require the CDN to be aware of
the exact segmentation protocol used. Secondly, it could also
require the expiration time of the Signed URIs to be valid for an
extended duration if the content described by the manifest is meant
to be consumed in real time. For instance, if the manifest file were
to contain a segmented video stream of more than 30 minutes in
length, Signed URIs would require to be valid for at least 30
minutes, thereby reducing their effectiveness and that of the URI
Signing mechanism in general. For a more detailed analysis of how
segmented protocols such as HTTP Adaptive Streaming protocols affect
CDNI, see Models for HTTP-Adaptive-Streaming-Aware Content
Distribution Network Interconnection (CDNI) [RFC6983].
The method described in this section allows CDNs to use URI Signing
for segmented content without having to include the Signed URIs in
the manifest files themselves.
3.2. Signed Token Renewal Mechanism
In order to allow for effective access control of segmented content,
the URI Signing mechanism defined in this section is based on a
method through which subsequent segment requests can be linked
together. As part of the JWT verification procedure, the CDN can
generate a new signed JWT that the UA can use to do a subsequent
request. More specifically, whenever a UA successfully retrieves a
segment, it receives, in the HTTP 2xx Successful message, a signed
JWT that it can use whenever it requests the next segment. As long
as each successive signed JWT is correctly verified before a new one
is generated, the model is not broken, and the User Agent can
successfully retrieve additional segments. Given the fact that with
segmented protocols it is usually not possible to determine a priori
which segment will be requested next (i.e., to allow for seeking
within the content and for switching to a different representation),
the Signed Token Renewal uses the URI Regular Expression Container
scoping mechanisms in the URI Container (cdniuc) claim to allow a
signed JWT to be valid for more than one URL.
In order for this renewal of signed JWTs to work, it is necessary for
a UA to extract the signed JWT from the HTTP 2xx Successful message
of an earlier request and use it to retrieve the next segment. The
exact mechanism by which the client does this is outside the scope of
this document. However, in order to also support legacy UAs that do
not include any specific provisions for the handling of signed JWTs,
Section 3.3 defines a mechanism using HTTP Cookies [RFC6265] that
allows such UAs to support the concept of renewing signed JWTs
without requiring any additional UA support.
3.2.1. Required Claims
The cdnistt claim (Section 2.1.13) and cdniets claim (Section 2.1.12)
MUST both be present for Signed Token Renewal. cdnistt MAY be set to
a value of '0' to mean no Signed Token Renewal, but there still MUST
be a corresponding cdniets that verifies as a JSON number. However,
if use of Signed Token Renewal is not desired, it is RECOMMENDED to
simply omit both.
3.3. Communicating a Signed JWT in Signed Token Renewal
This section assumes the value of the CDNI Signed Token Transport
(cdnistt) claim has been set to 1.
When using the Signed Token Renewal mechanism, the signed JWT is
transported to the UA via a 'URISigningPackage' cookie added to the
HTTP 2xx Successful message along with the content being returned to
the UA, or to the HTTP 3xx Redirection message in case the UA is
redirected to a different server.
3.3.1. Support for Cross-Domain Redirection
For security purposes, the use of cross-domain cookies is not
supported in some application environments. As a result, the Cookie-
based method for transport of the Signed Token described in
Section 3.3 might break if used in combination with an HTTP 3xx
Redirection response where the target URL is in a different domain.
In such scenarios, Signed Token Renewal of a signed JWT SHOULD be
communicated via the query string instead, in a similar fashion to
how regular signed JWTs (outside of Signed Token Renewal) are
communicated. Note the value of the CDNI Signed Token Transport
(cdnistt) claim MUST be set to 2.
Note that the process described herein only works in cases where both
the manifest file and segments constituting the segmented content are
delivered from the same domain. In other words, any redirection
between different domains needs to be carried out while retrieving
the manifest file.
4. Relationship with CDNI Interfaces
Some of the CDNI Interfaces need enhancements to support URI Signing.
A dCDN that supports URI Signing needs to be able to advertise this
capability to the uCDN. The uCDN needs to select a dCDN based on
such capability when the CSP requires access control to enforce its
distribution policy via URI Signing. Also, the uCDN needs to be able
to distribute via the CDNI Metadata interface the information
necessary to allow the dCDN to verify a Signed URI. Events that
pertain to URI Signing (e.g., request denial or delivery after an
access authorization decision has been made) need to be included in
the logs communicated through the CDNI Logging interface.
4.1. CDNI Control Interface
URI Signing has no impact on this interface.
4.2. CDNI Footprint & Capabilities Advertisement Interface
The CDNI Request Routing: Footprint and Capabilities Semantics
document [RFC8008] defines support for advertising CDNI Metadata
capabilities via CDNI Payload Type. The CDNI Payload Type registered
in Section 6.1 can be used for capability advertisement.
4.3. CDNI Request Routing Redirection Interface
The CDNI Request Routing Redirection Interface [RFC7975] describes
the recursive request redirection method. For URI Signing, the uCDN
signs the URI provided by the dCDN. URI Signing therefore has no
impact on this interface.
4.4. CDNI Metadata Interface
The CDNI Metadata Interface [RFC8006] describes the CDNI Metadata
distribution needed to enable content acquisition and delivery. For
URI Signing, a new CDNI Metadata object is specified.
The UriSigning Metadata object contains information to enable URI
Signing and verification by a dCDN. The UriSigning properties are
defined below.
Property: enforce
Description: URI Signing enforcement flag. Specifically, this
flag indicates if the access to content is subject to URI
Signing. URI Signing requires the dCDN to ensure that the
URI is signed and verified before delivering content.
Otherwise, the dCDN does not perform verification,
regardless of whether or not the URI is signed.
Type: Boolean
Mandatory-to-Specify: No. The default is true.
Property: issuers
Description: A list of valid Issuers against which the Issuer
claim in the signed JWT may be cross-referenced.
Type: Array of Strings
Mandatory-to-Specify: No. The default is an empty list. An
empty list means that any Issuer in the trusted key store of
Issuers is acceptable.
Property: package-attribute
Description: The attribute name to use for the URI Signing
Package.
Type: String
Mandatory-to-Specify: No. The default is "URISigningPackage".
Property: jwt-header
Description: The header part of JWT that is used for verifying
a signed JWT when the JWT token in the URI Signing Package
does not contain a header part.
Type: String
Mandatory-to-Specify: No. By default, the header is assumed
to be included in the JWT token.
The following is an example of a URI Signing metadata payload with
all default values:
{
"generic-metadata-type": "MI.UriSigning"
"generic-metadata-value": {}
}
The following is an example of a URI Signing metadata payload with
explicit values:
{
"generic-metadata-type": "MI.UriSigning"
"generic-metadata-value":
{
"enforce": true,
"issuers": ["csp", "ucdn1", "ucdn2"],
"package-attribute": "usp",
"jwt-header":
{
"alg": "ES256",
"kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0"
}
}
}
4.5. CDNI Logging Interface
For URI Signing, the dCDN reports that enforcement of the access
control was applied to the request for content delivery. When the
request is denied due to enforcement of URI Signing, the reason is
logged.
The following CDNI Logging field for URI Signing SHOULD be supported
in the HTTP Request Logging Record as specified in "Content
Distribution Network Interconnection (CDNI) Logging Interface"
[RFC7937] using the new "cdni_http_request_v2" record-type registered
in Section 6.2.1.
* s-uri-signing (mandatory):
Format: 3DIGIT
Field value: this characterizes the URI Signing verification
performed by the Surrogate on the request. The allowed values
are registered in Section 6.4.
Occurrence: there MUST be zero or exactly one instance of this
field.
* s-uri-signing-deny-reason (optional):
Format: QSTRING
Field value: a string for providing further information in case
the signed JWT was rejected, e.g., for debugging purposes.
Occurrence: there MUST be zero or exactly one instance of this
field.
5. URI Signing Message Flow
URI Signing supports both HTTP-based and DNS-based request routing.
JSON Web Token (JWT) [RFC7519] defines a compact, URL-safe means of
representing claims to be transferred between two parties. The
claims in a Signed JWT are encoded as a JSON object that is used as
the payload of a JSON Web Signature (JWS) structure enabling the
claims to be digitally signed or integrity protected with a Message
Authentication Code (MAC).
5.1. HTTP Redirection
For HTTP-based request routing, a set of information that is unique
to a given end user content request is included in a Signed JWT,
using key information that is specific to a pair of adjacent CDNI
hops (e.g., between the CSP and the uCDN or between the uCDN and a
dCDN). This allows a CDNI hop to ascertain the authenticity of a
given request received from a previous CDNI hop.
The URI Signing method (assuming HTTP redirection, iterative request
routing, and a CDN path with two CDNs) includes the following steps:
End-User dCDN uCDN CSP
| | | |
| 1.CDNI FCI used to | |
| advertise URI Signing capability | |
| |------------------->| |
| | | |
| 2.Provides information to verify Signed JWT |
| | |<-------------------|
| | | |
| 3.CDNI Metadata interface used to| |
| provide URI Signing attributes| |
| |<-------------------| |
: : : :
: (Later in time) : : :
|4.Authorization request | |
|------------------------------------------------------------->|
| | | [Apply distribution
| | | policy] |
| | | |
| | (ALT: Authorization decision)
|5.Request is denied | | <Negative> |
|<-------------------------------------------------------------|
| | | |
|6.CSP provides Signed URI | <Positive> |
|<-------------------------------------------------------------|
| | | |
|7.Content request | | |
|---------------------------------------->| [Verify URI |
| | | signature] |
| | | |
| | (ALT: Verification result) |
|8.Request is denied | <Negative>| |
|<----------------------------------------| |
| | | |
|9.Re-sign URI and redirect to <Positive>| |
| dCDN (newly Signed URI) | |
|<----------------------------------------| |
| | | |
|10.Content request | | |
|------------------->| [Verify URI | |
| | signature] | |
| | | |
| (ALT: Verification result) | |
|11.Request is denied| <Negative> | |
|<-------------------| | |
| | | |
|12.Content delivery | <Positive> | |
|<-------------------| | |
: : : :
: (Later in time) : : :
|13.CDNI Logging interface to include URI Signing information |
| |------------------->| |
Figure 3: HTTP-Based Request Routing with URI Signing
1. Using the CDNI Footprint & Capabilities Advertisement interface,
the dCDN advertises its capabilities including URI Signing
support to the uCDN.
2. CSP provides to the uCDN the information needed to verify Signed
URIs from that CSP. For example, this information will include
one or more keys used for validation.
3. Using the CDNI Metadata interface, the uCDN communicates to a
dCDN the information needed to verify Signed URIs from the uCDN
for the given CSP. For example, this information may include
the URI query string parameter name for the URI Signing Package
Attribute in addition to keys used for validation.
4. When a UA requests a piece of protected content from the CSP,
the CSP makes a specific authorization decision for this unique
request based on its local distribution policy.
5. If the authorization decision is negative, the CSP rejects the
request and sends an error code (e.g., 403 Forbidden) in the
HTTP response.
6. If the authorization decision is positive, the CSP computes a
Signed JWT that is based on unique parameters of that request
and conveys it to the end user as the URI to use to request the
content.
7. On receipt of the corresponding content request, the uCDN
verifies the Signed JWT in the URI using the information
provided by the CSP.
8. If the verification result is negative, the uCDN rejects the
request and sends an error code 403 Forbidden in the HTTP
response.
9. If the verification result is positive, the uCDN computes a
Signed JWT that is based on unique parameters of that request
and provides it to the end user as the URI to use to further
request the content from the dCDN.
10. On receipt of the corresponding content request, the dCDN
verifies the Signed JWT in the Signed URI using the information
provided by the uCDN in the CDNI Metadata.
11. If the verification result is negative, the dCDN rejects the
request and sends an error code 403 Forbidden in the HTTP
response.
12. If the verification result is positive, the dCDN serves the
request and delivers the content.
13. At a later time, the dCDN reports logging events that include
URI Signing information.
With HTTP-based request routing, URI Signing matches well the general
chain of trust model of CDNI both with symmetric and asymmetric keys
because the key information only needs to be specific to a pair of
adjacent CDNI hops.
Note: While using a symmetric shared key is supported, it is NOT
RECOMMENDED. See the Security Considerations (Section 7) about the
limitations of shared keys.
5.2. DNS Redirection
For DNS-based request routing, the CSP and uCDN must agree on a trust
model appropriate to the security requirements of the CSP's
particular content. Use of asymmetric public/private keys allows for
unlimited distribution of the public key to dCDNs. However, if a
shared secret key is required, then the distribution SHOULD be
performed by the CSP directly.
Note: While using a symmetric shared key is supported, it is NOT
RECOMMENDED. See the Security Considerations (Section 7) about the
limitations of shared keys.
The URI Signing method (assuming iterative DNS request routing and a
CDN path with two CDNs) includes the following steps.
End-User dCDN uCDN CSP
| | | |
| 1.CDNI FCI used to | |
| advertise URI Signing capability | |
| |------------------->| |
| | | |
| 2.Provides information to verify Signed JWT |
| | |<-------------------|
| 3.CDNI Metadata interface used to| |
| provide URI Signing attributes| |
| |<-------------------| |
: : : :
: (Later in time) : : :
|4.Authorization request | |
|------------------------------------------------------------->|
| | | [Apply distribution
| | | policy] |
| | | |
| | (ALT: Authorization decision)
|5.Request is denied | | <Negative> |
|<-------------------------------------------------------------|
| | | |
|6.Provides Signed URI | <Positive> |
|<-------------------------------------------------------------|
| | | |
|7.DNS request | | |
|---------------------------------------->| |
| | | |
|8.Redirect DNS to dCDN | |
|<----------------------------------------| |
| | | |
|9.DNS request | | |
|------------------->| | |
| | | |
|10.IP address of Surrogate | |
|<-------------------| | |
| | | |
|11.Content request | | |
|------------------->| [Verify URI | |
| | signature] | |
| | | |
| (ALT: Verification result) | |
|12.Request is denied| <Negative> | |
|<-------------------| | |
| | | |
|13.Content delivery | <Positive> | |
|<-------------------| | |
: : : :
: (Later in time) : : :
|14.CDNI Logging interface to report URI Signing information |
| |------------------->| |
Figure 4: DNS-based Request Routing with URI Signing
1. Using the CDNI Footprint & Capabilities Advertisement interface,
the dCDN advertises its capabilities including URI Signing
support to the uCDN.
2. CSP provides to the uCDN the information needed to verify Signed
JWTs from that CSP. For example, this information will include
one or more keys used for validation.
3. Using the CDNI Metadata interface, the uCDN communicates to a
dCDN the information needed to verify Signed JWTs from the CSP
(e.g., the URI query string parameter name for the URI Signing
Package Attribute). In the case of symmetric shared key, the
uCDN MUST NOT share the key with a dCDN.
4. When a UA requests a piece of protected content from the CSP,
the CSP makes a specific authorization decision for this unique
request based on its local distribution policy.
5. If the authorization decision is negative, the CSP rejects the
request and sends an error code (e.g., 403 Forbidden) in the
HTTP response.
6. If the authorization decision is positive, the CSP computes a
Signed JWT that is based on unique parameters of that request
and includes it in the URI provided to the end user to request
the content.
7. The end user sends a DNS request to the uCDN.
8. On receipt of the DNS request, the uCDN redirects the request to
the dCDN.
9. The end user sends a DNS request to the dCDN.
10. On receipt of the DNS request, the dCDN responds with IP address
of one of its Surrogates.
11. On receipt of the corresponding content request, the dCDN
verifies the Signed JWT in the URI using the information
provided by the uCDN in the CDNI Metadata.
12. If the verification result is negative, the dCDN rejects the
request and sends an error code 403 Forbidden in the HTTP
response.
13. If the verification result is positive, the dCDN serves the
request and delivers the content.
14. At a later time, dCDN reports logging events that includes URI
Signing information.
With DNS-based request routing, URI Signing matches well the general
chain of trust model of CDNI when used with asymmetric keys because
the only key information that needs to be distributed across
multiple, possibly untrusted, CDNI hops is the public key, which is
generally not confidential.
With DNS-based request routing, URI Signing does not match well with
the general chain of trust model of CDNI when used with symmetric
keys because the symmetric key information needs to be distributed
across multiple CDNI hops to CDNs with which the CSP may not have a
trust relationship. This raises a security concern for applicability
of URI Signing with symmetric keys in case of DNS-based inter-CDN
request routing. Due to these flaws, this architecture MUST NOT be
implemented.
Note: While using a symmetric shared key is supported, it is NOT
RECOMMENDED. See the Security Considerations (Section 7) about the
limitations of shared keys.
6. IANA Considerations
6.1. CDNI Payload Type
IANA has registered the following CDNI Payload Type under the IANA
"CDNI Payload Types" registry:
+===============+===============+
| Payload Type | Specification |
+===============+===============+
| MI.UriSigning | RFC 9246 |
+---------------+---------------+
Table 1
6.1.1. CDNI UriSigning Payload Type
Purpose: The purpose of this payload type is to distinguish
UriSigning Metadata interface (MI) objects (and any associated
capability advertisement).
Interface: MI/FCI
Encoding: see Section 4.4
6.2. CDNI Logging Record Type
IANA has registered the following CDNI Logging record-type under the
IANA "CDNI Logging record-types" registry:
+======================+===========+===========================+
| record-types | Reference | Description |
+======================+===========+===========================+
| cdni_http_request_v2 | RFC 9246 | Extension to CDNI Logging |
| | | Record version 1 for |
| | | content delivery using |
| | | HTTP, to include URI |
| | | Signing Logging fields |
+----------------------+-----------+---------------------------+
Table 2
6.2.1. CDNI Logging Record Version 2 for HTTP
The "cdni_http_request_v2" record-type supports all of the fields
supported by the "cdni_http_request_v1" record-type [RFC7937] plus
the two additional fields "s-uri-signing" and "s-uri-signing-deny-
reason", registered by this document in Section 6.3. The name,
format, field value, and occurrence information for the two new
fields can be found in Section 4.5 of this document.
6.3. CDNI Logging Field Names
IANA has registered the following CDNI Logging fields under the IANA
"CDNI Logging Field Names" registry:
+===========================+===========+
| Field Name | Reference |
+===========================+===========+
| s-uri-signing | RFC 9246 |
+---------------------------+-----------+
| s-uri-signing-deny-reason | RFC 9246 |
+---------------------------+-----------+
Table 3
6.4. CDNI URI Signing Verification Code
IANA has created a new "CDNI URI Signing Verification Code"
subregistry in the "Content Delivery Networks Interconnection (CDNI)
Parameters" registry. The "CDNI URI Signing Verification Code"
namespace defines the valid values associated with the s-uri-signing
CDNI Logging field. The CDNI URI Signing Verification Code is a
3DIGIT value as defined in Section 4.5. Additions to the CDNI URI
Signing Verification Code namespace will conform to the
"Specification Required" policy as defined in [RFC8126]. Updates to
this subregistry are expected to be infrequent.
+=======+===========+=====================================+
| Value | Reference | Description |
+=======+===========+=====================================+
| 000 | RFC 9246 | No signed JWT verification |
| | | performed |
+-------+-----------+-------------------------------------+
| 200 | RFC 9246 | Signed JWT verification performed |
| | | and verified |
+-------+-----------+-------------------------------------+
| 400 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of incorrect |
| | | signature |
+-------+-----------+-------------------------------------+
| 401 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Issuer |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 402 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Subject |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 403 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Audience |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 404 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Expiration |
| | | Time enforcement |
+-------+-----------+-------------------------------------+
| 405 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Not Before |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 406 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because only one of |
| | | CDNI Signed Token Transport or CDNI |
| | | Expiration Time Setting present |
+-------+-----------+-------------------------------------+
| 407 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of JWT ID |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 408 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Version |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 409 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Critical |
| | | Extension enforcement |
+-------+-----------+-------------------------------------+
| 410 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of Client IP |
| | | enforcement |
+-------+-----------+-------------------------------------+
| 411 | RFC 9246 | Signed JWT verification performed |
| | | and rejected because of URI |
| | | Container enforcement |
+-------+-----------+-------------------------------------+
| 500 | RFC 9246 | Unable to perform signed JWT |
| | | verification because of malformed |
| | | URI |
+-------+-----------+-------------------------------------+
Table 4
6.5. CDNI URI Signing Signed Token Transport
IANA has created a new "CDNI URI Signing Signed Token Transport"
subregistry in the "Content Delivery Networks Interconnection (CDNI)
Parameters" registry. The "CDNI URI Signing Signed Token Transport"
namespace defines the valid values that may be in the Signed Token
Transport (cdnistt) JWT claim. Additions to the Signed Token
Transport namespace conform to the "Specification Required" policy as
defined in [RFC8126]. Updates to this subregistry are expected to be
infrequent.
The following table defines the initial Enforcement Information
Elements:
+=======+=============================================+==========+
| Value | Description | RFC |
+=======+=============================================+==========+
| 0 | Designates token transport is not enabled | RFC 9246 |
+-------+---------------------------------------------+----------+
| 1 | Designates token transport via cookie | RFC 9246 |
+-------+---------------------------------------------+----------+
| 2 | Designates token transport via query string | RFC 9246 |
+-------+---------------------------------------------+----------+
Table 5
6.6. JSON Web Token Claims Registration
This specification registers the following claims in the IANA "JSON
Web Token Claims" registry [IANA.JWT.Claims] established by
[RFC7519].
6.6.1. Registry Contents
Claim Name: cdniv
Claim Description: CDNI Claim Set Version
Change Controller: IESG
Specification Document(s): Section 2.1.8 of RFC 9246
Claim Name: cdnicrit
Claim Description: CDNI Critical Claims Set
Change Controller: IESG
Specification Document(s): Section 2.1.9 of RFC 9246
Claim Name: cdniip
Claim Description: CDNI IP Address
Change Controller: IESG
Specification Document(s): Section 2.1.10 of RFC 9246
Claim Name: cdniuc
Claim Description: CDNI URI Container
Change Controller: IESG
Specification Document(s): Section 2.1.11 of RFC 9246
Claim Name: cdniets
Claim Description: CDNI Expiration Time Setting for Signed Token
Renewal
Change Controller: IESG
Specification Document(s): Section 2.1.12 of RFC 9246
Claim Name: cdnistt
Claim Description: CDNI Signed Token Transport Method for Signed
Token Renewal
Change Controller: IESG
Specification Document(s): Section 2.1.13 of RFC 9246
Claim Name: cdnistd
Claim Description: CDNI Signed Token Depth
Change Controller: IESG
Specification Document(s): Section 2.1.14 of RFC 9246
6.7. Expert Review Guidance
Generally speaking, we should determine the registration has a
rational justification and does not duplicate a previous
registration. Early assignment should be permissible as long as
there is a reasonable expectation that the specification will become
formalized. Expert Reviewers should be empowered to make
determinations, but generally speaking they should allow new claims
that do not otherwise introduce conflicts with implementation or
things that may lead to confusion. They should also follow the
guidelines of Section 5 of [RFC8126] when sensible.
7. Security Considerations
This document describes the concept of URI Signing and how it can be
used to provide access authorization in the case of CDNI. The
primary goal of URI Signing is to make sure that only authorized UAs
are able to access the content, with a CSP being able to authorize
every individual request. It should be noted that URI Signing is not
a content protection scheme; if a CSP wants to protect the content
itself, other mechanisms, such as DRM, are more appropriate.
CDNI URI Signing Signed Tokens leverage JSON Web Tokens and thus,
guidelines in [RFC8725] are applicable for all JWT interactions.
In general, it holds that the level of protection against
illegitimate access can be increased by including more claims in the
signed JWT. The current version of this document includes claims for
enforcing Issuer, Client IP Address, Not Before time, and Expiration
Time; however, this list can be extended with other more complex
attributes that are able to provide some form of protection against
some of the vulnerabilities highlighted below.
That said, there are a number of aspects that limit the level of
security offered by URI Signing and that anybody implementing URI
Signing should be aware of.
Replay attacks: A (valid) Signed URI may be used to perform replay
attacks. The vulnerability to replay attacks can be reduced by
picking a relatively short window between the Not Before time and
Expiration Time attributes, although this is limited by the fact
that any HTTP-based request needs a window of at least a couple of
seconds to prevent sudden network issues from denying legitimate
UAs access to the content. One may also reduce exposure to replay
attacks by including a unique one-time access ID via the JWT ID
attribute (jti claim). Whenever the dCDN receives a request with
a given unique ID, it adds that ID to the list of 'used' IDs. In
the case an illegitimate UA tries to use the same URI through a
replay attack, the dCDN can deny the request based on the already
used access ID. This list should be kept bounded. A reasonable
approach would be to expire the entries based on the exp claim
value. If no exp claim is present, then a simple Least Recently
Used (LRU) cache could be used; however, this would allow values
to eventually be reused.
Illegitimate clients behind a NAT: In cases where there are multiple
users behind the same NAT, all users will have the same IP address
from the point of view of the dCDN. This results in the dCDN not
being able to distinguish between different users based on Client
IP Address, which can lead to illegitimate users being able to
access the content. One way to reduce exposure to this kind of
attack is to not only check for Client IP but also for other
attributes, e.g., attributes that can be found in HTTP headers.
However, this may be easily circumvented by a sophisticated
attacker.
A shared key distributed between CSP and uCDN is more likely to be
compromised. Since this key can be used to legitimately sign a URL
for content access authorization, it is important to know the
implications of a compromised shared key. While using a shared key
scheme can be convenient, this architecture is NOT RECOMMENDED due to
the risks associated. It is included for legacy feature parity and
is highly discouraged in new implementations.
If a shared key usable for signing is compromised, an attacker can
use it to perform a denial-of-service attack by forcing the CDN to
evaluate prohibitively expensive regular expressions embedded in a
URI Container (cdniuc) claim. As a result, compromised keys should
be timely revoked in order to prevent exploitation.
The URI Container (cdniuc) claim can be given a wildcard value.
This, combined with the fact that it is the only mandatory claim,
means you can effectively make a skeleton key. Doing this does not
sufficiently limit the scope of the JWT and is NOT RECOMMENDED. The
only way to prevent such a key from being used after it is
distributed is to revoke the signing key so it no longer validates.
8. Privacy
The privacy protection concerns described in "Content Distribution
Network Interconnection (CDNI) Logging Interface" [RFC7937] apply
when the client's IP address (cdniip) or Subject (sub) is embedded in
the Signed URI. For this reason, the mechanism described in
Section 2 encrypts the Client IP or Subject before including it in
the URI Signing Package (and thus the URL itself).
9. References
9.1. Normative References
[POSIX.1] The Open Group, "IEEE Standard for Information Technology
-- Portable Operating System Interface (POSIX(TM)) Base
Specifications, Issue 7", (Revision of IEEE Std
1003.1-2008), IEEE Std 1003.1-2017, January 2018,
<https://pubs.opengroup.org/onlinepubs/9699919799/>.
[RFC0791] Postel, J., "Internet Protocol", STD 5, RFC 791,
DOI 10.17487/RFC0791, September 1981,
<https://www.rfc-editor.org/info/rfc791>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>.
[RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch,
"Network Time Protocol Version 4: Protocol and Algorithms
Specification", RFC 5905, DOI 10.17487/RFC5905, June 2010,
<https://www.rfc-editor.org/info/rfc5905>.
[RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
Address Text Representation", RFC 5952,
DOI 10.17487/RFC5952, August 2010,
<https://www.rfc-editor.org/info/rfc5952>.
[RFC6265] Barth, A., "HTTP State Management Mechanism", RFC 6265,
DOI 10.17487/RFC6265, April 2011,
<https://www.rfc-editor.org/info/rfc6265>.
[RFC6570] Gregorio, J., Fielding, R., Hadley, M., Nottingham, M.,
and D. Orchard, "URI Template", RFC 6570,
DOI 10.17487/RFC6570, March 2012,
<https://www.rfc-editor.org/info/rfc6570>.
[RFC6707] Niven-Jenkins, B., Le Faucheur, F., and N. Bitar, "Content
Distribution Network Interconnection (CDNI) Problem
Statement", RFC 6707, DOI 10.17487/RFC6707, September
2012, <https://www.rfc-editor.org/info/rfc6707>.
[RFC6920] Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B.,
Keranen, A., and P. Hallam-Baker, "Naming Things with
Hashes", RFC 6920, DOI 10.17487/RFC6920, April 2013,
<https://www.rfc-editor.org/info/rfc6920>.
[RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Message Syntax and Routing",
RFC 7230, DOI 10.17487/RFC7230, June 2014,
<https://www.rfc-editor.org/info/rfc7230>.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
RFC 7516, DOI 10.17487/RFC7516, May 2015,
<https://www.rfc-editor.org/info/rfc7516>.
[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
(JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
<https://www.rfc-editor.org/info/rfc7519>.
[RFC7937] Le Faucheur, F., Ed., Bertrand, G., Ed., Oprescu, I., Ed.,
and R. Peterkofsky, "Content Distribution Network
Interconnection (CDNI) Logging Interface", RFC 7937,
DOI 10.17487/RFC7937, August 2016,
<https://www.rfc-editor.org/info/rfc7937>.
[RFC8006] Niven-Jenkins, B., Murray, R., Caulfield, M., and K. Ma,
"Content Delivery Network Interconnection (CDNI)
Metadata", RFC 8006, DOI 10.17487/RFC8006, December 2016,
<https://www.rfc-editor.org/info/rfc8006>.
[RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Writing an IANA Considerations Section in RFCs", BCP 26,
RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
9.2. Informative References
[IANA.JWT.Claims]
IANA, "JSON Web Token (JWT)",
<https://www.iana.org/assignments/jwt>.
[MPEG-DASH]
ISO, "Information technology -- Dynamic adaptive streaming
over HTTP (DASH) -- Part 1: Media presentation description
and segment formats", ISO/IEC 23009-1:2019, Edition 4,
December 2019, <https://www.iso.org/standard/79329.html>.
[RFC6983] van Brandenburg, R., van Deventer, O., Le Faucheur, F.,
and K. Leung, "Models for HTTP-Adaptive-Streaming-Aware
Content Distribution Network Interconnection (CDNI)",
RFC 6983, DOI 10.17487/RFC6983, July 2013,
<https://www.rfc-editor.org/info/rfc6983>.
[RFC7336] Peterson, L., Davie, B., and R. van Brandenburg, Ed.,
"Framework for Content Distribution Network
Interconnection (CDNI)", RFC 7336, DOI 10.17487/RFC7336,
August 2014, <https://www.rfc-editor.org/info/rfc7336>.
[RFC7337] Leung, K., Ed. and Y. Lee, Ed., "Content Distribution
Network Interconnection (CDNI) Requirements", RFC 7337,
DOI 10.17487/RFC7337, August 2014,
<https://www.rfc-editor.org/info/rfc7337>.
[RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517,
DOI 10.17487/RFC7517, May 2015,
<https://www.rfc-editor.org/info/rfc7517>.
[RFC7975] Niven-Jenkins, B., Ed. and R. van Brandenburg, Ed.,
"Request Routing Redirection Interface for Content
Delivery Network (CDN) Interconnection", RFC 7975,
DOI 10.17487/RFC7975, October 2016,
<https://www.rfc-editor.org/info/rfc7975>.
[RFC8008] Seedorf, J., Peterson, J., Previdi, S., van Brandenburg,
R., and K. Ma, "Content Delivery Network Interconnection
(CDNI) Request Routing: Footprint and Capabilities
Semantics", RFC 8008, DOI 10.17487/RFC8008, December 2016,
<https://www.rfc-editor.org/info/rfc8008>.
[RFC8216] Pantos, R., Ed. and W. May, "HTTP Live Streaming",
RFC 8216, DOI 10.17487/RFC8216, August 2017,
<https://www.rfc-editor.org/info/rfc8216>.
[RFC8725] Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best
Current Practices", BCP 225, RFC 8725,
DOI 10.17487/RFC8725, February 2020,
<https://www.rfc-editor.org/info/rfc8725>.
Appendix A. Signed URI Package Example
This section contains three examples of token usage: a simple example
with only the required claim present, a complex example that
demonstrates the full JWT claims set, including an encrypted Client
IP Address (cdniip), and one that uses a Signed Token Renewal.
Note: All of the examples have empty space added to improve
formatting and readability, but are not present in the generated
content.
All examples use the following JWK Set [RFC7517]:
{ "keys": [
{
"kty": "EC",
"kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0",
"use": "sig",
"alg": "ES256",
"crv": "P-256",
"x": "be807S4O7dzB6I4hTiCUvmxCI6FuxWba1xYBlLSSsZ8",
"y": "rOGC4vI69g-WF9AGEVI37sNNwbjIzBxSjLvIL7f3RBA"
},
{
"kty": "EC",
"kid": "P5UpOv0eMq1wcxLf7WxIg09JdSYGYFDOWkldueaImf0",
"use": "sig",
"alg": "ES256",
"crv": "P-256",
"x": "be807S4O7dzB6I4hTiCUvmxCI6FuxWba1xYBlLSSsZ8",
"y": "rOGC4vI69g-WF9AGEVI37sNNwbjIzBxSjLvIL7f3RBA",
"d": "yaowezrCLTU6yIwUL5RQw67cHgvZeMTLVZXjUGb1A1M"
},
{
"kty": "oct",
"kid": "f-WbjxBC3dPuI3d24kP2hfvos7Qz688UTi6aB0hN998",
"use": "enc",
"alg": "A128GCM",
"k": "4uFxxV7fhNmrtiah2d1fFg"
}
]}
Note: They are the public signing key, the private signing key, and
the shared secret encryption key, respectively. The public and
private signing keys have the same fingerprint and only vary by the
'd' parameter that is missing from the public signing key.
A.1. Simple Example
This example is a simple common usage example containing a minimal
subset of claims that the authors find most useful.
The JWT Claim Set before signing:
Note: "sha-256;2tderfWPa86Ku7YnzW51YUp7dGUjBS_3SW3ELx4hmWY" is the
URL Segment form (Section 5 of [RFC6920]) of
"http://cdni.example/foo/bar".
{
"exp": 1646867369,
"iss": "uCDN Inc",
"cdniuc":
"hash:sha-256;2tderfWPa86Ku7YnzW51YUp7dGUjBS_3SW3ELx4hmWY"
}
The signed JWT:
eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU
dZRkRPV2tsZHVlYUltZjAifQ.eyJleHAiOjE2NDY4NjczNjksImlzcyI6InVDRE4gS
W5jIiwiY2RuaXVjIjoiaGFzaDpzaGEtMjU2OzJ0ZGVyZldQYTg2S3U3WW56VzUxWVV
wN2RHVWpCU18zU1czRUx4NGhtV1kifQ.TaNlJM3D96i_9J9XvlICO6FUIDFTqt3E2Y
JkEUOLfcH0b89wYRKTbJ9Yj6h_GRgSoZoQO0cps3yUPcWGK3smCw
A.2. Complex Example
This example uses all fields except for those dealing with Signed
Token Renewal, including Client IP Address (cdniip) and Subject
(sub), which are encrypted. This significantly increases the size of
the signed JWT token.
JWE for Client IP Address (cdniip) of [2001:db8::1/32]:
eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4QkMzZFB1ST
NkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..aUDDFEQBIc3nWjOb.bGXWT
HPkntmPCKn0pPPNEQ.iyTttnFybO2YBLqwl_YSjA
JWE for Subject (sub) of "UserToken":
eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4QkMzZFB1ST
NkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..CLAu80xclc8Bp-Ui.6P1A3
F6ip2Dv.CohdtLLpgBnTvRJQCFuz-g
The JWT Claim Set before signing:
{
"aud": "dCDN LLC",
"sub": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XYmp4
QkMzZFB1STNkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..CLAu80xclc8B
p-Ui.6P1A3F6ip2Dv.CohdtLLpgBnTvRJQCFuz-g",
"cdniip": "eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIiwia2lkIjoiZi1XY
mp4QkMzZFB1STNkMjRrUDJoZnZvczdRejY4OFVUaTZhQjBoTjk5OCJ9..aUDDFEQBI
c3nWjOb.bGXWTHPkntmPCKn0pPPNEQ.iyTttnFybO2YBLqwl_YSjA",
"cdniv": 1,
"exp": 1646867369,
"iat": 1646694569,
"iss": "uCDN Inc",
"jti": "5DAafLhZAfhsbe",
"nbf": 1646780969,
"cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.png"
}
The signed JWT:
eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU
dZRkRPV2tsZHVlYUltZjAifQ.eyJhdWQiOiJkQ0ROIExMQyIsInN1YiI6ImV5Smxib
U1pT2lKQk1USTRSME5OSWl3aVlXeG5Jam9pWkdseUlpd2lhMmxrSWpvaVppMVhZbXA
0UWtNelpGQjFTVE5rTWpSclVESm9ablp2Y3pkUmVqWTRPRlZVYVRaaFFqQm9Uams1T
0NKOS4uQ0xBdTgweGNsYzhCcC1VaS42UDFBM0Y2aXAyRHYuQ29oZHRMTHBnQm5UdlJ
KUUNGdXotZyIsImNkbmlpcCI6ImV5SmxibU1pT2lKQk1USTRSME5OSWl3aVlXeG5Ja
m9pWkdseUlpd2lhMmxrSWpvaVppMVhZbXA0UWtNelpGQjFTVE5rTWpSclVESm9ablp
2Y3pkUmVqWTRPRlZVYVRaaFFqQm9Uams1T0NKOS4uYVVEREZFUUJJYzNuV2pPYi5iR
1hXVEhQa250bVBDS24wcFBQTkVRLml5VHR0bkZ5Yk8yWUJMcXdsX1lTakEiLCJjZG5
pdiI6MSwiZXhwIjoxNjQ2ODY3MzY5LCJpYXQiOjE2NDY2OTQ1NjksImlzcyI6InVDR
E4gSW5jIiwianRpIjoiNURBYWZMaFpBZmhzYmUiLCJuYmYiOjE2NDY3ODA5NjksImN
kbml1YyI6InJlZ2V4Omh0dHA6Ly9jZG5pXFwuZXhhbXBsZS9mb28vYmFyL1swLTlde
zN9XFwucG5nIn0.IjmVX0uD5MYqArc-M08uEsEeoDQn8kuYXZ9HGHDmDDxsHikT0c8
jcX8xYD0z3LzQclMG65i1kT2sRbZ7isUw8w
A.3. Signed Token Renewal Example
This example uses fields for Signed Token Renewal.
The JWT Claim Set before signing:
{
"cdniets": 30,
"cdnistt": 1,
"cdnistd": 2,
"exp": 1646867369,
"cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.ts"
}
The signed JWT:
eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU
dZRkRPV2tsZHVlYUltZjAifQ.eyJjZG5pZXRzIjozMCwiY2RuaXN0dCI6MSwiY2Rua
XN0ZCI6MiwiZXhwIjoxNjQ2ODY3MzY5LCJjZG5pdWMiOiJyZWdleDpodHRwOi8vY2R
uaVxcLmV4YW1wbGUvZm9vL2Jhci9bMC05XXszfVxcLnRzIn0.tlPvoKw3BCClw4Lx9
PQu7MK6b2IN55ZoCPSaxovGK0zS53Wpb1MbJBow7G8LiGR39h6-2Iq7PWUSr3MdTIz
HYw
Once the server verifies the signed JWT it will return a new signed
JWT with an updated Expiry Time (exp) as shown below. Note the
Expiry Time is increased by the expiration time setting (cdniets)
value.
The JWT Claim Set before signing:
{
"cdniets": 30,
"cdnistt": 1,
"cdnistd": 2,
"exp": 1646867399,
"cdniuc": "regex:http://cdni\\.example/foo/bar/[0-9]{3}\\.ts"
}
The signed JWT:
eyJhbGciOiJFUzI1NiIsImtpZCI6IlA1VXBPdjBlTXExd2N4TGY3V3hJZzA5SmRTWU
dZRkRPV2tsZHVlYUltZjAifQ.eyJjZG5pZXRzIjozMCwiY2RuaXN0dCI6MSwiY2Rua
XN0ZCI6MiwiZXhwIjoxNjQ2ODY3Mzk5LCJjZG5pdWMiOiJyZWdleDpodHRwOi8vY2R
uaVxcLmV4YW1wbGUvZm9vL2Jhci9bMC05XXszfVxcLnRzIn0.ivY5d_fKGd-OHTpUs
8uJUrnHvt-rduzu5H4zM7167pUUAghub53FqDQ5G16jRYX2sY73mA_uLpYDdb-CPts
8FA
Acknowledgements
The authors would like to thank the following people for their
contributions in reviewing this document and providing feedback:
Scott Leibrand, Kevin Ma, Ben Niven-Jenkins, Thierry Magnien, Dan
York, Bhaskar Bhupalam, Matt Caulfield, Samuel Rajakumar, Iuniana
Oprescu, Leif Hedstrom, Gancho Tenev, Brian Campbell, and Chris
Lemmons.
Contributors
In addition, the authors would also like to make special mentions for
certain people who contributed significant sections to this document.
* Matt Caulfield provided content for Section 4.4, "CDNI Metadata
Interface".
* Emmanuel Thomas provided content for HTTP Adaptive Streaming.
* Matt Miller provided consultation on JWT usage as well as code to
generate working JWT examples.
Authors' Addresses
Ray van Brandenburg
Tiledmedia
Anna van Buerenplein 1
2595DA Den Haag
Netherlands
Phone: +31 88 866 7000
Email: ray@tiledmedia.com
Kent Leung
Email: mail4kentl@gmail.com
Phil Sorber
Apple, Inc.
Suite 410
1800 Wazee Street
Denver, CO 80202
United States
Email: sorber@apple.com
|
