Re: Client-Cert Header draft from Lucas Pardue on 2020-04-20 (ietf-http-wg@w3.org from April to June 2020)

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Tue, 21 Apr 2020 00:44:01 +0100
To: "Soni L." <fakedme+http@gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CALGR9oYWJSkaZgtCMSpTZGRJqHJdStZDS64f2mySq-eZo9afGw@mail.gmail.com>

On Tue, Apr 21, 2020 at 12:10 AM Soni L. <fakedme+http@gmail.com> wrote:

> the CDN would have to consent to the client interacting with the server,
> thus not affecting performance, scale and security, and it'd only be for
> non-CDN-safe resources such as private content anyway.
>
>
The CDN provides those features for the origin. That's the purpose.
Allowing clients direct access to the origin means that the origin has to
duplicate the functions a CDN provides or not have them at all. I don't
think that's what people are asking for, particularly people that are happy
to delegate their TLS termination as happens today. What I am aware of is a
desire to understand a property of the TLS connection, just like wanting to
see the negotiated ALPN ID, ciphersuite, client IP address etc. for the
purposes of auditing, analysis or some application logic.

Plus, what you're describing requires a client that is savvy enough to
understand content and the distribution architecture of deployments in
order to decide when to punch through the CDN. That becomes fragile very
quickly.

Received on Monday, 20 April 2020 23:44:25 UTC