Re: Requesting reviews of draft-vanrein-httpauth-sasl

On Thu, May 14, 2020 at 9:01 AM Michiel Leenaars <michiel.ml@nlnet.nl> wrote:

> Hi James,
>
> >> This means that a secure transport layer must be used, like
> >> TLS.  The termination of such a secure layer MUST also
> >> terminate any ongoing SASL handshakes.
> >
> > Isn't this incompatible with use cases where TLS termination is
> > separated from the processing of the HTTP request such is common
> > in CDNs, or where a trusted proxy is involved?
>
> arguably, resources fetched from a public CDN are (or should be)
> exclusively static assets,


"Arguably" is doing a lot of work here, as CDNs have already evolved well
beyond this (cf. edge compute).



> which of course can be used in an authenticated
> session but are not part of it.


I'm not sure how to formalize this as a security property. Certainly from
the perspective of the origin model and the browser the CDN *is* the
origin. And for that reason, as a practical matter it is in part
responsible for anything that the browser generates, including
authenticated traffic. (For instance, it can cause the browser to make
authenticated HTTPS requests just as the origin server can).
Can you elaborate on what you mean here?


> TLS can be provided for integrity, but not
> for confidentiality.
>

This seems wrong to me. It's certainly important to users to have the
information they exchange with the CDN be confidential from other actors
on the network. Consider, for instance, a photo sharing site; I don't
want random people to know which photos I view.

-Ekr


> Since a CDN is essentially a cache with man-in-the-middle capabilities
> allowing to observe all the traffic that passes by, it cannot be
> end-to-end secure in the actual sense of the word and should not be
> used as such. So I do not see an incompatibility...
>
> Best,
> Michiel Leenaars
> NLnet Foundation
>
>
>

Received on Thursday, 14 May 2020 16:08:39 UTC