Re: HTTPSig authentication

On Tue, Jun 13, 2023 at 10:00 AM Henry Story <henry.story@bblfish.net>
wrote:

> I have been working on an Authentication mechanism working purely at
> the HTTP layer by building just very lightly on the IETF's “Signing HTTP
> Messages” Specification.
>

I'd like to share a real-world use case: one of the larger websites I run
has the following setup:

a) AWS Global Accelerator
- takes incoming connections and routes them to the "nearest" data center
b) 4x EC2 Load Balancers
- one in each data center
- handles TLS termination
- each has a unique SSL certificate
- protocol versions HTTP/2 & HTTP/1.1
c) 8x Reverse Proxies (haproxy) listening
- each load balancer above balances over 2 reverse proxies; each reverse
proxy listens on HTTP/1.1
- each reverse proxy semi-persistently connects to a pool of reverse
proxies over h2c (HTTP/2 Cleartext - 2 over 1.1 without TLS)
d) multiple haproxies listening on h2c then keep-alived through to web
servers
e, f) ... irrelevant, but distant.

I'll spare the details, but the pertinent parts are as follows:
- TLS is lost at level (b); this is true for many others: the TLS is
terminated well before anything we can control and modify in any
consequential manner
- There is not 1 but rather multiple SSL certificates, in our case 4; I
could easily scale this up to 20+, and many still-larger sites will.
- Anything application-level or modifiable is 3 steps away from TLS
termination, and juggled over different connection types with non-static
redundant routes.

That is, if any solution is TLS/SSL based, then unless it's implemented within
majors like AWS/EC2 services, or at the very least haproxy and similar,
without any requirements which run down to the application level, we literally
cannot deploy or utilize it at scale, since the vast majority of scaled
services terminate TLS as early in the process as possible, to cast off that
weight and allow scaling.

Received on Wednesday, 14 June 2023 11:40:24 UTC
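As an added example that is not part of this message or of the HTTPSig work it replies to: the following Python models the request path described above and shows why an HTTP-layer signature is unaffected by TLS termination at hop (b). It uses the RFC 9421 signature-base layout with hmac-sha256 and a shared secret (standard library only); the key id, secret, host names, sample request, and the specific header rewrites attributed to the load balancer and haproxy hops are constructed assumptions, not the poster's configuration.

```python
# Added example (not from the thread or from HTTPSig): an RFC 9421-style HTTP Message Signature
# that survives the TLS-terminating proxy chain the post describes. Stdlib only, hmac-sha256 with
# a shared secret; key id, secret, hosts, sample request and proxy rewrites are all constructed.
import base64
import hashlib
import hmac

KEY_ID = "app-key-1"                                  # constructed key identifier
SECRET = b"constructed-shared-secret-for-this-demo"   # provisioned out of band in practice
COVERED = ["@method", "@authority", "@path", "content-digest"]

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value: sha-256 in sf-binary (:base64:) form."""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def component_value(request: dict, name: str) -> str:
    """Derived components (@...) come from the request target; the rest are trimmed
    field values looked up case-insensitively. Raises KeyError if absent."""
    if name in ("@method", "@path"):
        return request[name[1:]]
    if name == "@authority":       # Host on HTTP/1.1, :authority on HTTP/2: same derived value
        return request["authority"].lower()
    for k, v in request["headers"]:
        if k.lower() == name:
            return v.strip()
    raise KeyError(name)

def signature_base(request: dict, components: list, params: str) -> bytes:
    """RFC 9421 signature base: one '"name": value' line per component, then @signature-params."""
    lines = [f'"{c}": {component_value(request, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign(request: dict, created: int) -> dict:
    """Client side: add Content-Digest, Signature-Input and Signature to a copy of the request."""
    req = {**request, "headers": list(request["headers"])}
    req["headers"].append(("Content-Digest", content_digest(req["body"])))
    inner = " ".join(f'"{c}"' for c in COVERED)
    params = f'({inner});created={created};keyid="{KEY_ID}";alg="hmac-sha256"'
    mac = hmac.new(SECRET, signature_base(req, COVERED, params), hashlib.sha256).digest()
    req["headers"] += [("Signature-Input", f"sig1={params}"),
                       ("Signature", "sig1=:" + base64.b64encode(mac).decode() + ":")]
    return req

def parse_signature_input(value: str):
    """Split 'label=(components);k=v;...' into (label, components, raw params, attrs)."""
    label, params = value.split("=", 1)
    inner, _, rest = params.partition(")")
    components = [c.strip('"') for c in inner.lstrip("(").split()]
    attrs = dict(p.partition("=")[::2] for p in rest.split(";")[1:])
    return label, components, params, {k: v.strip('"') for k, v in attrs.items()}

def verify(request: dict, now: int, max_age: int = 300) -> bool:
    """Application side, several hops past TLS termination: rebuild the signature base
    from the message as received and compare it with the presented MAC (label=:base64:)."""
    try:
        label, components, params, attrs = parse_signature_input(component_value(request, "signature-input"))
        sig = component_value(request, "signature")
        if attrs.get("keyid") != KEY_ID or attrs.get("alg") != "hmac-sha256":
            return False
        if not attrs.get("created", "").isdigit() or not 0 <= now - int(attrs["created"]) <= max_age:
            return False                            # stale or future-dated: bounds replay
        if "content-digest" in components and \
                component_value(request, "content-digest") != content_digest(request["body"]):
            return False                            # signed digest does not match the received body
        presented = base64.b64decode(sig[len(label) + 2:-1])
        expected = hmac.new(SECRET, signature_base(request, components, params), hashlib.sha256).digest()
    except (KeyError, ValueError):
        return False                                # missing or malformed covered component
    return hmac.compare_digest(expected, presented)

def through_proxy_chain(request: dict) -> dict:
    """Model hops (b)-(d) of the post: TLS terminated at the load balancer, hop-by-hop headers
    dropped, forwarding headers added, Host re-framed as :authority over h2c. No covered component changes."""
    req = {**request, "headers": []}
    for k, v in request["headers"]:
        if k.lower() in ("connection", "keep-alive"):
            continue                                # hop-by-hop, never forwarded
        if k.lower() == "host":
            req["authority"] = v                    # HTTP/2 hop: Host becomes :authority
            continue
        req["headers"].append((k, v))
    req["headers"] += [("X-Forwarded-For", "203.0.113.7"), ("X-Forwarded-Proto", "https"),
                       ("Via", "1.1 elb, 2 haproxy")]
    return req

def demo() -> dict:
    """Sign once at the client, verify at the application after the modelled hops."""
    client_request = {"method": "POST", "authority": "api.example.com", "path": "/orders",
                      "body": b'{"item": 42}',                          # constructed sample body
                      "headers": [("Host", "api.example.com"), ("Connection", "keep-alive"),
                                  ("Content-Type", "application/json")]}
    signed, t = sign(client_request, created=1686700000), 1686700010
    at_app = through_proxy_chain(signed)
    return {"direct": verify(signed, now=t),
            "after_proxies": verify(at_app, now=t),
            "tampered_path": verify({**at_app, "path": "/admin/orders"}, now=t),
            "tampered_body": verify({**at_app, "body": b'{"item": 43}'}, now=t),
            "replayed_later": verify(at_app, now=t + 3600)}
```

`demo()` reports which checks pass: the signature verifies at the application both as sent and after the modelled hops (hop-by-hop headers dropped, Host re-framed as :authority, X-Forwarded-* and Via added), and is rejected when the path or body changes or when a captured message is replayed past `max_age`. Nothing in the chain needs to see the original TLS session, which is the property the poster's setup needs; a TLS-bound scheme would instead have to live in the load balancer that holds the certificate.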