Re: CDN versus edge compute use case distinction (was: Requesting reviews of draft-vanrein-httpauth-sasl)

Eric Rescorla <ekr@rtfm.com> Fri, 15 May 2020 13:14 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFA763A09DC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 May 2020 06:14:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.647
X-Spam-Level:
X-Spam-Status: No, score=-2.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dw_wVERV8vyE for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 15 May 2020 06:14:55 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 439FA3A09DA for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 15 May 2020 06:14:54 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jZa89-0007AU-8G for ietf-http-wg-dist@listhub.w3.org; Fri, 15 May 2020 13:12:01 +0000
Resent-Date: Fri, 15 May 2020 13:12:01 +0000
Resent-Message-Id: <E1jZa89-0007AU-8G@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ekr@rtfm.com>) id 1jZa88-00079j-4f for ietf-http-wg@listhub.w3.org; Fri, 15 May 2020 13:12:00 +0000
Received: from mail-lf1-x136.google.com ([2a00:1450:4864:20::136]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <ekr@rtfm.com>) id 1jZa86-0005px-41 for ietf-http-wg@w3.org; Fri, 15 May 2020 13:11:59 +0000
Received: by mail-lf1-x136.google.com with SMTP id v5so1745006lfp.13 for <ietf-http-wg@w3.org>; Fri, 15 May 2020 06:11:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3SiZa9SZ4olbAwdCDAQQGTAe9dbHlyN0UqnMxEwlKX0=; b=psVMHTOXDVmR4+Goi2oMnxhyadrvOKYxMGvZLsLX2xIotiFBq/qo14+7VUpq4bE9pw akeLvl5uALnstku46apEgQzV13WtqiOUrN51fbBq2ghE4FWK8I2XafvpZSw/ZkQmaBVf 1Gt0AbsqZZcTOY5eRChS5c+ppO3Xa7q7kx9UaQnNnxrkPUwvZyrZYDNH7qwYbYaMLD2D n9L9+mmujvlYX7cWk7lMwF8qmdmuE+SgYn2t5uMU4CoA0CcRqVSdEQ3ThAF26Nu16YRe oZHuIec41lHovrz6SZAtIdOngtiALTM6aSEyX8D/kg61qX1hNHFrBxd4aKiWLUHVXwro GwnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3SiZa9SZ4olbAwdCDAQQGTAe9dbHlyN0UqnMxEwlKX0=; b=Y6ySb6lX0fVW5GBnTDELXsOa4ERScTob0pYV3MK/cIdK61k2r8mQn3YBa8rInbuT7+ +ATzwKa0mYU8nyNePJ3gmRiIxdBN/jK/Gb40itpDOyOtU1q00qPZUklFp+cxSiBaNppc TEgqYxIgcbtwoOJTebZNvKjkfAsQESvPmjcTzUSpyB2bPx7Np20TjjwE37aRv1B4wiuF u8s1jrtTv3cXra0yB7HS85KKlC6/Kap/Tu25uluHQo6GokmliqGVyEpa1gJTa0ddhTB3 yol5pJ5s/fM24qGAMfWNqOtomSD4h1AZVDn6qOAS8XCloGb00HCqgoZ0QWrZ6hDIr2BV NRkQ==
X-Gm-Message-State: AOAM533a+gI9oVd5ZNt3t93pRFp4DK6LeZPq8YMKSi7WzXanIL4I013M peqoMV1EYN8F9PTXhEvLWhPJk4ptoER7tE48F0Z7zg==
X-Google-Smtp-Source: ABdhPJw++Cx0w7JmwZUVzRsIC2WIOQRJ49XUw/ZGqwS8Tc8WnmDLGoqvEw5D+lfA6WvQS1jD4Mt9PI1rkIWEC7jsyMw=
X-Received: by 2002:a19:5502:: with SMTP id n2mr2357476lfe.168.1589548306152; Fri, 15 May 2020 06:11:46 -0700 (PDT)
MIME-Version: 1.0
References: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com> <CABcZeBMD8++_dRtSD704Ymchi2hBxw74Xs+fLSXWj_6WS5d97g@mail.gmail.com> <217a4fc6-4805-4ee2-bd04-6fbe1d99c35c@nlnet.nl> <3041889.qWDYiAHMai@linux-9daj> <3b1b613f-fcd8-4b2a-84ab-10f7e0cd22d7@nlnet.nl>
In-Reply-To: <3b1b613f-fcd8-4b2a-84ab-10f7e0cd22d7@nlnet.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 15 May 2020 06:11:10 -0700
Message-ID: <CABcZeBM_hbd6jt2q8SL1ixT-CqLQKdhdekETXbpGCDH0qR+4iQ@mail.gmail.com>
To: Michiel Leenaars <michiel.ml@nlnet.nl>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="000000000000246a2005a5af8ec3"
Received-SPF: none client-ip=2a00:1450:4864:20::136; envelope-from=ekr@rtfm.com; helo=mail-lf1-x136.google.com
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1jZa86-0005px-41 03186523a3e17b12d19c4408fe69b88d
X-Original-To: ietf-http-wg@w3.org
Subject: Re: CDN versus edge compute use case distinction (was: Requesting reviews of draft-vanrein-httpauth-sasl)
Archived-At: <https://www.w3.org/mid/CABcZeBM_hbd6jt2q8SL1ixT-CqLQKdhdekETXbpGCDH0qR+4iQ@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37629
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Fri, May 15, 2020 at 1:17 AM Michiel Leenaars <michiel.ml@nlnet.nl>
wrote:

>
>
> Fulfillment (like edge computing) is a different role from delivery, as
> the
> content or service delived by the edge node (like the postal piece) would
> just not exist. It is outsourcing core functionality. My reason to reply
> to
> the original thread was that the traditional CDN role can take place fully
> without authentication (even by pushing it to another subdomain),


I'm not going to get involved in a definitional argument here about what
a CDN is, but in the Web security model, the role of hosting static assets
generally cannot be done without authentication. The reason for this is
that those assets impact the semantics of the web page into which they
are loaded.

Specifically: When JS modules are loaded into a page using
a <script> tag they become part of the context of the page and have the
same privileges as if they were loaded from the origin server. If these
are not authenticated there are trivial attacks. There are other resource
types that are more "static" from the Web's perspective (images
for instance) but these also can be used for more subtle attacks.

-Ekr