Re: Client-Cert Header draft

Lucas Pardue <lucaspardue.24.7@gmail.com> Mon, 20 April 2020 23:02 UTC

References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <C8B0E972-CE82-495D-B657-E5B52B6EAE20@mit.edu> <515d3c47-11c5-c557-f5eb-4c98fff86416@gmail.com> <CA+k3eCRa8YYWVHTkpUGGQj61Uqmp1T_gZyuOTMD=yCXQJ3ZHTA@mail.gmail.com> <c2ea39c4-904f-7c15-b45f-b8b5bf96ad8d@gmail.com>
In-Reply-To: <c2ea39c4-904f-7c15-b45f-b8b5bf96ad8d@gmail.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 20 Apr 2020 23:59:14 +0100
Message-ID: <CALGR9oY6C7kAkUtGti5RdhWtAem3wqX4L4PJoXEweEpxH4NDiA@mail.gmail.com>
To: "Soni L." <fakedme+http@gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/CALGR9oY6C7kAkUtGti5RdhWtAem3wqX4L4PJoXEweEpxH4NDiA@mail.gmail.com>

Hey,

On Mon, Apr 20, 2020 at 11:28 PM Soni L. <fakedme+http@gmail.com> wrote:

> you'd still have a reverse proxy that's terminating TLS and talking HTTP
> with the backend.
>
> you'd just also have a way for that reverse proxy to pass a raw TLS stream
> through, so the client can talk HTTPS with the backend when needed. it'd
> still be in the middle of the connection and fully capable of terminating
> it if it detects potentially abusive behaviour.
>
> On 2020-04-20 7:20 p.m., Brian Campbell wrote:
>
> That's really quite different than the intended scope of the draft, which
> was/is a reverse proxy that's terminating TLS (from the client's
> perspective anyway) and talking HTTP with the backend.
>

I'm with Brian on this; CDN/reverse proxies provide an offload of HTTP
processing from the origin that brings advantages such as performance,
scale, and security. Although it could be technically possible to pass
through TLS (pretty much covered by CONNECT already), the concept negates
the value proposition of a CDN architecture. I think Brian's document has
more value with the scope that he has described.

Cheers
Lucas
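As an added illustration of the architecture Lucas and Brian describe (a reverse proxy that terminates TLS toward the client and speaks plain HTTP to the backend, conveying the client certificate in a request header), here is a minimal nginx server block. This is example configuration written for this page, not code from the thread, from the draft, or from any project; the hostname, file paths and backend address are placeholders, and the `Client-Cert` header name and the PEM/URL-escaped value produced by nginx's `$ssl_client_escaped_cert` are assumptions for illustration, not necessarily the encoding the draft specifies.

```nginx
# Added example (not from the thread or the draft): TLS terminates at the
# proxy, the backend is reached over plain HTTP, and the verified client
# certificate is handed to the backend in a Client-Cert request header.
server {
    listen 443 ssl;
    server_name example.test;                        # placeholder hostname

    ssl_certificate     /etc/nginx/tls/server.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/server.key;

    # Request and verify the client certificate at the edge, against the
    # CA bundle the deployment trusts for clients (placeholder path).
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client on;

    location / {
        # proxy_set_header redefines the field, so whatever Client-Cert value
        # a client may have sent is replaced by the proxy's own; the backend
        # only sees the certificate nginx actually verified on this connection.
        # Header name and encoding are assumptions for illustration.
        proxy_set_header Client-Cert $ssl_client_escaped_cert;

        # The backend is reached over plain HTTP, as in the draft's scope.
        proxy_pass http://127.0.0.1:8080;            # placeholder backend
    }
}
```

The point of the `proxy_set_header` line is that the backend's trust in the header rests on the proxy having set it: because the proxy replaces rather than appends the field, the value reaching the backend always reflects the certificate the proxy verified during the TLS handshake. This is exactly the division of labour the thread argues for, as opposed to passing the raw TLS stream through (which, as Lucas notes, CONNECT already covers).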