Re: Client-Cert Header draft

"Soni L." <fakedme+http@gmail.com> Mon, 20 April 2020 23:13 UTC

Sender: "Soni L." <fakedme@gmail.com>
To: Lucas Pardue <lucaspardue.24.7@gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
References: <CA+k3eCRQhuS9TyEVdF6ZAfLSyPngjDLvctUTc++2Ok+RJmw0qA@mail.gmail.com> <C8B0E972-CE82-495D-B657-E5B52B6EAE20@mit.edu> <515d3c47-11c5-c557-f5eb-4c98fff86416@gmail.com> <CA+k3eCRa8YYWVHTkpUGGQj61Uqmp1T_gZyuOTMD=yCXQJ3ZHTA@mail.gmail.com> <c2ea39c4-904f-7c15-b45f-b8b5bf96ad8d@gmail.com> <CALGR9oY6C7kAkUtGti5RdhWtAem3wqX4L4PJoXEweEpxH4NDiA@mail.gmail.com>
From: "Soni L." <fakedme+http@gmail.com>
Message-ID: <f6631a9f-1034-0ad8-7590-aa7cc39ebec1@gmail.com>
Date: Mon, 20 Apr 2020 20:10:31 -0300
In-Reply-To: <CALGR9oY6C7kAkUtGti5RdhWtAem3wqX4L4PJoXEweEpxH4NDiA@mail.gmail.com>
Subject: Re: Client-Cert Header draft
Archived-At: <https://www.w3.org/mid/f6631a9f-1034-0ad8-7590-aa7cc39ebec1@gmail.com>

the CDN would have to consent to the client interacting with the server, 
thus not affecting performance, scale and security, and it'd only be for 
non-CDN-safe resources such as private content anyway.

On 2020-04-20 7:59 p.m., Lucas Pardue wrote:
> Hey,
>
> On Mon, Apr 20, 2020 at 11:28 PM Soni L. <fakedme+http@gmail.com> wrote:
>
>     you'd still have a reverse proxy that's terminating TLS and
>     talking HTTP with the backend.
>
>     you'd just also have a way for that reverse proxy to pass a raw
>     TLS stream through, so the client can talk HTTPS with the backend
>     when needed. it'd still be in the middle of the connection and
>     fully capable of terminating it if it detects potentially abusive
>     behaviour.
>
>     On 2020-04-20 7:20 p.m., Brian Campbell wrote:
>>     That's really quite different than the intended scope of the
>>     draft, which was/is a reverse proxy that's terminating TLS (from
>>     the client's perspective anyway) and talking HTTP with the backend.
>>
> I'm with Brian on this; CDN/reverse proxies provide an offload of HTTP 
> processing from the origin that brings advantages such as performance, 
> scale, and security. Although it could be technically possible to pass 
> through TLS (pretty much covered by CONNECT already), the concept 
> negates the value proposition of a CDN architecture. I think Brian's 
> document has more value with the scope that he has described.
>
> Cheers
> Lucas
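Added illustration (not part of this thread, the draft, or any project's code) of the scope Brian describes above: a reverse proxy that terminates TLS and talks HTTP to the backend, conveying the client certificate in a Client-Cert field. The point a practitioner wants from such a deployment is the one this example exercises on both sides: the proxy must drop any Client-Cert field the client itself sent before setting its own, and the backend must accept the field only from the proxy it trusts and only when the value is well-formed. Assumptions: the field name Client-Cert; a value that is base64 of the DER certificate (the exact encoding is whatever the draft specifies, base64 DER is assumed here for illustration); a trusted-proxy address 10.0.0.5 as a stand-in deployment control; and a constructed placeholder DER blob in place of a real certificate.

```python
import base64
import ipaddress

# Field name from the Client-Cert draft discussed in the thread.
CLIENT_CERT_HEADER = "Client-Cert"

# Assumed deployment value: the only address the backend accepts the field from.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed placeholder, not a real certificate: a DER SEQUENCE header
# (0x30, long-form length 0x0100) followed by 256 zero bytes. Only the outer
# DER framing is valid, which is all this example inspects.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(256)


def _without_header(headers, name):
    """Return a copy of the header dict with every spelling of `name` removed."""
    return {k: v for k, v in headers.items() if k.lower() != name.lower()}


def proxy_forward_headers(inbound_headers, client_cert_der):
    """Proxy side (TLS is terminated here).

    Drop any Client-Cert field the client sent, so it cannot be spoofed, then
    set the field only if the proxy itself verified a client certificate at
    the TLS layer. Value encoding (base64 of DER) is an assumption here.
    """
    out = _without_header(inbound_headers, CLIENT_CERT_HEADER)
    if client_cert_der is not None:
        out[CLIENT_CERT_HEADER] = base64.b64encode(client_cert_der).decode("ascii")
    return out


def _der_total_length(der):
    """Length implied by the outer DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def backend_client_cert(headers, peer_ip):
    """Backend side (plain HTTP from the proxy).

    Returns the DER certificate bytes, or None when the field is absent,
    arrives from anything other than a trusted proxy, or is not a
    well-framed base64 DER value. Peer-address checking is an assumed
    deployment control; mTLS between proxy and backend would be stronger.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        return None
    value = next((v for k, v in headers.items()
                  if k.lower() == CLIENT_CERT_HEADER.lower()), None)
    if value is None:
        return None
    try:
        der = base64.b64decode(value, validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return None
    if _der_total_length(der) != len(der):
        return None
    return der


if __name__ == "__main__":
    # The client tries to smuggle its own Client-Cert; the proxy replaces it.
    forwarded = proxy_forward_headers(
        {"Host": "origin.example", "Client-Cert": "c3Bvb2ZlZA=="}, SAMPLE_CERT_DER)
    print(backend_client_cert(forwarded, "10.0.0.5") == SAMPLE_CERT_DER)  # True
    print(backend_client_cert(forwarded, "203.0.113.9"))                  # None
```

The two halves are deliberately separate functions: stripping on the proxy is what prevents a client from asserting an identity, and the trusted-source check on the backend is what prevents anything that is not the proxy (a direct connection that bypasses the CDN, for instance) from doing the same.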