Re: Client-Cert Header draft

Lucas Pardue <lucaspardue.24.7@gmail.com> Mon, 20 April 2020 23:47 UTC

From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Tue, 21 Apr 2020 00:44:01 +0100
To: "Soni L." <fakedme+http@gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, HTTP Working Group <ietf-http-wg@w3.org>
In-Reply-To: <f6631a9f-1034-0ad8-7590-aa7cc39ebec1@gmail.com>
Archived-At: <https://www.w3.org/mid/CALGR9oYWJSkaZgtCMSpTZGRJqHJdStZDS64f2mySq-eZo9afGw@mail.gmail.com>

On Tue, Apr 21, 2020 at 12:10 AM Soni L. <fakedme+http@gmail.com> wrote:

> the CDN would have to consent to the client interacting with the server,
> thus not affecting performance, scale and security, and it'd only be for
> non-CDN-safe resources such as private content anyway.
>
>
The CDN provides those features for the origin. That's the purpose.
Allowing clients direct access to the origin means that the origin has to
duplicate the functions a CDN provides or not have them at all. I don't
think that's what people are asking for, particularly people who are happy
to delegate their TLS termination as happens today. What I am aware of is a
desire to understand a property of the TLS connection, just like wanting to
see the negotiated ALPN ID, ciphersuite, client IP address etc. for the
purposes of auditing, analysis or some application logic.

Plus, what you're describing requires a client that is savvy enough to
understand content and the distribution architecture of deployments in
order to decide when to punch through the CDN. That becomes fragile very
quickly.
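The pattern Lucas describes, a TLS-terminating proxy or CDN telling the origin about a property of the connection it terminated, is shown below as an added illustration; it is not code from the draft, from the list, or from any CDN. It assumes a field named Client-Cert carrying the base64 of the DER certificate, a constructed trusted-proxy address, and constructed sample bytes in place of a real certificate. The two security checks it shows are the ones a deployment of such a field needs: the proxy drops any copy of the field the client itself sent before adding its own, and the origin believes the field only when the direct peer is one of its configured proxies, so that a request that reached the origin some other way cannot assert a certificate it never presented.

```python
"""Conveying the TLS client certificate from a terminating proxy to an origin.

Added example, not the draft's or any project's code. The field name and the
plain-base64-of-DER encoding are assumptions made for illustration.
"""
import base64
from typing import Dict, Optional

CLIENT_CERT_HEADER = "client-cert"  # assumed field name

# Fields that describe the proxy-to-client TLS connection. A client must never
# be able to inject its own values for these, so the proxy strips inbound copies.
TLS_INFO_HEADERS = frozenset({CLIENT_CERT_HEADER})

# Constructed: addresses of the proxies the origin is configured to trust.
TRUSTED_PROXIES = frozenset({"192.0.2.10", "192.0.2.11"})

# Constructed: opaque bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(16))


def proxy_forward(inbound_headers: Dict[str, str],
                  peer_cert_der: Optional[bytes]) -> Dict[str, str]:
    """Build the header set a TLS-terminating proxy sends on to the origin.

    1. Remove any inbound Client-Cert field, whatever its case, because the
       client could have sent one to impersonate a certificate holder.
    2. If the handshake with the client actually presented a certificate, add
       the proxy's own encoding of it.
    Header names are lowercased to make the comparison case-insensitive.
    """
    forwarded = {
        name.lower(): value
        for name, value in inbound_headers.items()
        if name.lower() not in TLS_INFO_HEADERS
    }
    if peer_cert_der is not None:
        forwarded[CLIENT_CERT_HEADER] = base64.b64encode(peer_cert_der).decode("ascii")
    return forwarded


def origin_client_cert(headers: Dict[str, str], peer_ip: str) -> Optional[bytes]:
    """Return the DER certificate asserted by a trusted proxy, or None.

    The origin only honours the field when the connection it arrived on comes
    from a configured proxy; a request that bypassed the proxy gets no identity
    from it regardless of what it carries. Malformed values are also rejected.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None
    value = headers.get(CLIENT_CERT_HEADER)
    if value is None:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


if __name__ == "__main__":
    # A client tries to inject its own Client-Cert; the proxy replaces it with
    # what the handshake really showed, and the origin accepts only from the proxy.
    client_request = {"Host": "example.test", "Client-Cert": "AAAA"}
    to_origin = proxy_forward(client_request, SAMPLE_DER)
    print("origin sees:", origin_client_cert(to_origin, "192.0.2.10") == SAMPLE_DER)
    print("direct bypass sees:", origin_client_cert(to_origin, "198.51.100.7"))
```

The same shape applies to the other connection properties mentioned above (negotiated ALPN ID, cipher suite, client address): each is a fact only the terminating hop knows, so each needs the strip-then-set step at the proxy and the trusted-peer check at the origin.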