Re: Requesting reviews of draft-vanrein-httpauth-sasl

Eric Rescorla <ekr@rtfm.com> Thu, 14 May 2020 19:16 UTC

References: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com> <3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com> <7fd383fb-1953-4f17-94ba-fb0995a6714d@nlnet.nl> <CABcZeBMD8++_dRtSD704Ymchi2hBxw74Xs+fLSXWj_6WS5d97g@mail.gmail.com> <217a4fc6-4805-4ee2-bd04-6fbe1d99c35c@nlnet.nl>
In-Reply-To: <217a4fc6-4805-4ee2-bd04-6fbe1d99c35c@nlnet.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 14 May 2020 12:12:04 -0700
Message-ID: <CABcZeBOsxt4UwVB_DBWAZmeM==6saFSKn=KZW9pKjKbiFZzuzg@mail.gmail.com>
To: Michiel Leenaars <michiel.ml@nlnet.nl>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: Requesting reviews of draft-vanrein-httpauth-sasl
Archived-At: <https://www.w3.org/mid/CABcZeBOsxt4UwVB_DBWAZmeM==6saFSKn=KZW9pKjKbiFZzuzg@mail.gmail.com>
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37621
List-Id: <ietf-http-wg.w3.org>

On Thu, May 14, 2020 at 10:04 AM Michiel Leenaars <michiel.ml@nlnet.nl>
wrote:

> > I'm not sure how to formalize this as a security property.
> > Certainly from the perspective of the origin
> > model and the browser the CDN *is* the origin. And for that
> > reason, as a practical matter it is in
> > part responsible for anything that the browser generates,
> > including authenticated traffic. (For instance,
> > it can cause the browser to make authenticated HTTPS requests
> > just as the origin server can).
> > Can you elaborate on what you mean here?
>
> What I mean is that here SASL in my opinion is meant to facilitate
> unforgeable authentication and confidentiality between the end points at
> hand. If the edge point is an 'edge compute' node run by a company that
> also delivers CDN services, that would I believe work fine with the
> proposed technology - and there is no problem.
>
> My considerations revolve around a CDN in the classical sense of the word,
> which as a passive relay has no right to look into an authentication
> protocol exchange between end points. Essentially, I do not think end users
> should want to expose a confidential session to an intermediate cache layer
> intended for static assets only. There is no value add in terms of security
> or functionality.
>

I think you're drawing a distinction which is not present in the technology.

Consider a Web application which has an origin server at www.example.com
and also hosts static assets including JS hosted at example.cdn.example.net.
Even if the SASL exchange only goes between the browser and www.example.com,
because the JS gets loaded into www.example.com's origin, the CDN has
the ability to initiate its own requests to www.example.com's origin.

> > Consider, for instance, a photo
> > sharing site; I don't want random people to know which photos I view.
>
> If random people includes the employees of CDNs (which could be anyone),
>

Well, this could just as well apply to the employees of the origin site or
of the hosting provider the origin site resides on. I appreciate that it's
not very satisfying but the state of the Web ecosystem now is that many sites
just rely on a pile of different third parties that have potential access to
your data and you have to trust those as well. CDNs are just one such entity.

-Ekr