Re: Requesting reviews of draft-vanrein-httpauth-sasl

Eric Rescorla <ekr@rtfm.com> Thu, 14 May 2020 16:11 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8CCA3A0BDD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 May 2020 09:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.647
X-Spam-Level:
X-Spam-Status: No, score=-2.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePNObpLNRM2i for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 14 May 2020 09:11:40 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46E7D3A0C2D for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 14 May 2020 09:11:37 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1jZGPY-0000Xh-GP for ietf-http-wg-dist@listhub.w3.org; Thu, 14 May 2020 16:08:40 +0000
Resent-Date: Thu, 14 May 2020 16:08:40 +0000
Resent-Message-Id: <E1jZGPY-0000Xh-GP@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <ekr@rtfm.com>) id 1jZGPW-0000Su-SE for ietf-http-wg@listhub.w3.org; Thu, 14 May 2020 16:08:38 +0000
Received: from mail-lj1-x22c.google.com ([2a00:1450:4864:20::22c]) by mimas.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.92) (envelope-from <ekr@rtfm.com>) id 1jZGPV-0001uA-6Z for ietf-http-wg@w3.org; Thu, 14 May 2020 16:08:38 +0000
Received: by mail-lj1-x22c.google.com with SMTP id w10so4180082ljo.0 for <ietf-http-wg@w3.org>; Thu, 14 May 2020 09:08:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=go5yheklJrmXscrqsu2kbWfzLqZYhc4zr09j3RFyjuY=; b=Lv5uXkMH87Wl+ANh0r1TIqNR+kxT0OnjT3RGbqU4zKcqQwjhvm2Mnv1+LVv5+wZb44 iIuvky8KA0IJFkoz2CMfSmXOJJF4YRm0UJgsTWDBTvqChTL5bfjR7aj7fBLoZ5QHDQmR ydgB597h3qozqc6FFPCdv6jQE0Izfl0Jvt/zde+AiZyaF2Z1QahGnDB88JeauQW8z6bG 5AKALFgCp+FWJO9vBprKhAEjwwqUSt+vyTaXABArMm0Qn1yg+2is30fDoWgCUVCgps61 sO9jFMISXR8HnEgZApoRwwHmrgE47BlYxHfJOiNyeTXtukteMcA2UHRHqJlUg2F370q4 d0uw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=go5yheklJrmXscrqsu2kbWfzLqZYhc4zr09j3RFyjuY=; b=HrTBqaxehlOM2I7Ivi2mrLO+uwlzXG/QUYgy3UgbwpBtjdPGgB15GPNgespGbLrTOf GZHkch7Oz9zkl56wS7b9QZeDqY/sx5++Mda8OgoVdbSYXMupuaiz+CmUR0052/Tm6+wo HQ3yw1K3E0AhGsoQQ49uam3PzKRu7OxJ6fQPz4bOzQs+vLBXlFmpHfVFF8ftFDvgrmaN 660p1cJ1Ek8YH6rr3EZJmbRTAzEV/3XQsyBytHZgRk8idn6aIy0uFe0rDcWI9zIQUj/k 3kdeAuxvxms2314uUGVZHwvZtrJ2IMgjOQb+xZ+MPMSbV3lBJnRQeGOH7U9Kmg44eC2o at4A==
X-Gm-Message-State: AOAM532fKseozSYNPNpom77fMQgcUr0qxlO5ff0/tlM45r7E44o/jrsr 6YOx955bjO/Ve06wX3MacQOngfVEEMwuMWPa17sHEQ==
X-Google-Smtp-Source: ABdhPJyv/fbnnwO/wn3qaxZRL4AHI8HrSFy/zQZhYt2rNet/zVQS2ICAPVxyiDLGTZ9fndQi7GCrEXfKBbo11Lta3jE=
X-Received: by 2002:a2e:9dcd:: with SMTP id x13mr3082217ljj.120.1589472505489; Thu, 14 May 2020 09:08:25 -0700 (PDT)
MIME-Version: 1.0
References: <B9974B38-6CC7-4979-B08C-ADA6EB22A66A@apple.com> <3b29ffdf-54dc-4e36-f3c9-d224423b357b@gmail.com> <7fd383fb-1953-4f17-94ba-fb0995a6714d@nlnet.nl>
In-Reply-To: <7fd383fb-1953-4f17-94ba-fb0995a6714d@nlnet.nl>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 14 May 2020 09:07:49 -0700
Message-ID: <CABcZeBMD8++_dRtSD704Ymchi2hBxw74Xs+fLSXWj_6WS5d97g@mail.gmail.com>
To: Michiel Leenaars <michiel.ml@nlnet.nl>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="00000000000012009205a59de866"
Received-SPF: none client-ip=2a00:1450:4864:20::22c; envelope-from=ekr@rtfm.com; helo=mail-lj1-x22c.google.com
X-W3C-Hub-Spam-Status: No, score=-5.9
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1jZGPV-0001uA-6Z 92870fec26bd9a3db97efccf04b90921
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Requesting reviews of draft-vanrein-httpauth-sasl
Archived-At: <https://www.w3.org/mid/CABcZeBMD8++_dRtSD704Ymchi2hBxw74Xs+fLSXWj_6WS5d97g@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/37619
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Thu, May 14, 2020 at 9:01 AM Michiel Leenaars <michiel.ml@nlnet.nl>
wrote:

> Hi James,
>
> >> This means that a secure transport layer must be used, like
> >> TLS.  The termination of such a secure layer MUST also
> >> terminate any ongoing SASL handshakes.
> >
> > Isn't this incompatible with use cases where TLS termination is
> > separated from the processing of the HTTP request such is common
> > in CDNs, or where a trusted proxy is involved?
>
> arguably, resources fetched from a public CDN are (or should be)
> exclusively static assets,


"Arguably" is doing a lot of work here, as CDNs have already evolved well
beyond this (cf. edge compute).



> which of course can be used in an authenticated
> session but are not part of it.


I'm not sure how to formalize this as a security property. Certainly from
the perspective of the origin
model and the browser the CDN *is* the origin. And for that reason, as a
practical matter it is in
part responsible for anything that the browser generates, including
authenticated traffic. (For instance,
it can cause the browser to make authenticated HTTPS requests just as the
origin server can).
Can you elaborate on what you mean here?


TLS can be provided for integrity, but not
> for confidentiality.
>

This seems wrong to me. It's certainly important to users to have the
information they exchange
with the CDN be confidential from other actors on the network. Consider,
for instance, a photo
sharing site; I don't want random people to know which photos I view.

-Ekr


> Since a CDN is essentially a cache with man-in-the-middle capabilities
> allowing to observe all the traffic that passes by, it cannot be
> end-to-end
> secure in the actual sense of the word and should not be used as such. So
> I
> do not see an incompatibility...
>
> Best,
> Michiel Leenaars
> NLnet Foundation
>
>
>