Re: Requesting reviews of draft-vanrein-httpauth-sasl

Michiel Leenaars <> Thu, 14 May 2020 17:04 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5C2373A0D81 for <>; Thu, 14 May 2020 10:04:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.747
X-Spam-Status: No, score=-2.747 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id op8iAx45EfVa for <>; Thu, 14 May 2020 10:04:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CB3ED3A0D17 for <>; Thu, 14 May 2020 10:04:07 -0700 (PDT)
Received: from lists by with local (Exim 4.92) (envelope-from <>) id 1jZHE6-0001VP-9T for; Thu, 14 May 2020 17:00:54 +0000
Resent-Date: Thu, 14 May 2020 17:00:54 +0000
Resent-Message-Id: <>
Received: from ([]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jZHE4-0001Ue-O6 for; Thu, 14 May 2020 17:00:52 +0000
Received: from ([2a04:b900::1:0:0:12]) by with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <>) id 1jZHE2-00045L-NY for; Thu, 14 May 2020 17:00:52 +0000
Received: from (localhost []) by (Postfix) with ESMTP id BB81E67B9D for <>; Thu, 14 May 2020 19:00:37 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= content-transfer-encoding:content-type:content-type:user-agent :references:in-reply-to:message-id:mime-version:date:date :subject:subject:from:from:received:received; s=gerrit; t= 1589475637; x=1591290038; bh=VCnzXAKUtpUQZsgJY18FWhKgEqQFNBtYYnG SVBhlecc=; b=MbQsnXRWrCiBV/5QZ/+t31EZNUpodG2XAKGQ0reDWdiSv+m8zs+ ayTJqr+oNNHThlUeMq+X+b+cdCMKc5XGwyBFeiMsPFlUM1WE1kxUWeLGKjc+ZwKj V+bjtgmCCu9B1xPUmEmnDMmaLNVCs9bczvD1gGwcvGygnRe++RL9Kw7w=
X-Virus-Scanned: amavisd-new at
Received: from ([]) by ( []) (amavisd-new, port 10026) with ESMTP id bpmejddTqH6s for <>; Thu, 14 May 2020 19:00:37 +0200 (CEST)
Received: from localhost (unknown [IPv6:2001:984:2ab3:1:15d6:8754:8216:7431]) by (Postfix) with ESMTPSA id 60EE367B95 for <>; Thu, 14 May 2020 19:00:37 +0200 (CEST)
From: Michiel Leenaars <>
To: <>
Date: Thu, 14 May 2020 19:00:37 +0200
MIME-Version: 1.0
Message-ID: <>
In-Reply-To: <>
References: <> <> <> <>
User-Agent: Trojita
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Received-SPF: pass client-ip=2a04:b900::1:0:0:12;;
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: 1jZHE2-00045L-NY 132c78417eea91d2014ceefc34882386
Subject: Re: Requesting reviews of draft-vanrein-httpauth-sasl
Archived-At: <>
X-Mailing-List: <> archive/latest/37620
Precedence: list
List-Id: <>
List-Help: <>
List-Post: <>
List-Unsubscribe: <>

Hi Eric,

> "Arguably" is doing a lot of work here, as CDNs have already 
> evolved well beyond this (cf. edge compute).

that would be companies providing CDN also (or actually) providing cloud 
services on their distributed infastructure, rather than an actual delivery 
network: an intermediate (but passive) cache layer with high availability, 
for static assets. As you rightly point out, in the case of outsourced 
cloud services any such infrastructure would in fact be the origin for all 
intents and purposes - even if some data is fetched once in a while from 
some back end.

>> which of course can be used in an authenticated 
>> session but are not part of it.

> I'm not sure how to formalize this as a security property. 
> Certainly from the perspective of the origin
> model and the browser the CDN *is* the origin. And for that 
> reason, as a practical matter it is in
> part responsible for anything that the browser generates, 
> including authenticated traffic. (For instance,
> it can cause the browser to make authenticated HTTPS requests 
> just as the origin server can).
> Can you elaborate on what you mean here?

What I mean is that here SASL in my opinion is meant to facilitate 
unforgeable authentication and confidentiality between the end points at 
hand. If the edge point is an 'edge compute' node run by a company that 
also delivers CDN services, that would I believe work fine with the 
proposed technology - and there is no problem. 

My considerations revolve around a CDN in the classical sense of the word, 
which as a passive relay has no right to look into an authentication 
protocol exchange between end points. Essentially, I do not think end users 
should want to expose a confidential session to an intermediate cache layer 
intended for static assets only. There is no value add in terms of security 
or functionality.

> TLS can be provided for integrity, but not for confidentiality.
> This seems wrong to me. It's certainly important to users to 
> have the information they exchange
> with the CDN be confidential from other actors on the network. 

Agreed. I should have stated that there cannot be full end-to-end 

> Consider, for instance, a photo
> sharing site; I don't want random people to know which photos I view.

If random people includes the employees of CDN's (which could be anyone), 
then arguably the images should be stored in the CDN encrypted and be 
decrypted client-side with a key exchanged via another channel than the 
CDN. There is nothing that would prevent this from happening, although I am 
not aware of any browser implementing something like that.

But that is another topic. I hope I've answered your questions.