Re: [TLS] [OPSEC] Call For Adoption: draft-wang-opsec-tls-proxy-bp
Töma Gavrichenkov <ximaera@gmail.com> Thu, 30 July 2020 13:14 UTC
From: Töma Gavrichenkov <ximaera@gmail.com>
Date: Thu, 30 Jul 2020 16:13:09 +0300
Message-ID: <CALZ3u+ZWdH5sfuu2KssweZLsqsUeYRCq2cae=7REszubBF5pyw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Watson Ladd <watsonbladd@gmail.com>, "Eric Wang (ejwang)" <ejwang@cisco.com>, Jen Linkova <furry13@gmail.com>, OPSEC <opsec@ietf.org>, OpSec Chairs <opsec-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pUcU1CuE_LEgqKu2n1n5HaEpzNk>
Peace,

On Thu, Jul 30, 2020 at 3:33 PM Salz, Rich <rsalz@akamai.com> wrote:
>> It is (in all but a couple of implementations I think)
>> a *proxy* that the origin has contracted with. Could
>> you please elaborate on your point?
>
> It has a TLS cert that identifies itself as the origin.

It depends! In the majority of cases (i.e. delivering preseeded static content), no. It identifies as some-1337-garbage.static.example.com, which it basically *is*. The manner in which the content (hopefully uploaded by the origin via an end-to-end encrypted connection) propagates to edge nodes is then up to the implementation, and it is contained within the area of responsibility of the CDN operator.

However, there's a minority of cases where a CDN is also used to deliver *dynamically generated* content which could not be cached, e.g. because it is only available to authenticated users. In this case, the CDN in fact impersonates the origin, processes all the authentication data, and the only way to implement that is proxying across different areas of responsibility.

How that's different from what middleboxes are doing is not clear to me. A proxy is a proxy. There are various kinds of proxies, probably also doing something which is deemed useful to their owners and users, which doesn't relax the statement that such proxying is not endorsed by the IETF. The intent and purpose behind proxying are IMO in scope of model-t and are, accordingly, out of scope here.

> How is it different from an origin that uses load-balancing to send you somewhere? Is www.facebook.com a CDN or intermediary, or is it the origin?

Is www.facebook.com a Facebook-owned middlebox, or is it the endpoint server? (And this is *one* of the reasons I won't trust Facebook for anything sensitive!)

Again, I think this is more of a topic for model-t. The main difference though is that the data crosses the boundary between the areas of responsibility in a way which is not transparent to me. It is a common approach to allow insecure connections over the Internet from the edge nodes to the origin, and I have no way of knowing if this is the case for the resource I'm currently using.

There are also more subtle differences, but I think I've long crossed the boundary of the off-topic area here myself!

--
Töma