Peace,

On Thu, Jul 30, 2020 at 3:33 PM Salz, Rich <rs...@akamai.com> wrote:
>> It is (in all but a couple of implementations I think)
>> a *proxy* that the origin has contracted with. Could
>> you please elaborate on your point?
>
> It has a TLS cert that identifies itself as the origin.

It depends! In the majority of cases (i.e. delivering preseeded static
content), no. It identifies as some-1337-garbage.static.example.com, which
it basically *is*. The manner in which the content (hopefully uploaded by
the origin via an end-to-end encrypted connection) propagates to edge nodes
is then up to the implementation, and it is contained within the area of
responsibility of the CDN operator.

However, there's a minority of cases where a CDN is also used to deliver
*dynamically generated* content which could not be cached, e.g. because it
is only available to authenticated users. In this case, the CDN in fact
impersonates the origin, processes all the authentication data, and the
only way to implement that is proxying across different areas of
responsibility. How that's different from what middleboxes are doing is
not clear to me. A proxy is a proxy. There are various kinds of proxies,
probably also doing something which is deemed useful to their owners and
users, which doesn't relax the statement that such proxying is not
endorsed by the IETF. The intent and purpose behind proxying are IMO in
scope of model-t and are, accordingly, out of scope here.

> How is it different from an origin that uses load-balancing to send you
> somewhere? Is www.facebook.com a CDN or intermediary, or is it the origin?

Is www.facebook.com a Facebook-owned middlebox, or is it the endpoint
server? (And this is *one* of the reasons I won't trust Facebook for
anything sensitive!) Again, I think this is more of a topic for model-t.

The main difference, though, is that the data crosses the boundary between
the areas of responsibility in a way which is not transparent to me. It is
a common approach to allow insecure connections over the Internet from the
edge nodes to the origin, and I have no way of knowing if this is the case
for the resource I'm currently using. There are also more subtle
differences, but I think I've long crossed the boundary of the off-topic
area here myself!
-- Töma _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
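The situation described in the message above, where an edge node presents the origin's name to the client and then forwards the request to the origin over a hop the client cannot see, can be made concrete with a reverse-proxy configuration. The following is an added illustration and is not part of the thread or any CDN vendor's configuration; the hostnames (www.example.com, origin.example.net), certificate paths and CA file are hypothetical placeholders. It shows the weak setting the message mentions (a plaintext edge-to-origin hop) next to a variant that at least authenticates and encrypts that hop.

```nginx
# Added illustration, not from the mailing-list thread. All names and
# paths below are hypothetical placeholders.

# --- Weak: TLS is terminated at the edge with a certificate for the
# origin's name, and the request is then forwarded to the origin in
# cleartext across the Internet. Nothing in the client's TLS session
# reveals that this hop exists or that it is unencrypted.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/edge/www.example.com.crt;
    ssl_certificate_key /etc/edge/www.example.com.key;

    location / {
        # Host, cookies and Authorization headers (i.e. the authentication
        # data the message refers to) all travel over this plaintext hop.
        proxy_set_header Host $host;
        proxy_pass http://origin.example.net;
    }
}

# --- Hardened: the edge still terminates the client's TLS session, but
# re-encrypts to the origin and verifies the origin's certificate chain
# and name, so the edge-to-origin hop is at least authenticated.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/edge/www.example.com.crt;
    ssl_certificate_key /etc/edge/www.example.com.key;

    location / {
        proxy_set_header Host $host;
        proxy_pass https://origin.example.net;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_server_name on;                 # send SNI to the origin
        proxy_ssl_name origin.example.net;        # name the origin cert must match
        proxy_ssl_verify on;                      # reject an unverifiable chain
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/edge/origin-ca.pem;  # hypothetical CA bundle
    }
}
```

Note what the hardened variant does and does not change: `proxy_ssl_verify on` together with `proxy_ssl_name` and `proxy_ssl_trusted_certificate` makes the back-end hop authenticated instead of plaintext, but in both variants the edge holds a key for www.example.com, sees every request and response in the clear, and processes the authentication data. That is the point the message makes about dynamically generated content: the client's TLS session ends at a party other than the origin, and the client has no way to tell from the handshake which of these two configurations, if either, is in use.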