Use Case: Least Authority CDN Serving

WICG · Apr 25, 2019 · 2e76b5e · 2e76b5e
1 parent 487734b
commit 2e76b5e
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/draft-yasskin-webpackage-use-cases.md b/draft-yasskin-webpackage-use-cases.md
@@ -372,6 +372,45 @@ Associated requirements:
   origin.
 * {{transfer-compression}}{:format="title"}
 
+### Least Authority CDN Serving {#least-authority-cdn-serving}
+
+Currently, a CDN trusted via TLS to serve content for an FQDN may also serve
+arbitrary content for that FQDN. Given the distributed deployment of points of
+presence (POPs) -- often spanning many datacenters and jurisdictions -- this
+creates a security risk for the manipulation of content delivered from those
+POPs. Yet, in many CDN deployments, POPs merely distribute content generated by
+the origin without alteration. For these deployments, it would be useful to
+remove the authority of the CDN to serve arbitrary content.
+
+SXG offers a means to reducing CDN authority via HTTP clients configured to
+expect SXG for all responses, regardless of other trust. Applicable clients
+might include package managers, native mobile applications, desktop
+applications, and server applications.
+
+SXG would also offer a foundation for dynamically imposing such client
+behavior using a mechanism similar to HSTS. This would allow supporting clients
+to be hardened against POP compromise without any effect on non-supporting
+clients.
+
+A related IETF proposal is Delegated Credentials for TLS
+(draft-ietf-tls-subcerts-03), but that proposal solves a different use case
+where a CDN or server needs the authority to serve abitrary or altered content.
+Given that need, the proposal merely limits the intervals and ciphers used by
+the deputized CDN/servers. In contrast, SXG allows content distribution without
+fully deputizing the servers performing distribution (at the cost of not
+supporting the same extent of use cases).
+
+SXG can provide stronger integrity guarantees -- compared to today or a future
+with Delegated Credential for TLS -- for popular content distribution patterns.
+
+Associated requirements:
+
+* {{streamed-loading}}{:format="title"}: To get optimal performance, the browser
+  should be able to start loading early parts of a resource before the
+  distributor finishes sending the whole resource.
+* {{signing}}{:format="title"}: To prove the content came from the original
+  origin.
+
 ### Installation from a self-extracting executable {#self-extracting}
 
 The Node and Electron communities would like to install packages using