TLS/DTLS Content Provider Edge Server Split Use Case
draft-mglt-lurk-tls-use-cases-00

The information below is for an old version of the document
Document Type Active Internet-Draft (individual)
Last updated 2016-01-19
Stream (None)
Intended RFC status (None)
Formats plain text pdf html bibtex
Stream Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date
Responsible AD (None)
Send notices to (None)
Network Working Group                                         D. Migault
Internet-Draft                                                     K. Ma
Intended status: Standards Track                                Ericsson
Expires: July 22, 2016                                  January 19, 2016

          TLS/DTLS Content Provider Edge Server Split Use Case
                    draft-mglt-lurk-tls-use-cases-00

Abstract

   TLS as been designed to setup and authenticate transport layer
   between endpoints.

   A lot of applications are using TLS in order to set communications
   between the applications end points.

   As long as applications end points and transport end points were
   combined into the same host, application authentication could be
   combined with the transport authentication.

   As the current internet is decoupling the transport and application
   layers, such model may not be applicable anymore.  In other words,
   TLS authentication cannot be handled on behalf of the application
   authentication.

   This document describes use cases where the authentication of the
   transport layer differs from the authentication performed at the
   application layer.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 22, 2016.

Migault & Ma              Expires July 22, 2016                 [Page 1]
Internet-Draft             TLS Split Use Cases              January 2016

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Cloud Use Case  . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Content Delivery Network Use Case . . . . . . . . . . . . . .   4
   5.  Authentication in Split Scenarios . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   TLS has been designed for end-to-end security between a TLS Server
   and a TLS Client.  As TLS is widely used to provide an authenticated
   channel between applications, the following models assumes that
   applications end points and connectivity end point are combined.  In
   that case, authentication of the connection end point and
   authentication of the application end point could be combined and
   assimilated as a single authentication.

   Such assumption for the TLS model may not be true especially in the
   current web architecture where application content is not anymore
   associated with the connection end point.  For example, Content
   Delivery Network are in charge of delivering content they are not
   necessarily owning.

   This document provides use case where authentication of of the TLS
   Server involves multiple parties or entities as opposed to a single

Migault & Ma              Expires July 22, 2016                 [Page 2]
Internet-Draft             TLS Split Use Cases              January 2016

   entity in the standard TLS model.  Such uses cases are designated a
   split use cases to point out that authentication is split between
   multiple entities.

2.  Terminology

   TLS Client:   The TLS Client designates the initiator of the TLS
         session.  The terminology is the one of [RFC5246].  The current
Show full document text