> In the majority of cases (i.e. delivering preseeded static content), no. It identifies as some-1337-garbage.static.example.com, which it basically *is*.
No. That might be the DNS name, but it is not the TLS certificate that the server presents. That certificate MUST have a name that matches the original name that the client (browser, often) presents. That's fundamental.

> However, there's a minority of cases where a CDN is also used to deliver *dynamically generated* content which could not be cached, e.g. because it is only available to authenticated users. In this case, the CDN in fact impersonates the origin, processes all the authentication data, and the only way to implement that is proxying across different areas of responsibility. How that's different from what middleboxes are doing is not clear to me.

CDNs also do things like API gateways, bot detection, etc. In some cases, the dynamic traffic manipulation is more in either bytes or connections. Consider this configuration in a fake language:

    <match cond="using-weak-cipher()">
      <redirect>/get/better/browser.html</redirect>
    </match>

Where does this fall? I agree that if example.com hires a CDN or deploys a middlebox to do those things, there is no difference.

> Proxy is a proxy.

That's too simplistic. We have a product, Site Shield, that customers can use to limit the IP addresses of who can reach their origin server. Everyone else is blocked. Some use that to make sure that *only* Akamai servers will talk to them, and that everything else goes through us. Is that a proxy? How is it different from terminating TLS in the DMZ and sending it inside? How does the client know?

> is ... a Facebook-owned middlebox, or is it the endpoint server?

What is the endpoint server, if Facebook sends you there?

> The main difference though is that the data crosses the boundary between the areas of responsibility in a way which is not transparent to me.

And my point is that there is no such boundary. Or perhaps more accurately, it is a barrier that they don't want you to see. Just like they might not want you to know about the DMZ and interior network, which are often run by different organizations inside the corporation.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
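Two of the points argued in the message above, the certificate-name check (the client verifies the name it asked for, not the CNAME target the DNS lookup ended at) and the origin-side address allow-list described for Site Shield, as an added worked example. This is not code from the original post or from any CDN product; the DNS records, certificate SAN lists and address ranges are constructed for illustration, and the name matcher implements the RFC 6125 wildcard rules in simplified form.

```python
"""Added example (not from the original post or any CDN product's code).

Two checks a practitioner can run against the points in the thread:

1. A TLS client verifies the certificate against the name it asked for
   (URL host, also sent as SNI), not against whatever DNS name a CNAME
   chain ends at. The CNAME target is irrelevant to verification.
2. An origin that only admits the CDN's published address ranges (the
   Site Shield idea) is a plain source-IP allow-list at the origin.

All DNS records, SAN lists and address ranges below are constructed.
"""

import ipaddress
from typing import Iterable, Mapping, Tuple


def hostname_matches(requested_host: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if any dNSName SAN covers requested_host.

    Simplified RFC 6125 rules: exact match, or a wildcard that is the whole
    leftmost label and stands for exactly one label. Partial-label
    wildcards (f*.example.com) and wildcards directly under a TLD are
    refused.
    """
    host_labels = requested_host.rstrip(".").lower().split(".")
    for san in san_dns_names:
        san_labels = san.rstrip(".").lower().split(".")
        if san_labels[0] == "*":
            if len(san_labels) < 3:  # "*.com" and the like: refuse
                continue
            if len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]:
                return True
        elif "*" in san:
            continue  # wildcard anywhere but the whole leftmost label: never matches
        elif host_labels == san_labels:
            return True
    return False


# Constructed DNS data: the customer's name is a CNAME to a CDN edge name.
RECORDS: Mapping[str, Tuple[str, str]] = {
    "www.example.com": ("CNAME", "some-1337-garbage.static.example.com"),
    "some-1337-garbage.static.example.com": ("A", "198.51.100.7"),
}


def resolve(name: str, records: Mapping[str, Tuple[str, str]], max_hops: int = 8) -> Tuple[str, str]:
    """Follow CNAMEs like a stub resolver; return (address, name the A record was found at)."""
    current = name.rstrip(".").lower()
    for _ in range(max_hops):
        rtype, value = records[current]
        if rtype == "A":
            return value, current
        current = value.rstrip(".").lower()
    raise RuntimeError("CNAME chain too long")


def edge_connection_ok(requested_host: str, records: Mapping[str, Tuple[str, str]],
                       edge_cert_sans: Iterable[str]) -> bool:
    """What the browser does: resolve, connect, then verify the presented
    certificate against the *requested* host. The name the CNAME chain
    ended at is deliberately not used in the check."""
    _address, _edge_name = resolve(requested_host, records)
    return hostname_matches(requested_host, edge_cert_sans)


# Constructed: address ranges the origin will accept connections from
# (documentation prefixes standing in for a CDN's published ranges).
ALLOWED_CDN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0::/48"),
]


def origin_accepts(peer_ip: str, allowed: Iterable = ALLOWED_CDN_RANGES) -> bool:
    """Site Shield style check at the origin: only listed CDN ranges get through."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in allowed)


if __name__ == "__main__":
    customer_cert = ["www.example.com", "example.com"]   # cert the CDN serves for the customer
    edge_own_cert = ["*.static.example.com"]             # cert for the edge's own DNS name
    print(edge_connection_ok("www.example.com", RECORDS, customer_cert))  # True
    print(edge_connection_ok("www.example.com", RECORDS, edge_own_cert))  # False
    print(origin_accepts("203.0.113.9"), origin_accepts("198.51.100.7"))  # True False
```

The second `edge_connection_ok` call is the case from the top of the thread: the edge's own name does not help, because the browser never asks for it. The weak-cipher redirect rule from the fake configuration is not modelled here; it would sit on the edge after a successful handshake.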