Re: [pkix] Compressed CRLs
Phillip Hallam-Baker <phill@hallambaker.com> Mon, 20 October 2014 12:26 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0485B1A8700 for <pkix@ietfa.amsl.com>; Mon, 20 Oct 2014 05:26:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrSBbFzv7n1M for <pkix@ietfa.amsl.com>; Mon, 20 Oct 2014 05:26:52 -0700 (PDT)
Received: from mail-la0-x232.google.com (mail-la0-x232.google.com [IPv6:2a00:1450:4010:c03::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DC031A86FF for <pkix@ietf.org>; Mon, 20 Oct 2014 05:26:52 -0700 (PDT)
Received: by mail-la0-f50.google.com with SMTP id s18so3831488lam.37 for <pkix@ietf.org>; Mon, 20 Oct 2014 05:26:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=ab5cPI3x4cK6dpTdVt4q1p4eO2AfMs7AdVHCHXVNGwM=; b=HJ33uCAVpa02rhnITJtlRrf4s2Nod3wBt1n8Q4fnG5jj2mOsa/gX/BPOnGqH4O1hg4 H6o6IaMzl5ZL4h3zPn4c+w1EQnSKqvFsg+nBjCMrUzjzxg7gxE+YvQpYEUWeYklNWCjg WukBYItg7JR7RhFPwE19GSaB6cO3xdJsO/VTUwPG68lm+9ySBY3sRMrRdJUfBabaPYI5 GXn345OhNllRGxtIQ87M+s1tYxK+p7U8XBWjda6q5SR4aEHVW9FlxyTJV6W/qSq22ehO y/WNSnZO5Y/ZH8q0YkUETDO8gmNknuasDtpir8wMoK7Jj38AvyVpPsyz/q7Nbhgcu5CK sygw==
MIME-Version: 1.0
X-Received: by 10.152.243.8 with SMTP id wu8mr26959978lac.21.1413808010482; Mon, 20 Oct 2014 05:26:50 -0700 (PDT)
Sender: hallam@gmail.com
Received: by 10.112.66.196 with HTTP; Mon, 20 Oct 2014 05:26:50 -0700 (PDT)
In-Reply-To: <CA+i=0E6Rqo=7Nr3XL+ZXASbD3S5pe_+R2-cvDxcqGVOKWQuzLw@mail.gmail.com>
References: <CAMm+Lwj7VAz9_ASfLKHzMVnxK6PWmJRonRTLG_4DEDneRDXoTg@mail.gmail.com> <CA+i=0E6Rqo=7Nr3XL+ZXASbD3S5pe_+R2-cvDxcqGVOKWQuzLw@mail.gmail.com>
Date: Mon, 20 Oct 2014 08:26:50 -0400
X-Google-Sender-Auth: GqqwAHfm1fjdRd22m6Mekm3ZeVY
Message-ID: <CAMm+LwjHvtMn80H2+mGEn4f3O0o0+zpKKipbMGUQFN7Z46uuag@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Erwann Abalea <eabalea@gmail.com>
Content-Type: multipart/alternative; boundary="001a1133f7043edd9e0505d9d448"
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/LOBBG3zk6zvVVnsSrL_NJQ8pN60
Cc: "pkix@ietf.org" <pkix@ietf.org>
Subject: Re: [pkix] Compressed CRLs
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 12:26:54 -0000
On Thu, Oct 16, 2014 at 1:17 PM, Erwann Abalea <eabalea@gmail.com> wrote: > Interesting draft. Can be implemented by a third party if and only if it > has access to all the unexpired certificates (insert GoogleCT here), or by > the CA itself. > Will there be more details on the additional optimizations by Rob? Does > this additional optimization apply to a complete CRLSet or only to deltas? > I want to get folk to focus on the specific way they want to use it before we drill down into exactly how to represent it. If we are doing one big CRL per day then extra compression makes a lot of sense. If we are doing deltas we need to look at the total complexity of the scheme. > Regarding the encoding, my preference goes to ASN.1 over JSON. ASN.1 has a > native BITSTRING type and several already standardized encoding rules, one > of them being optimized for space (PER and unaligned PER, X.691). But this > is only a serialization issue and doesn't conflict with the general idea; > some don't like ASN.1 (for bad reasons), some don't like PER (for not so > bad reasons). A good compact and easy encoding may be the recently approved > OER (X.696). > We don't use ASN.1, never have. We use tools that happen to take ASN.1 syntax. And that is a huge difference. Unless the authors of OpenSSL and NSSAPI etc. tell me their compilers work just fine with PER than it doesn't exist as far as I am concerned. We have already broken with ASN.1 in TRANS which does not use ASN.1 for internal structures. It uses the TLS schema. As far as my personal code set goes, I can switch from generating ASN.1 to TLS or JSON at will. (I don't use ASN.1 schema which simplifies a lot.) So I am not protecting my code here. But in general discussions over encoding don't have a lot of weight for me unless they begin 'I am the maintainer of X. widely used code library).
- [pkix] Compressed CRLs Phillip Hallam-Baker
- Re: [pkix] Compressed CRLs Erwann Abalea
- Re: [pkix] Compressed CRLs Phillip Hallam-Baker
- Re: [pkix] Compressed CRLs Dr. Massimiliano Pala