Re: [quicwg/base-drafts] A small certificate is good (#3825)

Marten Seemann <notifications@github.com> Mon, 06 July 2020 06:03 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D653A10F4 for <quic-issues@ietfa.amsl.com>; Sun, 5 Jul 2020 23:03:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.101
X-Spam-Level:
X-Spam-Status: No, score=-3.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id byx8obAq-agH for <quic-issues@ietfa.amsl.com>; Sun, 5 Jul 2020 23:03:26 -0700 (PDT)
Received: from out-26.smtp.github.com (out-26.smtp.github.com [192.30.252.209]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00C863A10F5 for <quic-issues@ietf.org>; Sun, 5 Jul 2020 23:03:25 -0700 (PDT)
Received: from github-lowworker-ca5950c.va3-iad.github.net (github-lowworker-ca5950c.va3-iad.github.net [10.48.17.57]) by smtp.github.com (Postfix) with ESMTP id A6778282A54 for <quic-issues@ietf.org>; Sun, 5 Jul 2020 23:03:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1594015404; bh=NSQ1kJ+CxTYiuWSavLr41B78cjba7Q89W7pkWb8lyHQ=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=e9LXVz1DcJic+8efkj9fFnciO3Ra6DdNb9mmHLM1aMeHx+Aud6m+VnDS6v2Rk6EbY 6HQ5I8L8qlnoKMJ2GeSFenrffIx6hqrIEbCo86lQ8nh9GrS9pMgNHaAcbhqSnfrpti iZoDgcvSARAAl8E66lMEhC/tI64I/VaExOIVJzxs=
Date: Sun, 05 Jul 2020 23:03:24 -0700
From: Marten Seemann <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK5C7EPR7EWTBRC4QIF5B2P2ZEVBNHHCNUJAHU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3825/review/442792032@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3825@github.com>
References: <quicwg/base-drafts/pull/3825@github.com>
Subject: Re: [quicwg/base-drafts] A small certificate is good (#3825)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f02beac901c1_72163f88ac2cd96c82685d"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: marten-seemann
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/UiaMRXyCNV_yUcMjukywiz9BPF4>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 06:03:28 -0000

@marten-seemann commented on this pull request.



> @@ -651,6 +651,17 @@ verification that the identity of the server is included in a certificate and
 that the certificate is issued by a trusted entity (see for example
 {{?RFC2818}}).
 
+Note:
+
+: Where servers provide certificates for authentication, the size of
+  the certificate chain can consume a large number of bytes.  Controlling the
+  size of certificate chains is critical to performance in QUIC as servers are
+  limited to sending 3 bytes for every byte received prior to validating the
+  client address; see Section 8.1 of {{QUIC-TRANSPORT}}.  The size of a
+  certificate chain can managed by limiting the number of names or extensions;

can be?

> @@ -651,6 +651,17 @@ verification that the identity of the server is included in a certificate and
 that the certificate is issued by a trusted entity (see for example
 {{?RFC2818}}).
 
+Note:
+
+: Where servers provide certificates for authentication, the size of
+  the certificate chain can consume a large number of bytes.  Controlling the
+  size of certificate chains is critical to performance in QUIC as servers are
+  limited to sending 3 bytes for every byte received prior to validating the
+  client address; see Section 8.1 of {{QUIC-TRANSPORT}}.  The size of a
+  certificate chain can managed by limiting the number of names or extensions;
+  using keys with small public key representations, like ECDSA; or, by using

s/or/and/?

> @@ -756,8 +767,8 @@ In TLS over TCP, the HelloRetryRequest feature (see Section 4.1.4 of
 well as for a stateless round-trip check. From the perspective of QUIC, this
 just looks like additional messages carried in Initial packets. Although it is
 in principle possible to use this feature for address verification in QUIC,
-QUIC implementations SHOULD instead use the Retry feature (see Section 8.1 of
-{{QUIC-TRANSPORT}}). HelloRetryRequest is still used to request key shares.
+QUIC implementations SHOULD instead use the Retry feature; see Section 8.1 of

This seems unrelated. Was this supposed to go in #3826?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3825#pullrequestreview-442792032