Re: [quicwg/base-drafts] A small certificate is good (#3825)

Martin Thomson <notifications@github.com> Mon, 06 July 2020 06:23 UTC

Date: Sun, 05 Jul 2020 23:23:12 -0700
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK6GIXCAUCBKVSZUNXV5B2SFBEVBNHHCNUJAHU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3825/review/442800482@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3825@github.com>
References: <quicwg/base-drafts/pull/3825@github.com>
Subject: Re: [quicwg/base-drafts] A small certificate is good (#3825)
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/cDBYTCqR6ogQ8qJGbmzTt1qGIM4>

@martinthomson commented on this pull request.



> @@ -651,6 +651,17 @@ verification that the identity of the server is included in a certificate and
 that the certificate is issued by a trusted entity (see for example
 {{?RFC2818}}).
 
+Note:
+
+: Where servers provide certificates for authentication, the size of
+  the certificate chain can consume a large number of bytes.  Controlling the
+  size of certificate chains is critical to performance in QUIC as servers are
+  limited to sending 3 bytes for every byte received prior to validating the
+  client address; see Section 8.1 of {{QUIC-TRANSPORT}}.  The size of a
+  certificate chain can managed by limiting the number of names or extensions;
+  using keys with small public key representations, like ECDSA; or, by using
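
Review bot: the sentence "The size of a certificate chain can managed by limiting the number of names or extensions" is missing its verb and should read "can be managed by"; the hunk is also cut off mid-sentence at "or, by using", so the rest of that list is not visible here and cannot be checked. The note says that controlling chain size is "critical to performance" but never states the consequence of exceeding the limit; since Section 8.1 is already cited, one clause saying that a server which uses up the three-to-one allowance has to stop and wait for a packet from the client before it can send the rest of its handshake (an extra round trip) would make the advice actionable. Minor: "keys with small public key representations, like ECDSA" names a signature algorithm rather than a key type; "elliptic-curve keys (for example, ECDSA with P-256)" would be more precise, and the smaller ECDSA signatures on each certificate help for the same reason.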

I think that a logical OR is sufficient here.  Though nothing stops someone from doing more than one, and maybe there are things that mean you need to (like being unwilling to reduce the number of cnames on certificates for $reasons).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3825#discussion_r450005983
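
The budget the quoted note is about can be checked against a concrete chain. The following is an added example, not code from the PR, the draft or the QUIC WG: it measures the TLS 1.3 Certificate message a chain produces (framing per RFC 8446, Section 4.4.2) and compares it with what a QUIC server may send before validating the client address (three times the bytes received, RFC 9000, Section 8.1; the client's Initial is padded to at least 1200 bytes, RFC 9000, Section 14.1, so that budget is at least 3600 bytes). The allowance for the rest of the server's first flight (`ASSUMED_OTHER_FLIGHT_BYTES`), the DER sizes used for the two sample chains, and the `constructed_pem` placeholder certificates are assumptions made for the example; the placeholders are not real certificates and only their lengths matter.

```python
import base64
import re

# RFC 9000, Section 8.1: until the client's address is validated, a server may
# send at most three times the number of bytes it has received from that address.
AMPLIFICATION_FACTOR = 3
# RFC 9000, Section 14.1: clients pad Initial datagrams to at least 1200 bytes,
# so the server's budget for its first flight is at least 3 * 1200 = 3600 bytes.
MIN_CLIENT_INITIAL_BYTES = 1200
# Rough allowance (assumption, not from the draft) for everything else in the
# server's first flight: Initial packet with ServerHello, Handshake packet
# headers, EncryptedExtensions, CertificateVerify, Finished and AEAD tags.
ASSUMED_OTHER_FLIGHT_BYTES = 600

_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(pem):
    """Split a PEM bundle into the DER bytes of each certificate, in file order."""
    return [base64.b64decode(b"".join(body.split())) for body in _PEM_CERT.findall(pem)]


def tls13_certificate_message_size(chain_der, extension_bytes_per_entry=0):
    """Wire size of the TLS 1.3 Certificate handshake message (RFC 8446, Section 4.4.2).

    extension_bytes_per_entry covers per-entry CertificateEntry extensions such as
    a stapled OCSP response or SCTs, which count against the same budget.
    """
    # Each CertificateEntry: 3-byte cert_data length, cert_data,
    # 2-byte extensions length, extensions.
    entries = sum(3 + len(der) + 2 + extension_bytes_per_entry for der in chain_der)
    # Handshake header (1-byte type + 3-byte length), 1-byte empty
    # certificate_request_context length, 3-byte certificate_list length.
    return 1 + 3 + 1 + 3 + entries


def check_chain(pem, client_bytes=MIN_CLIENT_INITIAL_BYTES,
                other_flight_bytes=ASSUMED_OTHER_FLIGHT_BYTES,
                extension_bytes_per_entry=0):
    """Does the chain fit in what the server may send before address validation?

    Negative headroom means the server has to stop and wait for a packet from the
    client (which validates the address) before it can finish its handshake
    flight, i.e. the handshake costs an extra round trip.
    """
    chain = pem_chain_to_der(pem)
    msg = tls13_certificate_message_size(chain, extension_bytes_per_entry)
    budget = AMPLIFICATION_FACTOR * client_bytes
    headroom = budget - other_flight_bytes - msg
    return {
        "certificates": len(chain),
        "der_bytes": [len(d) for d in chain],
        "certificate_message_bytes": msg,
        "budget_bytes": budget,
        "headroom_bytes": headroom,
        "fits": headroom >= 0,
    }


def constructed_pem(der_sizes):
    """Constructed test input: placeholder 'certificates' of the given DER sizes.

    These are NOT real certificates; only their lengths matter to the check above.
    """
    out = []
    for n in der_sizes:
        body = bytes(i % 256 for i in range(n))
        out.append(b"-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(body)
                   + b"-----END CERTIFICATE-----\n")
    return b"".join(out)


# Assumed, approximate DER sizes: an RSA-2048 leaf plus two RSA intermediates
# (e.g. a cross-signed chain) versus a P-256 leaf plus one P-256 intermediate.
RSA_LIKE_CHAIN_PEM = constructed_pem([1400, 1200, 1100])
EC_LIKE_CHAIN_PEM = constructed_pem([600, 500])

if __name__ == "__main__":
    for name, pem in (("rsa-like", RSA_LIKE_CHAIN_PEM), ("ec-like", EC_LIKE_CHAIN_PEM)):
        print(name, check_chain(pem))
```

To check a real deployment, feed `check_chain` the PEM blocks that `openssl s_client -connect host:443 -showcerts` prints for the server, and pass the size of any stapled OCSP response or SCT list as `extension_bytes_per_entry`, since those ride in the leaf's CertificateEntry and count against the same budget. With the assumed sizes, the three-certificate RSA chain overshoots the 3600-byte budget by itself, while the two-certificate EC chain leaves well over a kilobyte of headroom, which is the trade-off the quoted note is describing.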