IETF Logo Mail Archive

Re: [therightkey] [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated Certificate Transparency + Extended Validation plan)

Ben Laurie <benl@google.com> Tue, 18 February 2014 15:30 UTC

Return-Path: <benl@google.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 610A21A04D0 for <therightkey@ietfa.amsl.com>; Tue, 18 Feb 2014 07:30:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.327
X-Spam-Level:
X-Spam-Status: No, score=-1.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_22=0.6, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wI0V-OvNhuOF for <therightkey@ietfa.amsl.com>; Tue, 18 Feb 2014 07:29:56 -0800 (PST)
Received: from mail-vc0-x236.google.com (mail-vc0-x236.google.com [IPv6:2607:f8b0:400c:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 37B431A0693 for <therightkey@ietf.org>; Tue, 18 Feb 2014 07:29:56 -0800 (PST)
Received: by mail-vc0-f182.google.com with SMTP id id10so13013317vcb.41 for <therightkey@ietf.org>; Tue, 18 Feb 2014 07:29:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=4iyM2P7BGM7s7mmMu9cqJy4aZK1KHYKHAjVSaqbOPGI=; b=Xxl3UFIu5aLeGLZPKUzmXq2SE69wldn1Au6BZKU1InN17RM3XdzST3vZ1S95fh0iWk Vn21B+LF+POVZhC50M2m6AoQUHWf/vv7LMBAjX2+O8oqFEHBUODwGDXsVkKGKWAETyID 8Y5Ipj7izdNn583gjqcRc7tFY9xVhvLJ39Oh8AOwv0Lue8Zg8JuZLqjNJIRe3rbEbEm9 swsdu/Oe6ex7HQg9gShGyZhXymn1xVYtQP37JQHidkbB/OTfLbdg+IZab7Tt5ImmgCSs Vde35DZQg2YhmZtC07AREWRlOluNXupFY7/QsUPgSt/2HvFOzQjtmnfP220IzCreotbP VFmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=4iyM2P7BGM7s7mmMu9cqJy4aZK1KHYKHAjVSaqbOPGI=; b=cZxrqJxT7ryAT4ME8acG3+NiUfFDrk2qGevqQe6PGqh0xlRcUXm3WcYgwCem0z1uf4 SfWegg/ZrvMTQozSgh5KAsIITnZK3sdsY9oPKVfmONbYSH11KHX2rvpZOfAF6i6fKrkS boKh60pxype6e9Y/nusGDZQ8VoLNidyVKhlwnJ6yXEVV8OENUL/ZPfPPjB0cWnr4OhK3 GWCU1sBBikeqb1OMG+KAnnSy5DkV+4JZrIIbk8rHPybV3MWVWv6LSqLJP4RigxcqR3jp n8pkSSoyuTkxOH2jOWzRwbJSaaoJ+PQpj++BD3VKrMdKJ2QoI+56WWhsu1Toj7sixn8/ EPOg==
X-Gm-Message-State: ALoCoQkEF/fnGXv/wXACtRpdtnBVWVSwFCcmlHTZSaC+EoTReEbFREuSdu6QenieyqrfwCh9rYKbCUThwQfYAa8BO20fYeeBK9NQAhXIudUnQcPhbBetidPLpPnkbEWpqefqyajQ/I6lkYtnT6wYdWIpPheOrR7wjjs5zB77Kuyg+IsecF36Mhr00HV/hPtaLbXdDTxXh8ss
MIME-Version: 1.0
X-Received: by 10.220.247.68 with SMTP id mb4mr5852798vcb.37.1392737393003; Tue, 18 Feb 2014 07:29:53 -0800 (PST)
Received: by 10.52.230.105 with HTTP; Tue, 18 Feb 2014 07:29:52 -0800 (PST)
In-Reply-To: <0b3f01cf228d$fef92e30$fceb8a90$@digicert.com>
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com> <52F2305C.5040107@comodo.com> <0b3f01cf228d$fef92e30$fceb8a90$@digicert.com>
Date: Tue, 18 Feb 2014 15:29:52 +0000
Message-ID: <CABrd9SR3+ByEMeXRpbMiwUatqNcoyjv=vHxgr1tdfE8p=oWH-g@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: "certificate-transparency@googlegroups.com" <certificate-transparency@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/therightkey/L81al36CLVQpkixhPPYjJfSoaBE
Cc: "therightkey@ietf.org" <therightkey@ietf.org>, Rob Stradling <rob.stradling@comodo.com>, CABFPub <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated Certificate Transparency + Extended Validation plan)
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2014 15:30:00 -0000

Sorry for long delay.

On 5 February 2014 16:19, Jeremy Rowley <jeremy.rowley@digicert.com> wrote:
> Table 1 of the plan document said both 3 SCTs and 4 SCTs for 27 months.
> Until there is clarification on which is required, 3-4 is the best
> representation of the requirement. I'm hoping Ben meant 15-27 months = 3 and
> 27 = 4, but it's not clear from the document.

Yes, that's exactly what I meant.

>
> Jeremy
>
> -----Original Message-----
> From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
> Behalf Of Rob Stradling
> Sent: Wednesday, February 05, 2014 5:37 AM
> To: certificate-transparency@googlegroups.com
> Cc: therightkey@ietf.org; CABFPub
> Subject: [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated
> Certificate Transparency + Extended Validation plan)
>
> On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley wrote:
>> Three or four proofs for a 27 month certificate is way too many.
> <snip>
>> Adding 400 bytes per certificate will make EV certificates unusable by
> entities concerned with performance.
>
> The updated CT+EV plan requires three SCTs for a (maximum length) 27-month
> EV certificate, not four.  400 bytes for three SCTs is about right though.
>
> Assuming RFC6962-compliant v1 SCTs that contain no SCT extensions and are
> signed using ECDSA and a P-256 private key, then, including all of the ASN.1
> fluff for the SCT List certificate extension, I calculate that it'll be...
>
> 140 or 141 bytes to embed 1 SCT
>
> 261 to 263 bytes to embed 2 SCTs
>
> 380 to 383 bytes to embed 3 SCTs
>
> For (non-EV) validity periods between 27 and 39 months:
> 499 to 503 bytes to embed 4 SCTs
>
> On 04/02/14 17:52, Adam Langley wrote:
> <snip>
>> We should make the SCTs as small as possible
>
> Agreed.  Time for some back-of-an-envelope sums.  For SCT v2, if we were to
> pack in the data as tightly as possible I reckon we could cut it down to as
> little as...
>
> 84 bytes to embed 1 SCT
>
> 159 bytes to embed 2 SCTs
>
> 231 bytes to embed 3 SCTs
>
> 303 bytes to embed 4 SCTs
>
> Here's how...
>
> 1. Use a shorter OID for the SCT List extension.  Perhaps CABForum could
> define 2.23.140.n (with n < 128).  Save 6 bytes.
>
> 2. The first 2 bytes of the SignedCertificateTimestampList structure are its
> total length.  Since this can be calculated from the OCTET STRING length,
> these 2 bytes could be omitted.  Save 2 bytes.
>
> 3. Pack the SCT fields into as few bytes as possible for the common case,
> whilst retaining options for future expansion.  Save 37 bytes per SCT.
> Replace...
>    (1 byte)    Version sct_version;
>    (32 bytes)  LogID id;
>    (8 bytes)   uint64 timestamp;
>    (2+? bytes) CtExtensions extensions;
> ...with...
>    (2 bits)    sct_version    (00=v1; 01=v2; 10,11=unassigned)
>    (2 bits)    log_id_type    (00=SHA-256(log_public_key);
>                                01=1-byte Registered Log ID;
>                                10=2-byte Registered Log ID;
>                                11=4-byte Registered Log ID)
>    (2 bits)    timestamp_size (00=8-bytes;
>                                01=6-bytes;
>                                10=5-bytes;
>                                11=4-bytes)
>    (1 bit)     extensions     (0=CtExtensions is present;
>                                1=CtExtensions is absent)
>    (1 bit)     signature_type (0=digitally-signed struct;
>                                1=raw Ed25519 signature)
>    For the common case:
>    (1 byte)    Registered Log ID
>    (4 bytes)   Timestamp (seconds, not milliseconds)
>
> 4. Use the Ed25519 signature scheme instead of ECDSA.  ECDSA signatures
> using a P-256 key seem to be 72 or 73 bytes, whereas Ed25519 signatures are
> 64 bytes.  Save 8 or 9 bytes per SCT.
> Also, for Ed25519, omit the 2 bytes containing the hash algorithm and
> signature algorithm from the "digitally-signed struct" header.  Save 2 bytes
> per SCT.
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> _______________________________________________
> Public mailing list
> Public@cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
> --
> You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsubscribe@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

v2.23.0 | Report a Bug | By Email