IETF Logo Mail Archive

Re: [therightkey] [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated Certificate Transparency + Extended Validation plan)

"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 05 February 2014 16:19 UTC

Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 711431A010A for <therightkey@ietfa.amsl.com>; Wed, 5 Feb 2014 08:19:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.237
X-Spam-Level:
X-Spam-Status: No, score=-4.237 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8laNX3Co85CW for <therightkey@ietfa.amsl.com>; Wed, 5 Feb 2014 08:19:03 -0800 (PST)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by ietfa.amsl.com (Postfix) with ESMTP id A5D1C1A00E2 for <therightkey@ietf.org>; Wed, 5 Feb 2014 08:19:03 -0800 (PST)
Received: from JROWLEYL1 (unknown [67.137.52.7]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.digicert.com (Postfix) with ESMTPSA id C69438FA03E; Wed, 5 Feb 2014 09:19:02 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail; t=1391617143; bh=iFYBri7tp+ITMTibPkk7J5A+7SNPXguGQhsn+ZKXwGQ=; h=From:To:Cc:References:In-Reply-To:Subject:Date; b=sbx07fTxB0dTqFZsZWO6xbzgQpTs2y3TXT1i1fo/p57xGcj7pt0HoVkUNPI+/tgvB giKqfm9zSIjL5thz/7XkX9xFCKvu0Dd4B3jo4B3IFtaMIkTpr9N0ot+TZMlRX4o72b kX1DeeMe00at5J5KXi3LzjEIast/HITgIiMGonkE=
From: Jeremy Rowley <jeremy.rowley@digicert.com>
To: 'Rob Stradling' <rob.stradling@comodo.com>, certificate-transparency@googlegroups.com
References: <CABrd9STwBDxwB1vtmS9Ozb5e_7D=zfOqkOBeAaT2HG7X-cw5gw@mail.gmail.com> <04a001cf21cf$3a649190$af2db4b0$@digicert.com> <CAL9PXLyWFSfHz_230SkWLvr7sUROPv_k0rfKgmkMRRttk-EjGQ@mail.gmail.com> <52F2305C.5040107@comodo.com>
In-Reply-To: <52F2305C.5040107@comodo.com>
Date: Wed, 05 Feb 2014 09:19:07 -0700
Message-ID: <0b3f01cf228d$fef92e30$fceb8a90$@digicert.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQGGS/IGH2GP3iOZeF9RA+GsPjuqQQF9nIx2AUxrmLEBqP6rfZsU6tPA
Content-Language: en-us
Cc: therightkey@ietf.org, 'CABFPub' <public@cabforum.org>
Subject: Re: [therightkey] [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated Certificate Transparency + Extended Validation plan)
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2014 16:19:05 -0000

Table 1 of the plan document said both 3 SCTs and 4 SCTs for 27 months.
Until there is clarification on which is required, 3-4 is the best
representation of the requirement. I'm hoping Ben meant 15-27 months = 3 and
>27 = 4, but it's not clear from the document.

Jeremy

-----Original Message-----
From: public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] On
Behalf Of Rob Stradling
Sent: Wednesday, February 05, 2014 5:37 AM
To: certificate-transparency@googlegroups.com
Cc: therightkey@ietf.org; CABFPub
Subject: [cabfpub] Thoughts on reducing SCT sizes (was Re: Updated
Certificate Transparency + Extended Validation plan)

On Tue, Feb 4, 2014 at 12:33 PM, Jeremy Rowley wrote:
> Three or four proofs for a 27 month certificate is way too many.
<snip>
> Adding 400 bytes per certificate will make EV certificates unusable by
entities concerned with performance.

The updated CT+EV plan requires three SCTs for a (maximum length) 27-month
EV certificate, not four.  400 bytes for three SCTs is about right though.

Assuming RFC6962-compliant v1 SCTs that contain no SCT extensions and are
signed using ECDSA and a P-256 private key, then, including all of the ASN.1
fluff for the SCT List certificate extension, I calculate that it'll be...

140 or 141 bytes to embed 1 SCT

261 to 263 bytes to embed 2 SCTs

380 to 383 bytes to embed 3 SCTs

For (non-EV) validity periods between 27 and 39 months:
499 to 503 bytes to embed 4 SCTs

On 04/02/14 17:52, Adam Langley wrote:
<snip>
> We should make the SCTs as small as possible

Agreed.  Time for some back-of-an-envelope sums.  For SCT v2, if we were to
pack in the data as tightly as possible I reckon we could cut it down to as
little as...

84 bytes to embed 1 SCT

159 bytes to embed 2 SCTs

231 bytes to embed 3 SCTs

303 bytes to embed 4 SCTs

Here's how...

1. Use a shorter OID for the SCT List extension.  Perhaps CABForum could
define 2.23.140.n (with n < 128).  Save 6 bytes.

2. The first 2 bytes of the SignedCertificateTimestampList structure are its
total length.  Since this can be calculated from the OCTET STRING length,
these 2 bytes could be omitted.  Save 2 bytes.

3. Pack the SCT fields into as few bytes as possible for the common case,
whilst retaining options for future expansion.  Save 37 bytes per SCT.
Replace...
   (1 byte)    Version sct_version;
   (32 bytes)  LogID id;
   (8 bytes)   uint64 timestamp;
   (2+? bytes) CtExtensions extensions;
...with...
   (2 bits)    sct_version    (00=v1; 01=v2; 10,11=unassigned)
   (2 bits)    log_id_type    (00=SHA-256(log_public_key);
                               01=1-byte Registered Log ID;
                               10=2-byte Registered Log ID;
                               11=4-byte Registered Log ID)
   (2 bits)    timestamp_size (00=8-bytes;
                               01=6-bytes;
                               10=5-bytes;
                               11=4-bytes)
   (1 bit)     extensions     (0=CtExtensions is present;
                               1=CtExtensions is absent)
   (1 bit)     signature_type (0=digitally-signed struct;
                               1=raw Ed25519 signature)
   For the common case:
   (1 byte)    Registered Log ID
   (4 bytes)   Timestamp (seconds, not milliseconds)

4. Use the Ed25519 signature scheme instead of ECDSA.  ECDSA signatures
using a P-256 key seem to be 72 or 73 bytes, whereas Ed25519 signatures are
64 bytes.  Save 8 or 9 bytes per SCT.
Also, for Ed25519, omit the 2 bytes containing the hash algorithm and
signature algorithm from the "digitally-signed struct" header.  Save 2 bytes
per SCT.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public

v2.23.0 | Report a Bug | By Email