IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-02.txt

Benjamin Kaduk <bkaduk@akamai.com> Wed, 31 January 2018 21:41 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D75D12ECB9 for <tls@ietfa.amsl.com>; Wed, 31 Jan 2018 13:41:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGTrZgU2pJeB for <tls@ietfa.amsl.com>; Wed, 31 Jan 2018 13:41:43 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 113F012FAAD for <tls@ietf.org>; Wed, 31 Jan 2018 13:41:42 -0800 (PST)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0VLfeQt004063; Wed, 31 Jan 2018 21:41:40 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=jan2016.eng; bh=9kBzCjCakZUWRRx5l3aszfWaHjMMvrBABNDCXWXcchk=; b=YZNLPkB8L09fpd4l/t1AhQT3hbCCMOhj58gXtA/buy2TktzO138BstPRritLo6WecA1s uqfW8/Ie2mlLRQxivprK0F/iMxwB9MAMQqknGZs0ix+WcZxqjZmRWyxOflJELxUduBsl 7DNHhEpYKSGvMxnHvbULdWuQpZ4UgQhfEaKgr1YPVd84LtCVR3qMMUwolFIsUEeFydW4 6OPw+3HEXIWeUido2vMm5TDZ25cM3hv2PQhyR7aKfH9fNO75XZgnKDFXon7g75GeoR8r XhO2PRX7ycNbzPQg2+EOx6/CLPpC0I9k/clz7UVj1bwUA4tJmtGQb5A5IqYGeVhEcoWf tQ==
Received: from prod-mail-ppoint2 (prod-mail-ppoint2.akamai.com [184.51.33.19]) by m0050096.ppops.net-00190b01. with ESMTP id 2funqe818e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 31 Jan 2018 21:41:38 +0000
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w0VLf05e007655; Wed, 31 Jan 2018 16:41:35 -0500
Received: from prod-mail-relay10.akamai.com ([172.27.118.251]) by prod-mail-ppoint2.akamai.com with ESMTP id 2frnmyqpkb-1; Wed, 31 Jan 2018 16:41:35 -0500
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id DC0DF2714F; Wed, 31 Jan 2018 21:41:34 +0000 (GMT)
To: Victor Vasiliev <vasilvv@google.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <151696190108.24397.6150515497869897080@ietfa.amsl.com> <20180126102659.GA5204@pinky> <4ef441ff-6075-626e-b208-a0e5da3d18f0@akamai.com> <CAAZdMaczieoBKBo21Hpm36V6k=SY_UORqwguma0QGh3JJW4wPA@mail.gmail.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <9126f0e6-e135-5421-f9b9-1ff880fd19e8@akamai.com>
Date: Wed, 31 Jan 2018 15:41:34 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <CAAZdMaczieoBKBo21Hpm36V6k=SY_UORqwguma0QGh3JJW4wPA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5A9359ADE016D2EF3BB2393B"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-31_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=897 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801310271
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-31_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=878 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1801310271
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/16xM5GFq-elISJTkU0ZbimMocjE>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Jan 2018 21:41:45 -0000

On 01/30/2018 04:02 PM, Victor Vasiliev wrote:
> On Mon, Jan 29, 2018 at 10:22 AM, Benjamin Kaduk <bkaduk@akamai.com
> <mailto:bkaduk@akamai.com>> wrote:
>
>     The new note about "no ServerHello extension to echo back" makes me
>     wonder if (not) echoing back in Certificate should also be mentioned,
>     since the TLS 1.3 paradigm is that CertificateRequest extensions are
>     also "requests" that can get "responses" in the Certificate message.
>
>
> True, though I guess this depends on your definition of "response"?
>  

I'm thinking of the text in section 4.2:

   Extensions are generally structured in a request/response fashion,
   though some extensions are just indications with no corresponding
   response.  The client sends its extension requests in the ClientHello
   message and the server sends its extension responses in the
   ServerHello, EncryptedExtensions, HelloRetryRequest and Certificate
   messages.  The server sends extension requests in the
   CertificateRequest message which a client MAY respond to with a
   Certificate message.  The server MAY also send unsolicited extensions
   in the NewSessionTicket, though the client does not respond directly
   to these.

   Implementations MUST NOT send extension responses if the remote
   endpoint did not send the corresponding extension requests, with the
   exception of the "cookie" extension in HelloRetryRequest.  Upon
   receiving such an extension, an endpoint MUST abort the handshake
   with an "unsupported_extension" alert.


-Ben

>     I also wondered whether there was any sense in reserving codepoint
>     0 (of
>     CertificateCompressionAlgorithm) for "uncompressed".  I guess not,
>     since
>     support for uncompressed certificates is implicit by means of not
>     using
>     the extension.  But sometimes keeping value 0 (basically) reserved is
>     still useful.
>
>
> I've considered that, but decided that this would just introduce two
> ways to do
> the same thing (send certificate uncompressed), so I decided against it.

Sure.  I don't see a reason to add a code point for uncompressed, but
maybe there is an aesthetic argument for leaving 0 reserved entirely. 
But I definitely do not insist on anything.

v2.23.0 | Report a Bug | By Email