Re: [TLS] PR#28: Converting cTLS to QUIC-style varints

Eric Rescorla <> Sun, 15 November 2020 20:14 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EC34D3A09EB for <>; Sun, 15 Nov 2020 12:14:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id F_nTRxQEWt51 for <>; Sun, 15 Nov 2020 12:13:59 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id AF15B3A09E7 for <>; Sun, 15 Nov 2020 12:13:58 -0800 (PST)
Received: by with SMTP id o24so17603656ljj.6 for <>; Sun, 15 Nov 2020 12:13:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+PvJk9LGoxW9L4bq8scO7CCZ1Tjb6SK6bLj6+dvNYYE=; b=BCoQLinptqAVys+rGDTLlnJzGaL0m++PrPvUyKius8LWCKXNgQr1ugRPdjU4o8FgS3 0Kjx6lXyRuXeLgahRV4sJMHmHO+DYWMMYBhx08FdLFxEakHEFOjBFivB0eyW2WnVIkTB +ktravuBGS6CHvHRsr0be9tJK535CqIZhCuQe4oQOREBa0ltu6wBs6OHEi69bFGXYO8K psmCQKKf1JJ9791Y8maHpm6s/UtCTOPQPSfd4pWeOMGYHBpwkaLa+5F3BUZXH0nSFkEb /vbUIiehu4jjK3dIPzCbqHJdGAEQWCYarAqP4asA0LUv937dKtlOthM0mvtRR4F7YBQg ZQ1Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+PvJk9LGoxW9L4bq8scO7CCZ1Tjb6SK6bLj6+dvNYYE=; b=YVwNJhWxgToFkEOT8JcjqrWwO+eukrAzLrwBxYloUoyuPsMPsa0EglBOVmDCwwITTV rr9jBLVez0s4FAcJ+iz4B7yCjsydtiHi1xki0FsKibPEu8OexaFpugF1iN5336x0vCrw EeEXTjfl9St6c6WlCZa7IWm8DcjSTG6Xi/qPqY9SBFYmgZ8inyvMY9FRmNQTFoSrYxnP mucecR9u1gVVxkxSceylk+xyROVxqK31OesoNoy4SPN4LBtsWEm8fluShz/DIAoghALC CIo97z9V4BzqnpkLRyyXAc6le1XvYVDP/2l/37X/VkyjEBM9GE1vjl1o3c5vC7Emn4/Y laWg==
X-Gm-Message-State: AOAM530TFnCFXbPfoc1MoL7WgyuxmYQPqOTW9Qd0MfuKFHmnrEyMFDjZ 9/+3jbnWA+eSVKkh2y1WrAt63Wy831c3ZqXs2Sbllw==
X-Google-Smtp-Source: ABdhPJyu3yqp+5U0M5nn9HK36UwSzE7nOyhRaTE/CmMm6Wq+Dt5dp0MCT1tzYDdLNQgDTX8/TeR9yLKTo1WdYMTSLlw=
X-Received: by 2002:a05:651c:1105:: with SMTP id d5mr5417144ljo.265.1605471236971; Sun, 15 Nov 2020 12:13:56 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <> <> <>
In-Reply-To: <>
From: Eric Rescorla <>
Date: Sun, 15 Nov 2020 12:13:20 -0800
Message-ID: <>
To: Nick Harper <>
Cc: Marten Seemann <>, "<>" <>
Content-Type: multipart/alternative; boundary="000000000000c6f05f05b42ae6f0"
Archived-At: <>
Subject: Re: [TLS] PR#28: Converting cTLS to QUIC-style varints
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 15 Nov 2020 20:14:01 -0000

Trying to close out this discussion, it seems to me like there are three
major options:

1. The current scheme
2. The current scheme with a deterministic minimal encoding (e.g., the two
byte version is offset by 127)
3. The QUIC scheme

I don't think that the QUIC scheme with deterministic encoding makes sense,
because the virtue of the QUIC scheme is commonality with something already
defined. I'm hearing that people are not as excited about moving to QUIC as
I had expected and to the best of my knowledge, there is no valid reason to
encode to > 2^32-1 in TLS. I also don't think using encoding (1) but
mandating minimal length makes sense, as it's just as easy to do a
deterministic minimal encoding.

As Christian observes it *is* significantly more painful to do (2): the
conventional way to encode vectors in TLS with minimal copying is:

- Mark your current place --> X
- Skip forward the length of the length field --> L
- Encode the value
- Encode (current position - (X + L)) at X

But this won't be possible in (2). As MT observes, if you think of this as
a two-pass system, there is not as much of a problem here [though not
necessarily no problem]. Also, if you use a separate buffer, there is no
problem. As noted above by MT and others, cTLS expands the transcript and
so having a deterministic compression scheme is perhaps not as important,
given that decompression is deterministic, but it still seems nice to have.

Given the above, I think my preference would be (1) or (2), with, I think,
a slight preference for (2).


On Tue, Oct 6, 2020 at 5:33 PM Nick Harper <> wrote:

> I have no strong opinion on how this is formatted. I'd base my decision on
> what the maximum value cTLS needs to encode: If 2^22-1 is sufficient, let's
> keep it as is, otherwise let's change it to the QUIC format (or some other
> change to increase the max value). I do like that the existing scheme,
> compared to QUIC varints, is more efficient for values 64-127 and just as
> efficient for the rest.
> On Mon, Oct 5, 2020 at 8:09 PM Eric Rescorla <> wrote:
>> I don't have a strong opinion on whether to require a minimal encoding,
>> but if we're not going to use QUIC's encoding as-is, then I would rather
>> stick with the existing scheme, which has twice as large a range for the 1
>> byte encoding and is thus more compact for a range of common cases.
>> -Ekr
>> On Mon, Oct 5, 2020 at 7:31 PM Marten Seemann <>
>> wrote:
>>> In that case, why use QUIC's encoding at all? It would just put the
>>> burden on the receiver to check that the minimal encoding was used.
>>> Would it instead make more sense to modify QUIC's encoding, such that
>>> the 2-byte encoding doesn't encode the numbers from 0 to 16383, but the
>>> numbers from 64 to (16383 + 64), and equivalently for 4 and 8-byte
>>> encodings?
>>> On Tue, Oct 6, 2020 at 9:22 AM Salz, Rich <> wrote:
>>>> Can you just say “QUIC rules but use the minimum possible length”?
>>> _______________________________________________
>> TLS mailing list