Re: [TLS] PR#28: Converting cTLS to QUIC-style varints

Christian Huitema <> Wed, 07 October 2020 00:59 UTC


On 10/6/2020 5:23 PM, Martin Thomson wrote:
> On Wed, Oct 7, 2020, at 04:12, Christian Huitema wrote:
>> * Receiver side: receive the message, save it, parse and process, and
>> when it is time to verify the signature go back to the original message
>> and check the signature.
> I think that you mean:
> receive the message, check the signature, then parse and process if that passes
You would think that, but the X.509 design meant that the application
would receive all its data in parsed form, and then re-serialize the
parts that it needed to check, such as for example certificates. And if
you do that, you must absolutely guarantee that parse and serialize are
bijections between the application representation and the byte
sequences. Which leads to requiring "distinguished encoding rules",
including not just the coding of integers but also ordering of elements
in sets or representations of character strings. And yes, this turned
out to be a really bad idea.
>> If we do that, then there is no reason to mandate minimal length
>> encoding. And TLS already does that. For example, we do not reorder
>> extensions according to some canonical rules before placing them in the
>> transcript.
> This I agree with.  But cTLS doesn't work that way because the signature - such as it is - applies at the next layer, which appears after the encoding is erased.  And that is important here.  The encoding we're talking about is a compression function only.  Not having a canonical form means adding an inefficiency, but it has little bearing on the process you describe, which would be modified to:
> receive the message, decompress the message, check the signature, then parse and process if that passes
> In TLS we don't follow that ordering either because we all routinely process tons of stuff before we get to the Finished/CertificateVerify.  Having those at the end makes a ton of sense, for a variety of reasons, but it does mean that we build a protocol on credit.  And we have plenty of experience, I hope, in dealing with bad credit in TLS.

Yes. And I do also agree with your statement that *not* requiring
minimal length encoding makes some of the code paths much simpler. I use
that for example to encode the length field of QUIC packets.

-- Christian Huitema
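
An added example, not part of the original message or of any cTLS or QUIC implementation: a QUIC-style varint codec (RFC 9000, section 16) showing why a digest taken over parse-then-reserialize output only matches the received bytes when the encoding is canonical, and how a fixed-size length field can be reserved and patched in afterwards. The frame layout and the names `build_frame`, `parse_frame`, `reserialize` and `digests` are assumptions made for illustration.

```python
import hashlib

def encode_varint(value, length=None):
    # QUIC varint (RFC 9000, section 16). length=None picks the minimal size;
    # a longer size (2, 4 or 8) is equally valid, minimal encoding is not required.
    if not 0 <= value < 1 << 62:
        raise ValueError("value out of range for a 62-bit varint")
    minimal = 1 if value < 1 << 6 else 2 if value < 1 << 14 else 4 if value < 1 << 30 else 8
    length = minimal if length is None else length
    if length not in (1, 2, 4, 8) or length < minimal:
        raise ValueError("length cannot hold value")
    prefix = {1: 0, 2: 1, 4: 2, 8: 3}[length]
    return (value | prefix << (8 * length - 2)).to_bytes(length, "big")

def decode_varint(buf, offset=0):
    # Returns (value, bytes_consumed); the top two bits of the first byte give the size.
    if offset >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[offset] >> 6)
    if offset + length > len(buf):
        raise ValueError("truncated varint")
    value = int.from_bytes(buf[offset:offset + length], "big")
    return value & ((1 << (8 * length - 2)) - 1), length

def build_frame(payload):
    # Hypothetical sender: reserve a fixed 2-byte length field, append the
    # payload, then patch the length in without moving any bytes.
    frame = bytearray(2) + payload
    frame[0:2] = encode_varint(len(payload), length=2)
    return bytes(frame)

def parse_frame(frame):
    length, used = decode_varint(frame)
    payload = frame[used:used + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return payload

def reserialize(payload):
    # Canonical re-encoding of the parsed form, using the minimal length size.
    return encode_varint(len(payload)) + payload

def digests(frame):
    # (digest over the bytes as received, digest over parse-then-reserialize)
    received = hashlib.sha256(frame).hexdigest()
    rebuilt = hashlib.sha256(reserialize(parse_frame(frame))).hexdigest()
    return received, rebuilt
```

A receiver that keeps the original bytes and verifies over them accepts both encodings of the same frame; one that verifies over `reserialize()` output rejects the non-minimal one even though it parses to the same payload.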