Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-04.txt
"Sniffen, Brian" <bsniffen@akamai.com> Tue, 26 March 2019 16:07 UTC
Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4272F120530 for <tls@ietfa.amsl.com>; Tue, 26 Mar 2019 09:07:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.852
X-Spam-Level:
X-Spam-Status: No, score=-1.852 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=0.85, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKdbLawPzodT for <tls@ietfa.amsl.com>; Tue, 26 Mar 2019 09:07:40 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DF2112052F for <tls@ietf.org>; Tue, 26 Mar 2019 09:07:40 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2QG7Xwb029030; Tue, 26 Mar 2019 16:07:37 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=jan2016.eng; bh=jeW9hOLZIx+A9pqZUGg8hN9uzj+cy9Z1RlYYYp560CY=; b=o6VND/mw+oDaqJWjEfAghuqjGqFmQenpIoCsyVJmL2pGneqv0XWVSIKUtY57AkE7Nltg 369vxYGHXh6KxKJx7ePWIFC83vbFlgDAW/wtPzLtKgQwTvPMZy+JWf3BSUvsCM75t/Rg OVoJB9ApI+ONvHDema6qnwOjpxLeOd27LADY9cF9KZ8tsK3nNAaGQ25hvmT7o01sZPUO FTHzBPvDR9pgVQVdG54VKKbctpZvGhdu0DK7vtUacOKe6eOnD8URPLuhhAlUQjq7heIE +FFgXM00j6FPy5GNhGV199rGFAiKljF2+6+fqc8Pyvw3+lw3Eh7MPl+sH5ZPbdt0vWi5 zw==
Received: from prod-mail-ppoint4 (a96-6-114-87.deploy.static.akamaitechnologies.com [96.6.114.87] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 2rfm1xrqa8-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Mar 2019 16:07:37 +0000
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x2QG2mmZ018621; Tue, 26 Mar 2019 12:07:36 -0400
Received: from email.msg.corp.akamai.com ([172.27.25.32]) by prod-mail-ppoint4.akamai.com with ESMTP id 2rdg4v854c-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 26 Mar 2019 12:07:36 -0400
Received: from USTX2EX-DAG1MB2.msg.corp.akamai.com (172.27.27.102) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 26 Mar 2019 11:07:36 -0500
Received: from USTX2EX-DAG1MB2.msg.corp.akamai.com ([172.27.6.132]) by ustx2ex-dag1mb2.msg.corp.akamai.com ([172.27.6.132]) with mapi id 15.00.1473.003; Tue, 26 Mar 2019 11:07:36 -0500
From: "Sniffen, Brian" <bsniffen@akamai.com>
To: Alessandro Ghedini <alessandro@ghedini.me>
CC: Sean Turner <sean@sn3rd.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] I-D Action: draft-ietf-tls-certificate-compression-04.txt
Thread-Index: AQHUWxTdgLqoGD5KRk2mXCj0gRBTQaUNuF+AgABN2gCAAY5uAIEPkTwj
Date: Tue, 26 Mar 2019 16:07:35 +0000
Message-ID: <63200ECA-5F92-44A1-970D-E96F90B89EE9@akamai.com>
References: <153856977342.9010.10521757586695280@ietfa.amsl.com> <20181003123643.GA5454@mandy.flat11.house> <EC87E55E-A342-40D7-9E09-DB790B04BB9F@sn3rd.com>, <20181004170124.GA13528@mandy.flat11.house>
In-Reply-To: <20181004170124.GA13528@mandy.flat11.house>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-26_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260111
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-03-26_11:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260112
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NUE4Tn26X0p_Q8-qpAqG0okNZp8>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-04.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 16:07:42 -0000
>> WG - I’d like to echo Alessandro request for reviews. If this outstanding WG item is not resolved before IETF103 we will discuss the outstanding issue there, and barring any other major issues we are planning to WGLC the draft after IETF103. >> >> One question: There was some discussion earlier about dictionaries. Are dictionaries being used in the current deployments? > > No, neither Chrome nor Cloudflare are using dictionaries. Something I forgot > to mention in my previous email is that the numbers are for plain brotli > compression, so without dictionary. Just to check: is this still true for the excellent numbers we saw today? Surely it’s only the text-like parts of the certificate that are compressed. As EKR mentioned, presumably a bunch of the savings is from compressing the Subject of one cert against the Issuer of another. Perhaps there’s some ASN.1 framing too? If the Brotli dictionary were there, I’d expect to see compression of “Massachusetts” and “Czechia.” But versioning of that dictionary seems dangerous for the same reasons we talked about the hash table lookups being dangerous. Is there a space for a requirement that the decompression function contain no information flow from the algorithm, so that all bits in the output were present somewhere in the compressed input? -Brian
- [TLS] I-D Action: draft-ietf-tls-certificate-comp… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Alessandro Ghedini
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Sean Turner
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Alessandro Ghedini
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Sniffen, Brian
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… David Benjamin
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Sniffen, Brian
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… David Benjamin
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… John Mattsson
- Re: [TLS] I-D Action: draft-ietf-tls-certificate-… Victor Vasiliev