IETF Logo Mail Archive

Re: [TLS] [Uta] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS

Sean Turner <sean@sn3rd.com> Sat, 11 April 2020 02:44 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 837673A15C7 for <tls@ietfa.amsl.com>; Fri, 10 Apr 2020 19:44:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hKcKodCZktsu for <tls@ietfa.amsl.com>; Fri, 10 Apr 2020 19:44:35 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD81D3A15C8 for <tls@ietf.org>; Fri, 10 Apr 2020 19:44:34 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id 71so2924739qtc.12 for <tls@ietf.org>; Fri, 10 Apr 2020 19:44:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GJWGbp0otXIfHlI1xJHBvRScCCPwzVH3w9mxxUC5DZU=; b=GVG6Io0P6J3OtE4q83OCLQJ/5QrsZYJbk8QKTdEhJk3ox64p4LDVvdZt1cCdIelRd4 NLmcYXdONyRxAeI/sToBtvu1XKOrcqfkff4EX7ioc3IbSdfR+wfsV7s9/tp+5o3F0ihb FfyMQC98i8XfGUqJ/mSh0aHPPULdVSHFoAowA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=GJWGbp0otXIfHlI1xJHBvRScCCPwzVH3w9mxxUC5DZU=; b=SyeBdj2atCvzH2l2raoZaUWWZUaVthMr7BIBWIMuyv/SlaDylWfHV6HTIgKS65tnhr zwG9/9iDIhopAdrOcyUTW8NE/kFTUYaxEWCQTUj4Rg9AtgbLb0y9j5fBc+DsLtq1FCf1 kij4XVLuyfgAN63gSA2eDPByOUSH7Fa9aKEChzwH2EX+YG++A1ko/t2c/mAxp42BdubT yRD8QfbCxCVQyK0ndCNoMMoPOk1dkOLZo+t/+bYHRTPmxn2QYxn3mPKWAKzqfAoc5XNx Lqku00EamzLDXdJrzqoKR37PcoDGixg/yhh/3ffmB1+ziSva6RbXwqbxzZwGBqdwZdrQ SVsg==
X-Gm-Message-State: AGi0PubfyghaPbSwkM8B9FtYoaoAFC/+OYk7xxB/xmcen439RGD5jjXf bBDNFDqU3m7M3kDaaOj5QYPL+g==
X-Google-Smtp-Source: APiQypLqU8T3HENhkRF7RKb07J9prushXriA++8mHRoUuwuoGiajwgMHSUCDrJoFWlnAPVuCC7IzTg==
X-Received: by 2002:ac8:31ac:: with SMTP id h41mr2004589qte.139.1586573073638; Fri, 10 Apr 2020 19:44:33 -0700 (PDT)
Received: from sn3rd.lan ([75.102.131.34]) by smtp.gmail.com with ESMTPSA id c207sm3056015qkb.7.2020.04.10.19.44.32 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Apr 2020 19:44:32 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <AM0PR08MB3716CD4DA4854230B57AB6AEFAC00@AM0PR08MB3716.eurprd08.prod.outlook.com>
Date: Fri, 10 Apr 2020 22:44:30 -0400
Cc: TLS List <tls@ietf.org>, "uta@ietf.org" <uta@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <641927D7-CC49-4417-874E-12D44F6D6023@sn3rd.com>
References: <CD58C8B5-BBB4-4D59-B2BF-4DE53A2725F1@ericsson.com> <AM0PR08MB3716CD4DA4854230B57AB6AEFAC00@AM0PR08MB3716.eurprd08.prod.outlook.com>
To: John Mattsson <john.mattsson@ericsson.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QlElrvYC7m6ijM06Kw-_KAKHgdw>
Subject: Re: [TLS] [Uta] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Apr 2020 02:44:40 -0000

-hat

John,

There is already a certificate compression mechanism defined in draft-ietf-tls-certificate-compression, which is currently in the RFC editor’s queue. How do these documents relate to that one?

spt

> On Apr 8, 2020, at 09:29, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
> Thanks for the info, John. I will have a look at this publication.
> 
> -----Original Message-----
> From: John Mattsson <john.mattsson@ericsson.com>
> Sent: Wednesday, April 8, 2020 3:14 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; tls@ietf.org; uta@ietf.org
> Subject: Re: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
> 
> Hi Hannes,
> 
> I have requested and been assigned time for draft-mattsson-tls-cbor-cert-compress-00 and draft-raza-ace-cbor-certificates-04 at the UTA virtual interim on March 23.
> 
> We have an implementation of https://link.springer.com/chapter/10.1007%2F978-3-319-93797-7_14 / draft-raza-ace-cbor-certificates-03, but the code is not written in a way so that the compression mechanism DER-> CBOR can be extracted. The example in draft-raza-ace-cbor-certificates-04 was created by hand with cbor.me. We are planning to implement a updated standalone version of the DER->CBOR compression and hopefully have interop testing in the COSE WG.
> 
> Cheers,
> John
> 
> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> on behalf of Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Date: Friday, 3 April 2020 at 14:20
> To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>, "uta@ietf.org" <uta@ietf.org>
> Subject: Re: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
> 
>    Hi John,
> 
>    Thanks for the heads-up.
> 
>    Discussing this aspect in draft-tschofenig-uta-tls13-profile-01 makes sense.
> 
>    I was wondering whether you have been working on an implementation of draft-mattsson-cose-cbor-cert-compress-00 / draft-raza-ace-cbor-certificates-04.
> 
>    Ciao
>    Hannes
> 
>    -----Original Message-----
>    From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
>    Sent: Friday, April 3, 2020 9:03 AM
>    To: TLS@ietf.org; uta@ietf.org
>    Subject: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
> 
>    Hi,
> 
>    During the COSE virtual interim meeting yesterday, there was agreement that the COSE working group should work on CBOR compression of RFC 7925 profiled X.509 certificates. The work will be based on draft-raza-ace-cbor-certificates and draft-mattsson-cose-cbor-cert-compress and the two drafts will be merged. Doing this work in a security group focused on CBOR makes a lot of sense.
> 
>    https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress-00
>    https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-04
> 
>    The COSE draft charter has already been updated to reflect this.
> 
>    https://github.com/cose-wg/Charter/blob/master/Charter.md
> 
>    As the algorithm is focused on compressing RFC 7925 profiled certificates, It seems like a very good match for cTLS. To keep the number of internet-drafts down, I plan to also include the TLS IANA registrations in the merged draft submitted to the COSE WG and let draft-mattsson-tls-cbor-cert-compress-00 expire.
> 
>    Any comments from the TLS WG are very welcome, but otherwise these is not so much to discuss, this is just another certificate compression algorithm. Any TLS related discussions would likely be regarding the certificate profile in RFC 7925 and if any clarifications or updates are needed. This is likely best discussed in UTA which may take up work on a TLS/DTLS 1.3 update of RFC 7925.
> 
>    https://tools.ietf.org/html/draft-tschofenig-uta-tls13-profile-01
> 
>    Cheers,
>    John
> 
>    -----Original Message-----
>    From: John Mattsson <john.mattsson@ericsson.com>
>    Date: Thursday, 12 March 2020 at 08:58
>    To: "TLS@ietf.org" <TLS@ietf.org>
>    Cc: "uta@ietf.org" <uta@ietf.org>
>    Subject: FW: New Version Notification for draft-mattsson-tls-cbor-cert-compress-00.txt
> 
>        Hi,
> 
>        We have submitted a new draft to TLS https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00 The draft register a new compression algorithms for use with TLS Certificate Compression in TLS 1.3 and DTLS 1.3 (draft-ietf-tls-certificate-compression).
> 
>        The draft uses https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-04 to compress RFC 7925 profiles certificates by encoding them from DER to CBOR. The aim is to be compatible with all RFC 7925 profiled certificates. With the included example DER encoded RFC 7925 certificate to certificate is compressed from 314 to 136 bytes, a compression rate of 57%.
> 
>        The general purpose compression algorithms defined in draft-ietf-tls-certificate-compression do not seem able to compress profiled RFC 7925 X.509 certificates much at all. zlib compressed the example cert 9%, but for other certificates we tested, zlib did in many cases not provide any compression at all.
> 
>        We have submitted a similar draft to the COSE WG registering a new algorithms for the TLS 1.3 certificate compression extension.
> 
>        https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00
> 
>        Cheers,
>        John
> 
>        -----Original Message-----
>        From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
>        Date: Monday, 9 March 2020 at 21:19
>        To: John Mattsson <john.mattsson@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Joel Höglund <joel.hoglund@ri.se>, Joel Hoglund <joel.hoglund@ri.se>, Göran Selander <goran.selander@ericsson.com>, Martin Furuhed <martin.furuhed@nexusgroup.com>, Göran Selander <goran.selander@ericsson.com>, Shahid Raza <shahid.raza@ri.se>
>        Subject: New Version Notification for draft-mattsson-tls-cbor-cert-compress-00.txt
> 
> 
>            A new version of I-D, draft-mattsson-tls-cbor-cert-compress-00.txt
>            has been successfully submitted by John Preuss Mattsson and posted to the
>            IETF repository.
> 
>            Name:draft-mattsson-tls-cbor-cert-compress
>            Revision:00
>            Title:CBOR Certificate Algorithm for TLS Certificate Compression
>            Document date:2020-03-09
>            Group:Individual Submission
>            Pages:6
>            URL:            https://www.ietf.org/internet-drafts/draft-mattsson-tls-cbor-cert-compress-00.txt
>            Status:         https://datatracker.ietf.org/doc/draft-mattsson-tls-cbor-cert-compress/
>            Htmlized:       https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00
>            Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-tls-cbor-cert-compress
> 
> 
>            Abstract:
>               Certificate chains often take up the majority of the bytes
>               transmitted in TLS handshakes.  Large handshakes can cause problems,
>               particularly in constrained IoT environments.  RFC 7925 defines a TLS
>               certificate profile for constrained IoT.  General purpose compression
>               algorithms can in many cases not compress RFC 7925 profiled
>               certificates at all.  By using the fact that the certificates are
>               profiled, the CBOR certificate compression algorithms can in many
>               cases compress RFC 7925 profiled certificates with over 50%. This
>               document specifies the CBOR certificate compression algorithm for use
>               with TLS Certificate Compression in TLS 1.3 and DTLS 1.3.
> 
> 
> 
> 
>            Please note that it may take a couple of minutes from the time of submission
>            until the htmlized version and diff are available at tools.ietf.org.
> 
>            The IETF Secretariat
> 
> 
> 
> 
> 
> 
>    _______________________________________________
>    TLS mailing list
>    TLS@ietf.org
>    https://www.ietf.org/mailman/listinfo/tls
>    IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>    _______________________________________________
>    TLS mailing list
>    TLS@ietf.org
>    https://www.ietf.org/mailman/listinfo/tls
> 
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta

v2.23.0 | Report a Bug | By Email