Re: [TLS] draft-ietf-tls-cert-abridge Update
Dennis Jackson <ietf@dennis-jackson.uk> Mon, 04 March 2024 15:47 UTC
Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A84DC151081 for <tls@ietfa.amsl.com>; Mon, 4 Mar 2024 07:47:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfufK1b75A-T for <tls@ietfa.amsl.com>; Mon, 4 Mar 2024 07:47:12 -0800 (PST)
Received: from mout-p-201.mailbox.org (mout-p-201.mailbox.org [IPv6:2001:67c:2050:0:465::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64469C14CEED for <tls@ietf.org>; Mon, 4 Mar 2024 07:47:11 -0800 (PST)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [10.196.197.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4TpNNp3MJkz9sq8; Mon, 4 Mar 2024 16:47:06 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1709567226; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EyrvosJ6Hlc5nNiq/WWgp0PazQVu2kwdZqBrElGAJZw=; b=TuSXbx9wcxG91V/KMQCWRZQNcv8DtZwXwDFw2bsiafacePIuwg6WKf6wOnnaplB/kFOCHv 90Mk8MFhz5akDRjVmgwTbaf74ZaN0JjoFsNuC2Xfo5HLNHoIaRWOgWbvh5TNclR5kkXMET rRRXF6RAkR9vofcEgfco7LW3pAs4gQwQb+veK4r5Nszgqnr1dqZQq7z6FPA9cVrq2fwhjS UlSiIca9WKpKZLLROZPTii7Kt/wBZjaVm/7CBXJqlHbFb+KabCMrykkvy/gwqcwe60x9LO Ejn8cVCxk5mvrAcaVs1O+sSooG3/4rH+RbkZZ1VsaSNOF2Yz1IuX4XpqjV0fOw==
Content-Type: multipart/alternative; boundary="------------eePjQ9IAd030RBNvYCMTK2Qv"
Message-ID: <96ab0812-0777-4106-b031-234dacd4435c@dennis-jackson.uk>
Date: Mon, 04 Mar 2024 15:47:05 +0000
MIME-Version: 1.0
Content-Language: en-US
To: "Kampanakis, Panos" <kpanos=40amazon.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
References: <b022bf36-d26f-4d0d-8ebe-155382ba9dfd@dennis-jackson.uk> <933f2fdb3f8a4fd48b61c07652e189b5@amazon.com>
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <933f2fdb3f8a4fd48b61c07652e189b5@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/T7m-8pSFGGecVSAxci89oEkhJWo>
Subject: Re: [TLS] draft-ietf-tls-cert-abridge Update
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 15:47:17 -0000
Hi Panos, On 02/03/2024 04:09, Kampanakis, Panos wrote: > Hi Dennis, > > I created a git issue > https://github.com/tlswg/draft-ietf-tls-cert-abridge/issues/23 but I > am pasting it here for the sake of the discussion: > > What does the client do if the server only does Pass 1 and compresses > / omits the chain certs but does not compress the end-entity certs > (Pass 2)? > > The client should be fine with that. It should be able to reconstruct > the chain and used the uncompressed end-entity cert. It should not > fail the handshake. I suggest the Implementation Complexity Section to > say something like > I can see two different ways to handle it. Either as you suggest, we have it be a runtime decision and we just prefix the compressed form with a byte to indicate whether pass 2 has been used. Alternatively, we can define two codepoints, (pass 1 + pass 2, pass 1). I'd like to experiment with both operations and measure what the real world difference is first, then we can make a decision on how to proceed. There's also been more interest in the non-webpki use case than I expected, so that needs to factor in to whichever option we pick. Best, Dennis > /> Servers MAY chose to compress just the cert chain or the > end-certificate depending on their ability to perform Pass 1 or 2 > respectively. Client MUST be able to process a compressed chain or an > end-entity certificate independently./ > > Thanks, > > Panos > > *From:* TLS <tls-bounces@ietf.org> *On Behalf Of * Dennis Jackson > *Sent:* Friday, March 1, 2024 8:03 AM > *To:* TLS List <tls@ietf.org> > *Subject:* [EXTERNAL] [TLS] draft-ietf-tls-cert-abridge Update > > *CAUTION*: This email originated from outside of the organization. Do > not click links or open attachments unless you can confirm the sender > and know the content is safe. > > Hi all, > > I wanted to give a quick update on the draft. > > On the implementation side, we have now landed support for TLS > Certificate Compression in Firefox Nightly which was a prerequisite > for experimenting with this scheme (thank you to Anna Weine). We're > working on a rust crate implementing the current draft and expect to > start experimenting with abridged certs in Firefox (with a server-side > partner) ahead of IETF 120. > > On the editorial side, I've addressed the comments on presentation and > clarification made since IETF 117 which are now in the editors copy - > there's an overall diff here [1] and atomic changes here [2] . There > are two small PRs I've opened addressing minor comments by Ben Schwarz > on fingerprinting considerations [3] and Jared Crawford on the > ordering of certificates [4]. Feedback is welcome via mail or on the > PRs directly. > > Best, > Dennis > > [1] > https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-tls-cert-abridge&url_2=https://tlswg.github.io/draft-ietf-tls-cert-abridge/draft-ietf-tls-cert-abridge.txt > <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-tls-cert-abridge&url_2=https://tlswg.github.io/draft-ietf-tls-cert-abridge/draft-ietf-tls-cert-abridge.txt> > > [2] https://github.com/tlswg/draft-ietf-tls-cert-abridge/commits/main/ > > [3] https://github.com/tlswg/draft-ietf-tls-cert-abridge/pull/21/files > > [4] https://github.com/tlswg/draft-ietf-tls-cert-abridge/pull/19/files >
- [TLS] draft-ietf-tls-cert-abridge Update Dennis Jackson
- Re: [TLS] draft-ietf-tls-cert-abridge Update Kampanakis, Panos
- Re: [TLS] draft-ietf-tls-cert-abridge Update Dennis Jackson
- Re: [TLS] draft-ietf-tls-cert-abridge Update Kampanakis, Panos
- Re: [TLS] draft-ietf-tls-cert-abridge Update Dennis Jackson
- Re: [TLS] draft-ietf-tls-cert-abridge Update Ackermann, Michael
- Re: [TLS] draft-ietf-tls-cert-abridge Update Kampanakis, Panos