Re: [TLS] How to reduce number of verifications
Ben Laurie <benl@google.com> Tue, 03 March 2015 14:07 UTC
Return-Path: <benl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 247121A7D83 for <tls@ietfa.amsl.com>; Tue, 3 Mar 2015 06:07:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHHQh2uqsTIH for <tls@ietfa.amsl.com>; Tue, 3 Mar 2015 06:07:52 -0800 (PST)
Received: from mail-qg0-x231.google.com (mail-qg0-x231.google.com [IPv6:2607:f8b0:400d:c04::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F23C11A1A4C for <tls@ietf.org>; Tue, 3 Mar 2015 06:07:51 -0800 (PST)
Received: by mail-qg0-f49.google.com with SMTP id a108so22911114qge.8 for <tls@ietf.org>; Tue, 03 Mar 2015 06:07:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AnBVn28P33pCh9dHt3aqB44+tUl2HlLp1Ql6S/2Q+OQ=; b=QkY6iA0sBzUk+qJItGZnFqZBjFHKsAE/8yVzDJyFIcAG/k3D47F2jLzuI6qNRutHAi 8ihlI3pHZfLzXDQS6klP0G1PcitgDMQqSfCIEg9gHlaYQpKldq37I7DNA8fEDCRzw9uD HddSZwmVPOpEuL1C/KVSMyzH5HkLf49B9O8NSPAfNbt9R8kXaUK3weaij/4JIQrHtpsL klMwVgns+fvcAfjntbMb4S4LNsnTom/ltihd1idQKqdGjLILwVd3yl8ZvXabmdyMVZSp F+4TTcNAURUVC+PYe8QEnHUX2C9prnJQlhHAiTiR9A3X1pfpji2xXl7dg26Wf6wx+EA5 R/7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=AnBVn28P33pCh9dHt3aqB44+tUl2HlLp1Ql6S/2Q+OQ=; b=BaysbsoqvlQiYPM2U2FvyeSKWNXk7S4ekseZCrTPHeNn46uDtpdguJEvbGe3oJQZyM lhknojOFgXJk/dvY+lxHjkQbsqlm9+oiv/LsJiEkUzOhyvtFlI54q0JwIZ/IwLE+ZtLH +PKgJZp3WCaTdgahM0m7iF/7ElXXOCf/UjH67j5M3WA4xdBmIWI0w1tj2epmxwDag/7L jnLlY12MkRg6VLBgL5HWH755zugtGW9QE0bCr3wn74bHwgTNifTmnQzAGpYFymWHV5j3 ydGxrMcvz6WE4Gszd2pacaK9jGlHpkUDG4z/sQdBzN6pvZwV27Kwx/oMS3xFICzTHmJ1 UgUw==
X-Gm-Message-State: ALoCoQklFj3T+ro1yWgrnzYhF5v41W4NsMZh5yXYfZMUthY/4GpZobOMlqV8IiC2Xw/pq3MdwlL3
MIME-Version: 1.0
X-Received: by 10.140.38.100 with SMTP id s91mr54828475qgs.37.1425391671075; Tue, 03 Mar 2015 06:07:51 -0800 (PST)
Received: by 10.229.184.66 with HTTP; Tue, 3 Mar 2015 06:07:51 -0800 (PST)
In-Reply-To: <CACsn0ckUSeN2r=bZpXc-CQYBW1NpoRe9bEAtOJCkJQy6K8+UsQ@mail.gmail.com>
References: <CACsn0ckUSeN2r=bZpXc-CQYBW1NpoRe9bEAtOJCkJQy6K8+UsQ@mail.gmail.com>
Date: Tue, 03 Mar 2015 14:07:51 +0000
Message-ID: <CABrd9SR2sXoYLr7Eg7m0wZxShrz4Wixv461D37GAOF_x+oF2bw@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c13334388f15051062dcf3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YERa5u1IpBFTBt1BxQFuZZQYdlI>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] How to reduce number of verifications
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2015 14:07:53 -0000
On 3 March 2015 at 06:03, Watson Ladd <watsonbladd@gmail.com> wrote: > Dear all, > > Right now it looks like browsers will need to conduct a lot of > signature verifications. First, they will need to verify the > certificate chain. Second, they will need to validate OCSP. Thirdly, > they will need to validate CT records, when Certificate Transparency > is deployed. > FYI, CT is already deployed for EV certificates. > Most of these signatures are not online. All of them can safely be > done with currently deployed RSA 2048, or a 255 bit elliptic curve. > None of them require more security, as future cryptanalysis cannot > affect today's authentication. > Insofar as CT is also a record of history, it is possible that one might want to re-sign existing trees at some point (or, rather, re-publish them with different algorithms).
- [TLS] How to reduce number of verifications Watson Ladd
- Re: [TLS] How to reduce number of verifications Ben Laurie