IETF Logo Mail Archive

Re: [TLS] draft-ietf-tls-cert-abridge Update

Dennis Jackson <ietf@dennis-jackson.uk> Wed, 06 March 2024 12:38 UTC

Return-Path: <ietf@dennis-jackson.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD779C14F609 for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 04:38:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dennis-jackson.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28ZzSrQyZenf for <tls@ietfa.amsl.com>; Wed, 6 Mar 2024 04:38:47 -0800 (PST)
Received: from mout-p-103.mailbox.org (mout-p-103.mailbox.org [80.241.56.161]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AAD6C14F604 for <tls@ietf.org>; Wed, 6 Mar 2024 04:38:46 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4TqX6T3JwQz9smK for <tls@ietf.org>; Wed, 6 Mar 2024 13:38:41 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dennis-jackson.uk; s=MBO0001; t=1709728721; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=COmVduxcBUpexsXpKgUixtPZfJp6NPAx4c9U3wJgzwE=; b=r2xwl6rFDZ9V1hOBy/RSJV6vKYoFHDMhgzebE6ueCPDpA86FFtE7DlP+jqbPNDOQ0hlQ2i xiFMdgD9f35l2lvdI9wV4P4mP0muqcmuV43TJTYIpeZCYYm47LTBtQ/QPmsaw4Hr8C8gdC SAB9HF0DORgFpVmVAdAKcuMRumzYJBv1IXsBNEEdrDkSQ4OXs0LJ+VLntkhLCowc9mZbMP 8ziK8dPsolK3PyYmt1z66bgXSAPYaBkOQkna7w6tGJJP7QJG4QC9XGUmIyFPsiOpN2xJcu r60VveuEumvQMatxcjfV0H1iP04StkKIVis9bXKn7njJb1C6xzyZdPZuUmvP2w==
Content-Type: multipart/alternative; boundary="------------d0ufcMtSGVqGOfjeoT3T0byq"
Message-ID: <a325ebda-9eb8-443c-bd31-0c8f145f3b48@dennis-jackson.uk>
Date: Wed, 06 Mar 2024 12:38:40 +0000
MIME-Version: 1.0
Content-Language: en-US
To: tls@ietf.org
References: <b022bf36-d26f-4d0d-8ebe-155382ba9dfd@dennis-jackson.uk> <933f2fdb3f8a4fd48b61c07652e189b5@amazon.com> <96ab0812-0777-4106-b031-234dacd4435c@dennis-jackson.uk> <ca149a141fe341f69aa354efbf4394bb@amazon.com>
From: Dennis Jackson <ietf@dennis-jackson.uk>
In-Reply-To: <ca149a141fe341f69aa354efbf4394bb@amazon.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fHHxnfgg7MJep1SveR-qa-idMrc>
Subject: Re: [TLS] draft-ietf-tls-cert-abridge Update
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 12:38:52 -0000

Hi Panos,

On 05/03/2024 04:14, Kampanakis, Panos wrote:
>
> Hi Dennis,
>
> > I can see two different ways to handle it. Either as you suggest, we 
> have it be a runtime decision and we just prefix the compressed form 
> with a byte to indicate whether pass 2 has been used. Alternatively, 
> we can define two codepoints, (pass 1 + pass 2, pass 1).
>
> > I'd like to experiment with both operations and measure what the 
> real world difference is first, then we can make a decision on how to 
> proceed. There's also been more interest in the non-webpki use case 
> than I expected, so that needs to factor in to whichever option we pick.
>
> Maybe these will not matter for the scenario I am considering. Let’s 
> say the client advertised support for draft-ietf-tls-cert-abridge. And 
> the server sent back
> - CompressedCertificate which includes the 2 identifiers for the ICA 
> and RootCA from Pass 1.
>
> - uncompressed, traditional CertificateEnty of the end-entity certificate
>
> Or it sent back
>
> - uncompressed, traditional CertificateEnties for the  ICA and RootCA 
> certs
>
> - CompressedCertificate which includes the ZStandard compressed (based 
> on the Pass2 dictionary) end-entity cert
>
> My point is that nothing should prevent the client from being able to 
> handle these two scenarios and normative language should point that 
> out. Any software that can parse certs in compressed form, ought to be 
> able to parse them in regular form if the server did not support Pass1 
> (CA cers were not available for some reason) or Pass2 (eg. if CT Logs 
> were not available for some reason).
>
> Am I overseeing something?
>
Yes I think so. TLS1.3 Certificate Compression applies to the entire 
Certificate Message, not individual CertificateEntries in that message. 
Those individual entries don't currently carry identifiers about what 
type they are, their type is negotiated earlier in the 
EncryptedExtensions extension.

So to handle this as you propose, we'd need to define a type field for 
each entry to specify whether that particular entry had undergone a 
particular pass (or both). In my message, I was suggesting either have 
it be a single label for the entire message or putting the label into 
the TLS1.3 Cert Compression codepoint.

Best,
Dennis

> *From:* Dennis Jackson <ietf=40dennis-jackson.uk@dmarc.ietf.org>
> *Sent:* Monday, March 4, 2024 10:47 AM
> *To:* Kampanakis, Panos <kpanos@amazon.com>; TLS List <tls@ietf.org>
> *Subject:* RE: [EXTERNAL] [TLS] draft-ietf-tls-cert-abridge Update
>
> *CAUTION*: This email originated from outside of the organization. Do 
> not click links or open attachments unless you can confirm the sender 
> and know the content is safe.
>
> Hi Panos,
>
> On 02/03/2024 04:09, Kampanakis, Panos wrote:
>
>     Hi Dennis,
>
>     I created a git issue
>     https://github.com/tlswg/draft-ietf-tls-cert-abridge/issues/23 but
>     I am pasting it here for the sake of the discussion:
>
>     What does the client do if the server only does Pass 1 and
>     compresses / omits the chain certs but does not compress the
>     end-entity certs (Pass 2)?
>
>     The client should be fine with that. It should be able to
>     reconstruct the chain and used the uncompressed end-entity cert.
>     It should not fail the handshake. I suggest the Implementation
>     Complexity Section to say something like
>
> I can see two different ways to handle it. Either as you suggest, we 
> have it be a runtime decision and we just prefix the compressed form 
> with a byte to indicate whether pass 2 has been used. Alternatively, 
> we can define two codepoints, (pass 1 + pass 2, pass 1).
>
> I'd like to experiment with both operations and measure what the real 
> world difference is first, then we can make a decision on how to 
> proceed. There's also been more interest in the non-webpki use case 
> than I expected, so that needs to factor in to whichever option we pick.
>
> Best,
> Dennis
>
>     /> Servers MAY chose to compress just the cert chain or the
>     end-certificate depending on their ability to perform Pass 1 or 2
>     respectively. Client MUST be able to process a compressed chain or
>     an end-entity certificate independently./
>
>     Thanks,
>
>     Panos
>
>     *From:* TLS <tls-bounces@ietf.org> <mailto:tls-bounces@ietf.org>
>     *On Behalf Of *Dennis Jackson
>     *Sent:* Friday, March 1, 2024 8:03 AM
>     *To:* TLS List <tls@ietf.org> <mailto:tls@ietf.org>
>     *Subject:* [EXTERNAL] [TLS] draft-ietf-tls-cert-abridge Update
>
>     *CAUTION*: This email originated from outside of the organization.
>     Do not click links or open attachments unless you can confirm the
>     sender and know the content is safe.
>
>     Hi all,
>
>     I wanted to give a quick update on the draft.
>
>     On the implementation side, we have now landed support for TLS
>     Certificate Compression in Firefox Nightly which was a
>     prerequisite for experimenting with this scheme (thank you to Anna
>     Weine). We're working on a rust crate implementing the current
>     draft and expect to start experimenting with abridged certs in
>     Firefox (with a server-side partner) ahead of IETF 120.
>
>     On the editorial side, I've addressed the comments on presentation
>     and clarification made since IETF 117 which are now in the editors
>     copy - there's an overall diff here [1] and atomic changes here
>     [2] . There are two small PRs I've opened addressing minor
>     comments by Ben Schwarz on fingerprinting considerations [3] and
>     Jared Crawford on the ordering of certificates [4]. Feedback is
>     welcome via mail or on the PRs directly.
>
>     Best,
>     Dennis
>
>     [1]
>     https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-tls-cert-abridge&url_2=https://tlswg.github.io/draft-ietf-tls-cert-abridge/draft-ietf-tls-cert-abridge.txt
>     <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-tls-cert-abridge&url_2=https://tlswg.github.io/draft-ietf-tls-cert-abridge/draft-ietf-tls-cert-abridge.txt>
>
>     [2] https://github.com/tlswg/draft-ietf-tls-cert-abridge/commits/main/
>
>     [3] https://github.com/tlswg/draft-ietf-tls-cert-abridge/pull/21/files
>
>     [4] https://github.com/tlswg/draft-ietf-tls-cert-abridge/pull/19/files
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email