Re: [TLS] New directions in certificate status
Rob Stradling <rob.stradling@comodo.com> Fri, 10 October 2014 14:32 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 814D31ACE14 for <tls@ietfa.amsl.com>; Fri, 10 Oct 2014 07:32:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.29
X-Spam-Level:
X-Spam-Status: No, score=-1.29 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_NET=0.611, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4AW8iYGXoS_B for <tls@ietfa.amsl.com>; Fri, 10 Oct 2014 07:32:08 -0700 (PDT)
Received: from ian.brad.office.comodo.net (eth5.brad-fw.brad.office.ccanet.co.uk [178.255.87.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A8B41A1A18 for <tls@ietf.org>; Fri, 10 Oct 2014 07:32:07 -0700 (PDT)
Received: (qmail 17112 invoked by uid 1000); 10 Oct 2014 14:32:05 -0000
Received: from and0004.comodo.net (HELO [192.168.0.58]) (192.168.0.58) (smtp-auth username rob, mechanism plain) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES128-SHA encrypted) ESMTPSA; Fri, 10 Oct 2014 15:32:05 +0100
Message-ID: <5437EDE5.6020208@comodo.com>
Date: Fri, 10 Oct 2014 15:32:05 +0100
From: Rob Stradling <rob.stradling@comodo.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, Phillip Hallam-Baker <phill@hallambaker.com>
References: <CAMm+LwgGmKU+R17zAf8V5XLUfsQ-pn81ujAazZN6K_mtBaxciw@mail.gmail.com> <CACsn0cmf5znHgQquSgxNbAhCzW-7BTMjPhMUj0xe0ZT0p0wENw@mail.gmail.com>
In-Reply-To: <CACsn0cmf5znHgQquSgxNbAhCzW-7BTMjPhMUj0xe0ZT0p0wENw@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/fpdCPb6S5953_KTdoh7_LtEVcVo
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New directions in certificate status
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Oct 2014 14:32:11 -0000
On 09/10/14 16:07, Watson Ladd wrote: > On Wed, Oct 8, 2014 at 6:07 PM, Phillip Hallam-Baker > <phill@hallambaker.com> wrote: >> Please note: >> >> http://datatracker.ietf.org/doc/draft-hallambaker-compressedcrlset/ >> Also note the pending IPR disclosure. >> >> In brief Rob Stradling and myself have come up with a radically new >> approach to certificate status that is vastly more efficient than any >> previous proposal that provides finer grain certificate status than >> the certificate validity interval. > > Good idea. Unfortunately the draft is incomprehensible: key details > are missing. If understand this correctly, the idea is to use a > crit-bit tree to encode the certificate serial numbers, by removing > common prefixes. There are a lot of finicky details to specify, but > this should help. > > What would be nice is some hard numbers on how much it helps. Hi Watson. I won't comment on the methods right now, but here are some hard numbers from my experimental code... Using a snapshot of Google's Pilot/Aviator CT logs from mid-June, I counted 2,616,669 unexpired-and-publicly-trusted certs useable for TLS Server Authentication. I grabbed all of the applicable CRLs that were available online and found that 286,875 of these certificates were revoked. Size of the resulting "Compressed CRLSet": ~182K That's ~6 bits per unexpired-and-revoked-and-publicly-trusted TLS Server Certificate. Or, to make it sound more impressive, ~0.6 bits per unexpired-and-publicly-trusted TLS Server certificate. <snip> -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [TLS] New directions in certificate status Phillip Hallam-Baker
- Re: [TLS] New directions in certificate status Watson Ladd
- Re: [TLS] New directions in certificate status Rob Stradling
- Re: [TLS] New directions in certificate status Viktor Dukhovni
- Re: [TLS] New directions in certificate status Phillip Hallam-Baker
- Re: [TLS] New directions in certificate status Phillip Hallam-Baker