Re: [TLS] Certificate compression draft

Viktor Dukhovni, Tue, 07 March 2017 02:32 UTC

> On Mar 6, 2017, at 9:13 PM, Ryan Sleevi wrote:
> I can appreciate that sentiment, but you do realize the natural consequence of that - it creates an incentive structure for the larger CAs to get larger, by virtue of the compression benefits afforded to them by such a dictionary making such certificates more desirable. That, in turn, results in more instability and insecurity for the PKI ecosystem and penalizes non-participants of the WebPKI within TLS.

Fewer WebPKI CAs (which are all trusted) seems like an improvement to me.
Though I doubt that compression efficiency would be a major factor in such
an outcome.  If we're ultimately going to use post-quantum certificates with
post-quantum keys and signature algorithms, and those keys and signatures
are noticeably larger than current RSA keys/signatures, then compression of
the rest of the certificate will not matter very much at all.

If scalable quantum computing never happens, then EdDSA certs have sufficiently
small keys and signatures for reasonably effective compression.

One might also note that 10Gbps+ networks tend to use 9Kbyte ethernet frames
these days, perhaps over time these will become the norm rather than the