IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-02.txt

Sean Turner <sean@sn3rd.com> Fri, 02 February 2018 14:25 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52C9212D863 for <tls@ietfa.amsl.com>; Fri, 2 Feb 2018 06:25:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-K5cmDMmHP7 for <tls@ietfa.amsl.com>; Fri, 2 Feb 2018 06:25:17 -0800 (PST)
Received: from mail-qt0-x22f.google.com (mail-qt0-x22f.google.com [IPv6:2607:f8b0:400d:c0d::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 584DA12AF6E for <tls@ietf.org>; Fri, 2 Feb 2018 06:25:17 -0800 (PST)
Received: by mail-qt0-x22f.google.com with SMTP id m11so3544295qtn.10 for <tls@ietf.org>; Fri, 02 Feb 2018 06:25:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YRbbsIU5DTSvZefCmNYSXg2wKj9dvwPjP+BKNFwMhPE=; b=hbEoaU5yPFoKn1ap6o3/wm+DvO/MAgQFkzukYqyIBfhlE9i8CobSs4iSscaf5vuZFx Oy8OigaaQre9dG3zt6nriu3R6IwtyfjtFjJH98GUuWyRuXwzdofU88IWy8AQZQd0ERT/ eDb69KP5GDJzvuyDud64YzIy/SOAdg0ihc0ZM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YRbbsIU5DTSvZefCmNYSXg2wKj9dvwPjP+BKNFwMhPE=; b=uRJ3k93181RlZJYKsqaQleSDgvB/fAU2a63ezjAEzwWOyak5dqnf9EdSXan0DJs+Pt RgM3gjndxOCkQGMZkh5LYbJ/vlVlOilhBJU+28JFX5lm4uV0+BK4wrzhiCLgHQv9YKdp RoOdGnNA9XNEg4uDPtJbbYRxRA4kFaAqygqXXh1+0n1QEaANO0Ffnj34lPwVBaMoM9gP j+W+4A2FL2NiDwjssqsYVSlTwG8eXO0Ur9Cf7NMgLdldIzRIOu3wDSVOvMNl5MLxg9IZ sh32zHkLeHuIzaCOX336bhtoYP2p+MmRoEzDVdUJ3y0mNFAlGOoDtYFOszP9uTgMhdRf Vtpg==
X-Gm-Message-State: APf1xPBHeW7eqaalwaGjbZU/ND25UaiBgLe2C5AUXEQJdCqRgbMj9HFx nkuW/DT3eev9sslOeYtRzR0Hxg==
X-Google-Smtp-Source: AH8x226jGslLEL8+iOoKjVKeRL7CRR3gNeQxiKrh51wIIWYOfqLIXsjoj9u1nWVBoyYtyNS+uvmTSw==
X-Received: by 10.200.57.3 with SMTP id s3mr4285544qtb.328.1517581516482; Fri, 02 Feb 2018 06:25:16 -0800 (PST)
Received: from [172.16.0.18] ([96.231.218.194]) by smtp.gmail.com with ESMTPSA id f2sm1438724qkb.19.2018.02.02.06.25.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Feb 2018 06:25:12 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <20180126102659.GA5204@pinky>
Date: Fri, 02 Feb 2018 09:25:11 -0500
Cc: tls@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B6209C27-BBAD-472E-9732-054588E84766@sn3rd.com>
References: <151696190108.24397.6150515497869897080@ietfa.amsl.com> <20180126102659.GA5204@pinky>
To: Alessandro Ghedini <alessandro@ghedini.me>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ggn7935BZzCbIrj8QLVMbGmVAEM>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-certificate-compression-02.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Feb 2018 14:25:19 -0000


> On Jan 26, 2018, at 05:26, Alessandro Ghedini <alessandro@ghedini.me> wrote:
> 
> Me and Victor would like to ask for early codepoints assignment again, if you
> think we are ready now.

This now on the chair’s list of things to do.  It’s been a week and nobody has complained so I’m thinking the draft is on the right track.   Got one question before we start the RFC7120-dictated early code point assignment dance:

Q. What’s the plan for the dictionary?  Is a field going to be included later to indicate which one is in use, or is the dictionary going to be linked to the extension number and a new one will be minted when the dictionary is updated?



I got some other minor nits (I’ll submit them in GH but thought I’d include them here as well):

0) s4: includes the following:

   If the format of the Certificate message is altered using the
   server_certificate_type extension [RFC7250], the resulting altered
   message is compressed instead.

Shouldn’t it also mention client_certificate_type?

1) Is it worth expanding a bit on the text quoted above to note that it’s more than just altering the message it’s also about changing how the authentication messages are computed?  E.g., CertificateVerify is now Transcript-Hash(Handshake Context, CompressedCertificate).

2) Likewise, is it worth noting that in TLS 1.3 currently using compression on CertificateType.RawPublicKey is not going yield much in the way of compression?  Is it worth saying that future values of CertificateType should indicate whether compression is a good idea or not?

3) s7.3: to match the table:

OLD:

   The values in this registry shall be allocated under "IETF Review"
   policy for values strictly smaller than 64, and under "Specification
   Required" policy otherwise (see [RFC8126] for the definition of
   relevant policies).

NEW:

   The values in this registry shall be allocated under "IETF Review"
   policy for values strictly smaller than 64, under "Specification
   Required" policy for values 64-223, and under “Private Use”
   otherwise (see [RFC8126] for the definition of relevant policies).

4) s7.3: probably worth adding how to get one under the spec required:

   The procedures for requesting values in the Specification Required
   space are specified in [ID.tls-iana-registry-updates].

Our AD/IANA will ask later who is the expert (experts are implied as part of Spec Required), so how about we use the existing expert pool.

Note that the above 4 nits I don’t think really affect whether the early code point assignment starts.

spt

v2.23.0 | Report a Bug | By Email