Re: [TLS] adopted: draft-ghedini-tls-certificate-compression
Dave Garrett <davemgarrett@gmail.com> Thu, 08 June 2017 00:43 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2313E1314B5; Wed, 7 Jun 2017 17:43:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RAsDjY9-t1_v; Wed, 7 Jun 2017 17:43:42 -0700 (PDT)
Received: from mail-qt0-x244.google.com (mail-qt0-x244.google.com [IPv6:2607:f8b0:400d:c0d::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C25AD1314AE; Wed, 7 Jun 2017 17:43:40 -0700 (PDT)
Received: by mail-qt0-x244.google.com with SMTP id w1so4937525qtg.0; Wed, 07 Jun 2017 17:43:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=hxZdujIf73KCCJGbTSG5pWu9uQ8Y+m/jULPmaObCyiQ=; b=r7FzKd/ZyJ4wUhqmJMoveXyZ178J8MOb2Y1glQHXPQKM1FL66MB+Af8Bt2uq7jepJo 1TF+0+bTk19vEsa6/PFP4QhUo/5PMSPP5kAI6jBOaZJx7r4QUIu0PqS6TzwwBRcqKnAP xdFDIWuQwrbB/0b3Tk8ruDO2sEWes2wWUg5+VoZ7fQ7vclpMzakg9VQ73QzpPYgmHTTu 0ur3jgwnxfAqK4cy5Qb/uc4NHAocxbWpOPgIje4rupYFftpjRDEAN+vOWH5Syhud1J8q igNmj1IofVOLYGk67atHzUTRz3v7pyNbtMglkd8Xvutl/qcZJM3I3gKyBNyhNniiG8Vl NvEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=hxZdujIf73KCCJGbTSG5pWu9uQ8Y+m/jULPmaObCyiQ=; b=GvYxsA7J9AxCvHUN5LwIdXUr7QojC9H0aPnxTKNublnTgwBRh/CQIORmzQddiHCsaX KbQ5bk0IzY0ehRYJE+1qKj87Z0Lo3Z+EdePSwr+7gwS4VIoFHbZcRmUAnUbL+fSAPsDs 8Vj4PlHCUDAKbyzZqzpOeAEfPvDLlTWCCedwCfmQydhvVY1gMwezEXrcbWhVK+W6STtC Kfe1f3SDtdZNCb2O9eIL4olksACpiqnmNB5nfbiEd/OT5InPMBfYkHbpw+5Z0+Rv1GLD eq0qcYfCx4y4+vOw040S2O1oul+pCb/MEjOc2aZXOh1dPpqS8YaPlaWOIqqzKQaPkpZm zQxg==
X-Gm-Message-State: AODbwcDGgTT3iblVaG1vUGhK3HQia/oNMUWExTR7cUEiWSiM/iMov0Ql luwxdSZ2qXBHkg==
X-Received: by 10.200.8.13 with SMTP id u13mr34898180qth.233.1496882619898; Wed, 07 Jun 2017 17:43:39 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-175-70-41.phlapa.fios.verizon.net. [71.175.70.41]) by smtp.gmail.com with ESMTPSA id h14sm2222169qkh.64.2017.06.07.17.43.38 (version=TLS1 cipher=AES128-SHA bits=128/128); Wed, 07 Jun 2017 17:43:39 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Piotr Sikora <piotrsikora@google.com>
Date: Wed, 07 Jun 2017 20:43:37 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
Cc: tls@ietf.org, "draft-ghedini-tls-certificate-compression@ietf.org" <draft-ghedini-tls-certificate-compression@ietf.org>, Alessandro Ghedini <alessandro@cloudflare.com>, Victor Vasiliev <vasilvv@google.com>
References: <B3FAE1B5-E608-489F-B3B9-BC966B673D94@sn3rd.com> <201706070223.19120.davemgarrett@gmail.com> <CAF-CG++JDse77x185Sb996P4ehWi=Ww_64Ks68-ZiYg_No+d0g@mail.gmail.com>
In-Reply-To: <CAF-CG++JDse77x185Sb996P4ehWi=Ww_64Ks68-ZiYg_No+d0g@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201706072043.38076.davemgarrett@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mc7SHtOonPJuUwK5FXKT2JZGCnU>
Subject: Re: [TLS] adopted: draft-ghedini-tls-certificate-compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2017 00:43:53 -0000
On Wednesday, June 07, 2017 07:03:55 am Piotr Sikora wrote: > > Additionally, there's one bit of the spec which I question the need for: zlib support. Unless someone can show a legitimate case where zlib will consistently and notably outperform brotli, I don't see the point in defining it as an option. This is a bran new extension; we don't need backwards compatibility here. There's been a general consensus in this WG to avoid algorithm agility unless there's a real reason for it, so I propose we ditch zlib support and make brotli the default and only specified at the start (promoting it to id 0). Should some problem arise in the future where we actually need to use a decades old compression algorithm, it can be added later. Furthermore, we should probably define a pre-defined dictionary for brotli to use here which is based on common strings in certificates, rather than its default one for the general web (if such a thing is practical to do here). This could boost efficiency here and make it even more worth preferring (also likely reducing the size of said dictionary, as the default one is 120kB). > > To play devil's advocate, why do suggest we ditch zlib and not Brotli? > > I just did an experiment using certificate chains for facebook.com > (ECDSA) and google.com (RSA). > [...snip...] > > As you can see, at level 1, Brotli is easily outperformed by gzip with > and without dictionary, at level 6, both are basically the same, and > at level 9/Z, Brotli wins by a small margin in terms of file size. > > However, you need to keep in mind that Brotli has significantly higher > cost of compression, both in terms of CPU and memory allocations > (>40MB at higher levels), which might be unacceptable in some > environments. > > Don't get me wrong, I'm a big fan of Brotli, but unless we want to > squeeze every single byte out of the compression and/or use > pre-compressed certificates, then maybe Brotli isn't the best and only > choice here? This is a convincing argument to me. Thanks for the data. Given this information, I agree that supporting both algorithms can be helpful here, depending on server hardware constraints. I'm still curious to know if we can potentially create a lightweight cert-specific dictionary here that can boost things a bit. Or, is the QUIC one largely based on certs too? As to your devil's advocate suggestion: ... yeah, if Brotli doesn't give us any useful gains here over zlib, even with a new dict, I'd be ok with not specifying it for use. Your test does show it getting a small win at max compression, so that may not be the case. After fiddling with defining a new dict, test data against a larger set of certs could be useful. Dave
- [TLS] adopted: draft-ghedini-tls-certificate-comp… Sean Turner
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Hanno Böck
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Raja ashok
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Dave Garrett
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Piotr Sikora
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Salz, Rich
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Ilari Liusvaara
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… David Benjamin
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Martin Rex
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Dave Garrett
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Watson Ladd
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Piotr Sikora
- Re: [TLS] adopted: draft-ghedini-tls-certificate-… Martin Thomson