IETF Logo Mail Archive

Re: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 03 April 2020 12:19 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE5553A18DA; Fri, 3 Apr 2020 05:19:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=u35qFZSv; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=u35qFZSv
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8R3hXxm9uuZM; Fri, 3 Apr 2020 05:19:39 -0700 (PDT)
Received: from FRA01-PR2-obe.outbound.protection.outlook.com (mail-eopbgr120059.outbound.protection.outlook.com [40.107.12.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 389AD3A18DD; Fri, 3 Apr 2020 05:19:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=16/Cje2iiAK95Tt3hj0SNP0uGvtyfcy8h+1RDjMTwwM=; b=u35qFZSvyXa+8uDdCMLnhmBIrqgH9z/V0RrqAlkQ4kAX7nXq6ohfd7SGw1Oybr4traVRki7SpbS0Au49HV/qLU3RrPG6r7cPXJe3rKBMAdm5XTEYoMwGmAQzE2kJsRAJdwbO25u5/GYiLOio/EfYQf0Eh/8k9l1OGRdP4ZFzjqM=
Received: from AM6P191CA0027.EURP191.PROD.OUTLOOK.COM (2603:10a6:209:8b::40) by PR2PR08MB4700.eurprd08.prod.outlook.com (2603:10a6:101:1b::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.20; Fri, 3 Apr 2020 12:19:33 +0000
Received: from AM5EUR03FT044.eop-EUR03.prod.protection.outlook.com (2603:10a6:209:8b:cafe::28) by AM6P191CA0027.outlook.office365.com (2603:10a6:209:8b::40) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.16 via Frontend Transport; Fri, 3 Apr 2020 12:19:33 +0000
Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT044.mail.protection.outlook.com (10.152.17.56) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.17 via Frontend Transport; Fri, 3 Apr 2020 12:19:33 +0000
Received: ("Tessian outbound af37c2b81632:v50"); Fri, 03 Apr 2020 12:19:33 +0000
X-CR-MTA-TID: 64aa7808
Received: from 2202c02c40ec.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 17786EDC-F065-4318-B203-9633D4847A52.1; Fri, 03 Apr 2020 12:19:28 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 2202c02c40ec.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Fri, 03 Apr 2020 12:19:28 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TUqeZdeFht5f9HU30MLX9WYYhpXV4u09NA0lLwTrqxtHitYs44hrt+1/e7LP+3xOG6F5rH+UJAUsBf23JUwue2LKjOyXZzwaKDfsJaYwHUrw7kAtqp6nA50heORPSpMQviLQ3g1XpuF2KQYka0dEXKSnLWj59OOWfaPLIfCfe7adLgVe7BU9qKPplCyK+aWhFQNhsmNoSaSBk2rFVpapRFV86EoxbuBF3dklthwDbSvpl/0BxlbPBW92WtwJsMQi3FOGqCtWSpCe+1kZGxMAt7yqkMUum9lnSNK3BSWEYBvM/2+7eroNdC4f4FB1CafbX2dOWSwGQSCW+cTmJ2WeBA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=16/Cje2iiAK95Tt3hj0SNP0uGvtyfcy8h+1RDjMTwwM=; b=UX2Pb8kuTo/vf/4kommwS/y2RN5B7+AOSuGzVC1iIOzrxfUQbRM1wcXUw26Lr1uBaWRh/r/4kj5BiIwby99cIhs6gIaD5UY2qYr1Q+jxxxcl3HvjcxxbBvG+hmekUBN4GSOeiUB2tAJx1DWYCKx/DSSebgzpPGcGqpmUoYeWv9CW5aw+O8Houm3PUAFVQAQ6+XKOlUtlGarbtlfHv1+icWiX+OIXz1Q/44Vuv5iGpau10AUvP0nE1QLj2uRHIsO20LY2yphvczJ7pwkA2xUVkzz8HinVo43mDsRmkSD8NDE3kNtiLlc8GhmMbAaeS57gAsXExKx2ujyeGvjBA+Ef4A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=16/Cje2iiAK95Tt3hj0SNP0uGvtyfcy8h+1RDjMTwwM=; b=u35qFZSvyXa+8uDdCMLnhmBIrqgH9z/V0RrqAlkQ4kAX7nXq6ohfd7SGw1Oybr4traVRki7SpbS0Au49HV/qLU3RrPG6r7cPXJe3rKBMAdm5XTEYoMwGmAQzE2kJsRAJdwbO25u5/GYiLOio/EfYQf0Eh/8k9l1OGRdP4ZFzjqM=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (20.178.23.205) by AM0PR08MB3396.eurprd08.prod.outlook.com (20.177.109.138) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2856.19; Fri, 3 Apr 2020 12:18:12 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2159:870b:25df:e612]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::2159:870b:25df:e612%5]) with mapi id 15.20.2878.018; Fri, 3 Apr 2020 12:18:09 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <TLS@ietf.org>, "uta@ietf.org" <uta@ietf.org>
Thread-Topic: CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
Thread-Index: AQHWCYXhsfDqn9t6CkOccV3/F4Ml86hnSa2g
Date: Fri, 03 Apr 2020 12:18:09 +0000
Message-ID: <AM0PR08MB3716814FD94620B616006807FAC70@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <4F3108DB-4D44-481C-807D-D2870ED719DA@ericsson.com>
In-Reply-To: <4F3108DB-4D44-481C-807D-D2870ED719DA@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: 0cfb56a3-d870-4479-86bd-7d29d817b6a4.0
x-checkrecipientchecked: true
Authentication-Results-Original: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.115.214]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 26f899d4-2381-4b44-79bd-08d7d7c944c4
x-ms-traffictypediagnostic: AM0PR08MB3396:|PR2PR08MB4700:
X-Microsoft-Antispam-PRVS: <PR2PR08MB4700C1856DD91A01CA9EFFDBFAC70@PR2PR08MB4700.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:10000;OLM:10000;
x-forefront-prvs: 0362BF9FDB
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(366004)(186003)(81156014)(55016002)(81166006)(86362001)(7696005)(66574012)(9686003)(33656002)(8936002)(71200400001)(76116006)(66946007)(64756008)(8676002)(53546011)(52536014)(2906002)(66446008)(966005)(66556008)(26005)(66476007)(498600001)(5660300002)(6506007)(110136005); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: ZzahnF/wop2LeLpfHZn3Inq3M9f0/VILW+4aipTA7m+NtMYJ4YWajNll91ncHaWgNCbMMldSclvTxkpaS28cumCtO0ep0Ydqbal+TgOVjq4Vy+Fgg+SUPP0IRToRzlk6htdc4UsSiczDB5i7gGvWj/FMLRaXI5tJJuwXUj26O6T6Xy9F4r+oVYjPRVYAxX4P4QoNX5mk9O9eQudI8Etn2XhHZcmm26/UwxHxxaac9otMrkDUd3p0bCznSS4l1P83kA2YKYGjSbnGExS5VN9XTh0K44z7z3HraPd5j0MockVP6IdT5CBgByuuN7zkRVVfFn4iEPF9i2qHZ8wBpD4b5ACz0bppBqLSvRZ+sZgQPySdWzGXX0JedhceUrEc6I2ERRu2GHpRa60X9//NrMAtkeI6xZ1/JdHkd790FNSzxyKR9/UqF37pOsBEGeOE3YEsvCpNJfbw58A4UgJVxvB0nHw+VATds57YwPuxVXjBhgZWjaKCNUtWNDAqG/4kkKJHOV9AjQx7f3UlxyFuzA6Vhg==
x-ms-exchange-antispam-messagedata: wxhe8IVFKFc2gYCpnLhRXn4dVNkenXcqp4USfCw1ugVD8O0PUUoCGRrLAz7WPtZhFfJcyoEifZ9obF0WIpid4Kj5BpKYpf9QhSuvx+utHXtefE+pXbt/mtmkP82s+EYFmPgXD+9EqJNVath9sOdXxw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB3396
Original-Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT044.eop-EUR03.prod.protection.outlook.com
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFTY:; SFS:(10009020)(4636009)(136003)(376002)(346002)(39860400002)(396003)(46966005)(81166006)(86362001)(52536014)(81156014)(70586007)(70206006)(316002)(8936002)(356004)(2906002)(966005)(478600001)(9686003)(82740400003)(36906005)(6506007)(66574012)(33656002)(8676002)(55016002)(186003)(47076004)(336012)(450100002)(110136005)(53546011)(26826003)(7696005)(26005)(5660300002); DIR:OUT; SFP:1101;
X-MS-Office365-Filtering-Correlation-Id-Prvs: c18fc632-41b4-48c5-489e-08d7d7c9128a
X-Forefront-PRVS: 0362BF9FDB
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: VjlVxODHLIQb6fzNe9ablZzn/0CMkfulg5Z8Fj7Q3RgnCy/L/75ATPvvnFFlJFwH22byT6eaCx57Y2tol8bB0jbhQEyaP95SsY/UqKczLlERbj+ReSAi/Mw8OwGLEqcKLEmxOb4TlTR5td6jjBL/JMZZrecFL4Pn9ugoojhihOMCLdFEODosvjnzBwbdXJjjvi0m2A+HYweZTGQ+fOut2b2qXFu93o9blImjRY+eI2WO/4DPdzr62SOr+W26x1NTaB1ab07l6udL0mukqLtFiUuAQXYC8dUkQy6ZTp4hdFho7PqFk+nZv9j+E52slja+Q5XcEko3WayTAYTglX8yvKJVowMFb4zJmiTGoWJlIqjhm1jzsUF990DPbXd+Kx7++4AiMntKXbdJ+SM03coKKZfgRF7D3yPJtLLANZmcf9WtvjCsFr1vh9ewGRRcJDkwqlMwROW3mkE6ql5GOe+n8P6Hq41GwRYlJoXRQn4oDDDZWqf1gZ+wpqZxxGkCkR/UqCWKIa5BqAzDhFTddh80V9jNrmzlm3gfg69R2A4JwmvIuEarvIbiqC4YTI/F20+Ec/u0q/fISz/pGiBL4Fs7Rw==
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Apr 2020 12:19:33.7579 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 26f899d4-2381-4b44-79bd-08d7d7c944c4
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PR2PR08MB4700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/znDQBzx253YktrIMJrCPqkuwjPk>
Subject: Re: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 12:19:44 -0000

Hi John,

Thanks for the heads-up.

Discussing this aspect in draft-tschofenig-uta-tls13-profile-01 makes sense.

I was wondering whether you have been working on an implementation of draft-mattsson-cose-cbor-cert-compress-00 / draft-raza-ace-cbor-certificates-04.

Ciao
Hannes

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Friday, April 3, 2020 9:03 AM
To: TLS@ietf.org; uta@ietf.org
Subject: [TLS] CBOR Certificate Compression of RFC 7925 certificates suitable for cTLS

Hi,

During the COSE virtual interim meeting yesterday, there was agreement that the COSE working group should work on CBOR compression of RFC 7925 profiled X.509 certificates. The work will be based on draft-raza-ace-cbor-certificates and draft-mattsson-cose-cbor-cert-compress and the two drafts will be merged. Doing this work in a security group focused on CBOR makes a lot of sense.

https://tools.ietf.org/html/draft-mattsson-cose-cbor-cert-compress-00
https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-04

The COSE draft charter has already been updated to reflect this.

https://github.com/cose-wg/Charter/blob/master/Charter.md

As the algorithm is focused on compressing RFC 7925 profiled certificates, It seems like a very good match for cTLS. To keep the number of internet-drafts down, I plan to also include the TLS IANA registrations in the merged draft submitted to the COSE WG and let draft-mattsson-tls-cbor-cert-compress-00 expire.

Any comments from the TLS WG are very welcome, but otherwise these is not so much to discuss, this is just another certificate compression algorithm. Any TLS related discussions would likely be regarding the certificate profile in RFC 7925 and if any clarifications or updates are needed. This is likely best discussed in UTA which may take up work on a TLS/DTLS 1.3 update of RFC 7925.

https://tools.ietf.org/html/draft-tschofenig-uta-tls13-profile-01

Cheers,
John

-----Original Message-----
From: John Mattsson <john.mattsson@ericsson.com>
Date: Thursday, 12 March 2020 at 08:58
To: "TLS@ietf.org" <TLS@ietf.org>
Cc: "uta@ietf.org" <uta@ietf.org>
Subject: FW: New Version Notification for draft-mattsson-tls-cbor-cert-compress-00.txt

    Hi,

    We have submitted a new draft to TLS https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00 The draft register a new compression algorithms for use with TLS Certificate Compression in TLS 1.3 and DTLS 1.3 (draft-ietf-tls-certificate-compression).

    The draft uses https://tools.ietf.org/html/draft-raza-ace-cbor-certificates-04 to compress RFC 7925 profiles certificates by encoding them from DER to CBOR. The aim is to be compatible with all RFC 7925 profiled certificates. With the included example DER encoded RFC 7925 certificate to certificate is compressed from 314 to 136 bytes, a compression rate of 57%.

    The general purpose compression algorithms defined in draft-ietf-tls-certificate-compression do not seem able to compress profiled RFC 7925 X.509 certificates much at all. zlib compressed the example cert 9%, but for other certificates we tested, zlib did in many cases not provide any compression at all.

    We have submitted a similar draft to the COSE WG registering a new algorithms for the TLS 1.3 certificate compression extension.

    https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00

    Cheers,
    John

    -----Original Message-----
    From: "internet-drafts@ietf.org" <internet-drafts@ietf.org>
    Date: Monday, 9 March 2020 at 21:19
    To: John Mattsson <john.mattsson@ericsson.com>, John Mattsson <john.mattsson@ericsson.com>, Joel Höglund <joel.hoglund@ri.se>, Joel Hoglund <joel.hoglund@ri.se>, Göran Selander <goran.selander@ericsson.com>, Martin Furuhed <martin.furuhed@nexusgroup.com>, Göran Selander <goran.selander@ericsson.com>, Shahid Raza <shahid.raza@ri.se>
    Subject: New Version Notification for draft-mattsson-tls-cbor-cert-compress-00.txt


        A new version of I-D, draft-mattsson-tls-cbor-cert-compress-00.txt
        has been successfully submitted by John Preuss Mattsson and posted to the
        IETF repository.

        Name:draft-mattsson-tls-cbor-cert-compress
        Revision:00
        Title:CBOR Certificate Algorithm for TLS Certificate Compression
        Document date:2020-03-09
        Group:Individual Submission
        Pages:6
        URL:            https://www.ietf.org/internet-drafts/draft-mattsson-tls-cbor-cert-compress-00.txt
        Status:         https://datatracker.ietf.org/doc/draft-mattsson-tls-cbor-cert-compress/
        Htmlized:       https://tools.ietf.org/html/draft-mattsson-tls-cbor-cert-compress-00
        Htmlized:       https://datatracker.ietf.org/doc/html/draft-mattsson-tls-cbor-cert-compress


        Abstract:
           Certificate chains often take up the majority of the bytes
           transmitted in TLS handshakes.  Large handshakes can cause problems,
           particularly in constrained IoT environments.  RFC 7925 defines a TLS
           certificate profile for constrained IoT.  General purpose compression
           algorithms can in many cases not compress RFC 7925 profiled
           certificates at all.  By using the fact that the certificates are
           profiled, the CBOR certificate compression algorithms can in many
           cases compress RFC 7925 profiled certificates with over 50%. This
           document specifies the CBOR certificate compression algorithm for use
           with TLS Certificate Compression in TLS 1.3 and DTLS 1.3.




        Please note that it may take a couple of minutes from the time of submission
        until the htmlized version and diff are available at tools.ietf.org.

        The IETF Secretariat






_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email