IETF Logo Mail Archive

Re: [TLS] Certificate compression (a la QUIC) for TLS 1.3

Bill Frantz <frantz@pwpconsult.com> Wed, 30 November 2016 22:16 UTC

Return-Path: <frantz@pwpconsult.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D70C12959F for <tls@ietfa.amsl.com>; Wed, 30 Nov 2016 14:16:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yu6y28GtZW-a for <tls@ietfa.amsl.com>; Wed, 30 Nov 2016 14:16:21 -0800 (PST)
Received: from elasmtp-masked.atl.sa.earthlink.net (elasmtp-masked.atl.sa.earthlink.net [209.86.89.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D91C812952B for <tls@ietf.org>; Wed, 30 Nov 2016 14:16:21 -0800 (PST)
Received: from [47.143.125.162] (helo=Williams-MacBook-Pro.local) by elasmtp-masked.atl.sa.earthlink.net with esmtpa (Exim 4.67) (envelope-from <frantz@pwpconsult.com>) id 1cCDAl-0002r1-Iv for tls@ietf.org; Wed, 30 Nov 2016 17:16:15 -0500
Date: Wed, 30 Nov 2016 14:16:15 -0800
From: Bill Frantz <frantz@pwpconsult.com>
To: tls@ietf.org
X-Priority: 3
Message-ID: <r470Ps-10121i-F7C8D795C700491EBC9E37E51B163923@Williams-MacBook-Pro.local>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mailsmith 2.4 (470)
X-ELNK-Trace: 3a5e54fa03f1b3e21aa676d7e74259b7b3291a7d08dfec797acca4f4cc53882463862fea539ceefd350badd9bab72f9c350badd9bab72f9c350badd9bab72f9c
X-Originating-IP: 47.143.125.162
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nmCBpc4wqvwvLTTAcZnXHe6TehM>
Subject: Re: [TLS] Certificate compression (a la QUIC) for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Nov 2016 22:16:24 -0000

On 11/29/16 at 5:28 AM, rsalz@akamai.com (Salz, Rich) wrote:

>Sure, here's my compressed cert. Ignore the fact that it's named "42.zip" -- see https://en.wikipedia.org/wiki/Zip_bomb
>
>The risks of uncompressing data sent from a counterparty who has not yet been authenticated, do not outweigh the gains.

There is a long history of successful attacks on systems through 
zip decompressors.

In general, adding complexity to a security system makes it 
harder to understand, easier to compromise and less secure.

If the problem is that certificates are too big, fix that 
problem at the source.

Cheers - Bill

-----------------------------------------------------------------------
Bill Frantz        | Privacy is dead, get over    | Periwinkle
(408)356-8506      | it.                          | 16345 
Englewood Ave
www.pwpconsult.com |              - Scott McNealy | Los Gatos, 
CA 95032

v2.23.0 | Report a Bug | By Email