Re: [TLS] New directions in certificate status
Watson Ladd <watsonbladd@gmail.com> Thu, 09 October 2014 15:07 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 895F11A1B13 for <tls@ietfa.amsl.com>; Thu, 9 Oct 2014 08:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, LOTS_OF_MONEY=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2jTV-_GbylbB for <tls@ietfa.amsl.com>; Thu, 9 Oct 2014 08:07:06 -0700 (PDT)
Received: from mail-yh0-x230.google.com (mail-yh0-x230.google.com [IPv6:2607:f8b0:4002:c01::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E02D1A1AFE for <tls@ietf.org>; Thu, 9 Oct 2014 08:07:03 -0700 (PDT)
Received: by mail-yh0-f48.google.com with SMTP id v1so794971yhn.21 for <tls@ietf.org>; Thu, 09 Oct 2014 08:07:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kGkjMSBa3hXz+oyE3SyUQscB7ARzLbFIP4SGbxKyz6g=; b=nblXpNSvNatJD1Bic8jfPJQ/GwiPhPe8yVfSzwW6qFqmu+of5vmB08LoXM/G1qpmD5 eo6TlbmUJvd75p2SzkAx1wAEeTR1/UvnkgyG0NKphxzsnZ79HAqcWnw7ERgW1037gcxu VV7PwcA8Brng9LQqiRZspUmz5cMk9zISpQT2gsIAIy4Muc7x3w+taPpE6jRsI3X1uWMi yUH0QOJTESnWBVMyrjZCmP2Gbjm1/XvsRUS1suPSgxJvmASLa5iD37HPCud+HG/Tw7g+ QIzoSrQY/tfY+CVvanzhLdX0MWmwUlNu+L6t5mlTaVqnQoB/QxjbXgAxoId5bxtH8wpp JOLQ==
MIME-Version: 1.0
X-Received: by 10.236.51.201 with SMTP id b49mr26483027yhc.33.1412867222245; Thu, 09 Oct 2014 08:07:02 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Thu, 9 Oct 2014 08:07:02 -0700 (PDT)
In-Reply-To: <CAMm+LwgGmKU+R17zAf8V5XLUfsQ-pn81ujAazZN6K_mtBaxciw@mail.gmail.com>
References: <CAMm+LwgGmKU+R17zAf8V5XLUfsQ-pn81ujAazZN6K_mtBaxciw@mail.gmail.com>
Date: Thu, 09 Oct 2014 08:07:02 -0700
Message-ID: <CACsn0cmf5znHgQquSgxNbAhCzW-7BTMjPhMUj0xe0ZT0p0wENw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/nw3ZryEcXqFMAFiYHw055vADSaI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New directions in certificate status
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Oct 2014 15:07:08 -0000
On Wed, Oct 8, 2014 at 6:07 PM, Phillip Hallam-Baker <phill@hallambaker.com> wrote: > Please note: > > http://datatracker.ietf.org/doc/draft-hallambaker-compressedcrlset/ > Also note the pending IPR disclosure. > > In brief Rob Stradling and myself have come up with a radically new > approach to certificate status that is vastly more efficient than any > previous proposal that provides finer grain certificate status than > the certificate validity interval. Good idea. Unfortunately the draft is incomprehensible: key details are missing. If understand this correctly, the idea is to use a crit-bit tree to encode the certificate serial numbers, by removing common prefixes. There are a lot of finicky details to specify, but this should help. What would be nice is some hard numbers on how much it helps. > > While compressing hash tables might appear to be a fools errand, it > turns out that if the problem is correctly understood, CRLs actually > compress astonishingly well. It is actually possible to represent the > status of every one of the half million revoked certificates in the > WebPKI using fewer bytes than the heavily edited Google CRLSet. > > There is still a powerful case for short lived certificates. But the > minimum feasible expiry interval for short lived certs is 48 hours. > Using a compressed CRL in combination with short lived certs would > allow the vulnerability window to be reduced to minutes. > > > We are of course aware that deployment will require a licensing regime > that meets the need of all parties including competing CAs, open > source software providers, etc. However lacking an existing licensing > regime for the rights holder (if indeed any are granted), I thought it > best to bring this to people's attention first. Are you saying FRAND or something else? > > The nature of the invention is such that not applying for a patent > would open the possibility that someone else might make a claim as has > happened to me on numerous other occasions. In the past five years > over $50 million has been spent on defending against such patent > claims. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] New directions in certificate status Phillip Hallam-Baker
- Re: [TLS] New directions in certificate status Watson Ladd
- Re: [TLS] New directions in certificate status Rob Stradling
- Re: [TLS] New directions in certificate status Viktor Dukhovni
- Re: [TLS] New directions in certificate status Phillip Hallam-Baker
- Re: [TLS] New directions in certificate status Phillip Hallam-Baker