IETF Logo Mail Archive

Re: [TLS] adopted: draft-ghedini-tls-certificate-compression

Piotr Sikora <piotrsikora@google.com> Thu, 08 June 2017 23:45 UTC

Return-Path: <piotrsikora@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F0B8129B59 for <tls@ietfa.amsl.com>; Thu, 8 Jun 2017 16:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kxGZhSdoSaYO for <tls@ietfa.amsl.com>; Thu, 8 Jun 2017 16:45:52 -0700 (PDT)
Received: from mail-ua0-x232.google.com (mail-ua0-x232.google.com [IPv6:2607:f8b0:400c:c08::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8CDB129B57 for <tls@ietf.org>; Thu, 8 Jun 2017 16:45:52 -0700 (PDT)
Received: by mail-ua0-x232.google.com with SMTP id q15so26685903uaa.2 for <tls@ietf.org>; Thu, 08 Jun 2017 16:45:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=v5HKU0aMKv0R3sphS2ioVEBoWq9qjaqDBcxKorScbwE=; b=f2mWi4t2EA5CZyqCfM2lHlKJQDXOrCsB35Hk4/KZSRsTQnOjD8K1yuu2gBbUMQdK7+ L0d8Cb7Ua6A60foeiQltKX7Iw/AJLSHKkaNAcWqsfSs/47VNlkQMtEsrlzehkXq/WeLc g3qISMo1RLwPIqZMCFdoQQ2D7OkGvMx0xQvjazX1Ss/o6fET88A5nz1vITATEG66nOSb rqeaacdY435eUhrj8g2bAPgkcGrZQvKUd7dIL2VyoJ4f4wVFr7og8WFEvRtr62k2scEt tXBRqx0rH18EwxBq5HLf0167HcnP3t7KOlOintjvmImu434oTYbCWCjcChcv5eTQpyDd NffQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=v5HKU0aMKv0R3sphS2ioVEBoWq9qjaqDBcxKorScbwE=; b=pOLRSCZ2y9QEHgwfwMpY2oZD5osxUQ2ViBjHn9BzxhVcUckNnAyPPbNz9MIPKahLtP JW7eCwjsgUuCAR2y33jVjGXxLmYLHjigXG/jjJHNruHXl4Ii5pEA4bBHt8eLuGJ6JQqP qzFv93946ID/eCcmJ/EGgsecxch2TAJRLaqBcAI/T58W7Lj8SATbCEJnVOTqcno+wuUh xdW6lcROCc4R89gcTcJh2LDmEJ7nxn2XIajQbwQHLaWH9g0bWo51ju6GakrMhr6vlQUG ZUeOUFeN2goa9QgHpR7eALItBHlYh4hCaRZLo17Z25BvZ2iC8sF/E7MB2oy+X2sJC4G3 sW3Q==
X-Gm-Message-State: AODbwcCqw/Sv2OjXI2pLT3rZmlL1kXnJHnS6fxY2WoTb8/65Un8F2a+D IAKSDw1HAu9Xu30Gc+GZ2GxYyvpRtBfv
X-Received: by 10.176.4.67 with SMTP id 61mr19592709uav.47.1496965551751; Thu, 08 Jun 2017 16:45:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.153.131 with HTTP; Thu, 8 Jun 2017 16:45:51 -0700 (PDT)
In-Reply-To: <201706072043.38076.davemgarrett@gmail.com>
References: <B3FAE1B5-E608-489F-B3B9-BC966B673D94@sn3rd.com> <201706070223.19120.davemgarrett@gmail.com> <CAF-CG++JDse77x185Sb996P4ehWi=Ww_64Ks68-ZiYg_No+d0g@mail.gmail.com> <201706072043.38076.davemgarrett@gmail.com>
From: Piotr Sikora <piotrsikora@google.com>
Date: Thu, 08 Jun 2017 16:45:51 -0700
Message-ID: <CAF-CG+KeQ7twv05kkGHdeHKbKRo9GjH4KXGSTbLBnbife1Vfcg@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Cc: tls@ietf.org, "draft-ghedini-tls-certificate-compression@ietf.org" <draft-ghedini-tls-certificate-compression@ietf.org>, Alessandro Ghedini <alessandro@cloudflare.com>, Victor Vasiliev <vasilvv@google.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tt5slgjfHS6QeIHx0Y91-YFDv4Y>
Subject: Re: [TLS] adopted: draft-ghedini-tls-certificate-compression
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2017 23:45:55 -0000

Hi,

> I'm still curious to know if we can potentially create a lightweight cert-specific dictionary here that can boost things a bit. Or, is the QUIC one largely based on certs too?

It's based on certificates, from Chromium's QUIC code:

// kCommonCertSubstrings contains ~1500 bytes of common certificate substrings
// in order to help zlib. This was generated via a fairly dumb algorithm from
// the Alexa Top 5000 set - we could probably do better.

You can see the dictionary here:
https://chromium.googlesource.com/chromium/src/+/19c30774eedcef459c776bde1c06e75bd48bf71e/net/quic/core/crypto/cert_compressor.cc#19

I've opened https://github.com/tlswg/certificate-compression/issues/1
to track this.

> As to your devil's advocate suggestion: ... yeah, if Brotli doesn't give us any useful gains here over zlib, even with a new dict, I'd be ok with not specifying it for use. Your test does show it getting a small win at max compression, so that may not be the case. After fiddling with defining a new dict, test data against a larger set of certs could be useful.

FWIW, Brotli encryption at top compression levels (10 & 11) is quite
expensive, so it probably only makes sense for pre-compressed
certificates and possibly for one-time compression when loading
certificates.

Best regards,
Piotr Sikora

v2.23.0 | Report a Bug | By Email