Re: [TLS] Abridged Certificate Compression

2023-08-01 Thread Ilari Liusvaara
On Tue, Jul 11, 2023 at 09:37:19PM +0100, Dennis Jackson wrote:
> Hi Ilari,
> 
> On 10/07/2023 20:19, Ilari Liusvaara wrote:
> >
> > And an alternative idea:
> > 
> > [...]
> > 
> > 1) Where if next certificate in chain is also not found, zstd uses
> > empty dictionary. Otherwise it uses dictionary associated with the
> > next certificate in chain.
> > 
> > [...]
> > 
> > This allows dictionaries to be specific to CA, avoiding tradeoffs
> > between CAs.
> 
> Interesting idea! Can you share more about the motivation for using many
> small dictionaries rather than a single combined one? Is it purely for
> supporting memory constrained devices? We can already ensure that each CA
> contributes an equal number of bytes to the pass 2 dictionary.
> 
> One drawback is that some of the data isn't unique to a particular issuer
> (e.g. the CT log ids) and so would either have to be handled in its own pass
> or be included as redundant data in each individual dictionary.

Actually, I don't think this idea would work well: clients would still
need at least all the dictionaries for end-entity certificates, for the
case where the server certificate is from an unknown CA and certificate
validation is overridden.

Because to comply with TLS 1.3 requirements (CV validation is required),
the client needs the server signature key, which is embedded in the
server certificate, which in turn needs a dictionary to decompress.

Although I think it is technically possible to just skip CV validation,
allowing the decompression to be skipped, this breaks the TLS 1.3
specification.




-Ilari

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
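A toy model of the per-issuer dictionary scheme discussed in the message above, added here as an example; it is not code from draft-jackson-tls-cert-abridge or from either correspondent. Each certificate in a leaf-first chain is compressed with the dictionary belonging to the next certificate (its issuer) when that issuer is in the known set, and with no dictionary otherwise. zlib preset dictionaries stand in for zstd dictionaries so the script runs on a stock Python install, the "certificates" and dictionary contents are constructed byte strings rather than DER, and the `cert_id` hashing scheme and the `pubkey=` field are assumptions for the example. The second client in the demo holds only the root CA's dictionary and so gets the intermediate and root back but not the leaf, which is the situation Ilari describes: no leaf, no server signature key, no CertificateVerify check.

```python
"""Toy model of per-issuer dictionary compression for a TLS certificate chain.

Added example, not code from draft-jackson-tls-cert-abridge or from anyone in
this thread. zlib preset dictionaries replace zstd dictionaries so the script
runs on a stock Python install; the "certificates" are constructed byte
strings, not DER-encoded X.509.
"""
import hashlib
import zlib


def cert_id(cert: bytes) -> bytes:
    """Identifier a known-certificate list might key on (assumed scheme)."""
    return hashlib.sha256(cert).digest()[:8]


# Constructed placeholder certificates, leaf-first as in a TLS Certificate message.
ROOT_CERT = (b"cert{subject=Example Root CA;issuer=Example Root CA;"
             b"pubkey=ROOTKEY0000;sig=...}")
INTERMEDIATE_CERT = (b"cert{subject=Example Issuing CA 1;issuer=Example Root CA;"
                     b"aia=http://ocsp.example-root.test/;pubkey=INTKEY00000;sig=...}")
LEAF_CERT = (b"cert{subject=www.example.test;issuer=Example Issuing CA 1;"
             b"aia=http://ocsp.example-issuing.test/;"
             b"ctlog=LOG-A-ID-0123456789;ctlog=LOG-B-ID-9876543210;"
             b"pubkey=SERVERKEY12345;sig=...}")

# Per-issuer dictionaries (constructed): bytes typical of what that issuer signs.
# CT log ids are not issuer-specific, so they are duplicated in every dictionary,
# the drawback Dennis Jackson raises in the quoted text.
CT_LOG_IDS = b"ctlog=LOG-A-ID-0123456789;ctlog=LOG-B-ID-9876543210;"
ISSUING_CA_DICT = (b"issuer=Example Issuing CA 1;"
                   b"aia=http://ocsp.example-issuing.test/;" + CT_LOG_IDS)
ROOT_CA_DICT = (b"issuer=Example Root CA;"
                b"aia=http://ocsp.example-root.test/;" + CT_LOG_IDS)

# Dictionaries are keyed by the id of the certificate that owns them.
SERVER_DICTIONARIES = {cert_id(INTERMEDIATE_CERT): ISSUING_CA_DICT,
                       cert_id(ROOT_CERT): ROOT_CA_DICT}


def compress_chain(chain, dictionaries):
    """Server side: returns [(dictionary_id_or_None, compressed_bytes)].

    A certificate uses the dictionary of the *next* certificate in the chain
    (its issuer) if that issuer is known; otherwise an empty dictionary.
    """
    out = []
    for i, cert in enumerate(chain):
        dict_id = None
        if i + 1 < len(chain) and cert_id(chain[i + 1]) in dictionaries:
            dict_id = cert_id(chain[i + 1])
        if dict_id is None:
            out.append((None, zlib.compress(cert)))  # empty dictionary
        else:
            c = zlib.compressobj(zdict=dictionaries[dict_id])
            out.append((dict_id, c.compress(cert) + c.flush()))
    return out


def decompress_chain(entries, dictionaries):
    """Client side: certificates whose dictionary the client lacks come back as None."""
    certs = []
    for dict_id, blob in entries:
        if dict_id is None:
            certs.append(zlib.decompress(blob))
        elif dict_id in dictionaries:
            d = zlib.decompressobj(zdict=dictionaries[dict_id])
            certs.append(d.decompress(blob) + d.flush())
        else:
            certs.append(None)
    return certs


def server_signature_key(certs):
    """The key CertificateVerify is checked against lives in the leaf (certs[0]).

    Returns None when the leaf could not be decompressed: even a client that
    overrides chain validation cannot finish a TLS 1.3 handshake without it.
    """
    leaf = certs[0]
    if leaf is None:
        return None
    for field in leaf[len(b"cert{"):-1].split(b";"):
        if field.startswith(b"pubkey="):
            return field[len(b"pubkey="):]
    return None


def size_with_and_without_dictionary(cert, dictionary):
    """(bytes with preset dictionary, bytes without) for one certificate."""
    c = zlib.compressobj(zdict=dictionary)
    return len(c.compress(cert) + c.flush()), len(zlib.compress(cert))


if __name__ == "__main__":
    chain = [LEAF_CERT, INTERMEDIATE_CERT, ROOT_CERT]
    wire = compress_chain(chain, SERVER_DICTIONARIES)
    # A client holding every dictionary recovers the whole chain.
    assert decompress_chain(wire, SERVER_DICTIONARIES) == chain
    # A client holding only the root CA's dictionary gets the intermediate
    # and root back but not the leaf, so it has no key for CertificateVerify.
    partial = decompress_chain(wire, {cert_id(ROOT_CERT): ROOT_CA_DICT})
    print("leaf recovered:", partial[0] is not None)
    print("server key:", server_signature_key(partial))
    print("leaf bytes with/without dictionary:",
          size_with_and_without_dictionary(LEAF_CERT, ISSUING_CA_DICT))
```

Note that the root, having no next certificate, is always sent with an empty dictionary, and that the leaf is the one certificate a client can never skip: every dictionary an end-entity certificate might be compressed under has to be present on the client, regardless of which CAs that client actually trusts.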


Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Martin Thomson
I support adoption.  There are enough short-term performance gains to justify 
this, even without the possibility that it helps with PQ certs.

On Wed, Aug 2, 2023, at 07:17, Stephen Farrell wrote:
> Hiya,
>
> I saw the presentation and scanned the draft and support
> adoption on the basis that this could be useful before
> any certificates using PQC algorithms are in play so the
> target of an experimental RFC is fine, even more so as I
> could imagine details/codepoints changing over time as
> new better compressions are found.
>
> I could see this also being a valuable input to work that
> aims to evolve PKI in the face of a potential CRQC but I
> think it'd be premature to adopt on that basis alone as
> that overall topic needs broader consideration (best done
> IMO in a year or two and not now). In any case, I guess
> the CCADB doesn't and won't have entries using PQC algs
> for some time, and they might decide to handle things in
> some other way themselves so I'm not sure adopting this
> as a PQ scheme now actually makes sense.
>
> IIUC it's also a bit of a pity that this'd be formally
> limited to the WebPKI, being based on the CCADB. I guess
> handling the pretense that nobody uses letsencrypt for
> smtp/tls is probably better handled as part of another
> discussion elsewhere. (One worth having though.)
>
> Cheers,
> S.
>
>
> On 01/08/2023 20:35, Christopher Wood wrote:
>> Hi all,
>> 
>> Based on positive feedback received during IETF 117, this email begins an 
>> adoption call for "Abridged Compression for WebPKI Certificates" 
>> (draft-jackson-tls-cert-abridge).
>> 
>> The datatracker page for this document can be found here:
>> https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/
>> 
>> And the GitHub repository can be found here:
>> https://github.com/dennisjackson/draft-jackson-tls-cert-abridge
>> 
>> Please indicate whether or not you support adoption of this document in its 
>> current state. Procedure questions raised during the WG meeting last week 
>> can be ironed out in the event of this item being adopted.
>> 
>> This call for adoption will conclude on August 16.
>> 
>> Thanks,
>> Chris, for the chairs



Re: [TLS] Draft minutes for IETF 117

2023-08-01 Thread Rob Sayre
On Tue, Aug 1, 2023 at 8:12 AM Christopher Wood wrote:

> Draft minutes from our meeting last week are now available:
>
>https://datatracker.ietf.org/doc/minutes-117-tls-202307262000/
>
> Please send corrections here or to the chairs directly.
>

It would be nice if the Mozilla telemetry link for ECH could be a little
more specific. I clicked through, and found a vast array of analytics tools
(good!). But I guessed where to look and got a password prompt.

thanks,
Rob


Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Stephen Farrell


Hiya,

I saw the presentation and scanned the draft and support
adoption on the basis that this could be useful before
any certificates using PQC algorithms are in play so the
target of an experimental RFC is fine, even more so as I
could imagine details/codepoints changing over time as
new better compressions are found.

I could see this also being a valuable input to work that
aims to evolve PKI in the face of a potential CRQC but I
think it'd be premature to adopt on that basis alone as
that overall topic needs broader consideration (best done
IMO in a year or two and not now). In any case, I guess
the CCADB doesn't and won't have entries using PQC algs
for some time, and they might decide to handle things in
some other way themselves so I'm not sure adopting this
as a PQ scheme now actually makes sense.

IIUC it's also a bit of a pity that this'd be formally
limited to the WebPKI, being based on the CCADB. I guess
handling the pretense that nobody uses letsencrypt for
smtp/tls is probably better handled as part of another
discussion elsewhere. (One worth having though.)

Cheers,
S.


On 01/08/2023 20:35, Christopher Wood wrote:

Hi all,

Based on positive feedback received during IETF 117, this email begins an adoption call 
for "Abridged Compression for WebPKI Certificates" 
(draft-jackson-tls-cert-abridge).

The datatracker page for this document can be found here:
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/

And the GitHub repository can be found here:
https://github.com/dennisjackson/draft-jackson-tls-cert-abridge

Please indicate whether or not you support adoption of this document in its 
current state. Procedure questions raised during the WG meeting last week can 
be ironed out in the event of this item being adopted.

This call for adoption will conclude on August 16.

Thanks,
Chris, for the chairs


Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Russ Housley
I support adoption and am willing to review.


-Original Message-
From: TLS On Behalf Of Christopher Wood
Sent: Tuesday, August 1, 2023 12:36 PM
To: TLS@ietf.org 
Subject: [EXTERNAL] [TLS] Adoption call for draft-jackson-tls-cert-abridge

Hi all,

Based on positive feedback received during IETF 117, this email begins an 
adoption call for "Abridged Compression for WebPKI Certificates" 
(draft-jackson-tls-cert-abridge).

The datatracker page for this document can be found here:
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/

And the GitHub repository can be found here:
https://github.com/dennisjackson/draft-jackson-tls-cert-abridge

Please indicate whether or not you support adoption of this document in its 
current state. Procedure questions raised during the WG meeting last week can 
be ironed out in the event of this item being adopted.

This call for adoption will conclude on August 16.

Thanks,
Chris, for the chairs



Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Christopher Patton
I support adoption and am willing to review. I can also lend a hand to
prototyping.

Chris P.

On Tue, Aug 1, 2023 at 1:13 PM Salz, Rich wrote:

> > Based on positive feedback received during IETF 117, this email begins
> an adoption call for "Abridged Compression for WebPKI Certificates"
> (draft-jackson-tls-cert-abridge).
>
> > The datatracker page for this document can be found here:
> https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/
>
> I support adoption and am willing to contribute.
>


Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Salz, Rich
> Based on positive feedback received during IETF 117, this email begins an 
> adoption call for "Abridged Compression for WebPKI Certificates" 
> (draft-jackson-tls-cert-abridge).

> The datatracker page for this document can be found here:  
> https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/

I support adoption and am willing to contribute.



Re: [TLS] The TLS WG has placed draft-jackson-tls-cert-abridge in state "Call For Adoption By WG Issued"

2023-08-01 Thread Kampanakis, Panos
I support adoption as well. 
There are some technical objections/ suggestions to address which I have shared 
earlier, but the details can be figured out later.

-Original Message-
From: TLS  On Behalf Of IETF Secretariat
Sent: Tuesday, August 1, 2023 3:38 PM
To: draft-jackson-tls-cert-abri...@ietf.org; tls-cha...@ietf.org; tls@ietf.org
Subject: [EXTERNAL] [TLS] The TLS WG has placed draft-jackson-tls-cert-abridge 
in state "Call For Adoption By WG Issued"


The TLS WG has placed draft-jackson-tls-cert-abridge in state Call For Adoption 
By WG Issued (entered by Christopher Wood)

The document is available at
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/




Re: [TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Bas Westerbaan
I support adoption and am willing to review.

On Tue, 1 Aug 2023 at 21:36, Christopher Wood wrote:

> Hi all,
>
> Based on positive feedback received during IETF 117, this email begins an
> adoption call for "Abridged Compression for WebPKI Certificates"
> (draft-jackson-tls-cert-abridge).
>
> The datatracker page for this document can be found here:
> https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/
>
> And the GitHub repository can be found here:
> https://github.com/dennisjackson/draft-jackson-tls-cert-abridge
>
> Please indicate whether or not you support adoption of this document in
> its current state. Procedure questions raised during the WG meeting last
> week can be ironed out in the event of this item being adopted.
>
> This call for adoption will conclude on August 16.
>
> Thanks,
> Chris, for the chairs


Re: [TLS] [EXTERNAL] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Eric Rescorla
I support adoption and am willing to review.

On Tue, Aug 1, 2023 at 12:38 PM Andrei Popov wrote:

> I support adoption.
>
> Cheers,
>
> Andrei Popov
>
> -Original Message-
> From: TLS  On Behalf Of Christopher Wood
> Sent: Tuesday, August 1, 2023 12:36 PM
> To: TLS@ietf.org
> Subject: [EXTERNAL] [TLS] Adoption call for draft-jackson-tls-cert-abridge
>
> Hi all,
>
> Based on positive feedback received during IETF 117, this email begins an
> adoption call for "Abridged Compression for WebPKI Certificates"
> (draft-jackson-tls-cert-abridge).
>
> The datatracker page for this document can be found here:
> https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/
>
> And the GitHub repository can be found here:
> https://github.com/dennisjackson/draft-jackson-tls-cert-abridge
>
> Please indicate whether or not you support adoption of this document in
> its current state. Procedure questions raised during the WG meeting last
> week can be ironed out in the event of this item being adopted.
>
> This call for adoption will conclude on August 16.
>
> Thanks,
> Chris, for the chairs


[TLS] The TLS WG has placed draft-jackson-tls-cert-abridge in state "Call For Adoption By WG Issued"

2023-08-01 Thread IETF Secretariat


The TLS WG has placed draft-jackson-tls-cert-abridge in state
Call For Adoption By WG Issued (entered by Christopher Wood)

The document is available at
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/




Re: [TLS] [EXTERNAL] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Andrei Popov
I support adoption.

Cheers,

Andrei Popov

-Original Message-
From: TLS  On Behalf Of Christopher Wood
Sent: Tuesday, August 1, 2023 12:36 PM
To: TLS@ietf.org
Subject: [EXTERNAL] [TLS] Adoption call for draft-jackson-tls-cert-abridge

Hi all,

Based on positive feedback received during IETF 117, this email begins an 
adoption call for "Abridged Compression for WebPKI Certificates" 
(draft-jackson-tls-cert-abridge).

The datatracker page for this document can be found here:
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/

And the GitHub repository can be found here:
https://github.com/dennisjackson/draft-jackson-tls-cert-abridge

Please indicate whether or not you support adoption of this document in its 
current state. Procedure questions raised during the WG meeting last week can 
be ironed out in the event of this item being adopted.

This call for adoption will conclude on August 16.

Thanks,
Chris, for the chairs


[TLS] Adoption call for draft-jackson-tls-cert-abridge

2023-08-01 Thread Christopher Wood
Hi all,

Based on positive feedback received during IETF 117, this email begins an 
adoption call for "Abridged Compression for WebPKI Certificates" 
(draft-jackson-tls-cert-abridge).

The datatracker page for this document can be found here: 
https://datatracker.ietf.org/doc/draft-jackson-tls-cert-abridge/

And the GitHub repository can be found here:
https://github.com/dennisjackson/draft-jackson-tls-cert-abridge

Please indicate whether or not you support adoption of this document in its 
current state. Procedure questions raised during the WG meeting last week can 
be ironed out in the event of this item being adopted.

This call for adoption will conclude on August 16.

Thanks, 
Chris, for the chairs


[TLS] Draft minutes for IETF 117

2023-08-01 Thread Christopher Wood
Draft minutes from our meeting last week are now available:

   https://datatracker.ietf.org/doc/minutes-117-tls-202307262000/

Please send corrections here or to the chairs directly.

Best,
Chris, for the chairs
