Deployments whose long-term private key is an ECDSA or EdDSA key stored in memory probably have no particular need for this, no. Such deployments probably see a signature cost comparable to the ECDH cost this document does not amortise. The existing signature algorithms are sufficient and no one's proposing removing them.
However, there are many deployments where that is not the case. Hosting providers often get their certificates and keys from customers, who may just upload an RSA key. RSA keys are expensive enough to be the target of DoS attacks. Beyond that, long-term credentials are very sensitive and, yes, there are deployments that RPC to a remote location or even use hardware modules. Due to performance, I doubt the hardware module is common for server keys, but this draft can apply in both directions. We've seen client certificate deployments that do this and hit performance problems when the hardware cannot even keep up with *client* connection loads. Batch signing is aimed at these kinds of scenarios. You're right that peers need to be updated, but unupgraded peers do not block results. Load decreases as peers adopt this and DoS mitigations often involve selectively serving and dropping requests based on factors such as cost. This decreases the cost of a class of requests, which allows signers under load to serve more of them. For my part in the client space, we are interested in implementing this in BoringSSL and Chrome. On Fri, Nov 22, 2019 at 12:40 AM Panos Kampanakis (pkampana) < [email protected]> wrote: > I am not in favor of adoption, but I could be convinced otherwise. > > Sorry as this may have been discussed in IETF-106, but are we that worried > about the CPU cost of ECDSA or EdDSA that we are willing to have the server > buffer/slow down client connections, generate the Merkle tree and the batch > signature? Do we really pull the private key from a hardware module or > remote location with every signature instead of keeping it in volatile > memory in our application? > > I find it hard to buy the problem statement based on the usecases I know > of, and such a draft would require a lot of client upgrades and > participation in order to have fruitful results. I am ready to buy the > argument, if there is concrete data on actual usecases. > > Rgs, > Panos > > > > -----Original Message----- > From: TLS <[email protected]> On Behalf Of Sean Turner > Sent: Thursday, November 21, 2019 1:57 AM > To: TLS List <[email protected]> > Subject: [TLS] Adoption call for draft-davidben-tls-batch-signing > > At IETF 106 there was support for adoption of "Batch Signing for TLS" [0] > as a WG item. To confirm this on the list: if you believe that the TLS WG > should not adopt this as a WG item, then please let the chairs know by > posting a message to the TLS list by 2359 UTC 13 December 2019 (and say > why). > > NOTE: > : If the consensus is that this draft should be adopted as a WG item, then > this will necessarily result in a WG rechartering discussions. We would > have gotten to this rechartering discussion anyway now that DTLS 1.3 is > progressing out of the WG. > > Thanks, > Chris, Joe, and Sean > > [0] https://datatracker.ietf.org/doc/draft-davidben-tls-batch-signing/ > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls > > _______________________________________________ > TLS mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
