Thanks David, understood. It sounds that it would be easier to switch away from RSA to avoid the extra complications of batching, but I understand that is not always possible. Given that this is an Experimental draft, I am ok with the WG adopting it, given that it has merit for some vendors’ usecases.
From: David Benjamin <[email protected]> Sent: Thursday, November 21, 2019 7:27 PM To: Panos Kampanakis (pkampana) <[email protected]> Cc: Sean Turner <[email protected]>; TLS List <[email protected]> Subject: Re: [TLS] Adoption call for draft-davidben-tls-batch-signing Deployments whose long-term private key is an ECDSA or EdDSA key stored in memory probably have no particular need for this, no. Such deployments probably see a signature cost comparable to the ECDH cost this document does not amortise. The existing signature algorithms are sufficient and no one's proposing removing them. However, there are many deployments where that is not the case. Hosting providers often get their certificates and keys from customers, who may just upload an RSA key. RSA keys are expensive enough to be the target of DoS attacks. Beyond that, long-term credentials are very sensitive and, yes, there are deployments that RPC to a remote location or even use hardware modules. Due to performance, I doubt the hardware module is common for server keys, but this draft can apply in both directions. We've seen client certificate deployments that do this and hit performance problems when the hardware cannot even keep up with client connection loads. Batch signing is aimed at these kinds of scenarios. You're right that peers need to be updated, but unupgraded peers do not block results. Load decreases as peers adopt this and DoS mitigations often involve selectively serving and dropping requests based on factors such as cost. This decreases the cost of a class of requests, which allows signers under load to serve more of them. For my part in the client space, we are interested in implementing this in BoringSSL and Chrome. On Fri, Nov 22, 2019 at 12:40 AM Panos Kampanakis (pkampana) <[email protected]<mailto:[email protected]>> wrote: I am not in favor of adoption, but I could be convinced otherwise. Sorry as this may have been discussed in IETF-106, but are we that worried about the CPU cost of ECDSA or EdDSA that we are willing to have the server buffer/slow down client connections, generate the Merkle tree and the batch signature? Do we really pull the private key from a hardware module or remote location with every signature instead of keeping it in volatile memory in our application? I find it hard to buy the problem statement based on the usecases I know of, and such a draft would require a lot of client upgrades and participation in order to have fruitful results. I am ready to buy the argument, if there is concrete data on actual usecases. Rgs, Panos -----Original Message----- From: TLS <[email protected]<mailto:[email protected]>> On Behalf Of Sean Turner Sent: Thursday, November 21, 2019 1:57 AM To: TLS List <[email protected]<mailto:[email protected]>> Subject: [TLS] Adoption call for draft-davidben-tls-batch-signing At IETF 106 there was support for adoption of "Batch Signing for TLS" [0] as a WG item. To confirm this on the list: if you believe that the TLS WG should not adopt this as a WG item, then please let the chairs know by posting a message to the TLS list by 2359 UTC 13 December 2019 (and say why). NOTE: : If the consensus is that this draft should be adopted as a WG item, then this will necessarily result in a WG rechartering discussions. We would have gotten to this rechartering discussion anyway now that DTLS 1.3 is progressing out of the WG. Thanks, Chris, Joe, and Sean [0] https://datatracker.ietf.org/doc/draft-davidben-tls-batch-signing/ _______________________________________________ TLS mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
