On Tue, Mar 26, 2019 at 5:07 PM Sniffen, Brian <bsnif...@akamai.com> wrote:
> >> WG - I’d like to echo Alessandro request for reviews. If this
> outstanding WG item is not resolved before IETF103 we will discuss the
> outstanding issue there, and barring any other major issues we are planning
> to WGLC the draft after IETF103.
> >>
> >> One question: There was some discussion earlier about dictionaries.
> Are dictionaries being used in the current deployments?
> >
> > No, neither Chrome nor Cloudflare are using dictionaries. Something I
> forgot
> > to mention in my previous email is that the numbers are for plain brotli
> > compression, so without dictionary.
>
> Just to check: is this still true for the excellent numbers we saw today?
> Surely it’s only the text-like parts of the certificate that are
> compressed. As EKR mentioned, presumably a bunch of the savings is from
> compressing the Subject of one cert against the Issuer of another. Perhaps
> there’s some ASN.1 framing too?
>
> If the Brotli dictionary were there, I’d expect to see compression of
> “Massachusetts” and “Czechia.” But versioning of that dictionary seems
> dangerous for the same reasons we talked about the hash table lookups being
> dangerous. Is there a space for a requirement that the decompression
> function contain no information flow from the algorithm, so that all bits
> in the output were present somewhere in the compressed input?
>
Brotli has a dictionary built into the algorithm. I believe that is indeed
being used, as it's a part of Brotli. I think the earlier email was saying
no external certificate-specific dictionary used.
I don't think "no information flow from the algorithm" is particularly
well-defined. The output of course takes information flow from the
algorithm as the algorithm is being run. One could replace Brotli's
dictionary from an array lookups to a series of ifs, etc., without changing
the function.
The transcript encoding must be injective, but we inherently have that
requirement: the receiver needs to decompress it! The transcript includes
all inputs to the receiver, notably the compression algorithm code point.
Were Brotli's static dictionary changed, it would no longer be Brotli. It
would perhaps be Brotli2 and would want a separate codepoint. To that end,
I think the discussion on hash table lookups similarly forgot this
decompressibility requirement. Let's define my_fancy_algorithm to be:
func compress(input) {
if input == some_particular_cert {
return "0x00"
}
return "0x01" + input
}
This is silly, but still fine because the codepoint for my_fancy_algorithm
is in the transcript. It would even be fine if my_fancy_algorithm relied on
a separately-negotiated dictionary extension. The sender inherently must
unambiguously communicate the dictionary name. That ends up in the
transcript. (This is the same logic behind other uses of the handshake
transcript. Blindly stuffing the handshake bytes into the transcript lets
us align functional and security requirements.)
David
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
