On 12/07/2023 19:23, Kampanakis, Panos wrote:

One more argument for making pass 2 optional or allowing for just pass 1 
dictionaries is that if we are not talking about WebPKI we don't have the 
luxury of CT logs. But we would still want the option of compressing / omitting 
the ICAs by using CCADB.

Using the CT logs to extract the end-entity extensions is a bit of a stop-gap measure. I think in the long run we'd like to add a field to the CCADB where CAs could provide their own compression data (up to some budget).

Whilst I think pass 2 has a marked improvement for classical cert chains - in some cases fitting the entirety of the server's response in one packet - I agree we should measure carefully before deciding whether it be mandatory for PQ certs.

Best,
Dennis
-----Original Message-----
From: Dennis Jackson <ietf=40dennis-jackson...@dmarc.ietf.org>
Sent: Wednesday, July 12, 2023 12:39 PM
To: Kampanakis, Panos <kpa...@amazon.com>; TLS List <tls@ietf.org>
Subject: RE: [EXTERNAL][TLS] Abridged Certificate Compression

On 12/07/2023 04:34, Kampanakis, Panos wrote:

Thanks Dennis. Your answers make sense.

Digging a little deeper on the benefit of compressing (a la Abridged
Certs draft) the leaf cert or not. Definitely this draft improves vs
plain certificate compression, but I am trying to see if it is worth
the complexity of pass 2. So, section 4 shows a 2.5KB improvement over
plain compression which would be even more significant for Dilithium
certs, but I am trying to find if the diff between ICA
suppression/Compression vs ICA suppression/Compression+leaf
compression is significant.

I am arguing that the table 4 numbers would be much different when
talking about Dilithium certs because all of these numbers would be
inflated and any compression would have a small impact. Replacing a CA
cert (no SCTs) with a dictionary index would save us ~4KB (Dilithium2)
or 5.5KB (Dilithium3). That is significant.

Compressing the leaf (of size 8-9KB (Dilithium2) or 11-12 KB (Dilithium 3)) 
using any mechanism would trim down ~0.5-1KB compared to not compressing. That 
is because the PK and Sig can't be compressed and these account for most of the 
PQ leaf cert size. So, I am trying to see if pass 2 and compression of the leaf 
cert benefit us much.

I think there's a fairly big difference between suppressing CA certs in SCA and 
compressing CA certs with pass 1 of this draft. But I do agree it's fair to ask 
if pass 2 is worth the extra effort.

The performance benefit isn't purely in the ~1KB saved, it's whether it brings the 
chain under the QUIC amplification limit or shaves off an additional packet and so 
avoids a loss+retry. There's essentially no difference in implementation 
complexity, literally just a line of code, so the main tradeoff is the required 
disk space on the client & server.

Best,
Dennis
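The packet-boundary argument above (a ~1KB leaf saving matters when it crosses a datagram boundary or the QUIC amplification budget), as an added example that is not part of this thread. The certificate sizes, the 3-byte dictionary index and the handshake_overhead figure are constructed assumptions in the range the thread quotes; the 1200-byte Initial and 3x amplification limit are RFC 9000 values.

```python
from dataclasses import dataclass, field

QUIC_MIN_INITIAL = 1200   # RFC 9000: client Initial datagrams are padded to >= 1200 bytes
AMPLIFICATION = 3         # RFC 9000 s8.1: server may send 3x bytes received before validation
DICT_INDEX_BYTES = 3      # assumption: size of the identifier that replaces a known ICA


@dataclass
class Chain:
    leaf: int                                  # end-entity certificate size in bytes
    icas: list = field(default_factory=list)   # intermediate CA certificate sizes


def compressed_size(chain, pass1=True, pass2_savings=0):
    """Chain bytes after optional pass 1 (each ICA -> dictionary index) and
    pass 2 (leaf shrinks by pass2_savings bytes, an assumed figure)."""
    ica_bytes = sum(DICT_INDEX_BYTES if pass1 else n for n in chain.icas)
    return chain.leaf - pass2_savings + ica_bytes


def datagrams(nbytes, mtu=QUIC_MIN_INITIAL):
    """Datagrams needed to carry nbytes at a 1200-byte payload (ceil division)."""
    return -(-nbytes // mtu)


def within_amplification_budget(nbytes, client_bytes=QUIC_MIN_INITIAL):
    """True if the server may send nbytes before the client's address is validated."""
    return nbytes <= AMPLIFICATION * client_bytes


def pass2_changes_outcome(chain, pass2_savings, handshake_overhead=0):
    """Compare pass 1 alone against pass 1 + pass 2 on the two thresholds that
    matter: datagram count and the amplification budget. handshake_overhead
    stands in for the rest of the server's first flight (assumed value)."""
    no2 = compressed_size(chain) + handshake_overhead
    with2 = compressed_size(chain, pass2_savings=pass2_savings) + handshake_overhead
    return {
        "bytes_saved": no2 - with2,
        "datagrams": (datagrams(no2), datagrams(with2)),
        "under_budget": (within_amplification_budget(no2),
                         within_amplification_budget(with2)),
    }


if __name__ == "__main__":
    classical = Chain(leaf=1500, icas=[1100])    # constructed classical-chain sizes
    dilithium2 = Chain(leaf=8300, icas=[4000])   # constructed, in the range the thread quotes
    # Classical: the leaf saving drops a datagram and lands under the 3600-byte budget.
    print(pass2_changes_outcome(classical, pass2_savings=600, handshake_overhead=2300))
    # PQ: the same kind of saving crosses no boundary, so the flight count is unchanged.
    print(pass2_changes_outcome(dilithium2, pass2_savings=500, handshake_overhead=2400))
```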


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
