| < draft-ietf-tls-certificate-compression-07.txt | draft-ietf-tls-certificate-compression-10.txt > | |||
|---|---|---|---|---|
| TLS A. Ghedini | TLS A. Ghedini | |||
| Internet-Draft Cloudflare, Inc. | Internet-Draft Cloudflare, Inc. | |||
| Intended status: Standards Track V. Vasiliev | Intended status: Standards Track V. Vasiliev | |||
| Expires: May 24, 2020 Google | Expires: July 9, 2020 Google | |||
| November 21, 2019 | January 06, 2020 | |||
| TLS Certificate Compression | TLS Certificate Compression | |||
| draft-ietf-tls-certificate-compression-07 | draft-ietf-tls-certificate-compression-10 | |||
| Abstract | Abstract | |||
| In TLS handshakes, certificate chains often take up the majority of | In TLS handshakes, certificate chains often take up the majority of | |||
| the bytes transmitted. | the bytes transmitted. | |||
| This document describes how certificate chains can be compressed to | This document describes how certificate chains can be compressed to | |||
| reduce the amount of data transmitted and avoid some round trips. | reduce the amount of data transmitted and avoid some round trips. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 24, 2020. | This Internet-Draft will expire on July 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 17 ¶ | skipping to change at page 2, line 17 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 2 | 2. Notational Conventions . . . . . . . . . . . . . . . . . . . 2 | |||
| 3. Negotiating Certificate Compression . . . . . . . . . . . . . 2 | 3. Negotiating Certificate Compression . . . . . . . . . . . . . 2 | |||
| 4. Compressed Certificate Message . . . . . . . . . . . . . . . 3 | 4. Compressed Certificate Message . . . . . . . . . . . . . . . 3 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 6. Middlebox Compatibility . . . . . . . . . . . . . . . . . . . 5 | 6. Middlebox Compatibility . . . . . . . . . . . . . . . . . . . 5 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 7.1. Update of the TLS ExtensionType Registry . . . . . . . . 5 | 7.1. Update of the TLS ExtensionType Registry . . . . . . . . 5 | |||
| 7.2. Update of the TLS HandshakeType Registry . . . . . . . . 5 | 7.2. Update of the TLS HandshakeType Registry . . . . . . . . 6 | |||
| 7.3. Registry for Compression Algorithms . . . . . . . . . . . 5 | 7.3. Registry for Compression Algorithms . . . . . . . . . . . 6 | |||
| 8. Normative References . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 7 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | 8.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 8 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 1. Introduction | 1. Introduction | |||
| In order to reduce latency and improve performance it can be useful | In order to reduce latency and improve performance it can be useful | |||
| to reduce the amount of data exchanged during a TLS handshake. | to reduce the amount of data exchanged during a TLS handshake. | |||
| [RFC7924] describes a mechanism that allows a client and a server to | [RFC7924] describes a mechanism that allows a client and a server to | |||
| avoid transmitting certificates already shared in an earlier | avoid transmitting certificates already shared in an earlier | |||
| handshake, but it doesn't help when the client connects to a server | handshake, but it doesn't help when the client connects to a server | |||
| for the first time and doesn't already have knowledge of the server's | for the first time and doesn't already have knowledge of the server's | |||
| skipping to change at page 2, line 47 ¶ | skipping to change at page 2, line 49 ¶ | |||
| 2. Notational Conventions | 2. Notational Conventions | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Negotiating Certificate Compression | 3. Negotiating Certificate Compression | |||
| This extension is only supported with TLS 1.3 and newer; if TLS 1.2 | This extension is only supported with TLS 1.3 [RFC8446] and newer; if | |||
| or earlier is negotiated, the peers MUST ignore this extension. | TLS 1.2 [RFC5246] or earlier is negotiated, the peers MUST ignore | |||
| this extension. | ||||
| This document defines a new extension type | This document defines a new extension type | |||
| (compress_certificate(27)), which can be used to signal the supported | (compress_certificate(27)), which can be used to signal the supported | |||
| compression formats for the Certificate message to the peer. | compression formats for the Certificate message to the peer. | |||
| Whenever it is sent by the client as a ClientHello message extension | Whenever it is sent by the client as a ClientHello message extension | |||
| ([RFC8446], Section 4.1.2), it indicates the support for compressed | ([RFC8446], Section 4.1.2), it indicates the support for compressed | |||
| server certificates. Whenever it is sent by the server as a | server certificates. Whenever it is sent by the server as a | |||
| CertificateRequest extension ([RFC8446], Section 4.3.2), it indicates | CertificateRequest extension ([RFC8446], Section 4.3.2), it indicates | |||
| the support for compressed client certificates. | the support for compressed client certificates. | |||
| skipping to change at page 3, line 33 ¶ | skipping to change at page 3, line 36 ¶ | |||
| struct { | struct { | |||
| CertificateCompressionAlgorithm algorithms<2..2^8-2>; | CertificateCompressionAlgorithm algorithms<2..2^8-2>; | |||
| } CertificateCompressionAlgorithms; | } CertificateCompressionAlgorithms; | |||
| The compress_certificate extension is a unidirectional indication; no | The compress_certificate extension is a unidirectional indication; no | |||
| corresponding response extension is needed. | corresponding response extension is needed. | |||
| 4. Compressed Certificate Message | 4. Compressed Certificate Message | |||
| If the peer has indicated that it supports compression, server and | If the peer has indicated that it supports compression, server and | |||
| client MAY compress their corresponding Certificate messages and send | client MAY compress their corresponding Certificate messages | |||
| them in the form of the CompressedCertificate message (replacing the | (Section 4.4.2 of [RFC8446]) and send them in the form of the | |||
| Certificate message). | CompressedCertificate message (replacing the Certificate message). | |||
| The CompressedCertificate message is formed as follows: | The CompressedCertificate message is formed as follows: | |||
| struct { | struct { | |||
| CertificateCompressionAlgorithm algorithm; | CertificateCompressionAlgorithm algorithm; | |||
| uint24 uncompressed_length; | uint24 uncompressed_length; | |||
| opaque compressed_certificate_message<1..2^24-1>; | opaque compressed_certificate_message<1..2^24-1>; | |||
| } CompressedCertificate; | } CompressedCertificate; | |||
| algorithm The algorithm used to compress the certificate. The | algorithm The algorithm used to compress the certificate. The | |||
| skipping to change at page 5, line 19 ¶ | skipping to change at page 5, line 22 ¶ | |||
| CompressedCertificate message. | CompressedCertificate message. | |||
| Implementations MUST limit the size of the resulting decompressed | Implementations MUST limit the size of the resulting decompressed | |||
| chain to the specified uncompressed length, and they MUST abort the | chain to the specified uncompressed length, and they MUST abort the | |||
| connection if the size of the output of the decompression function | connection if the size of the output of the decompression function | |||
| exceeds that limit. TLS framing imposes a 16777216 byte limit on the | exceeds that limit. TLS framing imposes a 16777216 byte limit on the | |||
| certificate message size, and the implementations MAY impose a limit | certificate message size, and the implementations MAY impose a limit | |||
| that is lower than that; in both cases, they MUST apply the same | that is lower than that; in both cases, they MUST apply the same | |||
| limit as if no compression were used. | limit as if no compression were used. | |||
| While the Certificate message in TLS 1.3 is encrypted, third parties | ||||
| can draw inferences from the message length observed on the wire. | ||||
| TLS 1.3 provides a padding mechanism (discussed in Sections 5.4 and | ||||
| E.3 of [RFC8446]) to counteract such analysis. Certificate | ||||
| compression alters the length of the Certificate message, and the | ||||
| change in length is dependent on the actual contents of the | ||||
| certificate. Any padding scheme covering the Certificate message has | ||||
| to address compression within its design, or disable it altogether. | ||||
| 6. Middlebox Compatibility | 6. Middlebox Compatibility | |||
| It's been observed that a significant number of middleboxes intercept | It's been observed that a significant number of middleboxes intercept | |||
| and try to validate the Certificate message exchanged during a TLS | and try to validate the Certificate message exchanged during a TLS | |||
| handshake. This means that middleboxes that don't understand the | handshake. This means that middleboxes that don't understand the | |||
| CompressedCertificate message might misbehave and drop connections | CompressedCertificate message might misbehave and drop connections | |||
| that adopt certificate compression. Because of that, the extension | that adopt certificate compression. Because of that, the extension | |||
| is only supported in the versions of TLS where the certificate | is only supported in the versions of TLS where the certificate | |||
| message is encrypted in a way that prevents middleboxes from | message is encrypted in a way that prevents middleboxes from | |||
| intercepting it, that is, TLS version 1.3 [RFC8446] and higher. | intercepting it, that is, TLS version 1.3 [RFC8446] and higher. | |||
| skipping to change at page 5, line 42 ¶ | skipping to change at page 6, line 8 ¶ | |||
| 7.1. Update of the TLS ExtensionType Registry | 7.1. Update of the TLS ExtensionType Registry | |||
| Create an entry, compress_certificate(27), in the existing registry | Create an entry, compress_certificate(27), in the existing registry | |||
| for ExtensionType (defined in [RFC8446]), with "TLS 1.3" column | for ExtensionType (defined in [RFC8446]), with "TLS 1.3" column | |||
| values being set to "CH, CR", and "Recommended" column being set to | values being set to "CH, CR", and "Recommended" column being set to | |||
| "Yes". | "Yes". | |||
| 7.2. Update of the TLS HandshakeType Registry | 7.2. Update of the TLS HandshakeType Registry | |||
| Create an entry, compressed_certificate(25), in the existing registry | Create an entry, compressed_certificate(25), in the existing registry | |||
| for HandshakeType (defined in [RFC8446]). | for HandshakeType (defined in [RFC8446]), with "DTLS-OK" column value | |||
| being set to "Yes". | ||||
| 7.3. Registry for Compression Algorithms | 7.3. Registry for Compression Algorithms | |||
| This document establishes a registry of compression algorithms | This document establishes a registry of compression algorithms | |||
| supported for compressing the Certificate message, titled | supported for compressing the Certificate message, titled | |||
| "Certificate Compression Algorithm IDs", under the existing | "Certificate Compression Algorithm IDs", under the existing | |||
| "Transport Layer Security (TLS) Extensions" heading. | "Transport Layer Security (TLS) Extensions" heading. | |||
| The entries in the registry are: | The entries in the registry are: | |||
| skipping to change at page 6, line 28 ¶ | skipping to change at page 6, line 43 ¶ | |||
| +------------------+------------------------------+-----------------+ | +------------------+------------------------------+-----------------+ | |||
| The values in this registry shall be allocated under "IETF Review" | The values in this registry shall be allocated under "IETF Review" | |||
| policy for values strictly smaller than 256, under "Specification | policy for values strictly smaller than 256, under "Specification | |||
| Required" policy for values 256-16383, and under "Experimental Use" | Required" policy for values 256-16383, and under "Experimental Use" | |||
| otherwise (see [RFC8126] for the definition of relevant policies). | otherwise (see [RFC8126] for the definition of relevant policies). | |||
| Experimental Use extensions can be used both on private networks and | Experimental Use extensions can be used both on private networks and | |||
| over the open Internet. | over the open Internet. | |||
| The procedures for requesting values in the Specification Required | The procedures for requesting values in the Specification Required | |||
| space are specified in [RFC8447]. | space are specified in Section 17 of [RFC8447]. | |||
| 8. Normative References | 8. References | |||
| 8.1. Normative References | ||||
| [I-D.kucherawy-rfc8478bis] | [I-D.kucherawy-rfc8478bis] | |||
| Collet, Y. and M. Kucherawy, "Zstandard Compression and | Collet, Y. and M. Kucherawy, "Zstandard Compression and | |||
| the application/zstd Media Type", draft-kucherawy- | the application/zstd Media Type", draft-kucherawy- | |||
| rfc8478bis-00 (work in progress), October 2019. | rfc8478bis-03 (work in progress), December 2019. | |||
| [RFC1950] Deutsch, P. and J-L. Gailly, "ZLIB Compressed Data Format | [RFC1950] Deutsch, P. and J-L. Gailly, "ZLIB Compressed Data Format | |||
| Specification version 3.3", RFC 1950, | Specification version 3.3", RFC 1950, | |||
| DOI 10.17487/RFC1950, May 1996, | DOI 10.17487/RFC1950, May 1996, | |||
| <https://www.rfc-editor.org/info/rfc1950>. | <https://www.rfc-editor.org/info/rfc1950>. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| skipping to change at page 7, line 31 ¶ | skipping to change at page 7, line 47 ¶ | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | [RFC8447] Salowey, J. and S. Turner, "IANA Registry Updates for TLS | |||
| and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | and DTLS", RFC 8447, DOI 10.17487/RFC8447, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8447>. | <https://www.rfc-editor.org/info/rfc8447>. | |||
| 8.2. Informative References | ||||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
| (TLS) Protocol Version 1.2", RFC 5246, | ||||
| DOI 10.17487/RFC5246, August 2008, | ||||
| <https://www.rfc-editor.org/info/rfc5246>. | ||||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| Certificate compression was originally introduced in the QUIC Crypto | Certificate compression was originally introduced in the QUIC Crypto | |||
| protocol, designed by Adam Langley and Wan-Teh Chang. | protocol, designed by Adam Langley and Wan-Teh Chang. | |||
| This document has benefited from contributions and suggestions from | This document has benefited from contributions and suggestions from | |||
| David Benjamin, Ryan Hamilton, Ilari Liusvaara, Piotr Sikora, Ian | David Benjamin, Ryan Hamilton, Christian Huitema, Benjamin Kaduk, | |||
| Swett, Martin Thomson, Sean Turner and many others. | Ilari Liusvaara, Piotr Sikora, Ian Swett, Martin Thomson, Sean Turner | |||
| and many others. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Alessandro Ghedini | Alessandro Ghedini | |||
| Cloudflare, Inc. | Cloudflare, Inc. | |||
| Email: alessandro@cloudflare.com | Email: alessandro@cloudflare.com | |||
| Victor Vasiliev | Victor Vasiliev | |||
| End of changes. 14 change blocks. | ||||
| 21 lines changed or deleted | 44 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/
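As an added example (not code from the draft or from any implementation it cites), the following Python encodes the CertificateCompressionAlgorithms vector from Section 3 and the CompressedCertificate message from Section 4, and on the receiving side enforces the Section 5 rule: the advertised uncompressed_length is checked against the receiver's limit before inflating, and the inflate output is bounded so the connection is aborted as soon as the output would exceed it. It assumes the registry value zlib(1) and the 2-byte CertificateCompressionAlgorithm enum, both of which sit in the part of the draft elided from this diff; the sample certificate bytes are constructed.

```python
import struct
import zlib

ZLIB = 1  # assumed registry value (Section 7.3, elided in this diff); 2-byte enum
TLS_MAX_CERT_MSG = 16777216  # Section 5: TLS framing limit on a Certificate message

class DecompressionError(Exception):
    """Raised where the draft says the receiver MUST abort the connection."""

def encode_compress_certificate_ext(algorithms):
    """algorithms<2..2^8-2>: one length byte, then 2-byte algorithm ids."""
    body = b"".join(struct.pack("!H", a) for a in algorithms)
    if not 2 <= len(body) <= 2**8 - 2:
        raise ValueError("algorithms vector out of range")
    return bytes([len(body)]) + body

def encode_compressed_certificate(cert_msg, algorithm=ZLIB):
    """Sender: algorithm(2) || uncompressed_length(uint24) || opaque<1..2^24-1>."""
    if not 1 <= len(cert_msg) <= TLS_MAX_CERT_MSG:
        raise ValueError("Certificate message size outside uint24 range")
    compressed = zlib.compress(cert_msg)
    if not 1 <= len(compressed) <= 2**24 - 1:
        raise ValueError("compressed body outside opaque<1..2^24-1>")
    return (struct.pack("!H", algorithm) + len(cert_msg).to_bytes(3, "big")
            + len(compressed).to_bytes(3, "big") + compressed)

def decode_compressed_certificate(body, limit=TLS_MAX_CERT_MSG):
    """Receiver: parse, then inflate with output bounded by uncompressed_length."""
    if len(body) < 8:
        raise DecompressionError("truncated CompressedCertificate")
    (algorithm,) = struct.unpack("!H", body[:2])
    uncompressed_length = int.from_bytes(body[2:5], "big")
    compressed_length = int.from_bytes(body[5:8], "big")
    compressed = body[8:]
    if compressed_length < 1 or len(compressed) != compressed_length:
        raise DecompressionError("compressed_certificate_message length mismatch")
    if algorithm != ZLIB:
        raise DecompressionError("unsupported algorithm %d" % algorithm)
    if uncompressed_length > limit:  # same limit as if no compression were used
        raise DecompressionError("uncompressed_length exceeds receiver limit")
    # Cap zlib's output at uncompressed_length + 1: the extra byte only exists to
    # detect overflow, so memory stays bounded whatever the compressed input claims.
    inflater = zlib.decompressobj()
    try:
        out = inflater.decompress(compressed, uncompressed_length + 1)
    except zlib.error as exc:
        raise DecompressionError("malformed zlib stream: %s" % exc) from exc
    if (len(out) != uncompressed_length or not inflater.eof
            or inflater.unconsumed_tail or inflater.unused_data):
        raise DecompressionError("output does not match uncompressed_length")
    return out

def is_rejected(body, limit=TLS_MAX_CERT_MSG):
    """True if the receiver would abort on this CompressedCertificate body."""
    try:
        decode_compressed_certificate(body, limit)
    except DecompressionError:
        return True
    return False

SAMPLE_CERT_MSG = b"-- constructed placeholder certificate chain --" * 64  # not a real chain
```

A receiver that skipped the uncompressed_length comparison and inflated without a cap would let a few kilobytes of compressed input allocate the full 16 MiB, which is exactly the resource exhaustion the Section 5 text guards against.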