[Internet]Re: JEP Review Request: TLS Certificate Compression

Sean Mullan sean.mullan at oracle.com
Mon Mar 7 18:16:25 UTC 2022


Hi Xuelei,

Please start this discussion in a new thread with a new subject (ex: 
Proposal for potential new feature: TLS Certificate Compression) as it 
should be evaluated on its own prior to reaching consensus and deciding 
if a JEP should be drafted.

Also, keep in mind that it may take a few days or longer for members of 
the Security Group and other interested participants to find time to 
review new proposals for significant features.

Thanks,
Sean

On 2/28/22 3:33 PM, xueleifan(XueleiFan) wrote:
> Hi,
> 
> It may be better to have more detail here, rather than refer you to the 
> draft JEP.  The first question maybe, if TLS Certificate Compression is 
> something we want it in OpenJDK?
> 
> The TLS Certificate Compression standard was described in RFC 8879, and 
> has been enabled in browser Chrome and Safari. But, what’s TLS 
> Certificate Compression and what’s the benefits of this feature?
> 
> For TLS connections, a client must authenticate the identity of the 
> server. This typically involves verification that the identity of the 
> server is included in a certificate and that the certificate is issued 
> by a trusted entity.
> 
> Where servers provide certificates for authentication, the size of the 
> certificate chain can consume a large number of bytes. Controlling the 
> size of certificate chains is critical to performance and security in 
> QUIC. TLS certificate compression has the potential to ameliorate the 
> attacks/problems by reducing the size of the handshakes to a size 
> compatible with the security restriction.  The TLS Certificate 
> Compression feature is an essential part for QUIC-TLS protocols.
> 
> For more details, please refer to section 4.4 in RFC 9001 (Using TLS to 
> Secure QUIC):
> ---------
> Note: Where servers provide certificates for authentication, the size of 
> the certificate chain can consume a large number of bytes. Controlling 
> the size of certificate chains is critical to performance in QUIC as 
> servers are limited to sending 3 bytes for every byte received prior to 
> validating the client address; see Section 8.1 of [QUIC-TRANSPORT]. The 
> size of a certificate chain can be managed by limiting the number of 
> names or extensions; using keys with small public key representations, 
> like ECDSA; or by using certificate compression [COMPRESS].¶
> ---------
> 
> and a more detailed description in the blog “Does the QUIC handshake 
> require compression to be 
> fast?”(https://www.fastly.com/blog/quic-handshake-tls-compression-certificates-extension-study 
> <https://www.fastly.com/blog/quic-handshake-tls-compression-certificates-extension-study>). 
>   I just copy part of the conclusion section of the bog here for your 
> quick reference.
> ---------
> First, the TLS certificate compression extension has a very large impact 
> on QUIC performance. Even though the extension is new and being 
> introduced fairly late in the process when compared to overall QUIC 
> deployment schedules, it seems quite important for both clients and 
> servers to implement the new extension so that the QUIC handshake can 
> live up to its billing. Without some help, 40% of QUIC full handshakes 
> would be no better than TCP, but compression can repair most of that 
> issue. I have heard of other non-standardized approaches to reducing the 
> size of the certificate chain, and they seem reasonable, but this is a 
> problem worth addressing immediately with the existing compression 
> extension.
> 
> ...
> 
> Lastly, data from the real world again proves to be more insightful than 
> intuition and is invaluable in making protocol design and implementation 
> decisions. When I started this work I expected the impact of compression 
> to be positive but marginally focused on a few edge cases. The data 
> shows this optimization lands right on the sweet spot that ties 
> configurations and the QUIC specification together and impacts a large 
> portion of QUIC handshakes. My thanks to the authors of the compression 
> extension.
> ---------
> 
> 
> Besides, reducing the amount of information exchanged during a TLS 
> handshake to a minimum helps to improve performance in environments, for 
> example Internet of Things, where devices are connected to a network 
> with a low bandwidth and lossy radio technology.
> 
> This feature is a part to improve the performance of TLS connections, 
> and it is also a part of the path towards QUIC standards.
> 
> Chrome support TLS certificate compression with Brotil compression 
> algorithm, and Safari support TLS certificate compression with Zlib 
> compression algorithm.
> 
> In a summary, JDK could benefits from support RFC 8879 in the following 
> areas:
> 
>      Performance - Reduce latency and improve performance of TLS and 
> QUIC connections by support the TLS certificate compression standard in JDK.
>      Security - Mitigate the impact of amplification attacks threat by 
> reducing the size of the TLS handshakes with compressed certificates.
> 
> Please feel free to share you comments, if it is something we want in 
> OpenJDK?
> 
> Thanks,
> Xuelei
> 
> 
>> On Feb 28, 2022, at 10:57 AM, xueleifan(XueleiFan) 
>> <xueleifan at tencent.com <mailto:xueleifan at tencent.com>> wrote:
>>
>> Hi,
>>
>> Could I have this JEP reviewed?  One or more qualified Committers 
>> review is required to move it forward.
>>
>> Here is the PR if you want to have a further look at the 
>> implementation and test:
>> https://github.com/openjdk/jdk/pull/7599 
>> <https://github.com/openjdk/jdk/pull/7599>
>>
>> Thanks,
>> Xuelei
>>
>>> On Feb 15, 2022, at 9:30 PM, xueleifan(XueleiFan) 
>>> <xueleifan at tencent.com <mailto:xueleifan at tencent.com>> wrote:
>>>
>>> Hi all,
>>>
>>> The JDK Enhancement Proposal, TLS Certificate Compression, has been 
>>> opened for community review.  Detailed, please refer to the draft:
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8281710 
>>> <https://bugs.openjdk.java.net/browse/JDK-8281710>
>>>
>>> Feel free to make comment and send your feedback to the alias.  I may 
>>> submit this JEP in the beginning of next week if I hear no objections 
>>> by the end of this week.
>>>
>>> Thanks,
>>> Xuelei
>>>
>>
> 



More information about the security-dev mailing list