diff --git a/draft-ietf-tls-cert-abridge.md b/draft-ietf-tls-cert-abridge.md index fa25248..8337be4 100644 --- a/draft-ietf-tls-cert-abridge.md +++ b/draft-ietf-tls-cert-abridge.md 
@@ -215,8 +215,9 @@ Compression Algorithm: The resulting output should be a well-formatted `Certificate` message payload with the recognized intermediate and root certificates replaced with three byte identifiers and resulting lengths corrected. Note that the `extensions` field in each `CertificateEntry` remains unchanged, as does the `certificate_request_context` and any unrecognized certificates. -The decompression algorithm requires the above steps but in reverse, swapping any recognized three-byte identifier in a `cert_data` field with the DER representation of the associated certificate and updating the lengths. Unrecognized three-byte identifiers are ignored. Note that this does not have security implications, as the peer could send a Certificate message with an arbitrary payload directly. -If the compressed certificate chain cannot be parsed (e.g. due to incorrect length fields) the decompression algorithm MUST report the failure and as required by {{TLSCertCompress}}, the connection MUST be terminated with the "bad_certificate" alert. +The decompression algorithm requires the above steps but in reverse, swapping any recognized three-byte identifier in a `cert_data` field with the DER representation of the associated certificate and updating the lengths. + +If the compressed certificate chain cannot be parsed (e.g. due to incorrect length fields) the decompression algorithm MUST report the failure to the TLS library. Any unrecognized three-byte identifiers encountered during decompression MUST also be treated as decompression failures. As required by {{TLSCertCompress}}, decompression failures mean that the connection MUST be terminated with the "bad_certificate" alert. TLS implementations intending to only use this scheme as a compressor (e.g. servers) SHOULD minimize the storage requirements of pass 1 by using a lookup table which maps the cryptographic hash of each certificate in the pass 1 listing to its assigned three byte identifier. 
This avoids the need for the compressor to retain a full copy of the pass 1 list. The hashing algorithm used in this lookup table is internal to the implementation and not exposed, but MUST be cryptographically secure. Note that implementations using this scheme as a decompressor (e.g. clients) typically already ship with a listing of trusted root and intermediate certificates which can be reused by the decompressor without any additional storage overhead.
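Review bot: the new requirement that unrecognized three-byte identifiers MUST be treated as decompression failures (third `+` line of the hunk) leaves the decompressor's actual test underspecified; the text should state explicitly that any `cert_data` field of exactly three bytes whose value is absent from the pass 1 listing is an unrecognized identifier, which is unambiguous because a three-byte `cert_data` can never be a valid DER certificate and the compressor passes unrecognized certificates through unchanged. Failing hard is the right replacement for the removed "Unrecognized three-byte identifiers are ignored" wording, since passing the three bytes through would only defer the error to certificate parsing with a less specific alert, but one consequence is worth stating next to it: a compressor and decompressor that disagree on the pass 1 listing will now terminate the handshake rather than fall back, so both peers must share the same listing. Suggested wording: "A `cert_data` field of exactly three bytes that does not match any identifier in the pass 1 listing MUST be treated as a decompression failure."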