Require unrecognised identifiers to be decompression failures. #27

Open
wants to merge 1 commit into
base: brotli
5 changes: 3 additions & 2 deletions draft-ietf-tls-cert-abridge.md
Expand Up @@ -215,8 +215,9 @@ Compression Algorithm:

The resulting output should be a well-formatted `Certificate` message payload with the recognized intermediate and root certificates replaced with three byte identifiers and resulting lengths corrected. Note that the `extensions` field in each `CertificateEntry` remains unchanged, as does the `certificate_request_context` and any unrecognized certificates.

The decompression algorithm requires the above steps but in reverse, swapping any recognized three-byte identifier in a `cert_data` field with the DER representation of the associated certificate and updating the lengths. Unrecognized three-byte identifiers are ignored. Note that this does not have security implications, as the peer could send a Certificate message with an arbitrary payload directly.
If the compressed certificate chain cannot be parsed (e.g. due to incorrect length fields) the decompression algorithm MUST report the failure and as required by {{TLSCertCompress}}, the connection MUST be terminated with the "bad_certificate" alert.
The decompression algorithm requires the above steps but in reverse, swapping any recognized three-byte identifier in a `cert_data` field with the DER representation of the associated certificate and updating the lengths.

If the compressed certificate chain cannot be parsed (e.g. due to incorrect length fields) the decompression algorithm MUST report the failure to the TLS library. Any unrecognized three-byte identifiers encountered during decompression MUST also be treated as decompression failures. As required by {{TLSCertCompress}}, decompression failures mean that the connection MUST be terminated with the "bad_certificate" alert.

TLS implementations intending to only use this scheme as a compressor (e.g. servers) SHOULD minimize the storage requirements of pass 1 by using a lookup table which maps the cryptographic hash of each certificate in the pass 1 listing to its assigned three byte identifier. This avoids the need for the compressor to retain a full copy of the pass 1 list. The hashing algorithm used in this lookup table is internal to the implementation and not exposed, but MUST be cryptographically secure. Note that implementations using this scheme as a decompressor (e.g. clients) typically already ship with a listing of trusted root and intermediate certificates which can be reused by the decompressor without any additional storage overhead.
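
Review bot: The new sentence "Any unrecognized three-byte identifiers encountered during decompression MUST also be treated as decompression failures" does not say how a decompressor decides that a `cert_data` field holds an identifier rather than an unrecognized certificate that was passed through, which the paragraph above the changed text says remain unchanged. Because this is now a MUST that terminates the connection with "bad_certificate", suggest stating the test explicitly (for instance, that it applies to a `cert_data` field whose length is exactly three bytes) so that all implementations reject the same inputs. The removed wording justified ignoring unknown identifiers ("the peer could send a Certificate message with an arbitrary payload directly"), while the replacement gives no reason for the stricter behaviour; a one-sentence rationale would help implementers. Minor: the surrounding text writes "three byte identifiers" and the changed paragraphs write "three-byte", so pick one form.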
