Closed sftcd closed 3 years ago
sayrer
commented
3 years ago There is no sensible way for a client to decide what to compress in general
In Rustls, I've found that there are some extensions that depend only on the general configuration. The API has an "extra_exts" field for things actually supplied by the caller.
davidben
commented
3 years ago it doesn't save enough to be worth it until there are some PQ KEMs (which is not today)
That's not entirely true. We have had code in BoringSSL for an experimental PQ KEM for some time. I would be very supportive of ideas to simplify it, but dropping it altogether would be a non-starter for us. https://www.imperialviolet.org/2018/04/11/pqconftls.html https://www.imperialviolet.org/2018/12/12/cecpq2.html
There is no sensible way for a client to decide what to compress in general
I listed a couple likely strategies here: https://mailarchive.ietf.org/arch/msg/tls/dJemdTEuQxMMfxtqoU93NFd8W08/
For OpenSSL, which supports custom extensions, it could be dangerous if there are extension handlers that interact
I think any custom extensions APIs will need to ponder what to do ECH no matter what. Even without compression, you fundamentally need to decide what you put in the outer vs. inner ClientHello on the client.
None of these decisions are related to compression. They're fundamental to the whole outer vs. inner ClientHello design of ECH.
Once you've made that decision, whether to compress follows naturally.
As an aside, I don't think such custom extensions APIs are a good idea. There's no guarantee that future TLS versions won't change how extensions are used, which means they're very hard to make backwards-compatible. ECH changes extension-handling on the client, and TLS 1.3 changed it dramatically across the board.
chris-wood
commented
3 years ago So my suggestion: drop it entirely for now and consider again what to do once we have some PQ KEM that's too big and when we have some real experience with ECH.
I agree that it's not trivial, but we seem to have found a general design that works reasonably well. So putting aside the complexity (of implementation and testing) point temporarily, the other reasons listed seem to fall into one of three categories: YAGNI, library integration challenges (choosing what to compress, how to expose it, and how it interacts with custom extension handlers), and increased fingerprinting.
Given the above, would a reasonable (and simpler?) alternative be to only compress the key share extension?
cjpatton
commented
3 years ago Key share de-duplication will be essential, operationally. It also seems likely that the future will bring other extensions we will want to de-duplicate. In my view, the "ech_outer_extensions" mechanism needs to have as much generality as it currently supports. I'd be opening to re-designing it, if someone has a suggestion for a simpler design. However, the current mechanism has been through a few design cycles (e.g., https://github.com/tlswg/draft-ietf-tls-esni/issues/262), and it seems to work pretty well.
It's also important to note that the added complexity is optional. In my experience, the client bears most of the implementation complexity, since it must decide if/how to compress extensions. The server bits are fully specified and fairly straightforward to implement properly.
chris-wood
commented
3 years ago Indeed, and for the record, I'm happy to keep what we have now absent some other simplifying proposal. It works and is sufficiently general for future use cases. I merely offer an alternative for consideration if we want to remove generality.
chris-wood
commented
3 years ago Per the interim, closing this for now. If someone comes up with something simpler, please share it!
(I'd suggest we resolve this issue after or with #378) Having implemented it, I don't think the compression is worthwhile and would be better omitted from the first RFC version of ECH. My reasons:
So my suggestion: drop it entirely for now and consider again what to do once we have some PQ KEM that's too big and when we have some real experience with ECH.