Re: [TLS] Please discuss: draft-housley-evidence-extns-00
"Mark Brown" <mark@xxxxxxxxxxxxxxxxxxxx> writes:
> Eric,
>
>> I think "not great" is quite an understatement here. You've just
>> required that every TLS record write requires *two* signatures,
>> one from the sender and one from the receiver. This includes
>> record read/writes which the application doesn't even care
>> about having evidence for. Your typical brokerage transaction
>> requires 10s if not hundreds of separate HTTP fetches, each
>> of which requires one or more record in each direction. Doing
>> 25 digital signatures for every transaction is an enormous
>> load on the server.
>
> Turn on TLS Evidence only for one POST, skip the GETs. There's typically
> one important POST per transaction, the one before the
> print-this-page-for-your-records response. That's the page the user
> typically prints for evidence of the transaction, despite its failings.
Yes, but *now* you're in the business of having the application
require tight control of when signatures are created and when
they're available, which brings us back to the situation I
was complaining about in my initial review, where this isn't
just automatic, it requires extensively modifying the
app, plus the race condition/lockstep issues I raised in my
original review.
> It doesn't make sense to create TLS Evidence for every fetch. What would be
> the point of being able to show for posterity that some browser downloaded
> 20 gifs, a css file and two javascript files? None.
I totally agree with that. That's the virtue of a message signing
scheme like S/MIME.
> Regarding performance estimates, whether you use a FIPS 140 accelerator or
> not, the cost of two digital signatures and the extra TLS Evidence messages
> is less than the 20+ round trips made to load the page, even if the client
> is using multiple connections.
It depends on what you're measuring, latency or CPU time. The dominant
CPU cost of SSL/TLS is the RSA key exchange (which is commensurate in
cost with signing, of course)[0]. Providing evidence (independent
signatures) for a single request/response pair entails that the server
do two additional signatures (one in response to the Evidence-Request
for the client request and one in its Evidence-Request for the
response). This substantially increases the server load beyond the
symmetric crypto cost. And of course there's no guarantee that
a request or response goes in a single TLS record, which may or
may not be the case.
-Ekr
[0] C. Coarfa, P. Druschel, and D. Wallach. Performance Analysis of
TLS Web Servers. In Proceedings of NDSS '02, 2002.
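As an added illustration (not part of the thread or of the draft), a small cost model of the argument above: it fragments each request and response into TLS records at the 16 KiB plaintext limit, charges the server one signature per evidenced record in each direction, and compares evidencing every fetch against evidencing only the POST. The page composition (one POST, the HTML page, 20 gifs, a css file, two javascript files) and the byte sizes are constructed assumptions.

```python
import math
from dataclasses import dataclass

TLS_MAX_PLAINTEXT = 2 ** 14  # maximum TLS record plaintext, 16 KiB


@dataclass(frozen=True)
class Fetch:
    method: str          # "GET" or "POST"
    request_bytes: int
    response_bytes: int


def record_count(nbytes: int) -> int:
    """Records needed to carry nbytes; a request or response may span several."""
    return max(1, math.ceil(nbytes / TLS_MAX_PLAINTEXT))


def server_signatures(fetch: Fetch) -> int:
    """Server signatures for one evidenced fetch under the per-record model
    discussed in the thread: the server signs every record it writes and
    every record it receives, so one signature per record in each direction."""
    return record_count(fetch.request_bytes) + record_count(fetch.response_bytes)


def transaction_load(fetches, evidence_for, handshake_private_ops=1):
    """Server asymmetric operations for one transaction.
    evidence_for: predicate selecting which fetches carry TLS Evidence.
    handshake_private_ops: RSA private operations already paid for the
    key exchange (assumed 1 for a full handshake)."""
    sigs = sum(server_signatures(f) for f in fetches if evidence_for(f))
    total = handshake_private_ops + sigs
    return {"signatures": sigs, "asymmetric_ops": total,
            "vs_handshake": total / handshake_private_ops}


# Constructed brokerage transaction: the order POST, the page, and its assets.
BROKERAGE_TXN = (
    [Fetch("POST", 2_000, 40_000), Fetch("GET", 500, 30_000)]
    + [Fetch("GET", 400, 5_000)] * 20   # gifs
    + [Fetch("GET", 400, 12_000)]       # css
    + [Fetch("GET", 400, 20_000)] * 2   # javascript
)


def evidence_everything(fetch: Fetch) -> bool:
    return True


def evidence_posts_only(fetch: Fetch) -> bool:
    return fetch.method == "POST"


if __name__ == "__main__":
    for name, policy in (("all", evidence_everything), ("POST only", evidence_posts_only)):
        print(name, transaction_load(BROKERAGE_TXN, policy))
```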
_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls