/draft-jackson-tls-cert-abridge

A compression scheme for WebPKI certificate chains

Primary LanguagePythonOtherNOASSERTION

Abridged Certificate Compression for the WebPKI

This is the working area for the individual Internet-Draft, "Abridged Certificate Compression for the WebPKI".

This drafts defines WebPKI specific compression scheme for use in TLS Certificate Compression. The compression scheme relies on a static dictionary consisting of a snapshot of the root and intermediate certificates used in the WebPKI. The result is a dramatic improvement over the existing generic compression schemes used in TLS, equitable for both CAs and website operators and avoids the need for trust negotiation or additional error handling.

As the scheme removes the overhead of including root and intermediate certificates in the TLS handshake, it paves the way for a transition to PQ TLS certificates and has an outsized impact on QUIC's performance due to magnification limits on the server's response. This compression scheme may also be of interest in other situations where certificate chains are stored, for example in the operation of Certificate Transparency logs.

Preliminary Evaluation

This draft is a work in progress, however a preliminary evaluation is available:

Scheme p5 p50 p95
Original 2308 4032 5609
TLS Cert Compression 1619 3243 3821
Intermediate Suppression and TLS Cert Compression 1020 1445 3303
This Draft 661 1060 1437
Hypothetical Optimal Compression 377 742 1075

A complete table of results and benchmarking scripts can be found in benchmarks.

Contributing

See the guidelines for contributions.

Contributions can be made by creating pull requests. The GitHub interface supports creating pull requests using the Edit (✏) button.

Formatted text and HTML versions of the draft can be built using make. Command line usage requires that you have the necessary software installed. See the instructions.