diff --git a/mldsa/draft-beck-tls-trust-anchor-ids.html b/mldsa/draft-beck-tls-trust-anchor-ids.html index 548c38c..bf09115 100644 --- a/mldsa/draft-beck-tls-trust-anchor-ids.html +++ b/mldsa/draft-beck-tls-trust-anchor-ids.html @@ -1051,7 +1051,7 @@
Today, root CAs typically issue shorter-lived intermediate certificates which, in turn, issue end-entity certificates. The long-lived root key is less exposed to attack, while the short-lived intermediate key can be more easily replaced without changes to relying parties.¶
-This operational improvement comes at a bandwidth cost: the TLS handshake includes an extra certificate, which includes a public key, signature, and X.509 metadata. An average X.509 name in the Chrome Root Store [CHROME-ROOTS] or Mozilla CA Certificate Program [MOZILLA-ROOTS] is around 100 bytes alone. Post-quantum signature algorithms will dramatically shift this tradeoff. ML-DSA-65 [FIPS204], for example, has a total public key and signature size of 5,245 bytes.¶
+This operational improvement comes at a bandwidth cost: the TLS handshake includes an extra certificate, which includes a public key, signature, and X.509 metadata. An average X.509 name in the Chrome Root Store [CHROME-ROOTS] or Mozilla CA Certificate Program [MOZILLA-ROOTS] is around 100 bytes alone. Post-quantum signature algorithms will dramatically shift this tradeoff. ML-DSA-65 [FIPS204], for example, has a total public key and signature size of 5,261 bytes.¶
[I-D.ietf-tls-cert-abridge] proposes to predistribute known intermediate certificates to relying parties, as a compression scheme. A multi-certificate deployment model provides another way to achieve this effect. To relying parties, a predistributed intermediate certificate is functionally equivalent to a root certificate. PKIs use intermediate certificates because changing root certificates requires updating relying parties, but predistributed intermediates already presume updated relying parties.¶
A CA operator could provide authenticating parties with two certification paths: a longer path ending at a long-lived trust anchor and shorter path the other ending at a short-lived, revocable root. Relying parties would be configured to trust both the long-lived root and the most recent short-lived root. A server that prioritizes the shorter path would then send the shorter path to up-to-date relying parties and the longer path to older relying parties.¶
This achieves the same effect with a more general-purpose multi-certificate mechanism. It is also more flexible, as the two paths need not be related. For example, root CA public keys are not distributed in each TLS connection, so a post-quantum signature algorithm that optimizes for signature size may be preferable. In this model, both the long-lived and short-lived roots may use such an algorithm. In a compression-based model, the same intermediate must optimize both its compressed and uncompressed size, so such an algorithm may not be suitable.¶
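Review bot: the corrected total on the changed line, 5,261 bytes, is still given as a bare sum, so a reader cannot tell which parameter sizes it is built from. Consider spelling out the components, a 1,952-byte public key plus a 3,309-byte signature for ML-DSA-65, so the figure can be checked against [FIPS204] directly. Separately, the unchanged context paragraph after the changed line reads "and shorter path the other ending at a short-lived, revocable root", which looks like a leftover from an earlier edit and could be tidied in the same pass.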
diff --git a/mldsa/draft-beck-tls-trust-anchor-ids.txt b/mldsa/draft-beck-tls-trust-anchor-ids.txt index e649d3e..41ccade 100644 --- a/mldsa/draft-beck-tls-trust-anchor-ids.txt +++ b/mldsa/draft-beck-tls-trust-anchor-ids.txt @@ -5,10 +5,10 @@ Transport Layer Security B. Beck Internet-Draft D. Benjamin Intended status: Standards Track D. O'Brien -Expires: 15 June 2025 Google LLC +Expires: 16 June 2025 Google LLC K. Nekritz Meta - 12 December 2024 + 13 December 2024 TLS Trust Anchor Identifiers @@ -60,7 +60,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 15 June 2025. + This Internet-Draft will expire on 16 June 2025. Copyright Notice @@ -776,7 +776,7 @@ Table of Contents [MOZILLA-ROOTS] is around 100 bytes alone. Post-quantum signature algorithms will dramatically shift this tradeoff. ML-DSA-65 [FIPS204], for example, has a total public key and signature size of - 5,245 bytes. + 5,261 bytes. [I-D.ietf-tls-cert-abridge] proposes to predistribute known intermediate certificates to relying parties, as a compression diff --git a/mldsa/draft-davidben-tls-trust-expr.html b/mldsa/draft-davidben-tls-trust-expr.html index e542712..8aca54d 100644 --- a/mldsa/draft-davidben-tls-trust-expr.html +++ b/mldsa/draft-davidben-tls-trust-expr.html @@ -1049,7 +1049,7 @@
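Review bot: in draft-beck-tls-trust-anchor-ids.txt the first two hunks only move the dates (12 to 13 December 2024, expiry 15 to 16 June 2025), while the third carries the actual 5,245 to 5,261 correction, so the substantive change is buried in regeneration churn. The visible lines touch only rendered .html and .txt output; confirm the same correction is made in the draft's source so the next build does not revert it, and note in the commit message that the date changes are a rebuild side effect.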