On Tue, Jul 30, 2019 at 11:59 PM Martin Thomson <[email protected]> wrote:
> On Wed, Jul 31, 2019, at 13:54, Ben Schwartz wrote: > > The batch signing idea is very cool. I'm not entirely sure I understand > > the intended use case, though. The intro suggests that this motivated > > by DoS defense, but presumably an attacker who controls their own TLS > > client stack could simply omit support for these signature schemes. Do > > you envision a future where servers can safely omit support for all the > > non-batch signature schemes? Or are you thinking of attackers who don't > > control the TLS client stack? > > The usual trick when under duress is to attempt to process some requests, > and lowering the cost of handling those requests enables higher tolerance > to attack and better continuity of service. A server might choose not to > serve clients that don't offer batching if it is stressed. > Yup. The signing cost of a batch-capable client is effectively zero. (I expect it's already common to preferentially serve ECDSA-capable clients when under load.) Also, if many clients implement this, serving load under normal operation goes down, which is also valuable. > > Minor question: in the tree diagrams, m2 goes to t04. Is there any > > reason it couldn't go directly to t12? That would seem more natural to > > me. > > The blinding process is explained in Section 4.3. > I think Ben is asking why the tree doesn't put m2 a level higher (like CT does), instead of adding the padding nodes. That would work too. I chose this one because I found it more straightforward, and it doesn't particularly matter. Also it's what Roughtime did and I cribbed the construction from Roughtime. :-) In principle, the signer could pick any tree strategy as long as it produced valid paths for each message. But I think it's probably better for the draft to be opinionated, rather than risk implementers mess things up. David
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
