Re: [Acme] ACME or EST?

"Joe Hildebrand (jhildebr)" <jhildebr@cisco.com> Thu, 27 November 2014 16:30 UTC

Return-Path: <jhildebr@cisco.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155611A009E for <acme@ietfa.amsl.com>; Thu, 27 Nov 2014 08:30:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1uUq_v_f8qJh for <acme@ietfa.amsl.com>; Thu, 27 Nov 2014 08:30:15 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DF7C1A007E for <acme@ietf.org>; Thu, 27 Nov 2014 08:30:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1708; q=dns/txt; s=iport; t=1417105816; x=1418315416; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=zIqjSzHrt/aDFL/UN3ydNboJxdskW8AmZToiRZ0mm4E=; b=fJAWUMuEZ/fTPASjag78U56gNupoe+TR3dtVE3EiW4flAC2HhGdskL98 JfOTArChqb8z/98/AwTa6PkelW3/w2VLLFf1NXKXk2lQQp/BbCUydi2oY K3LPseSxEedjYUX0Lx2IkOev9bInXC/8gG3wdBAgjdYpbXTJbVwJ+B3vh g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuIGANJQd1StJA2L/2dsb2JhbABbgwZRXMUZgiiGTQIcbhYBAQEBAX2EAgEBAQMBIxFFEAIBCBgCAiYCAgIfERUQAgQOBYgrAwkJDbt8j1gNhjsBAQEBAQEBAQEBAQEBAQEBAQEBAQETBIEujRUcgWkYGweCeDaBHwWSZYRnglSCTYIUkB6GfoN8b4FIgQIBAQE
X-IronPort-AV: E=Sophos;i="5.07,470,1413244800"; d="scan'208";a="100715075"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-8.cisco.com with ESMTP; 27 Nov 2014 16:30:15 +0000
Received: from xhc-rcd-x10.cisco.com (xhc-rcd-x10.cisco.com [173.37.183.84]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id sARGUEla003550 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 27 Nov 2014 16:30:14 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.204]) by xhc-rcd-x10.cisco.com ([173.37.183.84]) with mapi id 14.03.0195.001; Thu, 27 Nov 2014 10:30:14 -0600
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: Randy Bush <randy@psg.com>
Thread-Topic: [Acme] ACME or EST?
Thread-Index: AQHQCjxuSOTiIOtL1U66R1BPQr7fWZx0mY8A
Date: Thu, 27 Nov 2014 16:30:13 +0000
Message-ID: <75B0FBDA-A3AD-4907-8DB6-21F2D2EC17ED@cisco.com>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <m27fyg4yzg.wl%randy@psg.com>
In-Reply-To: <m27fyg4yzg.wl%randy@psg.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/15.4.0.141110
x-originating-ip: [10.24.0.249]
Content-Type: text/plain; charset="utf-8"
Content-ID: <5825CE3CDCB8A3488546354EACF537C8@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/5jK4cv_pTW6zNm1VUDOfqbFZaB0
Cc: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 16:30:17 -0000

On 11/27/14, 12:19 PM, "Randy Bush" <randy@psg.com> wrote:

>> I would also like to ensure that the operational model that is implied
>> by ACME is congruent enough with EST that an operator might be able to
>> use both in parallel - if possible.
>
>could you explain why?  transition?

There are at least a few pockets of folks who have made bets on EST, and 
I'd like to be able to get those people onboard with the overall approach. 
 Some of them may want to transition, and some of them may want to run a 
mix of protocols in order to not have to modify and re-test existing code 
paths.

>Tony Arcieri <bascule@gmail.com> wrote:
>> ASN.1 is *not* "LANGSEC-friendly". JOSE comes a lot closer. For that 
>>reason
>> alone, ASN.1 is inferior.
>
>are there pure LR parsers for jose?

JOSE is "just" JSON.  Here is my favorite small JSON parser:

https://github.com/quartzjer/js0n/blob/master/src/js0n.c


That code makes it pretty clear what parser styles are possible.

JSON has plenty of other issues, but ease or clarity of parsing is not one 
of them.  For examples, look in RFC 7159 for interoperability problems.  
CBOR was developed (partially) to address most of those issues.

-- 
Joe Hildebrand