Re: [Acme] ACME or EST?

Nico Williams <> Fri, 28 November 2014 18:58 UTC

Date: Fri, 28 Nov 2014 12:58:54 -0600
From: Nico Williams <>
To: Phillip Hallam-Baker <>
Message-ID: <20141128185851.GD3200@localhost>
Cc: Christian Huitema <>, "" <>
Subject: Re: [Acme] ACME or EST?

On Thu, Nov 27, 2014 at 09:30:03PM -0500, Phillip Hallam-Baker wrote:
> On Thu, Nov 27, 2014 at 5:42 PM, Christian Huitema
> <> wrote:
> > [...]
> But as a programmer responsible for the security of the code, that
> means I can't just take an off the shelf ASN.1 library and use it. I
> have to roll my own to be sure the checks are made. Which in fact is
> what I do.
> So the existence of ASN.1 tools does nothing to reduce the impact of
> the needless complexity.

I find this very strange, whether said about ASN.1 or anything else.
Sure, often there's no better choice than open-coding whatever you need,
but do you write everything in assembly?  Probably not.

My advice: find the most hackable ASN.1 open source tooling, and use
that.  My preference is Heimdal's ASN.1 compiler, which is damn near
standalone, produces C code as well as bytecode (--template option), and
is easy to hack on to output other code.

> > I am not sure that the message description language matters very
> > much, the quality of the implementation matters much more. And, as
> > far as protocols go, better keep the syntax as simple as possible.
> > But you are right about the level of "exotic complexity" in ASN.1.
> > It does not help.

The base language, x.680, is not exotic at all.  Compared to XDR, for
example, it has a few features that XDR doesn't have (e.g., default-able
struct fields, SETs), and somewhat different syntax, but otherwise the
two are roughly very similar.  It's *just* syntax, after all.  It's the
encoding rules that cause problems, and even there, ASN.1's rules
cover all the bases: don't use the TLV encodings.

The various additions like x.681 and x.683 are quite complex, but not
needed for Internet protocols.
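As an added illustration of the "checks" the thread is arguing about (example code, not from the thread and not Heimdal's), here is a strict DER TLV header reader in C: it rejects indefinite length, non-minimal long-form lengths, lengths that run past the buffer, and multi-byte tags, which are exactly the encoding-rule corners a hand-rolled decoder must get right. The names and the sample bytes are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One decoded DER header: tag, header size, and content length. */
typedef struct {
    uint8_t tag;      /* single-byte tag only; high-tag-number form rejected */
    size_t  hdr_len;  /* bytes consumed by tag + length octets */
    size_t  len;      /* length of the content octets that follow */
} der_tlv;

/* Strict DER header parse. Returns 1 on success, 0 on any malformation:
 * indefinite length (0x80), non-minimal long form (leading zero octet or
 * a long form where the short form would do), a length wider than size_t,
 * or a content length that exceeds the remaining buffer. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buflen < 2) return 0;                      /* need tag + 1 length octet */
    if ((buf[0] & 0x1f) == 0x1f) return 0;         /* multi-byte tag: unsupported */
    out->tag = buf[pos++];
    uint8_t b = buf[pos++];
    if (b < 0x80) {
        len = b;                                   /* short form */
    } else {
        size_t n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t)) return 0;  /* indefinite, or overflow */
        if (buflen - pos < n) return 0;            /* length octets truncated */
        if (buf[pos] == 0) return 0;               /* leading zero: non-minimal */
        for (size_t i = 0; i < n; i++) len = (len << 8) | buf[pos++];
        if (len < 0x80) return 0;                  /* short form was required */
    }
    if (len > buflen - pos) return 0;              /* content runs past buffer */
    out->hdr_len = pos;
    out->len = len;
    return 1;
}

/* Convenience wrapper: content length on success, (size_t)-1 if malformed. */
size_t der_content_len(const uint8_t *buf, size_t buflen)
{
    der_tlv t;
    return der_read_tlv(buf, buflen, &t) ? t.len : (size_t)-1;
}

int main(void)
{
    /* constructed samples: SEQUENCE { INTEGER 5 }, then the same with a
     * non-minimal length octet (0x81 0x03) that strict DER must reject */
    const uint8_t good[] = {0x30, 0x03, 0x02, 0x01, 0x05};
    const uint8_t bad[]  = {0x30, 0x81, 0x03, 0x02, 0x01, 0x05};
    printf("good -> %zu\n", der_content_len(good, sizeof good));
    printf("non-minimal -> %zu\n", der_content_len(bad, sizeof bad));
    return 0;
}
```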