Re: [Acme] ACME or EST?
Nico Williams <nico@cryptonector.com> Fri, 28 November 2014 18:58 UTC
From: Nico Williams <nico@cryptonector.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
Cc: Christian Huitema <huitema@microsoft.com>, "acme@ietf.org" <acme@ietf.org>
Date: Fri, 28 Nov 2014 12:58:54 -0600
Message-ID: <20141128185851.GD3200@localhost>
In-Reply-To: <CAMm+LwhwthKmjGm-uebjcDm_4Uy57pt0v7--J8MvTWKEftbx4w@mail.gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/q7z-uHLaXLN4i8T7TXm_sSGMn64
On Thu, Nov 27, 2014 at 09:30:03PM -0500, Phillip Hallam-Baker wrote:
> On Thu, Nov 27, 2014 at 5:42 PM, Christian Huitema
> <huitema@microsoft.com> wrote:
> > [...]
>
> But as a programmer responsible for the security of the code, that
> means I can't just take an off the shelf ASN.1 library and use it. I
> have to roll my own to be sure the checks are made. Which in fact is
> what I do.
>
> So the existence of ASN.1 tools does nothing to reduce the impact of
> the needless complexity.

I find this very strange, whether said about ASN.1 or anything else.
Sure, often there's no better choice than open-coding whatever you need,
but do you write everything in assembly? Probably not.

My advice: find the most hackable ASN.1 open source tooling, and use
that. My preference is Heimdal's ASN.1 compiler, which is damn near
standalone, produces C code as well as bytecode (--template option), and
is easy to hack on to output other code.

https://github.com/heimdal/heimdal/tree/master/lib/asn1

> > I am not sure that the message description language matters very
> > much, the quality of the implementation matters much more. And, as
> > far as protocols go, better keep the syntax as simple as possible.
> > But you are right about the level of "exotic complexity" in ASN.1.
> > It does not help.

The base language, X.680, is not exotic at all. Compared to XDR, for
example, it has a few features that XDR doesn't have (e.g., default-able
struct fields, SETs), and somewhat different syntax, but otherwise the
two are roughly very similar. It's *just* syntax, after all.

It's the encoding rules that cause problems, and even there, ASN.1's
rules cover all the bases: don't use the TLV encodings. The various
additions like X.681 and X.683 are quite complex, but not needed for
Internet protocols.

Nico
--
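The thread turns on two points: Phillip's "roll my own to be sure the checks are made" and Nico's "it's the encoding rules that cause problems". As an added example (not code from this thread, from Heimdal, or from any ASN.1 library), the C below parses a single DER tag-length-value header and makes explicit every check that has to happen before a length field can be trusted: the header fits the buffer, indefinite length (legal BER, forbidden in DER) is rejected, non-minimal long-form lengths are rejected, and the claimed content lies inside the buffer. A small walker then applies the same rule to each child of a constructed value, so an inner element cannot claim more bytes than its parent holds. The sample byte strings, the `der_err` names and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One parsed DER tag-length-value header. */
struct der_tlv {
    uint8_t tag;           /* identifier octet: class, constructed bit, tag number */
    size_t hdr_len;        /* octets consumed by tag + length */
    size_t len;            /* content length in octets */
    const uint8_t *value;  /* points into the caller's buffer, never copied */
};

/* Error codes are this example's own, not from any library. */
enum der_err {
    DER_OK = 0,
    DER_ERR_TRUNCATED = -1,   /* header or content runs past the buffer */
    DER_ERR_INDEFINITE = -2,  /* length octet 0x80: legal BER, forbidden in DER */
    DER_ERR_NONMINIMAL = -3,  /* length not in shortest form (DER requires it) */
    DER_ERR_RESERVED = -4,    /* length octet 0xff is reserved by X.690 */
    DER_ERR_TOOLONG = -5,     /* more length octets than size_t can represent */
    DER_ERR_UNSUPPORTED = -6  /* high-tag-number form (tag number 31) not handled */
};

/* Parse one TLV header at buf[0]. Each check guards one way a hostile
 * length field could push a decoder outside the buffer it was given. */
int der_read_tlv(const uint8_t *buf, size_t buflen, struct der_tlv *out)
{
    size_t pos = 0, len;

    if (buflen < 2)
        return DER_ERR_TRUNCATED;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return DER_ERR_UNSUPPORTED;

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                          /* short form */
    } else {
        size_t nbytes = first & 0x7f;         /* long form: count of length octets */
        if (nbytes == 0)
            return DER_ERR_INDEFINITE;
        if (first == 0xff)
            return DER_ERR_RESERVED;
        if (nbytes > sizeof(size_t))
            return DER_ERR_TOOLONG;
        if (buflen - pos < nbytes)            /* pos == 2 <= buflen, so no underflow */
            return DER_ERR_TRUNCATED;
        if (buf[pos] == 0)                    /* leading zero octet is non-minimal */
            return DER_ERR_NONMINIMAL;
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos + i];
        pos += nbytes;
        if (len < 0x80)                       /* would have fit the short form */
            return DER_ERR_NONMINIMAL;
    }
    if (len > buflen - pos)                   /* content must lie inside the buffer */
        return DER_ERR_TRUNCATED;

    out->tag = tag;
    out->hdr_len = pos;
    out->len = len;
    out->value = buf + pos;
    return DER_OK;
}

/* Validate one header and discard the parsed result. */
int der_validate(const uint8_t *buf, size_t buflen)
{
    struct der_tlv t;
    return der_read_tlv(buf, buflen, &t);
}

/* Parse a constructed value and count its immediate children, bounding each
 * child by the parent's content rather than by the whole buffer. Returns the
 * count or a negative der_err. */
int der_child_count(const uint8_t *buf, size_t buflen)
{
    struct der_tlv parent, child;
    int rc = der_read_tlv(buf, buflen, &parent);
    if (rc != DER_OK)
        return rc;
    size_t off = 0;
    int n = 0;
    while (off < parent.len) {
        rc = der_read_tlv(parent.value + off, parent.len - off, &child);
        if (rc != DER_OK)
            return rc;
        off += child.hdr_len + child.len;
        n++;
    }
    return n;
}

/* A valid long-form length: OCTET STRING of 128 zero octets, built at run time.
 * Returns 1 if the header parses as 3 header octets and 128 content octets. */
int long_form_ok(void)
{
    uint8_t buf[131] = {0x04, 0x81, 0x80};
    struct der_tlv t;
    return der_read_tlv(buf, sizeof buf, &t) == DER_OK && t.hdr_len == 3 && t.len == 128;
}

/* Constructed sample encodings for this example (not from any real certificate). */
const uint8_t SAMPLE_SEQ[]          = {0x30, 0x06, 0x02, 0x01, 0x05, 0x04, 0x01, 0x41}; /* SEQUENCE { INTEGER 5, OCTET STRING "A" } */
const uint8_t SAMPLE_NONMINIMAL[]   = {0x02, 0x81, 0x05, 0x05};                         /* length 5 written in long form */
const uint8_t SAMPLE_LEADING_ZERO[] = {0x02, 0x82, 0x00, 0x81};                         /* long form with a leading zero octet */
const uint8_t SAMPLE_INDEFINITE[]   = {0x30, 0x80, 0x00, 0x00};                         /* BER indefinite-length SEQUENCE */
const uint8_t SAMPLE_TRUNCATED[]    = {0x04, 0x05, 0x01, 0x02};                         /* claims 5 content octets, has 2 */
const uint8_t SAMPLE_BAD_CHILD[]    = {0x30, 0x03, 0x02, 0x05, 0x01};                   /* outer fits, inner INTEGER overruns */

int main(void)
{
    printf("SEQUENCE children:  %d\n", der_child_count(SAMPLE_SEQ, sizeof SAMPLE_SEQ));
    printf("non-minimal length: %d\n", der_validate(SAMPLE_NONMINIMAL, sizeof SAMPLE_NONMINIMAL));
    printf("indefinite length:  %d\n", der_validate(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    printf("truncated content:  %d\n", der_validate(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("overrunning child:  %d\n", der_child_count(SAMPLE_BAD_CHILD, sizeof SAMPLE_BAD_CHILD));
    printf("long form accepted: %d\n", long_form_ok());
    return 0;
}
```

The point of bounding each child by `parent.len - off` rather than by the outer buffer is that a DER length is only meaningful relative to its enclosing element; a decoder that checks lengths against the whole input still lets an inner element read past the end of its SEQUENCE into whatever follows. Rejecting non-minimal and indefinite lengths is what turns a BER reader into a DER reader, and it is also what keeps two encoders from producing different bytes for the same value, which matters whenever those bytes are signed.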