Re: [Acme] ACME or EST?
Phillip Hallam-Baker <phill@hallambaker.com> Thu, 27 November 2014 16:58 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/reDuReRO9FeybMCuPuWEREzHhpk

On Thu, Nov 27, 2014 at 7:19 AM, Randy Bush <randy@psg.com> wrote:
>> I would also like to ensure that the operational model that is implied
>> by ACME is congruent enough with EST that an operator might be able to
>> use both in parallel - if possible.
>
> could you explain why? transition?
>
> Tony Arcieri <bascule@gmail.com> wrote:
>> ASN.1 is *not* "LANGSEC-friendly". JOSE comes a lot closer. For that reason
>> alone, ASN.1 is inferior.
>
> are there pure LR parsers for jose?
>
> Stephen Farrell wrote:
>> Frankly, I couldn't give a rat's arse if its asn.1 or xml or json or
>> punch cards via courier, or pigeons, so long as it works well enough,
>> as a default, and at scale.
>
> i would think you, of the farrelous brothers, would be concerned about
> the langsec-friendly aspect.

One of the many reasons to drop ASN.1, particularly the Deranged
Encoding Rules.

The type of coding error that comes up is as follows:

Tag Length[ Tag Length [Value]]

Let's say each atom has a length of 1 byte, this would be coded

xx 03 xx 01 xx

Now what happens if the coder is wrong and instead gives:

xx 99 xx 01 xx

Buffer overrun error time!

ASN.1 has the added stupidity of the tags being variable lengths which
makes it quite likely that there will be an error in the encoding.

What this means is that you can not tell folk 'just use an ASN.1
package'. It is a bitch to write the code and you cannot rely on
others to get it right.

ASN.1 is deprecated. It is not for use in new projects. This is a new
project. Ergo no ASN.1
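
The bounds check that the nested Tag/Length/Value case in the message above depends on, shown as an added example (not part of the original message or of any ASN.1 package). It assumes the message's simplified model of 1-byte tags and 1-byte lengths, treats tag 0x30 as a container, and uses hypothetical names (`tlv_walk`, `tlv_check`) and constructed sample bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model from the post: 1-byte tag, 1-byte length, then value.
 * Assumption: tag 0x30 marks a container whose value is more TLVs. */
enum { TLV_OK = 0, TLV_TRUNCATED = -1, TLV_OVERRUN = -2, TLV_TOO_DEEP = -3 };

/* Constructed sample inputs (the post's "xx" bytes given concrete values). */
static const uint8_t GOOD[] = { 0x30, 0x03, 0x04, 0x01, 0xAA };
static const uint8_t BAD_OUTER[] = { 0x30, 0x99, 0x04, 0x01, 0xAA };
/* Inner length exceeds its parent even though the buffer has the bytes. */
static const uint8_t BAD_INNER[] = { 0x30, 0x03, 0x04, 0x05, 0xAA, 0, 0, 0, 0 };

static int tlv_walk(const uint8_t *buf, size_t len, int depth, size_t *leaves)
{
    size_t off = 0;
    if (depth > 8) return TLV_TOO_DEEP;           /* bound recursion */
    while (off < len) {
        if (len - off < 2) return TLV_TRUNCATED;  /* no room for tag+length */
        uint8_t tag = buf[off];
        size_t vlen = buf[off + 1];
        off += 2;
        /* The declared length must fit in what the *parent* gave us. */
        if (vlen > len - off) return TLV_OVERRUN;
        if (tag == 0x30) {
            int rc = tlv_walk(buf + off, vlen, depth + 1, leaves);
            if (rc != TLV_OK) return rc;
        } else {
            (*leaves)++;
        }
        off += vlen;
    }
    return TLV_OK;
}

int tlv_check(const uint8_t *buf, size_t len, size_t *leaves)
{
    *leaves = 0;
    return tlv_walk(buf, len, 0, leaves);
}

int main(void)
{
    size_t n;
    printf("good=%d ", tlv_check(GOOD, sizeof GOOD, &n));
    printf("bad_outer=%d ", tlv_check(BAD_OUTER, sizeof BAD_OUTER, &n));
    printf("bad_inner=%d\n", tlv_check(BAD_INNER, sizeof BAD_INNER, &n));
    return 0;
}
```

Each declared length is checked against the bytes remaining in the enclosing element rather than the whole buffer, so an inner element cannot claim data beyond its parent.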