Re: [Acme] ACME or EST?

Phillip Hallam-Baker <phill@hallambaker.com> Thu, 27 November 2014 16:58 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84A7C1A0099 for <acme@ietfa.amsl.com>; Thu, 27 Nov 2014 08:58:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vYpAjxSRuMtD for <acme@ietfa.amsl.com>; Thu, 27 Nov 2014 08:58:26 -0800 (PST)
Received: from mail-la0-x230.google.com (mail-la0-x230.google.com [IPv6:2a00:1450:4010:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 349CE1A009E for <acme@ietf.org>; Thu, 27 Nov 2014 08:58:26 -0800 (PST)
Received: by mail-la0-f48.google.com with SMTP id s18so4575538lam.35 for <acme@ietf.org>; Thu, 27 Nov 2014 08:58:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=rzxYipPqB5y2I+Tnmllj2E1RqxOtsZ6S0hzTUZFJYiY=; b=n1EUUdFLu5Thf4xSoPy6DhKVwMYq8UCuS4uq4Pd0thcv1bxs72G5VLpvRuW4/R/Ejm hT2+jIkHVPyN8r7yyOZ885n/eZpNWC7YAYOMMr13jlaUe8AxgoKyZhZTUj1igwaRRtnS jYke2CmSQmMXVEHStPmKRxIykgpfsyWhUlenAVRcceZa+flHfISbJBW8kN2bQEANRvNz EUtROalSGcJbc/dWXyd/7C1Wfl+Rdi+z6qg/lSl12ukRVQup7dulnOIzIez5AT5bCr74 keTbO9/IXWXCDMx3uu3zpy2uiZ2alcTqnnvPxd0qzWJgvSJ872HQMcGalQx/NlBly/lB I27Q==
MIME-Version: 1.0
X-Received: by 10.112.162.101 with SMTP id xz5mr39449636lbb.49.1417107504416; Thu, 27 Nov 2014 08:58:24 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.34.212 with HTTP; Thu, 27 Nov 2014 08:58:24 -0800 (PST)
In-Reply-To: <m27fyg4yzg.wl%randy@psg.com>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <DEC7A8A8-563D-41B3-94AC-71DC7219D3F8@cisco.com> <CAHOTMVLJFQsKUVaZueeqx4NRtzM+a4asU14YnQPC+2LHQCtcEQ@mail.gmail.com> <54752FD9.6040708@cs.tcd.ie> <m27fyg4yzg.wl%randy@psg.com>
Date: Thu, 27 Nov 2014 11:58:24 -0500
X-Google-Sender-Auth: rC53l_r7COdiVN5G8OtAkCzOR2E
Message-ID: <CAMm+LwjOgYistjb8jo_aw0jJ9+0YpL++Y4yJONj1rCGG0kC94A@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: Randy Bush <randy@psg.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/reDuReRO9FeybMCuPuWEREzHhpk
Cc: Richard Barnes <rlb@ipv.sx>, "acme@ietf.org" <acme@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>, "Joe Hildebrand \(jhildebr\)" <jhildebr@cisco.com>
Subject: Re: [Acme] ACME or EST?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Nov 2014 16:58:27 -0000

On Thu, Nov 27, 2014 at 7:19 AM, Randy Bush <randy@psg.com> wrote:
>> I would also like to ensure that the operational model that is implied
>> by ACME is congruent enough with EST that an operator might be able to
>> use both in parallel - if possible.
>
> could you explain why?  transition?
>
> Tony Arcieri <bascule@gmail.com> wrote:
>> ASN.1 is *not* "LANGSEC-friendly". JOSE comes a lot closer. For that reason
>> alone, ASN.1 is inferior.
>
> are there pure LR parsers for jose?
>
> Stephen Farrell wrote:
>> Frankly, I couldn't give a rat's arse if its asn.1 or xml or json or
>> punch cards via courier, or pigeons, so long as it works well enough,
>> as a default, and at scale.
>
> i would think you, of the farrelous brothers, would be concerned about
> the langsec-friendly aspect.

One of the many reasons to drop ASN.1, particularly the Deranged Encoding Rules.

The type of coding error that comes up is as follows:

Tag Length[ Tag Length [Value]]

Lets say each atom has a length of 1 byte, this would be coded

xx 03 xx 01 xx

Now what happens if the coder is wrong and instead gives:

xx 99 xx 01 xx

Buffer overrun error time!

ASN.1 has the added stupidity of the tags being variable lengths which
makes it quite likely that there will be an error in the encoding.

What this means is that you can not tell folk 'just use an ASN.1
package'. It is a bitch to write the code and you cannot rely on
others to get it right.


ASN.1 is deprecated. It is not for use in new projects. This is a new
project. Ergo no ASN.1