Re: [Acme] ACME or EST?

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 26 November 2014 00:04 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAHOTMVKtbasxAMo4qrx+HkJ14+z0vyAGOJMnFvdEhyMH=nLkCQ@mail.gmail.com>
Date: Tue, 25 Nov 2014 16:03:59 -0800
Message-Id: <4DF92BBD-82A3-4155-A23C-44C9EF851035@vpnc.org>
References: <AD5940AA-6F01-4D0E-A4E0-19AEA56BBED3@vpnc.org> <CAL02cgTgpjQffow2XuaNuT7BtqYVttXdVUgyqBFbsAbN4g0VzQ@mail.gmail.com> <F5761985-AD8C-4CA3-9E55-D1AC33BB55E6@vpnc.org> <CAHOTMVKtbasxAMo4qrx+HkJ14+z0vyAGOJMnFvdEhyMH=nLkCQ@mail.gmail.com>
To: Tony Arcieri <bascule@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/zplGpRRrwA4AH7BiWtL7NP3em94
Cc: Richard Barnes <rlb@ipv.sx>, acme@ietf.org
Subject: Re: [Acme] ACME or EST?

On Nov 25, 2014, at 2:59 PM, Tony Arcieri <bascule@gmail.com> wrote:
> On Tue, Nov 25, 2014 at 2:50 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
>> The JOSE message structure has been much more problem-laden than CMS ever was. Yes, ASN.1 is ugly; many people feel the same (or worse) about JOSE.

Yep, shades of grey or, in this case, shades of mud.

> We make extensive use of both CMS and JOSE for our enterprise's HSM-backed encryption service. We've gone full bore switching from CMS to JOSE with everyone agreeing CMS is terrible and JOSE is less terrible.
> 
> Are there specific concerns you have?

Wait for it...

> I think the main advantage is JOSE is considerably easier to implement than ASN.1, and aside from a handful of problems

There you go. :-) Folks who have fought with ASN.1 longer than JOSE find CMS's "handful of problems" already solved and JOSE's ones completely frustrating because they were brought up in the WG years ago (literally) and never fixed.

It doesn't matter; JOSE will work adequately for ACME.

--Paul Hoffman