Re: What ASN.1 got right

Michael Thomas <> Thu, 04 March 2021 18:56 UTC


On 3/4/21 10:48 AM, Keith Moore wrote:
> On 3/4/21 12:14 PM, Michael Thomas wrote:
>> That's the thing: the only thing that X.509 is used for at any scale 
>> is TLS and that is definitionally online. Everything else is niche in 
>> comparison. If you need offline capability, fine, but almost nothing 
>> does anymore if it's associated with the internet in any way.
> I don't think that's true at all. There are a vast number of 
> networks that are mostly disconnected from the Internet (but probably 
> do connect occasionally), but which still use Internet protocols and 
> applications.
> It's silly to dismiss those as if they didn't exist or weren't 
> important.  They're quite often parts of critical infrastructure.

Online != Internet connected. If you're using TLS you are online 
definitionally. You may be on a stub air-gapped network but you're still 
using internet protocols to communicate. That stub network can have all 
it needs to support its infrastructure. It's just as online as anything 
else. X.509 comes from a time where you couldn't even make that 
assumption. Applications that require that assumption are pretty few and 
far between these days.