Re: What ASN.1 got right

Nico Williams <nico@cryptonector.com> Thu, 04 March 2021 17:15 UTC

Date: Thu, 4 Mar 2021 11:15:30 -0600
From: Nico Williams <nico@cryptonector.com>
To: Michael Thomas <mike@mtcc.com>
Cc: ietf@ietf.org
Subject: Re: What ASN.1 got right
Message-ID: <20210304171529.GS30153@localhost>
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <37C80C42-98A8-4077-AB0F-27539C21934D@webweaving.org> <20210304155417.GN30153@localhost> <45065b63-2766-6f0f-eef3-2d2984fcc4ac@mtcc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <45065b63-2766-6f0f-eef3-2d2984fcc4ac@mtcc.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/-FK-Cf7GKuAepGwz5RjW9GQc874>

On Thu, Mar 04, 2021 at 09:07:51AM -0800, Michael Thomas wrote:
> On 3/4/21 7:54 AM, Nico Williams wrote:
> > You can dispense with CRLs/OCSP if you use sufficiently short-lived
> > certificates.
> > 
> > That requires an online CA to certify those short-lived certificates,
> > but it's online infrastructure that is required only once or twice per
> > rotation period for any one end entity.
> 
> "requires an online" being the key phrase. If you require online, you can
> reduce the revocation linger time to zero, and you don't need the onerous
> infrastructure of X.509 at all. Naked public keys are our friends.

The "... that is required only once or twice per rotation period for any
one end entity" part is an essential modifier to "requires an online".
You can't focus on the "requires an online" without addressing the other
part.

Nico
--
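To make the trade-off in this exchange concrete, here is an added example (not code from the thread or from either author): a relying-party policy that accepts short-lived certificates without consulting CRLs or OCSP only when the certificate's own lifetime is within policy, plus helpers showing when the end entity must go back to the online CA (the "once or twice per rotation period") and how long a compromised key can linger. The lifetime, skew and sample dates are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy knobs (assumed values): with no revocation checking, the certificate
# lifetime itself bounds how long a compromised key stays usable.
MAX_LIFETIME = timedelta(hours=24)
CLOCK_SKEW = timedelta(minutes=5)


def check_short_lived(not_before, not_after, now,
                      max_lifetime=MAX_LIFETIME, skew=CLOCK_SKEW):
    """Return (accepted, reason) for a certificate validity window."""
    if not_after <= not_before:
        return False, "invalid validity window"
    if not_after - not_before > max_lifetime:
        # A long-lived cert accepted with no CRL/OCSP is exactly the exposure
        # short-lived issuance is meant to avoid, so refuse it outright.
        return False, "lifetime exceeds policy for revocation-free acceptance"
    if now < not_before - skew:
        return False, "not yet valid"
    if now > not_after + skew:
        return False, "expired"
    return True, "ok"


def next_renewal(not_before, not_after, fraction=0.5):
    """When the end entity should ask the online CA for a fresh certificate.
    Renewing at half-life means one issuance per rotation period, with a
    second attempt only if the first one fails."""
    return not_before + (not_after - not_before) * fraction


def worst_case_linger(not_after, compromise_time, skew=CLOCK_SKEW):
    """Upper bound on how long a key compromised at compromise_time is still
    accepted by relying parties: the rest of the lifetime plus tolerated skew."""
    remaining = not_after + skew - compromise_time
    return max(remaining, timedelta(0))


if __name__ == "__main__":
    # Constructed sample window, not taken from the thread.
    nb = datetime(2021, 3, 4, 0, 0, tzinfo=timezone.utc)
    na = nb + timedelta(hours=24)
    print(check_short_lived(nb, na, nb + timedelta(hours=3)))
    print(next_renewal(nb, na))
    print(worst_case_linger(na, nb + timedelta(hours=20)))
```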