Re: What ASN.1 got right

Nico Williams <> Wed, 03 March 2021 15:26 UTC

Date: Wed, 3 Mar 2021 09:26:33 -0600
From: Nico Williams <>
To: Phillip Hallam-Baker <>
Cc: Michael Thomas <>, IETF Discussion Mailing List <>
Subject: Re: What ASN.1 got right
Message-ID: <20210303152632.GH30153@localhost>
References: <20210302234928.GX30153@localhost> <> <20210303002330.GZ30153@localhost> <> <20210303005136.GB30153@localhost> <> <20210303022234.GE30153@localhost> <> <20210303033555.GG30153@localhost> <>

On Wed, Mar 03, 2021 at 12:34:19AM -0500, Phillip Hallam-Baker wrote:
> The practical limit on certificate lifespan is 48 hours renewed every 24
> unless you have a means of reliably getting trusted time into the client.

For server certificates five days is fine.  For clients you want
something akin to Kerberos.  Typical Kerberos installations issue 10
hour TGTs that are renewable (note: Kerberos sense of renewal) for a few
days, and after that the user has to type in their password or do
whatever MFA dance.

> I have been trying to find info on SSH user certs on and off for quite a
> while. Seems like an under-documented feature... They solve a big problem
> for me :-)

Honestly, they're not that interesting to me because of the limited
hierarchy they have.  I'd rather it were PKIX certs.  But at least they
got something right: subject naming, which they call principal names,
and which are just strings, freeform strings.  That means that if you
are migrating from some other system, you can keep that other system's