Re: What ASN.1 got right

Phillip Hallam-Baker <> Wed, 03 March 2021 19:05 UTC

To: Nico Williams <>
Cc: Michael Thomas <>, IETF Discussion Mailing List <>

When I was writing my intro to crypto course, I covered Kerberos and then
moved on to PKI. I was astonished at just how close the Kohnfelder model
hews to Kerberos (maybe not so surprising; it was an MIT undergrad thesis).

But here is the thing: nobody should ever be ashamed of 're-inventing'
systems of the past. If old techniques work, then use them.

Since adding PKI to Kerberos wasn't exactly successful, one is going to
have to add PKI to Kerberos or Kerberos to PKI, and the complexity of either
is likely to be rather greater than designing something from scratch using
the experience of the past 40 years.

There were dozens of AAA products on the market when I started work on
SAML. And SAML is merely PKIX attribute certificates done right encoded in

On Wed, Mar 3, 2021 at 1:38 PM Nico Williams <> wrote:

> On Wed, Mar 03, 2021 at 09:50:30AM -0800, Michael Thomas wrote:
> > Or you just expect online and not worry about any of this.
>
> No, sorry.  I've explained.  We'll have to disagree.
>
> > I'm not even sure why you'd want to use certs in your use case. You're
> > just reinventing Kerberos.
>
> Because we have a principal for a user, and also a trusted thing that
> wants to impersonate them (in order to run the user's batch jobs) but
> without the user having to delegate a credential to them.  So we issue
> that thing a client certificate (that the user never sees) that can be
> used to acquire a TGT on behalf of the user.  This isn't remotely like
> reinventing Kerberos.
> Nico
> --