Re: What ASN.1 got right

Michael Thomas <mike@mtcc.com> Thu, 04 March 2021 17:14 UTC

Subject: Re: What ASN.1 got right
To: Phillip Hallam-Baker <phill@hallambaker.com>, Jared Mauch <jared@puck.nether.net>
Cc: IETF Discussion Mailing List <ietf@ietf.org>
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <86b382d8-dd3c-ed0a-8dde-f0837cf10e98@mtcc.com>
Date: Thu, 04 Mar 2021 09:14:54 -0800
In-Reply-To: <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/A0hgPyCFK4Nrx6AOB537AlkdueY>

On 3/4/21 6:57 AM, Phillip Hallam-Baker wrote:
>
>
> On Thu, Mar 4, 2021 at 4:35 AM Jared Mauch <jared@puck.nether.net> wrote:
>
>     On Mon, Mar 01, 2021 at 05:18:10PM -0800, Michael Thomas wrote:
>     > The combination of ASN.1 and X.509 has done irreparable harm to identity on
>     > the internet. X.509 provides exactly one benefit: the ability to verify
>     > offline that almost nobody cares about anymore. They have needlessly
>
>             As someone who had to build my own fiber/internet access in
>     a developed country, I believe the community often misses the mark in
>     assuming everyone is as well connected as they are.
>
>             I encourage you to review this assumption.
>
>
> It is really rare that people try to use TLS without Internet 
> connectivity. And the deployed base really isn't good at working in 
> that mode.
>
> Kohnfelder was originally writing for email messaging. But even then, 
> how do you send a mail without some connectivity?
>
> X.509 is really optimized around the totally offline case. And that is 
> a bad choice for many applications. But it does work for some.
>
>
That's the thing: the only thing that X.509 is used for at any scale is 
TLS and that is definitionally online. Everything else is niche in 
comparison. If you need offline capability, fine, but almost nothing 
does anymore if it's associated with the internet in any way.

Mike