Re: What ASN.1 got right

Nico Williams <nico@cryptonector.com> Thu, 04 March 2021 17:34 UTC

Date: Thu, 4 Mar 2021 11:33:55 -0600
From: Nico Williams <nico@cryptonector.com>
To: Michael Thomas <mike@mtcc.com>
Cc: ietf@ietf.org
Subject: Re: What ASN.1 got right
Message-ID: <20210304173355.GU30153@localhost>
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <37C80C42-98A8-4077-AB0F-27539C21934D@webweaving.org> <20210304155417.GN30153@localhost> <45065b63-2766-6f0f-eef3-2d2984fcc4ac@mtcc.com> <20210304171529.GS30153@localhost> <672e173b-c21b-f95f-72dc-2a15273b947e@mtcc.com>
In-Reply-To: <672e173b-c21b-f95f-72dc-2a15273b947e@mtcc.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/Fs49QVzB-oa6uem1RwzGprP1UxA>

On Thu, Mar 04, 2021 at 09:19:32AM -0800, Michael Thomas wrote:
> On 3/4/21 9:15 AM, Nico Williams wrote:
> > On Thu, Mar 04, 2021 at 09:07:51AM -0800, Michael Thomas wrote:
> > > On 3/4/21 7:54 AM, Nico Williams wrote:
> > > > You can dispense with CRLs/OCSP if you use sufficiently short-lived
> > > > certificates.
> > > > 
> > > > That requires an online CA to certify those short-lived certificates,
> > > > but it's online infrastructure that is required only once or twice per
> > > > rotation period for any one end entity.
> > > "requires an online" being the key phrase. If you require online, you can
> > > reduce the revocation linger time to zero, and you don't need the onerous
> > > infrastructure of X.509 at all. Naked public keys are our friends.
> > The "... that is required only once or twice per rotation period for any
> > one end entity" part is an essential modifier to "requires an online".
> > You can't focus on the "requires an online" without addressing the other
> > part.
> 
> Your online requirements cherry picks that the online requirements will
> neatly line up in times of need and ignores other online requirements.
> Authentication is one small part of a larger system. That larger system
> almost always needs to be online 24/7. X.509 is a relic from the past.

I've explained about online requirements on every transaction vs. once
in a while.  It's not cherry-picking.  It's trade-offs.  I've tried
explaining, and you can disagree with good technical arguments about
cases where there's better trade-offs or whatever, but instead you've
just been unnecessarily rude.  Have a nice day.
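The trade-off argued over in this message, written out as an added example that is not part of the thread: a relying-party policy that accepts a certificate on its validity window alone only when the certificate is short-lived, the worst-case "linger" of a compromised key under that policy versus under a periodically published CRL, and the count of online CA contacts an end entity needs per rotation period. The `Cert` structure, the 24-hour lifetime, the weekly CRL interval and the renew-at-half-life rule are constructed assumptions for illustration, not values from the discussion.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 end-entity certificate (constructed)."""
    subject: str
    not_before: datetime
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before


def accept_without_revocation_check(cert: Cert, now: datetime, max_lifetime: timedelta) -> bool:
    """Relying-party policy: skip CRL/OCSP only for sufficiently short-lived certs.

    A cert outside its validity window is rejected outright.  A cert whose
    lifetime exceeds `max_lifetime` is also rejected here, because this policy
    never consults revocation data and would otherwise accept a revoked key
    for longer than the relying party is willing to tolerate.
    """
    if not (cert.not_before <= now <= cert.not_after):
        return False
    return cert.lifetime <= max_lifetime


def linger_short_lived(cert: Cert, compromise_at: datetime) -> timedelta:
    """Worst-case time a compromised short-lived cert stays acceptable.

    With no revocation mechanism the key is honoured until notAfter, so the
    exposure is bounded by the remaining lifetime (at most the full lifetime).
    """
    if compromise_at >= cert.not_after:
        return timedelta(0)
    return cert.not_after - compromise_at


def linger_crl(compromise_at: datetime, last_crl_at: datetime, crl_interval: timedelta) -> timedelta:
    """Worst-case linger when relying parties learn of revocation via a CRL.

    Assumes relying parties cache a CRL until its next scheduled issue, so a
    revocation only takes effect when the next CRL after the compromise is
    published.  The exposure is bounded by the CRL interval, not the cert's
    lifetime.
    """
    next_crl = last_crl_at + crl_interval
    while next_crl <= compromise_at:
        next_crl += crl_interval
    return next_crl - compromise_at


def ca_contacts(period: timedelta, lifetime: timedelta, renew_fraction: float = 0.5) -> int:
    """How many times one end entity must reach the online CA during `period`.

    The entity renews once `renew_fraction` of each cert's lifetime has
    elapsed (half-life renewal by default), which is where the "once or twice
    per rotation period" figure comes from.
    """
    renew_every = lifetime * renew_fraction
    return math.ceil(period / renew_every)


def demo() -> dict:
    """Run the comparison on constructed dates and return the figures."""
    cert = Cert(
        subject="CN=constructed-example",
        not_before=datetime(2021, 3, 4, 0, 0, tzinfo=UTC),
        not_after=datetime(2021, 3, 5, 0, 0, tzinfo=UTC),  # 24-hour lifetime
    )
    now = datetime(2021, 3, 4, 12, 0, tzinfo=UTC)
    compromise_at = datetime(2021, 3, 4, 18, 0, tzinfo=UTC)
    return {
        "accepted_under_48h_policy": accept_without_revocation_check(cert, now, timedelta(hours=48)),
        "accepted_under_12h_policy": accept_without_revocation_check(cert, now, timedelta(hours=12)),
        "linger_short_lived": linger_short_lived(cert, compromise_at),
        "linger_weekly_crl": linger_crl(compromise_at, cert.not_before, timedelta(days=7)),
        "ca_contacts_per_day": ca_contacts(timedelta(days=1), cert.lifetime),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the figures make is the one both sides of the thread circle around: the short-lived design bounds exposure by certificate lifetime and needs the CA reachable a couple of times a day per entity, whereas the CRL design bounds exposure by the publication interval and needs no issuance traffic but does need every relying party to fetch revocation data. Which bound is acceptable, and which online dependency is cheaper, is a per-deployment decision rather than a property of X.509 itself.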