Re: What ASN.1 got right

Michael Thomas <> Tue, 02 March 2021 23:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B783F3A141D for <>; Tue, 2 Mar 2021 15:23:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Wm-95hnHQpDK for <>; Tue, 2 Mar 2021 15:23:31 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D1313A141C for <>; Tue, 2 Mar 2021 15:23:31 -0800 (PST)
Received: by with SMTP id z7so12939472plk.7 for <>; Tue, 02 Mar 2021 15:23:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=vBwuike7oVhAWDM2dNgq5S0BdPzbJIM4ywjUO4xV9JI=; b=BlCapllZkjIWnCcAM50yEyAOVZ5sL/J8TjXdI3Za7MuO1GVg4uuUT+Ue2tPFtJ/msp ZDMeL/O8/KfYy1INTt+3hUlHpYG2c3sPtvDYjJ0lUu6LySS5XDUZbRi4kbM7xTzYZ1sy MEG88pYDIjvRwDFaKTpDKQwOUZ3vlbA+QW+K9eQEvfJwvd/ZF4Pwr1+Q7j9leT9jdKSA 3WdSavAaKFdVoNv5KWIiXy+1w9YCqOjGwjRPvhGvF0KvD9DwM04uUnD82Q2V4CYAB6l0 CH9/eCgtnnPbeTEDi1MrjT/S+6Q6GUKATHOnqhQVjOElJMQD8dl//NAhnDa4YenKOUjv pkuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=vBwuike7oVhAWDM2dNgq5S0BdPzbJIM4ywjUO4xV9JI=; b=ENtRDarKUCvGhKhDEOmAR+XCf0K+RgQmlqzLZn+ugqmTco79EFmyVhIKyyqwYkJwd1 044c90InV3GY47ZEHR8fmZWmHBpNkiICV5YionBkWNPhNRgoycS5+DlDjbtZJ4FI1Bxt wVnL4FYnHDWUzALDVud0rVgYiP3UbCXSialYGJ82sfAYtCtwhkJXho3pt78FkY4MvLES MgP0miF2FICLrva5n4pnG57//UspzO1V6pCEsMG9sCKulu+2NDL59fkYaARuqqT/Fsq4 d6S6tcsWO0Vk3PAII+XAR1qYkzd3pIfgKeskuaF79bK29QvJAOAL4V2Zps6yCszeFD4F UnYw==
X-Gm-Message-State: AOAM532lUmYTaBO837jt2YKOj3IGxm9Z/uT6+VXt7GLBpRMp+t0ygeAi iWp0QH4VHNM7EJrbJ4h4oE2SLfd+7p1RZQ==
X-Google-Smtp-Source: ABdhPJwY4Z1zCkCIZYwdx9FGLAw9LEKHaYaqDdsIjD8i7/+gmEGz8siD+FOcvTY4ne4GMnxCwp+SJQ==
X-Received: by 2002:a17:902:a58a:b029:e4:6db1:656 with SMTP id az10-20020a170902a58ab02900e46db10656mr22258682plb.84.1614727407000; Tue, 02 Mar 2021 15:23:27 -0800 (PST)
Received: from mike-mac.lan ([]) by with ESMTPSA id w188sm22263915pfw.177.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Mar 2021 15:23:26 -0800 (PST)
Subject: Re: What ASN.1 got right
To: Phillip Hallam-Baker <>
Cc: Nico Williams <>, IETF Discussion Mailing List <>
References: <20210302010731.GL30153@localhost> <> <> <> <20210302183901.GV30153@localhost> <> <> <> <> <>
From: Michael Thomas <>
Message-ID: <>
Date: Tue, 2 Mar 2021 15:23:24 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------FD141E4E4F9657E3CC325B63"
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Mar 2021 23:23:33 -0000

On 3/2/21 2:27 PM, Phillip Hallam-Baker wrote:
> On Tue, Mar 2, 2021 at 5:19 PM Michael Thomas < 
> <>> wrote:
>     On 3/2/21 1:38 PM, Phillip Hallam-Baker wrote:
>     []
>     Is this supposed to make me feel better about induced complexity?
>     Mike
> It is much simpler than what we have today and one person has written 
> all the specifications and 90% of the code in 26 months, and I was 
> recovering from whatever I picked up in Singapore for six of those.
> Things should be as simple as possible but it is absolutely critical 
> that they not be made simpler. I have 30 years experience with this 
> technology and its application to the real world. The Mesh PKI side is 
> much simpler than PKIX, OpenPGP or SAML but it is not simple. I know 
> what I missed by trying for too much simplicity in XKMS.

So I just looked up ssh certificates which I think somebody mentioned. 
This is a prime example of throwing needless complexity at a problem. If 
you just added the user's public keys to, say, an LDAP repo, you get the 
scaling they claim to be solving for, and avoid all of the needless 
complexity of issuing certs and installing them on the client. The 
client ssh doesn't need to do anything different as bonus. With LDAP you 
get the added bonus that it can dish out attributes for things like 
roles and permissions, which would be a giant headache if it had to be 
done with reissued certs every time your role or permission changed.

I'm trying to think of major things that use public key authentication. 
There's TLS with certs, DKIM using raw public keys, and SSH mainly using 
raw public keys. Am I missing anything else that is widely deployed? 
DNSsec and BGP are still pretty skimpy from what I can tell.