Re: What ASN.1 got right

Michael Thomas <mike@mtcc.com> Wed, 03 March 2021 01:06 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCDE23A15AA for <ietf@ietfa.amsl.com>; Tue, 2 Mar 2021 17:06:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mtcc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9qz-PLaG-E0W for <ietf@ietfa.amsl.com>; Tue, 2 Mar 2021 17:06:51 -0800 (PST)
Received: from mail-pg1-x529.google.com (mail-pg1-x529.google.com [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F3D03A15A7 for <ietf@ietf.org>; Tue, 2 Mar 2021 17:06:51 -0800 (PST)
Received: by mail-pg1-x529.google.com with SMTP id h4so15061163pgf.13 for <ietf@ietf.org>; Tue, 02 Mar 2021 17:06:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=DDvYuiLD4dNdvlZtDKp8fDulY80MWRldo7cgafcvmcY=; b=I293Rjfq3KXFXJMemrrDoWsoqZ7+nz8z6NzfmGsg6fZccUdf71DdmkEOOURRqUN7Bt zg88lv01jQNQ3dXw6xdLfom+eMGJxDZGX8taODhqYEPJd5YtMtVwzRV3nJasB2jSm7cX zNbKtJCLNZqNhFlwY2Eix/OV7hOGfAig0LkIr6qJhEkUrmd1KQxhC8DDCM/gW6JNv6Rz Lkpjpn3JVWkmroZmUSBNdOvHShvDOaAJoSK+HlP6dDMKH4EAz+Ld6ByZ+BK+6WGC+391 6KB5ahrO7VVUoVDhZLU+F+ecVJO19zgTzDlMycEOFtTvplCRPhg3frVdQINdNCdtNTOW wsQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=DDvYuiLD4dNdvlZtDKp8fDulY80MWRldo7cgafcvmcY=; b=CX0V6TsgjPwwGsQ/InQx7k6t8110nd+TpYAU2DsGNn4cNVTwfHf9CKlGKWFBI2W7gN B1dJKvmjHbXmBxwUn4n5HW7yWpQMGgiD+l9LjRNvRWVIE45n4NCZROAVdzIos+rRlzkT DN6hm5FpPFBkFa0uVsi9GZdqPVJ914iZXlWoSQbiuCzSdX98/2dHzDFo+iEJ+XqW7Whw 8YJQ1nLa5oxxb/2KAEy6j/D1exkRar9B6rNFMIU4z8sI+Z4ADUb5fyTQeZ0Pb7AeJDeE RyYBG6j2Mrx5qGpGndFL1RhcrvhbkYoeKuCO4SJhMxTZHY16oTnDnUvTz2i8uo3F4AA7 ++RQ==
X-Gm-Message-State: AOAM533ytm1WJ3Cv08ZScXBya1cMVmhbJVcL95nJJwPPJhRXsmHOWn8Q Oqxu9ndPI6Ka62qy70M9bDaM3GbuJ8cVxg==
X-Google-Smtp-Source: ABdhPJwSxOhYFLPVaCWyoUqbWuJ5JC13ML+Zn7+3CsbKNKqHnbuGT/ZNKrPnfxOWcm8fTwhDIF5Fsg==
X-Received: by 2002:a63:e64a:: with SMTP id p10mr20397987pgj.190.1614733609978; Tue, 02 Mar 2021 17:06:49 -0800 (PST)
Received: from mike-mac.lan ([206.107.197.192]) by smtp.gmail.com with ESMTPSA id js2sm4835812pjb.54.2021.03.02.17.06.48 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Mar 2021 17:06:49 -0800 (PST)
Subject: Re: What ASN.1 got right
To: Nico Williams <nico@cryptonector.com>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, IETF Discussion Mailing List <ietf@ietf.org>
References: <CAMm+Lwj8QwuqaA3f625Ui8arc0TxY3uLXbG-PKToWGdtq8az6w@mail.gmail.com> <613072c6-5518-91e3-41b9-3b7590ee2346@mtcc.com> <CAMm+LwiEqL3bMg09e5NBNZwkPJ90DmQgLTy=SQNEN0q=vp=wrQ@mail.gmail.com> <ed6830b3-e650-d3fa-b253-9f53e01f9615@mtcc.com> <CAMm+LwifpPg-Sg9cXLpWvjmExt8KfuYq6oRZd4D1L0ZBR3nRFg@mail.gmail.com> <1631e20d-9d8a-b8c2-9d5e-6c7f4defa72d@mtcc.com> <20210302234928.GX30153@localhost> <cb4960e2-05a1-9d28-f17b-9f610ac378c9@mtcc.com> <20210303002330.GZ30153@localhost> <7d70044c-88e8-0165-5ce3-4c8612965f16@mtcc.com> <20210303005136.GB30153@localhost>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <8e4d3b84-0357-524e-b8f5-b8f7290adf2b@mtcc.com>
Date: Tue, 02 Mar 2021 17:06:47 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
In-Reply-To: <20210303005136.GB30153@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/N3-Ez3shBLLkd6I855xkrR_Dr5A>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2021 01:06:53 -0000

On 3/2/21 4:51 PM, Nico Williams wrote:
> On Tue, Mar 02, 2021 at 04:43:10PM -0800, Michael Thomas wrote:
>> On 3/2/21 4:23 PM, Nico Williams wrote:
>>> I wouldn't want to do this.  It's much more complex than the client
>>> sending a certificate.
>> Huh? It's a bit of configuration on the server side that is probably
>> captured in provisioning systems. And client provisioning -- which is what
>> certs imply -- is extremely problematic. How do I get a client ssh cert onto
>> my phone's ssh app, for example? Not having to change client behavior or
>> provisioning significantly simplifies the problem.
> It's the same problem as getting the keys into the directory.

But it's not the same problem as getting a cert (chain) out of the CA 
and installing it on the client. In the one case it is nothing at all to 
do, in the cert case it's a whole lot of things to do and go wrong. 
Client provisioning is a minefield and it speaks miles that there is 
little to no client cert deployment for anything. Even with ssh where 
clue is probably higher than average, I wouldn't want to think about the 
support desk implications.

>> Not having to do anything at all on the client is a significant savings. I
>> would much rather the help desk cost of nothing different than taking calls
>> on how to install the ssh certs on exotic and not so exotic clients.
> Yes, if you ignore the part about having to get the keys into the
> directory.
They both have to do that, so it cancels that out.

> Uploading a new public keys is the ~same for both. Downloading a 
> client cert
>> is a whole lot of something. And if your corpro directory is down, you are
>> already in a world of hurt. The advantage of offline verification in the age
>> of 24/7 internet is very niche.
> We have an online CA with an HTTP API.  You POST a CSR authenticating
> with whatever credentials you've got, and you get back a short-live
> certificate for your authenticated name(s) or for the requested name(s)
> if you're authorized to them.  Using this is trivial.

That doesn't alter that needing offline authentication is niche. A Mars 
rover might need that. My phone connected to the internet, not so much.

Mike