Re: What ASN.1 got right

Michael Thomas <> Wed, 03 March 2021 01:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BCDE23A15AA for <>; Tue, 2 Mar 2021 17:06:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9qz-PLaG-E0W for <>; Tue, 2 Mar 2021 17:06:51 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::529]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8F3D03A15A7 for <>; Tue, 2 Mar 2021 17:06:51 -0800 (PST)
Received: by with SMTP id h4so15061163pgf.13 for <>; Tue, 02 Mar 2021 17:06:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=DDvYuiLD4dNdvlZtDKp8fDulY80MWRldo7cgafcvmcY=; b=I293Rjfq3KXFXJMemrrDoWsoqZ7+nz8z6NzfmGsg6fZccUdf71DdmkEOOURRqUN7Bt zg88lv01jQNQ3dXw6xdLfom+eMGJxDZGX8taODhqYEPJd5YtMtVwzRV3nJasB2jSm7cX zNbKtJCLNZqNhFlwY2Eix/OV7hOGfAig0LkIr6qJhEkUrmd1KQxhC8DDCM/gW6JNv6Rz Lkpjpn3JVWkmroZmUSBNdOvHShvDOaAJoSK+HlP6dDMKH4EAz+Ld6ByZ+BK+6WGC+391 6KB5ahrO7VVUoVDhZLU+F+ecVJO19zgTzDlMycEOFtTvplCRPhg3frVdQINdNCdtNTOW wsQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=DDvYuiLD4dNdvlZtDKp8fDulY80MWRldo7cgafcvmcY=; b=CX0V6TsgjPwwGsQ/InQx7k6t8110nd+TpYAU2DsGNn4cNVTwfHf9CKlGKWFBI2W7gN B1dJKvmjHbXmBxwUn4n5HW7yWpQMGgiD+l9LjRNvRWVIE45n4NCZROAVdzIos+rRlzkT DN6hm5FpPFBkFa0uVsi9GZdqPVJ914iZXlWoSQbiuCzSdX98/2dHzDFo+iEJ+XqW7Whw 8YJQ1nLa5oxxb/2KAEy6j/D1exkRar9B6rNFMIU4z8sI+Z4ADUb5fyTQeZ0Pb7AeJDeE RyYBG6j2Mrx5qGpGndFL1RhcrvhbkYoeKuCO4SJhMxTZHY16oTnDnUvTz2i8uo3F4AA7 ++RQ==
X-Gm-Message-State: AOAM533ytm1WJ3Cv08ZScXBya1cMVmhbJVcL95nJJwPPJhRXsmHOWn8Q Oqxu9ndPI6Ka62qy70M9bDaM3GbuJ8cVxg==
X-Google-Smtp-Source: ABdhPJwSxOhYFLPVaCWyoUqbWuJ5JC13ML+Zn7+3CsbKNKqHnbuGT/ZNKrPnfxOWcm8fTwhDIF5Fsg==
X-Received: by 2002:a63:e64a:: with SMTP id p10mr20397987pgj.190.1614733609978; Tue, 02 Mar 2021 17:06:49 -0800 (PST)
Received: from mike-mac.lan ([]) by with ESMTPSA id js2sm4835812pjb.54.2021. (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Mar 2021 17:06:49 -0800 (PST)
Subject: Re: What ASN.1 got right
To: Nico Williams <>
Cc: Phillip Hallam-Baker <>, IETF Discussion Mailing List <>
References: <> <> <> <> <> <> <20210302234928.GX30153@localhost> <> <20210303002330.GZ30153@localhost> <> <20210303005136.GB30153@localhost>
From: Michael Thomas <>
Message-ID: <>
Date: Tue, 2 Mar 2021 17:06:47 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
In-Reply-To: <20210303005136.GB30153@localhost>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Mar 2021 01:06:53 -0000

On 3/2/21 4:51 PM, Nico Williams wrote:
> On Tue, Mar 02, 2021 at 04:43:10PM -0800, Michael Thomas wrote:
>> On 3/2/21 4:23 PM, Nico Williams wrote:
>>> I wouldn't want to do this.  It's much more complex than the client
>>> sending a certificate.
>> Huh? It's a bit of configuration on the server side that is probably
>> captured in provisioning systems. And client provisioning -- which is what
>> certs imply -- is extremely problematic. How do I get a client ssh cert onto
>> my phone's ssh app, for example? Not having to change client behavior or
>> provisioning significantly simplifies the problem.
> It's the same problem as getting the keys into the directory.

But it's not the same problem as getting a cert (chain) out of the CA 
and installing it on the client. In the one case it is nothing at all to 
do, in the cert case it's a whole lot of things to do and go wrong. 
Client provisioning is a minefield and it speaks miles that there is 
little to no client cert deployment for anything. Even with ssh where 
clue is probably higher than average, I wouldn't want to think about the 
support desk implications.

>> Not having to do anything at all on the client is a significant savings. I
>> would much rather the help desk cost of nothing different than taking calls
>> on how to install the ssh certs on exotic and not so exotic clients.
> Yes, if you ignore the part about having to get the keys into the
> directory.
They both have to do that, so it cancels that out.

> Uploading a new public keys is the ~same for both. Downloading a 
> client cert
>> is a whole lot of something. And if your corpro directory is down, you are
>> already in a world of hurt. The advantage of offline verification in the age
>> of 24/7 internet is very niche.
> We have an online CA with an HTTP API.  You POST a CSR authenticating
> with whatever credentials you've got, and you get back a short-live
> certificate for your authenticated name(s) or for the requested name(s)
> if you're authorized to them.  Using this is trivial.

That doesn't alter that needing offline authentication is niche. A Mars 
rover might need that. My phone connected to the internet, not so much.