Re: What ASN.1 got right

Keith Moore <> Thu, 04 March 2021 19:03 UTC

Subject: Re: What ASN.1 got right
From: Keith Moore <>
Date: Thu, 4 Mar 2021 14:03:06 -0500
List-Id: IETF-Discussion <>

On 3/4/21 1:56 PM, Michael Thomas wrote:
>> It's silly to dismiss those as if they didn't exist or weren't 
>> important. They're quite often parts of critical infrastructure.
> Online != Internet connected. If you're using TLS you are online 
> definitionally. You may be on a stub air-gapped network but you're 
> still using internet protocols to communicate. That stub network can 
> have all it needs to support its infrastructure. It's just as online 
> as anything else.

Usually, "all it needs to support its infrastructure" is an Ethernet 
switch or WiFi access point. DNS is often considered an operational 
hazard in such environments, sometimes DHCP is also, as is firmware update.

> X.509 comes from a time where you couldn't even make that assumption. 
> Applications that require that assumption are pretty far and few 
> between these days.

I don't think it makes sense to waste otherwise good protocol 
engineering just because it doesn't fit someone's idea of "how the 
network works". TLS can be profiled to work well in such environments 
(without change to the TLS stack), and so can X.509. Why re-invent the