Re: What ASN.1 got right

Michael Thomas <> Tue, 02 March 2021 22:19 UTC

Subject: Re: What ASN.1 got right
To: Phillip Hallam-Baker <>
Cc: Nico Williams <>, IETF Discussion Mailing List <>
From: Michael Thomas <>
Date: Tue, 2 Mar 2021 14:19:12 -0800

On 3/2/21 1:38 PM, Phillip Hallam-Baker wrote:
>     Or skip all of this complexity and just enroll the naked public
>     key bound to whatever name you like (if any) and having the side
>     benefit of not having to deal with a dinosauric encoding scheme.
> https is not the same as TLS. You don't need the TLS name to be bound 
> to the domain but the https name does. And you also have to provide 
> backwards compatibility for 30 years of https browsers.

As I said, X.509 with TLS for https is water under the bridge. My point
is that we don't need to keep thinking that they are the only way or
even the preferred way to implement identity with asymmetric keys across
trust boundaries, and most especially not when they are within trust
boundaries. I've seen people get completely wrapped around the axle
trying to shoehorn enterprise-level certs and just shake my head at what
on earth they are thinking.

> We looked at this approach in 1995. Really we did. And the problem is 
> that you aren't avoiding a central point of control, you are 
> pretending ICANN is that point of control. And it isn't up to that 
> role institutionally, nor is DNS suited for that purpose.

So instead we got a whole bunch of trust anchors basically by fiat. And 
business models. Lots of business models.

> The Mesh callsign registry is designed to support exactly that.

Is this supposed to make me feel better about induced complexity?