Re: What ASN.1 got right

Michael Thomas <> Thu, 04 March 2021 18:07 UTC

To: Nico Williams <>

On 3/4/21 9:33 AM, Nico Williams wrote:
>> Your online requirements cherry picks that the online requirements will
>> neatly line up in times of need and ignores other online requirements.
>> Authentication is one small part of a larger system. That larger system
>> almost always needs to be online 24/7. X.509 is a relic from the past.
> I've explained about online requirements on every transaction vs. once
> in a while.  It's not cherry-picking.  It's trade-offs.  I've tried
> explaining, and you can disagree with good technical arguments about
> cases where there's better trade-offs or whatever, but instead you've
> just been unnecessarily rude.  Have a nice day.

This entire subthread started from the observation that just putting an
ssh public key in an employee directory would be a lot simpler than 
issuing certificates since it doesn't change anything on the client at 
all. You said that doing something -- installing certificates -- is 
easier than doing nothing at all. It's hard to take that sort of 
statement seriously because it's flat out wrong and contradictory.

But with respect to state and being able to do things offline, if your 
employee directory is down in your average company you have a 5 alarm
fire that needs to be put out just as much as if your website went down. 
The need for offline verification is niche these days. Since that's the 
only advantage that X.509 brings, that tells me that there is a lot of 
tail wagging dogs going on. As it ever were.

Thankfully beyond the vast confusion factor that X.509 brings it mostly
doesn't matter these days. Nobody uses client side certs because they 
don't scale. Manifestly.