Re: What ASN.1 got right

Nico Williams <> Thu, 04 March 2021 15:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF70B3A0E55 for <>; Thu, 4 Mar 2021 07:52:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id v343K_PHSfjq for <>; Thu, 4 Mar 2021 07:52:31 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6BA653A0E54 for <>; Thu, 4 Mar 2021 07:52:31 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|
Received: from (localhost []) by (Postfix) with ESMTP id E6006402ED2; Thu, 4 Mar 2021 15:52:28 +0000 (UTC)
Received: from (100-96-17-38.trex.outbound.svc.cluster.local []) (Authenticated sender: dreamhost) by (Postfix) with ESMTPA id 5999A4030A7; Thu, 4 Mar 2021 15:52:28 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by (trex/6.0.2); Thu, 04 Mar 2021 15:52:28 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|
X-MailChannels-Auth-Id: dreamhost
X-Battle-Whimsical: 1dcb0c4a086d332d_1614873148737_4211197929
X-MC-Loop-Signature: 1614873148736:2239915372
X-MC-Ingress-Time: 1614873148736
Received: from (localhost []) by (Postfix) with ESMTP id 1AC197E387; Thu, 4 Mar 2021 07:52:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed;; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to;; bh=kJ7CRLGtLBWa2M w7VFT8BKj8d/s=; b=mlYJW5t/tiClJWIaW4wisI9hy9siRH9Q/KjxHoOgFdiYQ2 M5C4bLFtMXtyKKwWeNtOIj+N3XmZfhdnZsrBOdQgG3AbZzbWY7kjy3/W22e7JvZy IwRAmWkmuWvkBCImQA6gy7IWRJQ6C+5UZsyvvRNIzwKVxoNwm+jzffz9KdCw4=
Received: from localhost (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: by (Postfix) with ESMTPSA id 6557D86D73; Thu, 4 Mar 2021 07:52:26 -0800 (PST)
Date: Thu, 4 Mar 2021 09:52:23 -0600
X-DH-BACKEND: pdx1-sub0-mail-a25
From: Nico Williams <>
To: Phillip Hallam-Baker <>
Cc: Jared Mauch <>, IETF Discussion Mailing List <>
Subject: Re: What ASN.1 got right
Message-ID: <20210304155223.GM30153@localhost>
References: <20210302010731.GL30153@localhost> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Mar 2021 15:52:33 -0000

On Thu, Mar 04, 2021 at 09:57:47AM -0500, Phillip Hallam-Baker wrote:
> X.509 is really optimized around the totally offline case. And that is a
> bad choice for many applications. But it does work for some.

No, that's not it.

X.509 tries to minimize online infrastructure, but not to zero.

In particular, it minimizes *state*.

Kerberos too tries to minimize online infrastructure, but does much less
well than X.509, and, crucially, as-implemented, Kerberos does NOT
minimize STATE.

When we started using elastic clouds and hosts coming and going we
started having trouble scaling Kerberos even with very nice self-service
tooling for it because creating and key-rotating and deleting service
principals requires mutating and replicating state.  What we ended up
doing is implementing a notion of namespace wherein all host-based
service principals have their keys derived from base keys, the
principals' names, and the _clock_, leading to an unforgiving key
rotation schedule and needing host-based roots of trust other than
long-term keys for host-based services (since, after all, hosts/apps
need credentials to fetch these fast-changing Kerberos keys).

To make Kerberos scale we had to remove its dependence on state
mutation.  Fortunately the state mutation aspect of Kerberos is not
inherent in its specification, just in all KDC implementations to date
(except Heimdal, which has the feature described above).

Now, if you start binding public keys to users via a directory, you'll
be unhappy because you'll have all the problems directories have, and
because you might get the schema wrong and allow only one key per-user,
and even if you don't get the schema wrong you'll have a garbage
collection problem, and even if you manage to solve that with
expirations then the act of registering new keys is still more complex
than the act of signing new certificates.