Re: What ASN.1 got right

Michael Thomas <mike@mtcc.com> Thu, 04 March 2021 17:07 UTC

Subject: Re: What ASN.1 got right
To: ietf@ietf.org
References: <20210302010731.GL30153@localhost> <0632b948-9ed1-f2bd-96da-9922ebb2aa60@mtcc.com> <YECpybvczdbKHvHx@puck.nether.net> <CAMm+LwiiySi5O1_WDc4-F9x1XfMFFvE-rEbc4uw+31DHJNEHEA@mail.gmail.com> <37C80C42-98A8-4077-AB0F-27539C21934D@webweaving.org> <20210304155417.GN30153@localhost>
From: Michael Thomas <mike@mtcc.com>
Message-ID: <45065b63-2766-6f0f-eef3-2d2984fcc4ac@mtcc.com>
Date: Thu, 04 Mar 2021 09:07:51 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/lRdBNzTNy522LUX62k63UlYwQdk>

On 3/4/21 7:54 AM, Nico Williams wrote:
> On Thu, Mar 04, 2021 at 04:11:18PM +0100, Dirk-Willem van Gulik wrote:
>> As it allows key management, verification, etc without necessarily
>> telling world+dog what you are doing (but for the occasional bulk down
>> load of some CRLs).
> You can dispense with CRLs/OCSP if you use sufficiently short-lived
> certificates.
>
> That requires an online CA to certify those short-lived certificates,
> but it's online infrastructure that is required only once or twice per
> rotation period for any one end entity.

"requires an online" being the key phrase. If you require online, you can reduce the revocation linger time to zero, and you don't need the onerous infrastructure of X.509 at all. Naked public keys are our friends.

Mike
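As an added illustration of the two positions in this exchange (example code, not from the thread or from either author): a toy online CA in Go that issues a 24-hour certificate carrying no CRL distribution point or OCSP URL, a relying party that checks only the chain and the validity window, and, for the reply's alternative, a directory of raw public keys that a relying party which is online anyway can query on every verification. The CA, the names "alice" and "example online CA", the 24h lifetime and the 1h/25h check times are constructed assumptions; everything else is the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// onlineCA is a constructed stand-in for the "online CA" in the quoted text.
type onlineCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newOnlineCA(now time.Time) *onlineCA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example online CA"},
		NotBefore:             now,
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &onlineCA{cert: cert, key: key}
}

// issue certifies pub for exactly one rotation period. The certificate has no
// CRL distribution point and no OCSP URL: its NotAfter is the revocation.
func (ca *onlineCA) issue(cn string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, ca.cert, pub, ca.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyAt is the relying party's whole check: chain plus validity window, no revocation lookup.
func (ca *onlineCA) verifyAt(cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	return err
}

// keyDirectory models the reply's alternative: an online lookup of raw public keys.
// Removal is visible at the next lookup, so the revocation linger time is zero.
type keyDirectory struct{ keys map[string]*ecdsa.PublicKey }
func (d *keyDirectory) authorize(name string, pub *ecdsa.PublicKey) { d.keys[name] = pub }
func (d *keyDirectory) revoke(name string)                          { delete(d.keys, name) }
func (d *keyDirectory) isAuthorized(name string, pub *ecdsa.PublicKey) bool {
	k, ok := d.keys[name]
	return ok && k.Equal(pub)
}

type demoResult struct{ ValidAt1h, RejectedAt25h, AuthorizedBeforeRevoke, AuthorizedAfterRevoke bool }

// runDemo issues a 24h certificate at t0 and checks it at t0+1h and t0+25h,
// then authorizes and revokes the same key in the directory model.
func runDemo(t0 time.Time) demoResult {
	ca := newOnlineCA(t0)
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	cert := ca.issue("alice", &eeKey.PublicKey, t0, 24*time.Hour)
	dir := &keyDirectory{keys: map[string]*ecdsa.PublicKey{}}
	dir.authorize("alice", &eeKey.PublicKey)
	before := dir.isAuthorized("alice", &eeKey.PublicKey)
	dir.revoke("alice")
	return demoResult{
		ValidAt1h:              ca.verifyAt(cert, t0.Add(time.Hour)) == nil,
		RejectedAt25h:          ca.verifyAt(cert, t0.Add(25*time.Hour)) != nil,
		AuthorizedBeforeRevoke: before,
		AuthorizedAfterRevoke:  dir.isAuthorized("alice", &eeKey.PublicKey),
	}
}
func main() { fmt.Printf("%+v\n", runDemo(time.Now())) }
```

`go run` prints the four booleans. The contrast is the point: with the short-lived certificate a compromised key stays usable for the rest of its lifetime (here up to 24 hours) and no CRL or OCSP fetch happens at all, while the directory reflects a revocation at the very next query, at the cost of that query on every verification.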