Re: What ASN.1 got right

Michael Thomas <> Thu, 04 March 2021 17:04 UTC

Subject: Re: What ASN.1 got right
References: <20210302010731.GL30153@localhost> <> <> <> <20210304155223.GM30153@localhost>
From: Michael Thomas <>
Message-ID: <>
Date: Thu, 4 Mar 2021 09:04:27 -0800
In-Reply-To: <20210304155223.GM30153@localhost>
List-Id: IETF-Discussion <>

On 3/4/21 7:52 AM, Nico Williams wrote:
> On Thu, Mar 04, 2021 at 09:57:47AM -0500, Phillip Hallam-Baker wrote:
>> X.509 is really optimized around the totally offline case. And that is a
>> bad choice for many applications. But it does work for some.
> No, that's not it.
> X.509 tries to minimize online infrastructure, but not to zero.
> In particular, it minimizes *state*.
Um, why should we care about that? Nothing else cares about holding state.
> Now, if you start binding public keys to users via a directory, you'll
> be unhappy because you'll have all the problems directories have, and
> because you might get the schema wrong and allow only one key per-user,
> and even if you don't get the schema wrong you'll have a garbage
> collection problem, and even if you manage to solve that with
> expirations then the act of registering new keys is still more complex
> than the act of signing new certificates.
Oh brother. When you start arguing that people might get implementations wrong, you're grasping at straws. All of the sites that I've used that allow public key authentication have grokked that there might be more than one key like, oh say, GitHub. This is complete nonsense. People might issue certs for 150 years too.
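The two designs the quoted paragraph contrasts, modelled as an added example (my code, not anything from the thread, from X.509 or from any real PKI): an online directory that binds several expiring keys to a user and has to be queried and garbage-collected, beside a signed binding whose check needs only the CA's public key and a clock. The "CA signature" is textbook RSA over two tiny fixed primes, a toy stand-in that is not secure; the user names, keys and clock values are constructed.

```python
"""Toy model of the two key-binding designs the thread argues about.

Added example, not code from the thread or from any X.509 implementation.
The 'CA signature' is textbook RSA over two tiny fixed primes (insecure,
illustration only); the user names, keys and clock values are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field

# --- Toy CA key: textbook RSA with assumed tiny primes (NOT secure) ----------
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent, Python >= 3.8


def _digest(payload: dict) -> int:
    """Hash a canonical JSON encoding, truncated to 32 bits so it is below N."""
    data = json.dumps(payload, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def ca_sign(payload: dict) -> int:
    return pow(_digest(payload), D, N)


def ca_verify(payload: dict, sig: int) -> bool:
    return pow(sig, E, N) == _digest(payload)


# --- Design 1: a signed binding (certificate-like), checked statelessly ------
def issue_cert(user: str, pubkey: str, not_after: int) -> dict:
    body = {"sub": user, "key": pubkey, "not_after": not_after}
    return {"body": body, "sig": ca_sign(body)}


def check_cert(cert: dict, now: int) -> bool:
    """The verifier holds only (E, N) and a clock: no per-user state, no lookup.
    Expiry rides inside the signed body, so nothing needs garbage collecting."""
    body = cert["body"]
    return ca_verify(body, cert["sig"]) and now < body["not_after"]


# --- Design 2: an online directory binding keys to users --------------------
@dataclass
class KeyDirectory:
    """user -> {pubkey: expires_at}. The schema allows many keys per user,
    so the one-key-per-user mistake the thread mentions cannot happen here."""
    keys: dict = field(default_factory=dict)

    def register(self, user: str, pubkey: str, expires_at: int) -> None:
        self.keys.setdefault(user, {})[pubkey] = expires_at

    def lookup(self, user: str, now: int) -> set:
        """Every verification is a query against directory state."""
        return {k for k, exp in self.keys.get(user, {}).items() if now < exp}

    def gc(self, now: int) -> int:
        """Expiration-based garbage collection; returns how many keys were dropped."""
        dropped = 0
        for user in list(self.keys):
            live = {k: exp for k, exp in self.keys[user].items() if now < exp}
            dropped += len(self.keys[user]) - len(live)
            if live:
                self.keys[user] = live
            else:
                del self.keys[user]
        return dropped


def demo() -> dict:
    """Run both designs on constructed data and return what each one decides."""
    t0 = 1_000_000                                   # constructed clock
    # Directory: two keys for the same user, one short-lived.
    directory = KeyDirectory()
    directory.register("alice", "alice-key-1", t0 + 100)
    directory.register("alice", "alice-key-2", t0 + 10)
    before = directory.lookup("alice", t0)
    dropped = directory.gc(t0 + 50)                  # key-2 has expired by now
    after = directory.lookup("alice", t0 + 50)
    # Certificate: the same binding carried in a signed, self-expiring object.
    cert = issue_cert("alice", "alice-key-2", t0 + 10)
    tampered = {"body": dict(cert["body"], key="mallory-key"), "sig": cert["sig"]}
    return {
        "directory_keys_before_gc": before,
        "directory_keys_dropped": dropped,
        "directory_keys_after_gc": after,
        "cert_valid_fresh": check_cert(cert, t0),
        "cert_valid_expired": check_cert(cert, t0 + 50),
        "cert_valid_tampered": check_cert(tampered, t0),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes concrete is where the state lives: the directory must be reachable at verification time and must be swept, while the certificate path carries its own expiry and is checked against nothing but the CA key, at the cost that a revoked-but-unexpired binding stays valid until something online (not modelled here) says otherwise.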