Re: [pkix] a question of cert (and OCSP) extension syntax

Paul Hoffman <paul.hoffman@vpnc.org> Tue, 31 March 2015 14:56 UTC

From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
Date: Tue, 31 Mar 2015 07:56:33 -0700
Message-Id: <B679DABC-5B8B-40C4-A7C3-527227D4A876@vpnc.org>
References: <00d201d06b68$779e2c90$66da85b0$@akayla.com>
To: Peter Yee <peter@akayla.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/efquh3J1_wxXq9sZB7NdyK7Q1bg>
Cc: pkix@ietf.org
Subject: Re: [pkix] a question of cert (and OCSP) extension syntax

On Mar 30, 2015, at 9:09 PM, Peter Yee <peter@akayla.com> wrote:
> We've been doing ASN.1 for more than 20 years.  Is it really that hard to
> encode things as ASN.1?

If it means that the system doing the encoding has to add ASN.1 code just to do the encoding, yes. There are few ASN.1 libraries, and they are only lightly maintained. You are asking for security applications to carry around additional code that would otherwise be unnecessary.

If it were assumed that all PKIX-processing software would need to descend into this extension, there might be a better argument, but they don't.

--Paul Hoffman
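As an added illustration of what "adding ASN.1 code just to do the encoding" amounts to in practice (this is example code written for this archive page, not code from the thread or from any PKIX implementation): a minimal DER encoder plus a strict decoder for the RFC 5280 Extension structure, in Python. It assumes only the RFC 5280 definition; the decoder side shows the DER length checks a hand-rolled parser must not skip, since accepting non-minimal or indefinite lengths is where such parsers diverge from real ASN.1 libraries.

```python
# Added example: hand-rolled DER codec for the X.509 Extension type (RFC 5280 4.1):
#   Extension ::= SEQUENCE { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE,
#                            extnValue OCTET STRING }

def der_length(n: int) -> bytes:
    # Short form below 0x80, otherwise minimal long form (DER requirement).
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    # First two arcs are merged into one octet; remaining arcs are base-128.
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def encode_extension(oid: str, value: bytes, critical: bool = False) -> bytes:
    parts = encode_oid(oid)
    if critical:  # DEFAULT FALSE: DER forbids encoding the default value at all
        parts += tlv(0x01, b"\xff")
    return tlv(0x30, parts + tlv(0x04, value))

def read_tlv(buf: bytes, pos: int = 0):
    # Parse one TLV; reject indefinite, oversized, non-minimal or truncated lengths.
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big") if 0 < n <= 4 else -1
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("indefinite, oversized or non-minimal length: not DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def is_valid_der_tlv(buf: bytes) -> bool:
    try:
        return read_tlv(buf)[2] == len(buf)
    except (ValueError, IndexError):
        return False
```

With the real basicConstraints OID 2.5.29.19 and an empty BasicConstraints SEQUENCE (`30 00`), `encode_extension("2.5.29.19", b"\x30\x00", critical=True)` yields `30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00`, the same bytes a full ASN.1 library produces.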