Re: [saag] ASN.1 vs. DER Encoding

Adrian Hope-Bailie <adrian@hopebailie.com> Mon, 20 May 2019 09:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Bn8jpWsdlo3oqWdauvApwY3S3Ao>

Late to this thread but thought I'd mention that the Interledger community
has been using Canonical OER for 4 years now.
Some rationale here: https://interledger.org/rfcs/0030-notes-on-oer-encoding

There are OER codecs available in a few languages as a result (Rust,
TypeScript/JavaScript, Java, Golang...) and our experience has been that
trying to write codecs that parse ASN.1 is overkill.
I.e., they're hand-coded to provide the read/write functions needed by the
protocol.

As a general comment about OER, it is easy to use and understand and
writing code for it was significantly simpler than anything I have seen for
BER/DER etc.

It also helps that most number parsing follows the representations already
natively supported by most programming languages (not sure if that is also
true for BER/DER).



On Tue, 23 Apr 2019 at 20:25, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> On Tue, Apr 23, 2019 at 10:19:31AM -0500, Nico Williams wrote:
>
> > On Tue, Apr 23, 2019 at 11:08:23AM -0400, Michael Richardson wrote:
> > >     >> X.500 one are used in certificates.  I strongly encourage people to
> > >     >> keep it simple.  The bits on the wire still get too complicated, but
> > >     >> the code can mostly do exact match processing.
> > >
> > >     > To keep it simple means to leave the subjectName empty and use dNSName
> > >     > and rfc822Name SANs instead wherever possible.
> > >
> > > Yes, but we can't leave the IssuerDN empty, and if we want chains of
> > > certificates (we do), then we need to put something into the subjectDN.
> >
> > Well, there is id-ce-issuerAltName, but indeed, the issuer Name must not
> > be empty.
>
> Of course the chaining need not in principle have been based on a
> fictional global X.509 directory tree.  It could have been just key
> ids, with the CA names as commentary for human eyes and audit trails.
> The only downside would then be loss of the ability to bypass path
> length constraints via self-issued certificates.  Not clear we'd
> really miss that.  But this is of course entirely hypothetical...
>
> FWIW, despite clear non-compliance with RFC 5280 and potential
> interoperability risk, some users seem to manage with "self-signed"
> (below skid == akid) certificates that have empty DNs for *both*
> the subject and the issuer (and indeed no SANs of any kind).
>
> These are of course outside the WebPKI, used solely for unauthenticated
> or DANE TLS.  A live example below, yes, in continuous use for the
> last 5 years or so. [ The 4096-bit RSA key and ~1000 year validity
> is a bold challenge to the coming scalable QC crypto apocalypse.
> :-) ]
>
> --
>         Viktor.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             c3:26:2b:13:ca:b1:36:72
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer:
>         Validity
>             Not Before: Jul 27 14:59:59 2014 GMT
>             Not After : Nov 27 14:59:59 3013 GMT
>         Subject:
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (4096 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>             X509v3 Authority Key Identifier:
>                 keyid:98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
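
Added example (not part of this message and not taken from the Interledger codecs): a sketch of the remark above that OER number parsing follows native integer representations, set beside a strict DER INTEGER decoder. The function names and sample byte strings are constructed for illustration, and the length-prefixed OER decoder assumes short-form lengths only.

```python
import struct

def der_decode_integer(buf: bytes) -> int:
    """Decode one DER INTEGER (tag 0x02); reject non-canonical encodings."""
    if len(buf) < 3 or buf[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, pos = buf[1], 2
    if length & 0x80:                          # long-form length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:     # DER: shortest length form only
            raise ValueError("non-minimal length")
        pos += n
    body = buf[pos:]
    if len(body) != length or length == 0:
        raise ValueError("content does not match length")
    if length > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                       (body[0] == 0xFF and body[1] >= 0x80)):
        raise ValueError("redundant leading 0x00/0xFF octet")
    return int.from_bytes(body, "big", signed=True)

def oer_decode_uint(buf: bytes, width: int) -> int:
    """Decode a fixed-width OER unsigned integer: plain big-endian, no tag or length."""
    fmt = {1: ">B", 2: ">H", 4: ">I", 8: ">Q"}[width]
    if len(buf) != width:
        raise ValueError("wrong size for fixed-width integer")
    return struct.unpack(fmt, buf)[0]

def oer_decode_var_uint(buf: bytes) -> int:
    """Decode a length-prefixed OER unsigned integer (short-form length only)."""
    if not buf or buf[0] == 0 or buf[0] & 0x80:
        raise ValueError("empty, zero or long-form length")
    body = buf[1:]
    if len(body) != buf[0] or (len(body) > 1 and body[0] == 0):
        raise ValueError("length mismatch or leading zero octet")
    return int.from_bytes(body, "big")

def accepts(decode, *args) -> bool:  # False when the decoder raises ValueError
    try:
        decode(*args)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for hx in ("0203010001", "020200c8", "02030000c8"):   # constructed samples
        print(hx, accepts(der_decode_integer, bytes.fromhex(hx)))
```

The value 200 shows the difference: DER needs `02 02 00 c8` (a sign-padding octet, since `02 01 c8` decodes to -56), while a one-octet OER unsigned integer is just `c8`.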