Re: [saag] ASN.1 vs. DER Encoding
Nico Williams <nico@cryptonector.com> Tue, 26 March 2019 22:05 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 801011203B6 for <saag@ietfa.amsl.com>; Tue, 26 Mar 2019 15:05:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ebMNq580zC3N for <saag@ietfa.amsl.com>; Tue, 26 Mar 2019 15:05:20 -0700 (PDT)
Received: from catfish.maple.relay.mailchannels.net (catfish.maple.relay.mailchannels.net [23.83.214.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA3CC12034E for <saag@ietf.org>; Tue, 26 Mar 2019 15:05:19 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 0BAF33E530F; Tue, 26 Mar 2019 22:05:19 +0000 (UTC)
Received: from pdx1-sub0-mail-a5.g.dreamhost.com (unknown [100.96.11.48]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 763183E568A; Tue, 26 Mar 2019 22:05:18 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a5.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.17.2); Tue, 26 Mar 2019 22:05:18 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Spot-Wipe: 32fcd7aa172b087f_1553637918793_82986774
X-MC-Loop-Signature: 1553637918793:1144012841
X-MC-Ingress-Time: 1553637918793
Received: from pdx1-sub0-mail-a5.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a5.g.dreamhost.com (Postfix) with ESMTP id 304BD7FC3A; Tue, 26 Mar 2019 15:05:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=IRax0CIIrIbXPN TU9yE3e7VbOM0=; b=LPUYM8Jhwgo/sUAAQ54d3PWjcSTkHA+9vKKqXccVLljc1+ GlwRT3NgM9OYJIAsbFEgrCKHDHp+uQz/HERQ6L86lTY9yLTGG9vvhWf6HIcdr4cI J7he+FeumuIGaL7lMCgLOOiU5UWuwR+jgNKaKxviBxFgmz4T3cC39xPY4LKdo=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a5.g.dreamhost.com (Postfix) with ESMTPSA id C93E67FC39; Tue, 26 Mar 2019 15:05:16 -0700 (PDT)
Date: Tue, 26 Mar 2019 17:05:13 -0500
X-DH-BACKEND: pdx1-sub0-mail-a5
From: Nico Williams <nico@cryptonector.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Dr. Pala" <madwolf@openca.org>, "saag@ietf.org" <saag@ietf.org>
Message-ID: <20190326220512.GC4211@localhost>
References: <21dec229-5b5c-8d52-6817-edac2e39ceec@openca.org> <20198.1553629138@dooku.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20198.1553629138@dooku.sandelman.ca>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: 0
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedutddrkedtgdduvdduucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuggftfghnshhusghstghrihgsvgdpffftgfetoffjqffuvfenuceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/OerQ5GfrENtPwG8GIbhMHIQ19I8>
Subject: Re: [saag] ASN.1 vs. DER Encoding
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Mar 2019 22:05:23 -0000
On Tue, Mar 26, 2019 at 08:38:58PM +0100, Michael Richardson wrote: > ASN.1 is the goo the causes DER encoding to be present on the wire. ASN.1 has a number of encoding rules options. One can always add more. Indeed, the IETF already has! (Search for GSER.) It would be more accurate to say that "ASN.1 is the goo that generally causes us to use DER encoding", but to be truly accurate I'd rephrase it as "often, because we've chosen DER in the past, we tend to or have to stick to DER in the future". E.g., if you're working on an extension to PKIX/CMS/Kerberos, it's pretty natural to use DER for it because if you have a PKIX or Kerberos implementation, chances are you have an ASN.1/DER implementation You could use a different encoding, but sticking to what you already have tooling for is the simplest thing to do. If you're making changes to PKIX/CMS/Kerberos that don't even fit in BIT STRING / OCTET STRING typed holes, then you must use DER. > While it is true that ASN.1 could be used with different encoding rules, > nobody really cares about that. Almost nobody uses encoders/decoders that > generate code from ASN.1 today, it's all hand-coded... > > This is why we hate DER, and we like CDDL/CBOR. It would be easier for me to adapt Heimdal's ASN.1 compiler to support alternate encoding rules than to start from scratch or add a new syntax to it. The syntax is just a syntax, but by ditching ASN.1 gratouitously you force me to spend a lot more effort on my tooling, thus creating more new legacy, and also more old legacy if I do start from scratch (because now I have TWO implementations of different but similar things to maintain). That is huge cost that CDDL is going to force on the rest of us, which is why, unless there is some compelling reason for it, or unless there is a straightforward mapping between the two syntaxes (which would make clear that the one is not necessary, but at least not too problematic) I'm opposed. If there's a simple mapping between CDDL and ASN.1, then I'll grudgingly accept CDDL. > > Maybe this distinction is not important for people that already have a > > good understanding of the information model, however there might be > > newcomers (new IETF-ers or just new to the security area) that might > > think the two are the same when they are not, in my opinion. > > They are, from a practical point of view, the same. > That wasn't true back in 1986, but many of the people who would make the > mistake were not even alive then. It's the reverse. In 1984 BER/DER/CER were pretty much the only ERs, and PER was a thing the ITU-T was building in response to the Internet community's dislike of TLV encodings. Now there's a plethora of encoding rules. You might say that perception trumps things, but if it's your perception and you're not willing to consider that it's wrong, then I'd say that's a problem because it causes me to do more work to deal with the fallout of your incorrect perception. CBOR is fine, and we do need better alternatives to BER/DER in the IETF, but we don't need a new syntax. Nico --
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- [saag] ASN.1 vs. DER Encoding Dr. Pala
- Re: [saag] ASN.1 vs. DER Encoding Yoav Nir
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Volker Birk
- Re: [saag] ASN.1 vs. DER Encoding Volker Birk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Carl Wallace
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Dr. Pala
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- Re: [saag] ASN.1 vs. DER Encoding Peter Gutmann
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Sean Leonard
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Christian Huitema
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Carsten Bormann
- Re: [saag] ASN.1 vs. DER Encoding Stephen Farrell
- Re: [saag] ASN.1 vs. DER Encoding Salz, Rich
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Salz, Rich
- Re: [saag] ASN.1 vs. DER Encoding Benjamin Kaduk
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Russ Housley
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Watson Ladd
- Re: [saag] ASN.1 vs. DER Encoding Phillip Hallam-Baker
- Re: [saag] ASN.1 vs. DER Encoding Michael Richardson
- Re: [saag] ASN.1 vs. DER Encoding Nico Williams
- Re: [saag] ASN.1 vs. DER Encoding Viktor Dukhovni
- Re: [saag] ASN.1 vs. DER Encoding Adrian Hope-Bailie