Re: [saag] ASN.1 vs. DER Encoding

Yoav Nir <ynir.ietf@gmail.com> Tue, 26 March 2019 16:36 UTC

From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <2E91314E-F26D-4368-B02E-77D66FADDC59@gmail.com>
Date: Tue, 26 Mar 2019 17:36:17 +0100
In-Reply-To: <21dec229-5b5c-8d52-6817-edac2e39ceec@openca.org>
Cc: Security Area Advisory Group <saag@ietf.org>
To: "Dr. Pala" <madwolf@openca.org>
References: <21dec229-5b5c-8d52-6817-edac2e39ceec@openca.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/fHaOVOleZIYAy5iLdCiHZMlz358>
Subject: Re: [saag] ASN.1 vs. DER Encoding


> On 26 Mar 2019, at 17:24, Dr. Pala <madwolf@openca.org> wrote:
> 
> Hi SAAG,
> 
> I just wanted to provide some feedback based on the contents of some presentations I have seen in the security area. In particular, I noticed that some authors seem to confuse the definition of information objects (ASN.1) and their encoding (e.g., DER). I noticed that, sometimes, when ASN.1 was mentioned, what was really the topic of discussion was actually related to DER encoding.
> 
> Since I have seen this happening multiple times, I am starting to wonder if I am the one who is wrong. In particular, my question is: do people in the security area support the statement that ASN.1 is equivalent to DER encoding?
> 
> I ask this because ASN.1 is "used for the definition of data types, values, and constraints on data types." independently from how the data is actually encoded (BER, PER, XER, DER, etc.) - it just happens that in X.509 PKIs, we use DER as the preferred encoding (and PEM for 7-bit transport mode). Therefore when we talk about certificate parsing, for example, we do parse DER/PEM, not ASN.1. For example, for the proposal around CBOR-encoded certificates (not endorsing the idea, just using this as an example), defining the CBOR Encoding Rules (CER ?) would provide a path to provide CBOR encoding for all ASN.1 definitions we use in PKIX.
> 
> Maybe this distinction is not important for people that already have a good understanding of the information model, however there might be newcomers (new IETF-ers or just new to the security area) that might think the two are the same when they are not, in my opinion.
> 
> Therefore, my recommendation is to keep this distinction in mind when talking about encoding and parsing of, for example, certificates. I hope this helps.
> 

Hi, Max.

I have noticed this as well. The thing is, although there are several sets of encoding rules (like GSER <https://tools.ietf.org/html/rfc3641>), in practice all of our certificates (and CRLs, certificate requests, and any other structure defined in ASN.1) are encoded in DER or BER. So it has become common to refer to “things whose structure is defined with ASN.1” and “things whose encoding is DER” as the same sets. Because they are. So a lot of us are referring to DER encoding as ASN.1 even though this is a mistake.

Maybe if some other encoding rule (like a CBOR encoding rule) got some traction, people would be more motivated to use the terms correctly.

Yoav
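As an added illustration of the distinction both messages draw (example code written for this archive page, not from either author): one abstract ASN.1 value, SEQUENCE { INTEGER 5, BOOLEAN TRUE }, rendered as DER and as two BER forms that DER forbids (indefinite length, non-minimal long-form length). A lenient BER decoder recovers the same abstract value from all three, while a strict DER check accepts only the canonical bytes, which is why a verifier that hashes "the certificate" must know which encoding it is actually looking at. The hand-built byte strings and the form names are constructed for this example.

```python
ASN1_VALUE = [("INTEGER", 5), ("BOOLEAN", True)]   # added example: the abstract value, before any encoding

def encode(form):
    """Hand-built TLV bytes for ASN1_VALUE under one of three encodings (all constructed for this example)."""
    integer = b"\x02\x01\x05"                          # INTEGER 5 is byte-identical in every form
    return {
        "der":            b"\x30\x06" + integer + b"\x01\x01\xff",                # short definite length; DER needs TRUE == 0xFF
        "ber-indefinite": b"\x30\x80" + integer + b"\x01\x01\x01" + b"\x00\x00",  # 0x80 length + 00 00 terminator; TRUE is any non-zero
        "ber-longform":   b"\x30\x81\x06" + integer + b"\x01\x01\xff",            # 0x81 0x06: long-form length where short form fits
    }[form]

def read_length(buf, pos):
    """Parse a BER length at pos; returns (length or -1 if indefinite, next pos, is_minimal_form)."""
    first, pos = buf[pos], pos + 1
    if first == 0x80:
        return -1, pos, False
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        return length, pos + n, length >= 0x80 and n == (length.bit_length() + 7) // 8
    return first, pos, True

def ber_decode(buf, pos=0):
    """Lenient BER decoder for INTEGER, BOOLEAN and SEQUENCE; returns (value, next pos)."""
    tag, (length, pos, _) = buf[pos], read_length(buf, pos + 1)
    if tag == 0x30:
        items, end = [], (pos + length if length >= 0 else len(buf))
        while pos < end and buf[pos:pos + 2] != b"\x00\x00":   # 00 00 terminates indefinite content
            item, pos = ber_decode(buf, pos)
            items.append(item)
        return items, pos + (2 if length < 0 else 0)
    content, pos = buf[pos:pos + length], pos + length
    if tag == 0x02:
        return ("INTEGER", int.from_bytes(content, "big", signed=True)), pos
    if tag == 0x01:
        return ("BOOLEAN", content != b"\x00"), pos
    raise ValueError(f"unsupported tag {tag:#x}")

def is_der(buf):
    """Strict DER check over the flat TLV stream: definite minimal lengths and BOOLEAN content 00 or FF."""
    pos = 0
    while pos < len(buf):
        tag, (length, pos, minimal) = buf[pos], read_length(buf, pos + 1)
        if length < 0 or not minimal:
            return False
        if not tag & 0x20:              # primitive: consume content (a SEQUENCE's children follow in-line)
            if tag == 0x01 and buf[pos:pos + length] not in (b"\x00", b"\xff"):
                return False
            pos += length
    return True
```

Running `ber_decode(encode(f))[0]` for each of the three forms yields `ASN1_VALUE` every time, while `is_der` returns True only for `encode("der")`.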