IETF Logo Mail Archive

Re: [saag] ASN.1 vs. DER Encoding

Nico Williams <nico@cryptonector.com> Tue, 23 April 2019 03:54 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD1C2120150 for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 20:54:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHDs_Ci97a-m for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 20:54:27 -0700 (PDT)
Received: from quail.birch.relay.mailchannels.net (quail.birch.relay.mailchannels.net [23.83.209.151]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28BDC1200C3 for <saag@ietf.org>; Mon, 22 Apr 2019 20:54:27 -0700 (PDT)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 65542141BB8; Tue, 23 Apr 2019 03:54:26 +0000 (UTC)
Received: from pdx1-sub0-mail-a18.g.dreamhost.com (100-96-7-81.trex.outbound.svc.cluster.local [100.96.7.81]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id D88BF141470; Tue, 23 Apr 2019 03:54:25 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a18.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.17.2); Tue, 23 Apr 2019 03:54:26 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Befitting-Spot: 79166c69771a7838_1555991666243_4229458605
X-MC-Loop-Signature: 1555991666243:2085895440
X-MC-Ingress-Time: 1555991666243
Received: from pdx1-sub0-mail-a18.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a18.g.dreamhost.com (Postfix) with ESMTP id 83ED48265E; Mon, 22 Apr 2019 20:54:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=3IlgEPVBuwZi3G Sb80B1K6ciTOY=; b=dQdSjTitQYdWJdiXh9BYFE4j/K2Gftqu4CWcVLo2juGtJo cjTpnJ/2gw/lXi6zmrVWOSVczO3M284s1Rzt3+80r9OPjSRjnzQx0Qrb+6P18/Io wDWd09R3XpfHIdAtFmOI5xw77a1qkVAXXWWbgN/pkFqaSp9cv/jf+mo0j1mhw=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a18.g.dreamhost.com (Postfix) with ESMTPSA id 4E6C082661; Mon, 22 Apr 2019 20:54:18 -0700 (PDT)
Date: Mon, 22 Apr 2019 22:54:16 -0500
X-DH-BACKEND: pdx1-sub0-mail-a18
From: Nico Williams <nico@cryptonector.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF SAAG <saag@ietf.org>
Message-ID: <20190423035415.GG3137@localhost>
References: <20190326214816.GB4211@localhost> <1553679912618.8510@cs.auckland.ac.nz> <20190327151545.GG4211@localhost> <20190330153101.GT35679@kduck.mit.edu> <C3D9DD15-AB23-4B42-BA61-A4E4CD826B77@huitema.net> <F6387640-20F3-4B3C-8E61-58CAF7828CA1@tzi.org> <269bee5d-e225-3484-04ed-3e5de6c19081@cs.tcd.ie> <CAMm+Lwi1pNje_9HMYnf-gQN8scggQDTUB0z0uCsy9trtaYKBsg@mail.gmail.com> <20190422211449.GD3137@localhost> <233FB845-976C-49CA-ADA6-C97035A2426F@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <233FB845-976C-49CA-ADA6-C97035A2426F@vigilsec.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgeduuddrgeejgdeihecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecurfgrrhgrmhepmhhouggvpehsmhhtphdphhgvlhhopehlohgtrghlhhhoshhtpdhinhgvthepvdegrddvkedruddtkedrudekfedprhgvthhurhhnqdhprghthheppfhitghoucghihhllhhirghmshcuoehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmqedpmhgrihhlfhhrohhmpehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmpdhnrhgtphhtthhopehnihgtohestghrhihpthhonhgvtghtohhrrdgtohhmnecuvehluhhsthgvrhfuihiivgeptd
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/s5wXedtR7YMYgx5PBvYZiorvF8M>
Subject: Re: [saag] ASN.1 vs. DER Encoding
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 03:54:29 -0000

On Mon, Apr 22, 2019 at 07:54:52PM -0400, Russ Housley wrote:
> > And x.400/x.500 naming is an awful disaster.
> 
> They are not the same.  Once can completely avoid X.400 names, but the

They are not, but they are similar, and similarly difficult to use.

> X.500 one are used in certificates.  I strongly encourage people to
> keep it simple.  The bits on the wire sitll get too complicated, but
> the code can mostly do exact match processing.

To keep it simple means to leave the subjectName empty and use dNSName
and rfc822Name SANs instead wherever possible.

Naming is more than half the battle.  Internet-style naming of things
won long, long ago.  It's not just that users can handle domainnames and
name@domainname syntax but not x.500, but that x.500 naming is
fiendishly difficult to handle in code, or even in specs -- there's not
even a lossless textual representation of x.500 names [RFC4514]!

Nico
--

v2.23.0 | Report a Bug | By Email