IETF Logo Mail Archive

Re: [saag] ASN.1 vs. DER Encoding

Watson Ladd <watsonbladd@gmail.com> Tue, 23 April 2019 04:03 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C596E1201EE for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 21:03:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwNiXCSgNJlB for <saag@ietfa.amsl.com>; Mon, 22 Apr 2019 21:03:08 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 738A6120150 for <saag@ietf.org>; Mon, 22 Apr 2019 21:03:08 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id k18so10547761lfj.13 for <saag@ietf.org>; Mon, 22 Apr 2019 21:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BlBa9M3rPUpKTf+UnbsbbRG6UkeY66dtK2QAa/07jh8=; b=PFra33YRka4zwW9P2e6ddJOVFPtrhHpqt5IxIm2+VwET/F0cxglsSUaxDsioPp2IpM mNTafDNJWTF2GLNxlq/D78sVLOi5j/6mWLPcygs/hhT89G4KJ02wjbGyu6vYyJUMQGad uDFgMhjxocTW5gz7DvZVCgz74vGU3c6wJl+CA86RBFHv4CXURAdbIz21Kc+uUFvppZgZ glHizTeX4laLWeYcW5QIm9BiHlYJgugzz8rxMZe3iKT5Bp76Tl7XEZsF+b4M8r+7IxCd MxQTbp6L78U8bNc3LqOW7sXX1xFPtjsNF2Ez7hlbGjFfaF6XPsnq4cKQsnvwNm/HNK2X 4QEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BlBa9M3rPUpKTf+UnbsbbRG6UkeY66dtK2QAa/07jh8=; b=MxU+ce+ODUq1LOziuVRKB4/7Y5aBhaM61FUOwjDtDzOjPeXTuW3T2pH1joPO7TAQHc CXwEFqN2q3rm5kwkiN5iJco4y7r0FqTPebUuoD+k5xDv0BRF32xzhnTiwblsz3YHQ25C mnrgErgsUTF0XPEEfvn1gP36XA0WzGOGT086enkA9a6vK8dJxloe90njlgHEYPZ64ZGW zv1l1ehoESzI1rGsMBJOMepXCK8M3I89whi/S/byI0wgHkBW+Jlb9C+2FX/j+gNQv2mi diFgZhaG+P5ToAtgWpuJgeGiQqTs6bCbCBfulmifMsk7c43XLMxk3BoLq2brPLixEy66 0G3g==
X-Gm-Message-State: APjAAAX45KTgrZICoeLY27WiSMRoVqQzq7XS4irHEvBUBOdd5WmJGaXd 4AUqDREqDvVVxq9Yg2jWIriZYoURq3e4FCKNguOs+Q==
X-Google-Smtp-Source: APXvYqx9etOhV4w66UTs3B0mJ1N+yseOiQtiqBM+g2KQijKylzn7QLvctMbZCHgdDIqKtQn+g5l5W3qWbveCssbCRKc=
X-Received: by 2002:ac2:5326:: with SMTP id f6mr12163307lfh.100.1555992186429; Mon, 22 Apr 2019 21:03:06 -0700 (PDT)
MIME-Version: 1.0
References: <20190326214816.GB4211@localhost> <1553679912618.8510@cs.auckland.ac.nz> <20190327151545.GG4211@localhost> <20190330153101.GT35679@kduck.mit.edu> <C3D9DD15-AB23-4B42-BA61-A4E4CD826B77@huitema.net> <F6387640-20F3-4B3C-8E61-58CAF7828CA1@tzi.org> <269bee5d-e225-3484-04ed-3e5de6c19081@cs.tcd.ie> <CAMm+Lwi1pNje_9HMYnf-gQN8scggQDTUB0z0uCsy9trtaYKBsg@mail.gmail.com> <20190422211449.GD3137@localhost> <233FB845-976C-49CA-ADA6-C97035A2426F@vigilsec.com> <20190423035415.GG3137@localhost>
In-Reply-To: <20190423035415.GG3137@localhost>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Mon, 22 Apr 2019 21:02:54 -0700
Message-ID: <CACsn0cnD15QX2tOPg20XNnfHSbHOY3BTnqSiyKEB=7zQyTGaLQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Russ Housley <housley@vigilsec.com>, IETF SAAG <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/w6sjx4F6mBJVbvbVQHp-btx7Rbc>
Subject: Re: [saag] ASN.1 vs. DER Encoding
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 04:03:11 -0000

On Mon, Apr 22, 2019 at 8:54 PM Nico Williams <nico@cryptonector.com> wrote:
>
> On Mon, Apr 22, 2019 at 07:54:52PM -0400, Russ Housley wrote:
> > > And x.400/x.500 naming is an awful disaster.
> >
> > They are not the same.  Once can completely avoid X.400 names, but the
>
> They are not, but they are similar, and similarly difficult to use.
>
> > X.500 one are used in certificates.  I strongly encourage people to
> > keep it simple.  The bits on the wire sitll get too complicated, but
> > the code can mostly do exact match processing.
>
> To keep it simple means to leave the subjectName empty and use dNSName
> and rfc822Name SANs instead wherever possible.
>
> Naming is more than half the battle.  Internet-style naming of things
> won long, long ago.  It's not just that users can handle domainnames and
> name@domainname syntax but not x.500, but that x.500 naming is
> fiendishly difficult to handle in code, or even in specs -- there's not
> even a lossless textual representation of x.500 names [RFC4514]!

Let us not forget the valiant battle to enforce the requirements that
CAs know that Bremerhaven is in Bremen and not in Niedersachsen. I
await the discovery that a small company in Baarle-Hertzog is actually
three feet across the border, with dire consequences for the web PKI.
(If the border moves and you don't, does the certificate need
revocation? Or what about countries being renamed?)
>
> Nico
> --
>
> _______________________________________________
> saag mailing list
> saag@ietf.org
> https://www.ietf.org/mailman/listinfo/saag



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

v2.23.0 | Report a Bug | By Email