Re: What ASN.1 got right

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Mar 02, 2021 at 12:28:03AM -0500, Phillip Hallam-Baker wrote:
> Thing about the WebPKI is that everyone seems to hate it just as much today
> as when we originally proposed it 25 years ago. All the things people keep
> saying were better were on the table then as well. We could have a
> discussion about why DNSSEC is no better but that won't get us anywhere.

We hate WebPKI because it isn't really a PKI and because x.509 meant
x.500 naming and because it's ugly and old and creaky.

OTOH, PKIX at least has evolved almost enough over the years.  We now
have better naming, and we understand that short-lived credentials are
the only way to do revocation (Kerberos knew that long ago).

I like OpenSSH's simpler certificates, but in some ways they're too
simple.  I really do want a hint as to the "type" of a "principal" name
because the corporate world I inhabit has multiple types of principal
names.  Etc.

> None of the systems on the table in 1995 is going to work and if you want
> to understand why go get a machine that SHIPPED with Windows 95, boot it
> and see what we had to work with.
> 
> PKIX and the WebPKI were built for 30MHz machines with 32 bit processors
> and 4MB of memory.

I don't follow.  Given all the CPU, RAM, and storage available now, what
would you do differently?  Mesh, yes, I know, but, remind me how Mesh
uses all that extra HW that PKIX leaves on the table?

> If you want a decent PKI for user authentication you need to be willing to
> do Internet2 for PKI and do some blue sky research.

No please.  That's how we got X.500 naming to begin with.  Subject Alt
Names exist because X.500 failed.

SMTP and RFCx822-style email address naming killed X.400 because X.400
inherently meant an awful UX.  X.500 naming needs to die.

> There aren't many folk doing that at the moment as BitPonzi has sucked all
> the air out of the room.

Sadly this is too true.

> Its not ASN.1 that is the problem. Its actually Public Key crypto isn't
> enough, you need threshold. But we are getting rid of the ASN.1 as well for
> two reasons. First, nobody is going to use our stuff if we force them to do
> ASN.1. Second, nobody is paying me to do my stuff right now but once I have
> it working in JSON/JSON-B, I can probably find some ASN.1 aficionados to
> give me a consulting gig to write an ASN.1 version.

Eh, to be sure I don't anyone to have to use ASN.1.  And I agree any
replacement for PKIX should use JSON, like JWT does.  As I said, the
biggest problem with ASN.1 is the dearth of open source tooling, and
that is caused by bad pricing decisions made in 1984 [by people doing
blue sky research].

Though sometimes I think simpler is bad because it makes it too easy to
end up with ton of half-baked simple implementations and can lead to an
interoperability nightmare.

[And again, you can do JSON with ASN.1, but whatever.]

Nico
-- 




[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux