
From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Mon, 20 May 2019 11:55:39 +0200
Message-ID: <CA+eFz_J1wBkpd2qHG8ko-rFVt1cs_21GJGAJcnRv+7OY2+PR8w@mail.gmail.com>
To: saag <saag@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/Bn8jpWsdlo3oqWdauvApwY3S3Ao>
Subject: Re: [saag] ASN.1 vs. DER Encoding


Late to this thread but thought I'd mention that the Interledger community
has been using Canonical OER for 4 years now.
Some rationale here: https://interledger.org/rfcs/0030-notes-on-oer-encoding

There are OER codecs available in a few languages as a result (Rust,
Typescript/Javascript, Java, Golang...) and our experience has been that
trying to write codecs that parse ASN.1 is overkill,
i.e. they're hand-coded to provide the read/write functions needed by the
protocol.

As a general comment about OER, it is easy to use and understand and
writing code for it was significantly simpler than anything I have seen for
BER/DER etc.

It also helps that most number parsing follows the representations already
natively supported by most programming languages (not sure if that is also
true for BER/DER).



On Tue, 23 Apr 2019 at 20:25, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Tue, Apr 23, 2019 at 10:19:31AM -0500, Nico Williams wrote:
>
> > On Tue, Apr 23, 2019 at 11:08:23AM -0400, Michael Richardson wrote:
> > >     >> X.500 one are used in certificates.  I strongly encourage people to
> > >     >> keep it simple.  The bits on the wire still get too complicated, but
> > >     >> the code can mostly do exact match processing.
> > >
> > >     > To keep it simple means to leave the subjectName empty and use dNSName
> > >     > and rfc822Name SANs instead wherever possible.
> > >
> > > Yes, but we can't leave the IssuerDN empty, and if we want chains of
> > > certificates (we do), then we need to put something into the subjectDN.
> >
> > Well, there is id-ce-issuerAltName, but indeed, the issuer Name must not
> > be empty.
>
> Of course the chaining need not in principle have been based on a
> fictional global X.509 directory tree.  It could have been just key
> ids, with the CA names as commentary for human eyes and audit trails.
> The only downside would then be loss of the ability to bypass path
> length constraints via self-issued certificates.  Not clear we'd
> really miss that.  But this is of course entirely hypothetical...
>
> FWIW, despite clear non-compliance with RFC 5280 and potential
> interoperability risk, some users seem to manage with "self-signed"
> (below skid == akid) certificates that have empty DNs for *both*
> the subject and the issuer (and indeed no SANs of any kind).
>
> These are of course outside the WebPKI, used solely for unauthenticated
> or DANE TLS.  A live example below, yes, in continuous use for the
> last 5 years or so. [ The 4096-bit RSA key and ~1000 year validity
> is a bold challenge to the coming scalable QC crypto apocalypse.
> :-) ]
>
> --
>         Viktor.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             c3:26:2b:13:ca:b1:36:72
>         Signature Algorithm: sha256WithRSAEncryption
>         Issuer:
>         Validity
>             Not Before: Jul 27 14:59:59 2014 GMT
>             Not After : Nov 27 14:59:59 3013 GMT
>         Subject:
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 RSA Public-Key: (4096 bit)
>                 Modulus:
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>             X509v3 Authority Key Identifier:
>                 keyid:98:C6:9B:D5:20:5C:1D:A8:31:39:BD:78:11:37:FF:BD:AD:5B:BD:59
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: sha256WithRSAEncryption
>
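To make the thread's point about number encoding concrete, here is an added example (not code from Interledger or from anyone quoted above) that encodes one value three ways: as a fixed-size OER UInt64, as an unbounded non-negative OER INTEGER with a length determinant, and as a DER INTEGER, with decoders that reject the non-canonical forms each encoding rule forbids. The function names are ours; the OER behaviour follows ITU-T X.696 canonical OER and the DER behaviour X.690.

```python
import struct


def length_octets(n: int) -> bytes:
    """Length octets shared by canonical OER (X.696) and DER (X.690): one octet
    below 128, else 0x80|k followed by k big-endian octets with k minimal."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_length_octets(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode length octets, rejecting non-minimal forms a canonical decoder must refuse."""
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    k = first & 0x7F
    body = buf[pos:pos + k]
    if k == 0 or len(body) != k:
        raise ValueError("bad length octets")
    if body[0] == 0x00 or (k == 1 and body[0] < 0x80):
        raise ValueError("non-canonical length")
    return int.from_bytes(body, "big"), pos + k

# ---- OER: a number is (almost) its machine representation ----
def oer_uint64(v: int) -> bytes:
    """Fixed-size OER UInt64: eight big-endian octets, no tag, no length."""
    return struct.pack(">Q", v)

def oer_read_uint64(buf: bytes, pos: int) -> tuple[int, int]:
    return struct.unpack_from(">Q", buf, pos)[0], pos + 8

def oer_var_uint(v: int) -> bytes:
    """Unbounded non-negative OER INTEGER (Interledger's VarUInt):
    length determinant followed by the minimal big-endian octets."""
    if v < 0:
        raise ValueError("unsigned only")
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return length_octets(len(body)) + body

def oer_read_var_uint(buf: bytes, pos: int) -> tuple[int, int]:
    n, pos = read_length_octets(buf, pos)
    body = buf[pos:pos + n]
    if n == 0 or len(body) != n:
        raise ValueError("truncated integer")
    if n > 1 and body[0] == 0x00:
        raise ValueError("non-canonical integer: leading zero octet")
    return int.from_bytes(body, "big"), pos + n

# ---- DER: tag + length + two's-complement content with sign rules ----
def der_integer(v: int) -> bytes:
    """DER INTEGER (tag 0x02) in the minimal two's-complement octet count,
    so 128 needs a leading 0x00 while -128 fits in one octet."""
    n = ((v if v >= 0 else ~v).bit_length() // 8) + 1  # leaves room for the sign bit
    body = v.to_bytes(n, "big", signed=True)
    return b"\x02" + length_octets(len(body)) + body

def der_read_integer(buf: bytes, pos: int) -> tuple[int, int]:
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    n, pos = read_length_octets(buf, pos + 1)
    body = buf[pos:pos + n]
    if n == 0 or len(body) != n:
        raise ValueError("bad INTEGER length")
    # DER minimality: the first nine content bits must not be all 0 or all 1
    if n > 1 and ((body[0] == 0x00 and body[1] < 0x80) or
                  (body[0] == 0xFF and body[1] >= 0x80)):
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(body, "big", signed=True), pos + n

def compare(v: int) -> dict[str, str]:
    """Hex of all three encodings of one value in [0, 2**64), each round-tripped."""
    out = {"oer_uint64": oer_uint64(v), "oer_var_uint": oer_var_uint(v), "der_integer": der_integer(v)}
    readers = {"oer_uint64": oer_read_uint64, "oer_var_uint": oer_read_var_uint, "der_integer": der_read_integer}
    for name, enc in out.items():
        if readers[name](enc, 0) != (v, len(enc)):
            raise AssertionError(f"{name} round trip failed")
    return {name: enc.hex() for name, enc in out.items()}

if __name__ == "__main__":
    for v in (0, 127, 128, 255, 2**32, 2**64 - 1):  # constructed sample values
        print(v, compare(v))
```

The fixed-size OER field is exactly what `struct.pack` produces, whereas the DER encoder and decoder both have to reason about the sign bit and minimality rules before a single byte of value is touched.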