
Re: encodings: do we need binary at all?


I'll take a slightly contrarian position:

I think that binary-format certificates and protocols may be
appropriate, so we shouldn't rule them out at this point in the
discussion.  I think the whole discussion of encoding is premature at
this stage; let's decide on *what* we want to encode, and only *then*
decide *how* to encode it.  Using an abstract syntax (e.g., ASN.1- or
IDL-like) at this point in the discussion may be appropriate; once we
fix on a set of fields we want in certificates, we should toss the
abstract syntax and *then* focus on a concrete encoding (whether that
encoding is ascii, traditional Internet bits-in-boxes, DER, NDR, XDR,
or something else is another story..)

The rest of my message is an attempt to justify binary as being

For certain applications, (e.g., key management for ipsec), binary is
a natural certificate format, since the enclosing protocol is also

it's also worth noting that all computer-oriented encryption
algorithms these days operate on binary data, not ASCII, so it may
become necessary to ASCII-encode the output.  If you have multiple
nested layers of encryption in the protocol as a whole, and you do
only ASCII-encoding, not binary encoding, you'll get a 2x-3x expansion
on each encryption, so two levels of nesting would give you 4x-9x
expansion; three will give you 8x-27x expansion, etc.

Other examples..

If you want certificates which expire (and I do..), you need
timestamps.  Kerberos v5 tickets, which are a little like
certificates, need three or four timestamps..

ASN.1/DER timestamps are essentially almost-human-readable ASCII
timestamps with the punctuation squeezed out.  They're something like
16-20 bytes long, not counting the DER field framing overhead.  A
pure-binary timestamp as used by Internet protocols is typically 4 or
8 bytes, depending on what kind of resolution you want.  This is a ~4x

If you're encoding network protocol addresses (again, something you
may want for ipsec), an ascii encoding (dotted quads) will be ~3x-4x
bigger than a binary encoding.

                                        - Bill
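As an added example (not code from Bill's message), the following Python sketch measures the multiplicative armoring expansion the post describes, using base16 (hex) and base64 as stand-in ASCII encodings and random bytes as a stand-in for ciphertext, and compares an ASN.1 GeneralizedTime timestamp with a 4-byte binary one:

```python
"""Size cost of ASCII-armoring nested binary layers, and of timestamp encodings.
Added illustration; the armoring functions and sample sizes are assumptions."""
import base64
import os
import struct
from datetime import datetime, timezone


def armor_nested(payload: bytes, layers: int, armor) -> bytes:
    """Apply `armor` once per layer, standing in for 'encrypt, then ASCII-encode'.
    Encryption itself changes size only marginally, so only the armoring
    expansion accumulates; each layer re-armors the previous layer's output."""
    data = payload
    for _ in range(layers):
        data = armor(data)
    return data


def expansion(payload_len: int, layers: int, armor) -> float:
    """Ratio of armored size to original size after `layers` nestings.
    The length of base16/base64 output depends only on the input length,
    so the ratio is deterministic even though the payload is random."""
    payload = os.urandom(payload_len)  # constructed stand-in for ciphertext
    return len(armor_nested(payload, layers, armor)) / payload_len


def der_generalized_time(ts: datetime) -> bytes:
    """ASN.1 GeneralizedTime contents octets, e.g. b'19960101123000Z' (15 bytes),
    not counting the tag and length octets DER wraps around it."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode("ascii")


def binary_time32(ts: datetime) -> bytes:
    """4-byte big-endian seconds since the Unix epoch, as Internet protocols use."""
    return struct.pack("!I", int(ts.timestamp()))


if __name__ == "__main__":
    for name, armor in (("base16", base64.b16encode), ("base64", base64.b64encode)):
        for layers in (1, 2, 3):
            print(f"{name} x{layers}: {expansion(243, layers, armor):.2f}x")
    t = datetime(1996, 1, 1, 12, 30, tzinfo=timezone.utc)
    print(len(der_generalized_time(t)), "bytes DER vs", len(binary_time32(t)), "bytes binary")
```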