Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"

Paul Hoffman <paul.hoffman@vpnc.org> Wed, 10 October 2007 15:36 UTC

Date: Wed, 10 Oct 2007 10:35:36 -0400
To: Steven Legg <steven.legg@eb2bcom.com>, "Kemp, David P." <DPKemp@missi.ncsc.mil>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, ietf-pkix@imc.org, "ietf-pkix@vpnc.org" <ietf-pkix@vpnc.org>

At 10:26 AM +1000 10/10/07, Steven Legg wrote:
>The way out of this dilemma is for PKIX, LDAP and X.500 to agree
>on the upper bounds. The consensus in the X.500 working group is
>to completely remove the (non-normative) upper bounds, rather than
>rejigging them.

Has the X.500 working group communicated that to the PKIX WG, or the IETF?

At 10:41 AM +1000 10/10/07, Steven Legg wrote:
>>- Do we object to the ITU making the upper bound on DirectoryString optional
>
>They've been optional since the second edition of X.500. The defect
>resolution will make that clearer, as well as steering away from
>any specific suggestions for the upper bounds.

We disagree that this DR "will make it clearer". What was sent to the 
PKIX WG said:

In relation to resolve a Defect Report, it appears to majority within 
the X.500 community to remove hard-coded length restriction whenever 
a DirectoryString is used.
. . .
We plan to remove the upper bounds specified in the standard. In 
particular we intend to eliminate the Upper Bounds for 
DirectoryString.

That does not sound anything like "They've been optional since the 
second edition of X.500."

Could you get the X.500 working group to make it clear if they are 
considering removing, or have already removed, the upper bounds on all the 
X.500-related strings that Russ listed?

>>- Should we do anything to draft-ietf-pkix-rfc3280bis to reflect that
>>
>>The answer to the first should be "no, we don't". Russ gave a list 
>>that shows the ITU has a *long* way to go before it gets rid of 
>>the silly maximum lengths in X.509.
>
>The defect resolution will throw them all out at the same time.

Where does it say that? The DR listed exactly one string type, 
DirectoryString. Again, having this be clearer would help us out a 
lot.


--Paul Hoffman, Director
--VPN Consortium