RE: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"

"Kemp, David P." <DPKemp@missi.ncsc.mil> Tue, 09 October 2007 17:48 UTC

From: "Kemp, David P." <DPKemp@missi.ncsc.mil>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "Hallam-Baker, Phillip" <pbaker@verisign.com>, Russ Housley <housley@vigilsec.com>, ietf-pkix@imc.org

Then I suppose I misunderstand the meaning of compliance
with a normative value contained in an ASN.1 module.

If PKIX specifies
    ub-common-name INTEGER ::= 64

as normative, and profile X specifies
    ub-common-name INTEGER ::= 65

as normative, is an application (e.g. a browser or a CA)
compiled to profile X compliant with PKIX or not?

In particular, under what theory of compliance can a CA that
issues a 65 character common name be called non-PKIX-compliant
while a relying application that accepts a 65 character common
name be called PKIX-compliant while both are operating in
"profile X mode"?



-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Tuesday, October 09, 2007 12:55 PM
To: Kemp, David P.
Cc: Hallam-Baker, Phillip; Russ Housley; ietf-pkix@imc.org
Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of
upper bound in X.509"


Kemp, David P. wrote:
> A normative upper bound has the undesirable effect of requiring
> implementations to be less liberal in what they accept.  

No it doesn't. An application can, if it so chooses, support
a broader profile than PKIX.

> An informative
> upper bound provides guidance to CAs on maximizing interoperability,

An informative upper bound allows CAs to issue certs that won't be
accepted by implementations that enforce those upper bounds, which
hinders interop.

I would think that if there is real demand for a profile with larger,
or no, upper bounds, then that'd be a simple I-D to write.

So, I still don't want to see 3280bis change in this respect at this
time.

S.
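
Added example, not part of either message and not code from any PKIX implementation: the 64 versus 65 question from the thread as a check on a DER-encoded Name, run with ub-common-name enforced at 64, at 65 ("profile X") and with no bound. The function names and the constructed sample Names are assumptions made for this illustration.

```python
UB_COMMON_NAME = 64                      # PKIX: ub-common-name INTEGER ::= 64
OID_CN = bytes.fromhex("550403")         # id-at-commonName, 2.5.4.3
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x1E: "utf-16-be"}

def der(tag, value):
    """Encode one DER TLV; used only to construct the sample Names."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + value

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def common_names(name_der):
    """Return every commonName string in a DER-encoded Name (RDNSequence)."""
    found = []
    _, rdns, _ = read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)            # RelativeDistinguishedName (SET)
        p = 0
        while p < len(rdn):
            _, atv, p = read_tlv(rdn, p)             # AttributeTypeAndValue
            _, oid, q = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, q)
            if oid == OID_CN and vtag in STRING_TAGS:
                found.append(val.decode(STRING_TAGS[vtag]))
    return found

def accepts(name_der, bound):
    """True if no commonName exceeds bound characters; bound=None means no limit."""
    return bound is None or all(len(cn) <= bound for cn in common_names(name_der))

def make_name(cn, tag=0x0C):
    """Constructed sample: a Name holding a single commonName (UTF8String by default)."""
    atv = der(0x30, der(0x06, OID_CN) + der(tag, cn.encode(STRING_TAGS[tag])))
    return der(0x30, der(0x31, atv))

if __name__ == "__main__":
    for label, bound in (("PKIX", UB_COMMON_NAME), ("profile X", 65), ("no bound", None)):
        print(label, [accepts(make_name("a" * n), bound) for n in (64, 65)])
```

The bound is applied to characters, not octets, so a 64-character UTF8String made of two-octet characters passes at 64 even though its encoded value is 128 octets.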