Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)
"Erik Andersen" <era@x500.eu> Wed, 25 February 2015 08:25 UTC
From: Erik Andersen <era@x500.eu>
To: PKIX <pkix@ietf.org>
Date: Wed, 25 Feb 2015 09:25:02 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/RN6M0B_f66rBhD3n0qmvMRKOdpQ>

The upper bound was removed from X.520 from 2008. The upper bounds were added to X.520 already in the first edition from 1988, despite quite strong opposition. Hard-coded upper bounds could impair future use of the attribute types.

The major reason for removing the upper bounds was compatibility with LDAP, which does not have such upper bounds. There was no opposition to the change within the X.500 community, as X.500 vendors typically also have LDAP implementations.

If there is a need to refer to a specification without upper bounds, then refer to X.509 instead of RFC 5280.

Erik

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On behalf of Martin Rex
Sent: 20 February 2015 17:03
To: Stefan Santesson
Cc: stefans@microsoft.com; i.matveychikov@securitycode.ru; pkix@ietf.org; RFC Errata System
Subject: Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)

Stefan Santesson wrote:
>
> These size limitations are gone in the current edition of X.520
>
> In X.520 2001 edition, surname as example was defined as:
>
> Where Directory string is size limited by the upper bound ub-surname
>
> ub-surname
> INTEGER ::= 64
>
> In the current edition of X.520 (102012) the definition is instead:
>
> Where UnboundedDirectoryString no longer is bounded to the old
> ub-surname size limit.
>
> The same is true for all attributes listed in this errata.

This change in X.520 (2012) seems to be entirely irrelevant to PKIX. PKIX (rfc5280, 2008) is based on X.509 (2005).

I remember when I asked for a correction of an obvious flaw in PKIX that was based on the same flaw in X.509 (2005) in the same fashion that this flaw had already been fixed in X.509 (2008), but there was pretty violent opposition to "fixing" it -- potentially because this would make implementations of this flaw retroactively incompliant with PKIX.

-Martin