Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 09 October 2007 17:34 UTC



Kemp, David P. wrote:
> A normative upper bound has the undesirable effect of requiring
> implementations to be less liberal in what they accept.  

No it doesn't. An application can, if it so chooses, support
a broader profile than PKIX.

> An informative
> upper bound provides guidance to CAs on maximizing interoperability,

An informative upper bound allows CAs to issue certs that won't be
accepted by implementations that enforce those upper bounds, which
hinders interop.

I would think that if there is real demand for a profile with larger,
or no, upper bounds, then that'd be a simple I-D to write.

So, I still don't want to see 3280bis change in this respect at this
time.

S.