Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)
Stefan Santesson <stefan@aaa-sec.com> Mon, 23 February 2015 22:05 UTC
Date: Mon, 23 Feb 2015 23:05:04 +0100
From: Stefan Santesson <stefan@aaa-sec.com>
To: mrex@sap.com
Message-Id: <D1116051.A7AFC%stefan@aaa-sec.com>
Thread-Topic: [pkix] [Editorial Errata Reported] RFC5280 (4274)
References: <D10C4A99.A78CB%stefan@aaa-sec.com> <20150220160318.094B11B1C3@ld9781.wdf.sap.corp>
In-Reply-To: <20150220160318.094B11B1C3@ld9781.wdf.sap.corp>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/cVKhPCQrRfRCDC6Ki2wRdQkMOtw>
Cc: pkix@ietf.org, stefans@microsoft.com, i.matveychikov@securitycode.ru
Hi Martin,

My post was just a reflection of the apparent reality. There is no sign in a certificate that declares it to be RFC 5280 conformant. RFC 5280 compliance is an agreement between systems, using the profile for interop.

The size limitations on attributes are however severely broken, and highly unmotivated. For these reasons they are usually ignored and replaced with common sense.

We might not want to go through the pain to correct this, but the facts stay the same.

/Stefan

On 20/02/15 17:03, "Martin Rex" <mrex@sap.com> wrote:

>Stefan Santesson wrote:
>>
>> These size limitations are gone in the current edition of X.520
>>
>> In X.520 2001 edition, surname as example was defined as:
>>
>> Where Directory string is size limited by the upper bound ub-surname
>>
>> ub-surname
>> INTEGER ::= 64
>>
>> In the current edition of X.520 (102012) the definition is instead:
>>
>> Where UnboundedDirectoryString no longer is bounded to the old
>> ub-surname
>> size limit.
>>
>> The same is true for all attributes listed in this errata.
>
>
>This change in X.520 (2012) seems to be entirely irrelevant to PKIX.
>PKIX (rfc5280, 2008) is based on X.509 (2005).
>
>I remember when I asked for a correction of an obvious flaw in
>PKIX that was based on the same flaw in X.509 (2005) in the same
>fashion that this flaw had already been fixed in X.509 (2008),
>but there was pretty violent opposition to "fixing" it -- potentially
>because this would make implementations of this flaw retroactively
>incompliant with PKIX.
>
>
>-Martin
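To make the size-limit discussion above concrete, here is an added example (not code from the thread or from any of its participants) that lints a DER-encoded X.501 Name against the RFC 5280 Appendix A upper bounds. It assumes definite-length DER, single-valued RDNs with UTF8String values in the constructed sample, and approximates TeletexString as Latin-1; the OIDs and bounds are those of RFC 5280 Appendix A.

```python
# Added example (not from the thread); assumes definite-length DER and no nested Names.
# Attribute OID (DER contents) -> (name, RFC 5280 Appendix A upper bound). X520name
# attributes such as surname use ub-name (32768) in RFC 5280, not the X.520 (2001)
# ub-surname of 64 quoted in the thread.
UB = {
    b"\x55\x04\x03": ("commonName", 64), b"\x55\x04\x04": ("surname", 32768),
    b"\x55\x04\x06": ("countryName", 2), b"\x55\x04\x07": ("localityName", 128),
    b"\x55\x04\x08": ("stateOrProvinceName", 128), b"\x55\x04\x0a": ("organizationName", 64),
    b"\x55\x04\x0b": ("organizationalUnitName", 64), b"\x55\x04\x2a": ("givenName", 32768),
}
# DirectoryString tags -> codec, so SIZE bounds count characters, not bytes (T61 ~ latin-1).
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1", 0x16: "ascii",
               0x1C: "utf-32-be", 0x1E: "utf-16-be"}
def tlv(tag, body):  # encode one DER TLV with short- or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def read_tlv(buf, i):  # parse the TLV at buf[i]; returns (tag, value, index after it)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n
def build_name(rdns):  # Name ::= SEQUENCE OF RDN; each (oid, text) is one UTF8String RDN
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode())))
        for oid, text in rdns))
def check_name(name_der):  # -> [(attribute, char_count, bound)] for over-long values
    violations, i = [], 0
    _, rdn_seq, _ = read_tlv(name_der, 0)
    while i < len(rdn_seq):
        _, rdn, i = read_tlv(rdn_seq, i)       # RelativeDistinguishedName: SET OF ATV
        j = 0
        while j < len(rdn):
            _, atv, j = read_tlv(rdn, j)        # AttributeTypeAndValue: SEQUENCE
            _, oid, k = read_tlv(atv, 0)
            vtag, val, _ = read_tlv(atv, k)
            if oid in UB and vtag in STRING_TAGS:
                label, bound = UB[oid]
                chars = len(val.decode(STRING_TAGS[vtag], "replace"))
                if chars > bound:
                    violations.append((label, chars, bound))
    return violations
# Constructed sample: the 70-character surname passes under ub-name, but the
# 80-character commonName exceeds ub-common-name = 64.
SAMPLE = build_name([(b"\x55\x04\x06", "SE"), (b"\x55\x04\x04", "S" * 70),
                     (b"\x55\x04\x03", "C" * 80)])
```

A validator that enforces these bounds strictly would reject the sample on commonName alone, which is the behaviour the thread describes as being replaced with common sense in deployed implementations.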