Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"

Steven Legg <> Wed, 10 October 2007 01:10 UTC

Return-path: <>
Received: from [] ( by with esmtp (Exim 4.43) id 1IfQ6D-0002m2-ES for; Tue, 09 Oct 2007 21:10:57 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1IfQ5y-00037U-EP for; Tue, 09 Oct 2007 21:10:48 -0400
Received: from (localhost []) by (8.13.5/8.13.5) with ESMTP id l9A0QZvT029019 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 9 Oct 2007 17:26:35 -0700 (MST) (envelope-from
Received: (from majordom@localhost) by (8.13.5/8.13.5/Submit) id l9A0QZTr029018; Tue, 9 Oct 2007 17:26:35 -0700 (MST) (envelope-from
X-Authentication-Warning: majordom set sender to using -f
Received: from ( []) by (8.13.5/8.13.5) with ESMTP id l9A0QXVn029007 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <>; Tue, 9 Oct 2007 17:26:34 -0700 (MST) (envelope-from
Received: from [] (helo=[]) by with esmtpa (Exim 4.68) (envelope-from <>) id 1IfPPC-0003sG-OW; Wed, 10 Oct 2007 10:26:32 +1000
Message-ID: <>
Date: Wed, 10 Oct 2007 10:26:26 +1000
From: Steven Legg <>
User-Agent: Thunderbird (Windows/20070728)
MIME-Version: 1.0
To: "Kemp, David P." <>
CC: Stephen Farrell <>,
Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"
References: <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Precedence: bulk
List-Archive: <>
List-ID: <>
List-Unsubscribe: <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976

Kemp, David P. wrote:
> Then I suppose I misunderstand the meaning of compliance
> with a normative value contained in an ASN.1 module.
> If PKIX specifies
>     ub-common-name INTEGER ::= 64
> as normative, and profile X specifies
>     ub-common-name INTEGER ::= 65
> as normative, is an application (e.g. a browser or a CA)
> compiled to profile X compliant with PKIX or not?

In the general case, an application could not be simultaneously
compliant with both. The application cannot accept a common name
with 65 characters from a profile X compliant application if there
is any chance that it may have to send that common name to a
PKIX-compliant application.

This situation reflects a dilemma faced by directory vendors in
this issue. We already have customers for which the current upper
bounds are too low and have to be relaxed. LDAP does not impose
upper bounds, so compliance with LDAP means ignoring the upper bounds.
But if the directory is being used by a PKIX-compliant CA, then
the upper bounds of RFC 3280 need to be enforced. These incompatible
requirements mean that a directory server cannot simultaneously
satisfy all PKIX, LDAP and X.500 compliant directory clients.

The way out of this dilemma is for PKIX, LDAP and X.500 to agree
on the upper bounds. The consensus in the X.500 working group is
to completely remove the (non-normative) upper bounds, rather than
rejigging them.


> In particular, under what theory of compliance can a CA that
> issues a 65 character common name be called non-PKIX-compliant
> while a relying application that accepts a 65 character common
> name be called PKIX-compliant while both are operating in
> "profile X mode"?
> -----Original Message-----
> From: Stephen Farrell [] 
> Sent: Tuesday, October 09, 2007 12:55 PM
> To: Kemp, David P.
> Cc: Hallam-Baker, Phillip; Russ Housley;
> Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of
> upper bound in X.509"
> Kemp, David P. wrote:
>> A normative upper bound has the undesirable effect of requiring
>> implementations to be less liberal in what they accept.  
> No it doesn't. An application can, if it so chooses, support
> a broader profile than PKIX.
>  > An informative
>> upper bound provides guidance to CAs on maximizing interoperability,
> An informative upper bound allows CAs to issue certs that won't be
> accepted by implementations that enforce those upper bounds, which
> hinders interop.
> I would think that if there is real demand for a profile with larger,
> or no, uppper bounds, then that'd be a simple I-D to write.
> So, I still don't want to see 3280bis change in this respect at this
> time.
> S.