IETF Logo Mail Archive

Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)

Carl Wallace <carl@redhoundsoftware.com> Tue, 10 March 2015 17:03 UTC

Return-Path: <carl@redhoundsoftware.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A86A1A1EF6 for <pkix@ietfa.amsl.com>; Tue, 10 Mar 2015 10:03:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u8kcPbFe9oSC for <pkix@ietfa.amsl.com>; Tue, 10 Mar 2015 10:03:19 -0700 (PDT)
Received: from mail-qc0-f170.google.com (mail-qc0-f170.google.com [209.85.216.170]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D93441A005B for <pkix@ietf.org>; Tue, 10 Mar 2015 10:03:18 -0700 (PDT)
Received: by qcwr17 with SMTP id r17so3453701qcw.11 for <pkix@ietf.org>; Tue, 10 Mar 2015 10:03:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version:content-type :content-transfer-encoding; bh=HcywCxD0i5BhSZOAaChfvoyhj/dAq/Bx0Y0y/5g+zT0=; b=lxJo+BYMgDN1zQtu3Vz0OoIVfp3/mCBgsrUdsvSkvoeIxNo3JqHPZ2ngYDvLeFHotz paH7hISQ7AkhqYedBSevODdB6quZjuhUfVJy1EkLp7vEIInmEhuSAUPIOc4DZpMysdG7 2IhBBKO3pFqMZlrchaie8RNgtZn2cnHOyGZMQ0u/h02cw6LksYLSxxcHG7kFJIC6Rwyp aqV1c/FTTnICkzbVH/JZs+lScUTaE01zsk0j9BoUPwdssFKx3ZLyLhPkcxwTZ0TlCjEt UwgiPAk2loscpq1K+sDAb5aRnpRqbpeikuMOgiDYlC8KatWP2BlMy183kLq1rcNNrB2x Itew==
X-Gm-Message-State: ALoCoQneOZrm+7uobiCTuUm+FWMwvSnjN+nOaGgPMUftYJ6gJTjl71MdMq0UBiOE2d6mOlFNmC0+
X-Received: by 10.55.49.197 with SMTP id x188mr9800447qkx.49.1426006997982; Tue, 10 Mar 2015 10:03:17 -0700 (PDT)
Received: from [192.168.2.27] (pool-96-241-148-223.washdc.fios.verizon.net. [96.241.148.223]) by mx.google.com with ESMTPSA id z67sm746376qge.7.2015.03.10.10.03.16 (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 10 Mar 2015 10:03:17 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.4.7.141117
Date: Tue, 10 Mar 2015 13:03:13 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Jeremy Rowley <jeremy.rowley@digicert.com>, Stefan Santesson <stefan@aaa-sec.com>, "mrex@sap.com" <mrex@sap.com>
Message-ID: <D1249B16.2FA28%carl@redhoundsoftware.com>
Thread-Topic: [pkix] [Editorial Errata Reported] RFC5280 (4274)
References: <D10C4A99.A78CB%stefan@aaa-sec.com> <20150220160318.094B11B1C3@ld9781.wdf.sap.corp> <D1116051.A7AFC%stefan@aaa-sec.com> <d22851aaeb4c4e7f85ade832165ec3df@EX2.corp.digicert.com>
In-Reply-To: <d22851aaeb4c4e7f85ade832165ec3df@EX2.corp.digicert.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/o1Xqw5kQqyI5a_QXNo_VOD9KiDU>
Cc: "pkix@ietf.org" <pkix@ietf.org>, "stefans@microsoft.com" <stefans@microsoft.com>, "i.matveychikov@securitycode.ru" <i.matveychikov@securitycode.ru>
Subject: Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 17:03:21 -0000

Many applications are built with ASN.1 encoders/decoders generated by
ASN.1 compilers that honor the constraints expressed in the ASN.1 modules.
Removing the size constraints would immediately create new
interoperability problems for these applications. You could achieve what
you are after by using one org attribute for DBA name and one org
attribute with the org name. There is no limit on how many org attributes
you express in a DN. A pair of org attributes may even be more readable
for the user than a single oversized value.

On 3/10/15, 12:57 PM, "Jeremy Rowley" <jeremy.rowley@digicert.com> wrote:

>For SSL, the indication of 5280 compliant is through use of OIDs
>asserting compliance with the CAB Forum baseline requirements, which
>requires conformity to 5280.
>
>I'd be interested in seeing the size limit for names removed.  If you
>look at the CAB Forum's EV Guidelines, the O field is used to convey both
>DBA and org name info about a subject. Squeezing in this information (or
>a Romanized version of an international name) is difficult, often
>resulting in a truncation of the name.  Including the entire name would
>provide greater insight on the certificate holder.
>
>
>-----Original Message-----
>From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Stefan Santesson
>Sent: Monday, February 23, 2015 3:05 PM
>To: mrex@sap.com
>Cc: pkix@ietf.org; stefans@microsoft.com; i.matveychikov@securitycode.ru
>Subject: Re: [pkix] [Editorial Errata Reported] RFC5280 (4274)
>
>Hi Martin,
>
>My post was just a reflection of the apparent reality.
>
>There is no sign in a certificate that declares it to be RFC 5280
>conformant.
>RFC 5280 compliance is an agreement between systems, using the profile
>for interop.
>
>The size limitations on attributes is however severely broken, and highly
>unmotivated.
>
>For these reasons they are usually ignored and replaced with common sense.
>
>We might not want to go through the pain to correct this, but the facts
>stays the same.
>
>/Stefan
>
>
>On 20/02/15 17:03, "Martin Rex" <mrex@sap.com> wrote:
>
>>Stefan Santesson wrote:
>>>
>>> These size limitations are gone in the current edition of X.520
>>> 
>>> In X.520 2001 edition, surname as example was defined as:
>>> 
>>> Where Directory string is size limited by the upper bound ub-surname
>>> 
>>> ub-surname     
>>> INTEGER      ::=       64
>>> 
>>> In the current edition of X.520 (102012) the definition is instead:
>>> 
>>> Where UnboundedDirectoryString no longer is bounded to the old
>>>ub-surname  size limit.
>>> 
>>> The same is true for all attributes listed in this errata.
>>
>>
>>This change in X.520 (2012) seems to be entirely irrelevant to PKIX.
>>PKIX (rfc5280, 2008) is based on X.509 (2005).
>>
>>I remember when I asked for a correction of an obvious flaw in PKIX
>>that was based on the same flaw in X.509 (2005) in the same fashion
>>that this flaw had already been fixed in X.509 (2008), but there was
>>pretty violent opposition to "fixing" it -- potentially because this
>>would make implementations of this flaw retroactively incompliant with
>>PKIX.
>>
>>
>>-Martin
>>
>>_______________________________________________
>>pkix mailing list
>>pkix@ietf.org
>>https://www.ietf.org/mailman/listinfo/pkix
>
>
>_______________________________________________
>pkix mailing list
>pkix@ietf.org
>https://www.ietf.org/mailman/listinfo/pkix
>
>_______________________________________________
>pkix mailing list
>pkix@ietf.org
>https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email