RE: Upper Bounds for X.509

"Erik Andersen" <era@tdcadsl.dk> Fri, 26 October 2007 10:32 UTC

From: Erik Andersen <era@tdcadsl.dk>
To: 'Russ Housley' <housley@vigilsec.com>, 'Hoyt L Kesterson II' <hoytkesterson@earthlink.net>, ietf-pkix@imc.org
Subject: RE: Upper Bounds for X.509
Date: Fri, 26 Oct 2007 11:28:41 +0200

PKIX could impose upper bounds on anything they want without this being
reflected in the ASN.1, but in English text.

Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@tdcadsl.dk
http://www.x500standard.com/
http://home20.inet.tele.dk/era/me
 

> -----Original Message-----
> From: owner-ietf-pkix@mail.imc.org [mailto:owner-ietf-pkix@mail.imc.org]
> On Behalf Of Russ Housley
> Sent: 22. oktober 2007 11:34
> To: Hoyt L Kesterson II; ietf-pkix@imc.org
> Subject: Re: Upper Bounds for X.509
> 
> 
> Hoyt:
> 
> One never knows which non-critical extensions might be put in a
> certificate.  Remember when Bob Jueneman was advocating pictures in
> certificates....
> 
> Russ
> 
> 
> At 04:30 AM 10/22/2007, Hoyt L Kesterson II wrote:
> 
> >Steven, I didn't say it was an attractive option. I have always been
> >against these limits.
> >
> >Peter Gutmann recommended that "reasonable" upper bounds be set,
> >e.g. thousand characters for a common name. But it appears his
> >concern is about erratic operation when the certificate itself is huge.
> >
> >It may be more reasonable to set a max size on the entire
> >certificate than on the individual components that comprise it.
> >
> >    hoyt
> >
> > >Hoyt,
> > >
> > >Hoyt L Kesterson II wrote:
> > >>Another option is to keep the bounds as we have them and have the
> > >>IETF standard mandate the bounds, choosing any values you like.
> > >
> > >Then directory deployments would have to choose between being nice
> > >to PKIX applications by imposing PKIX's upper bounds, or being
> > >nice to other LDAP applications by not imposing upper bounds.
> > >
> > >Regards,
> > >Steven