Re: IETF 53 SASL bar BoF minutes
Laurence Lundblade <lgl@qualcomm.com> Fri, 29 March 2002 20:52 UTC
Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g2TKqSG03224 for ietf-sasl-bks; Fri, 29 Mar 2002 12:52:28 -0800 (PST)
Received: from numenor.qualcomm.com (numenor.qualcomm.com [129.46.51.58]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2TKqRm03218 for <ietf-sasl@imc.org>; Fri, 29 Mar 2002 12:52:27 -0800 (PST)
Received: from neophyte.qualcomm.com (neophyte.qualcomm.com [129.46.61.149]) by numenor.qualcomm.com (8.12.1/8.12.1/1.0) with ESMTP id g2TKqNRU000998; Fri, 29 Mar 2002 12:52:24 -0800 (PST)
Received: from LLUNDBLA2.qualcomm.com (llundbla2.qualcomm.com [129.46.158.82]) by neophyte.qualcomm.com (8.12.1/8.12.1/1.0) with ESMTP id g2TKqMea006409; Fri, 29 Mar 2002 12:52:22 -0800 (PST)
Message-Id: <5.1.0.14.2.20020329123034.03438ab8@jittlov.qualcomm.com>
X-Sender: llundbla@jittlov.qualcomm.com
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Fri, 29 Mar 2002 12:52:14 -0800
To: RL 'Bob' Morgan <rlmorgan@washington.edu>
From: Laurence Lundblade <lgl@qualcomm.com>
Subject: Re: IETF 53 SASL bar BoF minutes
Cc: SASL list <ietf-sasl@imc.org>
In-Reply-To: <Pine.LNX.4.44.0203291042400.26572-100000@perx.cac.washingt on.edu>
References: <5.1.0.14.2.20020328155118.03496d48@jittlov.qualcomm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>
At 10:56 AM 3/29/2002 -0800, RL 'Bob' Morgan wrote: >On Thu, 28 Mar 2002, Laurence Lundblade wrote: > > > Seems like you could put 10 or 20 certs in a 16Kb buffer. Are you > expecting > > chains longer than that? Seems that would be approaching meaningless in > > terms of any real-world trust. > >Depends on how big a cert is. X.509 certs today are pretty minimal, but >if you look in draft-ietf-pkix-new-part1-12.txt you'll see a whole pile of >extensions that exist presumably so authorities can start using them, and >other pkix docs specify yet more extensions. There will presumably be >struggle between PKI deployers wanting to jam lotsa stuff into their certs >(some of which, like name constraints, are arguably essential to the >overall security of the scheme) and small-device folks saying hey these >things won't fit. How big a typical cert will be 5 years from now is >pretty hard to say, seems to me. Doing the math, we'd have certs of 3Kb for a chain of length 5, which I'd expect is about the long cert chain that would ever be useful. Actually I'd agree with you that this is probably too small for a hard limit for all of time and space. > > Also, if the certs are ordered leaf to root and the whole record > > containing is not signed, you can process them with a smaller buffer. > > The only thing about SSL that requires the large buffer is that you have > > to verify the MAC/hash before passing the data along to the next layer. > >Umm, I think you're talking about buffer management inside your >implementation. The issue at hand is, I think, the size of objects that >SASL-profiled application protocols have to be able to handle to support >an acceptable set of security mechanisms. Well, yes I'm talking about buffer management inside an app, and the implications for that imposed by the protocol. In my implementation experience with large parts POP, MIME, 2822, SMTP, HTML, HTTP and SSL, the largest buffer absolutely required is 16Kb. That requirement comes from having to process *signed* SSL records. The rest of all of it you can be clever about and process in small chunks. If SSL had chosen to allow 64Kb records of *signed* data, we would have been dead trying to implement it on small devices. Those of us that want to do native protocols on small devices would have been forced to an alternate protocol like WSSL. So are the certs lists signed as a whole? If they're not signed then there's no issue and the horse is dead :-) LL
- IETF 53 SASL bar BoF minutes RL 'Bob' Morgan
- Re: IETF 53 SASL bar BoF minutes Alexey Melnikov
- Re: IETF 53 SASL bar BoF minutes Marshall Rose
- Re: IETF 53 SASL bar BoF minutes Tony Hansen
- Re: IETF 53 SASL bar BoF minutes Raif S. Naffah
- Re: IETF 53 SASL bar BoF minutes Alexey Melnikov
- Re: IETF 53 SASL bar BoF minutes Alexey Melnikov
- Re: IETF 53 SASL bar BoF minutes Alexey Melnikov
- Re: IETF 53 SASL bar BoF minutes Laurence Lundblade
- Re: IETF 53 SASL bar BoF minutes Lawrence Greenfield
- Re: IETF 53 SASL bar BoF minutes Laurence Lundblade
- Re: IETF 53 SASL bar BoF minutes Lawrence Greenfield
- Re: IETF 53 SASL bar BoF minutes Laurence Lundblade
- Re: IETF 53 SASL bar BoF minutes RL 'Bob' Morgan
- Re: IETF 53 SASL bar BoF minutes Laurence Lundblade
- Re: IETF 53 SASL bar BoF minutes RL 'Bob' Morgan
- maximum token size John Gardiner Myers
- Re: IETF 53 SASL bar BoF minutes Laurence Lundblade