IETF Logo Mail Archive

Re: IETF 53 SASL bar BoF minutes

"RL 'Bob' Morgan" <rlmorgan@washington.edu> Fri, 29 March 2002 18:55 UTC

Received: from localhost (localhost [[UNIX: localhost]]) by above.proper.com (8.11.6/8.11.3) id g2TItKE26540 for ietf-sasl-bks; Fri, 29 Mar 2002 10:55:20 -0800 (PST)
Received: from mxout3.cac.washington.edu (mxout3.cac.washington.edu [140.142.32.19]) by above.proper.com (8.11.6/8.11.3) with ESMTP id g2TItIm26536 for <ietf-sasl@imc.org>; Fri, 29 Mar 2002 10:55:18 -0800 (PST)
Received: from mailscan-out1.cac.washington.edu (mailscan-out1.cac.washington.edu [140.142.32.17]) by mxout3.cac.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with SMTP id g2TItJ8J010416 for <ietf-sasl@imc.org>; Fri, 29 Mar 2002 10:55:20 -0800
Received: FROM smtp.washington.edu BY mailscan-out1.cac.washington.edu ; Fri Mar 29 10:55:13 2002 -0800
Received: from D-140-142-21-42.dhcp2.washington.edu (D-140-142-21-42.dhcp2.washington.edu [140.142.21.42]) (authenticated bits=0) by smtp.washington.edu (8.12.1+UW01.12/8.12.1+UW02.01) with ESMTP id g2TItCkx014529 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Fri, 29 Mar 2002 10:55:12 -0800
Date: Fri, 29 Mar 2002 10:56:52 -0800
From: RL 'Bob' Morgan <rlmorgan@washington.edu>
X-X-Sender: rlmorgan@perx.cac.washington.edu
To: Laurence Lundblade <lgl@qualcomm.com>
cc: SASL list <ietf-sasl@imc.org>
Subject: Re: IETF 53 SASL bar BoF minutes
In-Reply-To: <5.1.0.14.2.20020328155118.03496d48@jittlov.qualcomm.com>
Message-ID: <Pine.LNX.4.44.0203291042400.26572-100000@perx.cac.washington.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ietf-sasl@mail.imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-sasl/mail-archive/>
List-ID: <ietf-sasl.imc.org>
List-Unsubscribe: <mailto:ietf-sasl-request@imc.org?body=unsubscribe>


On Thu, 28 Mar 2002, Laurence Lundblade wrote:

> Seems like you could put 10 or 20 certs in a 16Kb buffer. Are you expecting 
> chains longer than that? Seems that would be approaching meaningless in 
> terms of any real-world trust.

Depends on how big a cert is.  X.509 certs today are pretty minimal, but 
if you look in draft-ietf-pkix-new-part1-12.txt you'll see a whole pile of 
extensions that exist presumably so authorities can start using them, and 
other pkix docs specify yet more extensions.  There will presumably be 
struggle between PKI deployers wanting to jam lotsa stuff into their certs 
(some of which, like name constraints, are arguably essential to the 
overall security of the scheme) and small-device folks saying hey these 
things won't fit.  How big a typical cert will be 5 years from now is 
pretty hard to say, seems to me.

> Also, if the certs are ordered leaf to root and the whole record
> containing is not signed, you can process them with a smaller buffer.
> The only thing about SSL that requires the large buffer is that you have
> to verify the MAC/hash before passing the data along to the next layer.

Umm, I think you're talking about buffer management inside your 
implementation.  The issue at hand is, I think, the size of objects that 
SASL-profiled application protocols have to be able to handle to support 
an acceptable set of security mechanisms.

 - RL "Bob"

v2.23.0 | Report a Bug | By Email