RE: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"
A normative upper bound has the undesirable effect of requiring
implementations to be less liberal in what they accept. An informative
upper bound provides guidance to CAs on maximizing interoperability,
and does not penalize relying applications that can accept much larger
structures. If five years from now 99% of relying applications
can accept large fields (e.g. up to available memory) and the other
1% never move beyond hard-coded limits, then a CA can *never* exceed
the old bounds without risking unexpected incompatibility. Nonetheless,
it is desirable to permit a CA to issue oversized certs that are
accepted by 99% of relying products rather than requiring all relying
products to reject such certs as a condition of PKIX (but not X.509)
compliance.
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Hallam-Baker, Phillip
Sent: Monday, October 08, 2007 7:32 PM
To: Stephen Farrell; Russ Housley
Cc: ietf-pkix@xxxxxxx
Subject: RE: New Liaison Statement, "Liaison to IETF on the removal of
upper bound in X.509"
How long will it be before I can issue a certificate that does not
comply with the old bounds without this resulting in unexpected
incompatibilities?
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Stephen Farrell
> Sent: Saturday, October 06, 2007 3:50 PM
> To: Russ Housley
> Cc: ietf-pkix@xxxxxxx
> Subject: Re: New Liaison Statement, "Liaison to IETF on the
> removal of upper bound in X.509"
>
> Russ Housley wrote:
> > Personally, I missed the subtle change from normative to informative.
> > I suspect many others did too. If the PKIX WG is to make them
> > informative too, then it will have to be done *right now*.
>
> I see no reason to make such a change at this stage.
>
> S.
>
>