
RE: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"



Then I suppose I misunderstand the meaning of compliance
with a normative value contained in an ASN.1 module.

If PKIX specifies
    ub-common-name INTEGER ::= 64

as normative, and profile X specifies
    ub-common-name INTEGER ::= 65

as normative, is an application (e.g. a browser or a CA)
compiled to profile X compliant with PKIX or not?

In particular, under what theory of compliance can a CA that
issues a 65 character common name be called non-PKIX-compliant
while a relying application that accepts a 65 character common
name be called PKIX-compliant while both are operating in
"profile X mode"?



-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxx] 
Sent: Tuesday, October 09, 2007 12:55 PM
To: Kemp, David P.
Cc: Hallam-Baker, Phillip; Russ Housley; ietf-pkix@xxxxxxx
Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of
upper bound in X.509"


Kemp, David P. wrote:
> A normative upper bound has the undesirable effect of requiring
> implementations to be less liberal in what they accept.  

No it doesn't. An application can, if it so chooses, support
a broader profile than PKIX.

> An informative
> upper bound provides guidance to CAs on maximizing interoperability,

An informative upper bound allows CAs to issue certs that won't be
accepted by implementations that enforce those upper bounds, which
hinders interop.

I would think that if there is real demand for a profile with larger,
or no, upper bounds, then that'd be a simple I-D to write.

So, I still don't want to see 3280bis change in this respect at this
time.

S.