Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"

[Steven Legg <steven.legg@xxxxxxxxxxx>]

Kemp, David P. wrote:
> Then I suppose I misunderstand the meaning of compliance
> with a normative value contained in an ASN.1 module.
>
> If PKIX specifies
>     ub-common-name INTEGER ::= 64
>
> as normative, and profile X specifies
>     ub-common-name INTEGER ::= 65
>
> as normative, is an application (e.g. a browser or a CA)
> compiled to profile X compliant with PKIX or not?

In the general case, an application could not be simultaneously
compliant with both. The application cannot accept a common name
with 65 characters from a profile X compliant application if there
is any chance that it may have to send that common name to a
PKIX-compliant application.

This situation reflects a dilemma faced by directory vendors in
this issue. We already have customers for which the current upper
bounds are too low and have to be relaxed. LDAP does not impose
upper bounds, so compliance with LDAP means ignoring the upper bounds.
But if the directory is being used by a PKIX-compliant CA, then
the upper bounds of RFC 3280 need to be enforced. These incompatible
requirements mean that a directory server cannot simultaneously
satisfy all PKIX, LDAP and X.500 compliant directory clients.

The way out of this dilemma is for PKIX, LDAP and X.500 to agree
on the upper bounds. The consensus in the X.500 working group is
to completely remove the (non-normative) upper bounds, rather than
rejigging them.

Regards,
Steven

> In particular, under what theory of compliance can a CA that
> issues a 65 character common name be called non-PKIX-compliant
> while a relying application that accepts a 65 character common
> name be called PKIX-compliant while both are operating in
> "profile X mode"?
>
>
>
> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@xxxxxxxxx] 
> Sent: Tuesday, October 09, 2007 12:55 PM
> To: Kemp, David P.
> Cc: Hallam-Baker, Phillip; Russ Housley; ietf-pkix@xxxxxxx
> Subject: Re: New Liaison Statement, "Liaison to IETF on the removal of
> upper bound in X.509"
>
>
> Kemp, David P. wrote:
> > A normative upper bound has the undesirable effect of requiring
> > implementations to be less liberal in what they accept.  
>
> No it doesn't. An application can, if it so chooses, support
> a broader profile than PKIX.
>
>  > An informative
> > upper bound provides guidance to CAs on maximizing interoperability,
>
> An informative upper bound allows CAs to issue certs that won't be
> accepted by implementations that enforce those upper bounds, which
> hinders interop.
>
> I would think that if there is real demand for a profile with larger,
> or no, uppper bounds, then that'd be a simple I-D to write.
>
> So, I still don't want to see 3280bis change in this respect at this
> time.
>
> S.