Re: New Liaison Statement, "Liaison to IETF on the removal of upper bound in X.509"
Paul,

Paul Hoffman wrote:
> At 10:26 AM +1000 10/10/07, Steven Legg wrote:
>> The way out of this dilemma is for PKIX, LDAP and X.500 to agree
>> on the upper bounds. The consensus in the X.500 working group is
>> to completely remove the (non-normative) upper bounds, rather than
>> rejigging them.
>
> Has the X.500 working group communicated that to the PKIX WG, or the IETF?

Yes, in the liaison statement where it says "We plan to remove the
upper bounds specified in the standard". The example change to X.520
suggests that "the standard" means more than just X.509.

> At 10:41 AM +1000 10/10/07, Steven Legg wrote:
>>> - Do we object to the ITU making the upper bound on DirectoryString
>>> optional
>>
>> They've been optional since the second edition of X.500. The defect
>> resolution will make that clearer, as well as steering away from
>> any specific suggestions for the upper bounds.
>
> We disagree that this DR "will make it clearer". What was sent to the
> PKIX WG said:
>
>     In relation to resolve a Defect Report, it appears to majority within
>     the X.500 community to remove hard-coded length restriction whenever a
>     DirectoryString is used.
>     . . .
>     We plan to remove the upper bounds specified in the standard. In
>     particular we intend to eliminate the Upper Bounds for DirectoryString.
>
> That does not sound anything like "They've been optional since the
> second edition of X.500."

It has been established on this list that the upper bounds in X.500
have been non-normative since the second edition. If they are
non-normative, then an implementation can set the upper bounds to
whatever it wants, including the largest number anyone has ever thought
of, effectively making the upper bounds optional.

> Could you get the X.500 working group to make it clear if they are
> considering, or have already, removed the upper bounds on all the
> X.500-related strings that Russ listed?

I had a closer look at RFC 3280. Some of the upper bounds originate
from X.500, but there is a bunch of upper bounds constraining
component parts of ORAddress that come from X.400, primarily the
upper bounds with names ending with "-length". The former are in
scope for the change contemplated by the X.500 working group, but
the latter are not.

I've prodded some ITU-T folks to publicly confirm the situation.

>>> - Should we do anything to draft-ietf-pkix-rfc3280bis to reflect that
>>>
>>> The answer to the first should be "no, we don't". Russ gave a list
>>> that shows the ITU has a *long* way to go before it gets rid of
>>> the silly maximum lengths in X.509.
>>
>> The defect resolution will throw them all out at the same time.
>
> Where does it say that? The DR listed exactly one string type,
> DirectoryString. Again, having this be clearer would help us out a lot.

The liaison statement said "We plan to remove the upper bounds specified
in the standard". The following sentence beginning "In particular"
suggests to me that DirectoryString is a pertinent case, but by no means
the only case.

By the way, the liaison statement is not the defect resolution, and in any
case I've been informed there has been a change in strategy. The upper bounds
will be removed via an extension to X.500 rather than through a defect
resolution. I will leave it to someone from the ITU-T to confirm.

Regards,
Steven

> --Paul Hoffman, Director
> --VPN Consortium
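The practical consequence of the thread's two observations, that RFC 3280 inherits its DirectoryString upper bounds from X.500 (where they are non-normative) while the "-length" bounds on ORAddress come from X.400, is that a relying party has to decide whether to enforce the DirectoryString bounds at all. The following is an added example and not code from the thread, from PKIX or from the ITU-T: a minimal DER reader that walks an X.509 Name, reports any DirectoryString attribute value longer than its RFC 3280 Appendix A bound, and offers a strict/lenient switch. The attribute OIDs and ub-* values are those of RFC 3280; the sample Name is constructed here, and the DER helpers are written for this example rather than taken from any library.

```python
"""Check an X.509 Name against the RFC 3280 Appendix A upper bounds.

Added example (not from the thread). The ub-* values and OIDs below are
those of RFC 3280 Appendix A; the DER reader and encoder are minimal
helpers written for this example, not a general ASN.1 implementation.
"""
from typing import List, Tuple

# DirectoryString attributes and their RFC 3280 bounds, in characters.
# These are the X.500-derived bounds the thread is about; the X.400-derived
# "-length" bounds on ORAddress components are deliberately not included.
UPPER_BOUNDS = {
    "2.5.4.3": ("commonName", "ub-common-name", 64),
    "2.5.4.4": ("surname", "ub-name", 32768),
    "2.5.4.7": ("localityName", "ub-locality-name", 128),
    "2.5.4.8": ("stateOrProvinceName", "ub-state-name", 128),
    "2.5.4.10": ("organizationName", "ub-organization-name", 64),
    "2.5.4.11": ("organizationalUnitName", "ub-organizational-unit-name", 64),
    "2.5.4.12": ("title", "ub-title", 64),
    "2.5.4.42": ("givenName", "ub-name", 32768),
    "2.5.4.43": ("initials", "ub-name", 32768),
    "2.5.4.44": ("generationQualifier", "ub-name", 32768),
    "2.5.4.65": ("pseudonym", "ub-pseudonym", 128),
}

# DirectoryString CHOICE alternatives by universal tag and the codec used
# to count characters (TeletexString as latin-1 is an approximation).
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1",
               0x1C: "utf-32-be", 0x1E: "utf-16-be"}

SEQUENCE, SET, OID = 0x30, 0x31, 0x06


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, last byte has high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(OID, bytes(body))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def build_name(attrs) -> bytes:
    """Encode [(oid, string_tag, text)] as a DER Name, one AttributeTypeAndValue per RDN."""
    rdns = b""
    for oid, tag, text in attrs:
        atv = _der(SEQUENCE, _oid(oid) + _der(tag, text.encode(STRING_TAGS[tag])))
        rdns += _der(SET, atv)
    return _der(SEQUENCE, rdns)


def check_name(der_name: bytes) -> List[str]:
    """Return one finding per DirectoryString value that exceeds its RFC 3280 bound."""
    findings = []
    tag, rdns, _ = _read_tlv(der_name, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):
            _, atv, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(atv, 0)
            vtag, vbody, _ = _read_tlv(atv, q)
            oid = _decode_oid(oid_body)
            if oid not in UPPER_BOUNDS or vtag not in STRING_TAGS:
                continue          # countryName etc. are not DirectoryStrings
            attr, ub, bound = UPPER_BOUNDS[oid]
            n = len(vbody.decode(STRING_TAGS[vtag]))   # bound is in characters
            if n > bound:
                findings.append(f"{attr}: {n} characters exceeds {ub} ({bound})")
    return findings


def accept_name(der_name: bytes, strict: bool = True) -> bool:
    """Strict: reject any over-bound value. Lenient: accept, mirroring X.500's
    view that the bounds are non-normative (findings can still be logged)."""
    return not (strict and check_name(der_name))


# Constructed sample: a 70-character commonName (over ub-common-name) and a
# 100-character surname (well under ub-name); countryName is skipped.
SAMPLE_NAME = build_name([
    ("2.5.4.6", 0x13, "AU"),
    ("2.5.4.10", 0x0C, "Example Org"),
    ("2.5.4.4", 0x0C, "X" * 100),
    ("2.5.4.3", 0x0C, "C" * 70),
])

if __name__ == "__main__":
    for line in check_name(SAMPLE_NAME):
        print(line)
    print("strict:", accept_name(SAMPLE_NAME), "lenient:", accept_name(SAMPLE_NAME, strict=False))
```

Because the table only carries the X.500-derived bounds, nothing in it changes if the ITU-T removes them; the lenient mode is the behaviour a verifier would need once the bounds are gone, while strict mode reproduces what an implementation that hard-coded RFC 3280's values does today.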