
Re: Upper Bounds for X.509



Hoyt L Kesterson II <hoytkesterson@xxxxxxxxxxxxx> writes:

>Does certificate generating software enforce the bounds?
>
>Does relying party software validate the bounds in received certificate?

Yes.  I think there should be some reasonable upper bound (1K perhaps) as a
safety feature to prevent MPEG-of-cat certificates.  People are going to stuff
anything they feel like into certs, aided and abetted by software that hides
the details of what they're doing (dragging an icon to a drop target doesn't
convey the fact that adding a 20MB Flash animation at that location isn't very
sensible).  So making it unbounded is asking for trouble.  Setting a
reasonable upper bound (does anyone really have a common name more than a
thousand characters long?) is a good safety setting.

(Oh, and an aside: When I created the MPEG-of-cat cert, with a (by current
standards) relatively small ~1MB MPEG in there, neither Windows nor Netscape
(the two main cert apps at the time) complained about finding over a million
characters in what should be a short field.  However, both of them performed
very erratically, and in the case of Netscape I had to delete the browser cert
database after a couple of days to restore proper operation to the browser.
So current apps will quite readily accept stupid sizes for these fields, and
nicely DoS themselves in the process.  Another argument for setting upper
limits).

Peter.
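
Added example, not part of the original message: a relying-party pre-check that walks a DER encoding and rejects any directly encoded string field longer than a cap before the data reaches certificate storage or display code. The 1024-byte cap follows the "1K perhaps" figure above; the function names and the sample Name built by `sample_name` are constructed for illustration.

```python
MAX_STRING_LEN = 1024  # assumed cap, taken from the "1K perhaps" suggestion
STRING_TAGS = {0x0C, 0x13, 0x14, 0x16, 0x1E}  # UTF8, Printable, Teletex, IA5, BMP

class BoundsError(ValueError):
    """Raised when an encoding is malformed or a string field is oversized."""

def read_tlv(buf, pos, end):
    """Return (tag, content_start, content_end) for the TLV starting at pos."""
    if pos + 2 > end:
        raise BoundsError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise BoundsError("multi-byte tags are not supported here")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise BoundsError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > end:
        raise BoundsError("length runs past enclosing element")
    return tag, pos, pos + length

def check_bounds(buf, start=0, end=None, limit=MAX_STRING_LEN):
    """Walk the DER tree; return the number of strings seen, raise if one is too long."""
    end = len(buf) if end is None else end
    seen, pos = 0, start
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos, end)
        if tag in STRING_TAGS:
            if ce - cs > limit:
                raise BoundsError(f"string of {ce - cs} bytes exceeds {limit}")
            seen += 1
        elif tag & 0x20:  # constructed (SEQUENCE, SET, explicit tag): descend
            seen += check_bounds(buf, cs, ce, limit)
        pos = ce
    return seen

def tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed samples."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + content

def sample_name(cn):
    """Constructed Name: SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }."""
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
```

The walk does not descend into OCTET STRING wrappers, so strings inside extension values would need the same check applied to the unwrapped extension content.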