[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Upper Bounds for X.509

To: Russ Housley <housley@xxxxxxxxxxxx>
Subject: Re: Upper Bounds for X.509
From: Steven Legg <steven.legg@xxxxxxxxxxx>
Date: Mon, 22 Oct 2007 13:32:21 +1000
Cc: PKIX <ietf-pkix@xxxxxxx>
In-reply-to: <200710191707.l9JH7bYE004435@xxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <> <200710191707.l9JH7bYE004435@xxxxxxxxxxxxxxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.6 (Windows/20070728)



Russ,

Russ Housley wrote:

I understand that an unbounded directory string may be useful in manycontexts, but is it going to help interoperability to remove the boundson naming attributes?


As I recall, it was an upper bound on a naming attribute that we first
bumped up against, and which prompted us to ignore all the upper bounds.
Ignoring the upper bounds also allows us to claim conformance with LDAP,
which imposes no upper bounds. Clearly there is the potential for
interoperability problems if we interwork with an implementation that
imposes upper bounds. To the best of my knowledge such problems haven't
arisen with respect to our implementation. I assume that in each instance
of interworking the other system also ignores the upper bounds, or else
the shared data happen to be within that other system's upper bounds.
Nonetheless, the potential for interoperability problems diminishes if
the upper bounds are discarded.

Regards,
Steven

Russ

At 10:19 AM 10/19/2007, Erik Andersen wrote:
Hi Folks,
As mentioned in a liaison statement from the directory meeting,September 2007 in Geneva, we have decided to remove the Upper Boundsfrom any occurrence. A majority of those are on DirectoryString, whichis also specified for many attribute types.At one type we were considering removing the Upper Bound by the DefectReport procedure, but found the change to heavy for that procedure. Bythe Defect Report procedure we corrected a inconsistency in the UpperBounds and expressed that Upper Bounds are only provided as examples.It is our intention to remove the Upper Bound from the sixth editionof the Directory Specification. We gave a possible approach in theliaison statement, but that may not be the final solution. Be assuredthat whatever we do, it will be valid ASN.1. The example we came upwith is actual valid ASN.1 by using parameterized specification.However, we are faced with the problem that directory object classdefinitions will be parameterized. This does not change the definitionas such, but only the ASN.1 appearance. This could be a problem forimplementations parsing such object class definitions to set-up thedirectory schema.Our fall-back solution is to define a new variant of DirectoryStringthat is unbounded.Erik Andersen
Andersen's L-Service
Mobile: +45 20 97 14 90
e-mail: era@xxxxxxxxxx <mailto:era@xxxxxxxxxx>
http://www.x500standard.com/
http://home20.inet.tele.dk/era/me

References:
- Upper Bounds for X.509
  - From: Erik Andersen
- Re: Upper Bounds for X.509
  - From: Russ Housley

Prev by Date: Re: New Liaison Statement, "Liaison to IETF on the resolution of DR320"
Next by Date: Re: Upper Bounds for X.509
Previous by thread: Re: Upper Bounds for X.509
Next by thread: Re: Upper Bounds for X.509
Index(es):
- Date
- Thread