Re: Upper Bounds for X.509
Steven, I didn't say it was an attractive option. I have always been against these limits.
Peter Gutmann recommended that "reasonable" upper bounds be set, e.g. a thousand characters for a common name. But it appears his concern is about erratic operation when the certificate itself is huge.
It may be more reasonable to set a max size on the entire certificate than on the individual components that comprise it.
hoyt
>Hoyt,
>
>Hoyt L Kesterson II wrote:
>>Another option is to keep the bounds as we have them and have the IETF standard mandate the bounds, choosing any values you like.
>
>Then directory deployments would have to choose between being nice
>to PKIX applications by imposing PKIX's upper bounds, or being
>nice to other LDAP applications by not imposing upper bounds.
>
>Regards,
>Steven