Re: Upper Bounds for X.509

[Russ Housley <housley@xxxxxxxxxxxx>]

Hoyt:

One never knows which non-critical extensions might be put in a 
certificate.  Remember when Bob Jueneman was advocating pictures in 
certificates....

Russ


At 04:30 AM 10/22/2007, Hoyt L Kesterson II wrote:

> Steven, I didn't say it was an attractive option. I have always been 
> against these limits.
>
> Peter Gutmann recommended that "reasonable" upper bounds be set, 
> e.g. thousand characters for a common name. But it appears his 
> concern is about erratic operation when the certificate itself it huge.
>
> It may be more reasonable to set a max size on the entire 
> certificate than on the individual components that comprise it.
>
>    hoyt
>
> >Hoyt,
> >
> >Hoyt L Kesterson II wrote:
> >>Another option is to keep the bounds as we have them and have the 
> IETF standard mandate the bounds, choosing any values you like.
> >
> >Then directory deployments would have to choose between being nice
> >to PKIX applications by imposing PKIX's upper bounds, or being
> >nice to other LDAP applications by not imposing upper bounds.
> >
> >Regards,
> >Steven