Re: CRLNumber definition and MAX
Peter -
I think you're confusing the ASN1 definition of "long integers" with the C language definition of a long int.
4.1.2.2 constrains the serial number INTEGER (CertificateSerialNumber) into the range [0..2^159] - NOT [0..2^31].
Mike
At 07:19 AM 6/9/2009, Peter Sylvester wrote:
>Hi,
>
>RFC 5280 contains the following definitions for a CRLNumber
>
>CRLNumber ::= INTEGER (0..MAX)
>
>I think that as an analogy with CertificateSerialNumber the
>constraint (0..MAX) should be removed, cf also appendix B:
>
> "As noted in Section 4.1.2.2, serial numbers can be expected to
> contain long integers. Certificate users MUST be able to handle
> serialNumber values up to 20 octets in length. Conforming CAs MUST
> NOT use serialNumber values longer than 20 octets.
>
> As noted in Section 5.2.3, CRL numbers can be expected to contain
> long integers. CRL validators MUST be able to handle cRLNumber
> values up to 20 octets in length. Conforming CRL issuers MUST NOT
> use cRLNumber values longer than 20 octets."
>
>
>The ASN.1 appendix (B) also contains
>
> "The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
> constructs. A valid ASN.1 sequence will have zero or more entries.
> The SIZE (1..MAX) construct constrains the sequence to have at least
> one entry. MAX indicates that the upper bound is unspecified.
> Implementations are free to choose an upper bound that suits their
> environment."
>
>but nothing similar concerning INTEGER (0..MAX)
>
>Is there someone who sees an important problem if we would require
>that MAX MUST be smaller than 2**31 in order to be conformant
>to the profile.
>
>The construct occurs in 4 types, the three others being
> pathLenConstraints
> BaseDistance
> SkipCerts
>I haven't checked other Extensions defined in X.509.
>
>Peter Sylvester
>
>
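The 20-octet limit quoted above is about the length of the DER INTEGER content, not about any native integer width. The following Python, added here and not part of the thread or of RFC 5280, encodes and decodes DER INTEGERs with unbounded integers, enforces the "at most 20 octets, non-negative" profile rule on a serialNumber or cRLNumber, and shows that the largest value fitting in 20 content octets is 2^159 - 1 (2^159 itself needs a 21st, leading 0x00 octet because DER INTEGER is two's complement). All function names and sample values are this example's own constructions.

```python
# Added example (not from the thread): DER INTEGER encode/decode with the
# RFC 5280 20-octet limit for serialNumber / cRLNumber. Function names and the
# sample values below are this example's own constructions.

MAX_PROFILE_OCTETS = 20  # RFC 5280 4.1.2.2 / 5.2.3 / Appendix B
INTEGER_TAG = 0x02


def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, else minimal long form)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def integer_content_octets(value: int) -> int:
    """Octets needed for a non-negative INTEGER's content, including the
    leading 0x00 that DER requires when the top bit would otherwise be set."""
    if value < 0:
        raise ValueError("only non-negative values are profiled here")
    return (value.bit_length() + 8) // 8


def encode_der_integer(value: int) -> bytes:
    """Encode a non-negative int as a DER INTEGER (tag, length, content)."""
    n = integer_content_octets(value)
    return bytes([INTEGER_TAG]) + der_length(n) + value.to_bytes(n, "big")


def decode_der_integer(data: bytes) -> tuple[int, bytes]:
    """Decode one DER INTEGER from the front of `data`.

    Returns (value, remaining_bytes). Python ints are unbounded, so a
    20-octet content is decoded exactly; a fixed-width C long would
    overflow on anything past 4 or 8 octets. Non-minimal lengths and
    non-minimal two's-complement content are rejected, as DER requires.
    """
    if len(data) < 2 or data[0] != INTEGER_TAG:
        raise ValueError("expected INTEGER tag 0x02")
    first = data[1]
    if first < 0x80:
        n, off = first, 2
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4 or len(data) < 2 + nlen:
            raise ValueError("bad long-form length")
        n = int.from_bytes(data[2 : 2 + nlen], "big")
        off = 2 + nlen
        if n < 0x80 or data[2] == 0x00:
            raise ValueError("non-minimal length encoding")
    content = data[off : off + n]
    if n == 0 or len(content) != n:
        raise ValueError("empty or truncated INTEGER content")
    if n >= 2 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER content")
    return int.from_bytes(content, "big", signed=True), data[off + n :]


def check_profile_number(value: int, field: str = "cRLNumber") -> int:
    """Apply the RFC 5280 profile limits: non-negative and at most 20
    content octets. Returns the value unchanged when it conforms."""
    if value < 0:
        raise ValueError(f"{field} must not be negative")
    n = integer_content_octets(value)
    if n > MAX_PROFILE_OCTETS:
        raise ValueError(f"{field} needs {n} octets, limit is {MAX_PROFILE_OCTETS}")
    return value


def parse_profile_number(der: bytes, field: str = "cRLNumber") -> int:
    """Decode a DER INTEGER and enforce the profile limit on it."""
    value, rest = decode_der_integer(der)
    if rest:
        raise ValueError("trailing bytes after INTEGER")
    return check_profile_number(value, field)


def fits_in_bits(value: int, bits: int) -> bool:
    """Would `value` survive storage in a `bits`-wide signed integer?"""
    return -(1 << (bits - 1)) <= value < (1 << (bits - 1))


LARGEST_20_OCTET = (1 << 159) - 1  # 20 content octets, top bit clear
FIRST_21_OCTET = 1 << 159          # needs a 21st (0x00) octet in DER


if __name__ == "__main__":
    der = encode_der_integer(LARGEST_20_OCTET)
    print(len(der) - 2, "content octets")
    print(parse_profile_number(der) == LARGEST_20_OCTET)
    print(fits_in_bits(LARGEST_20_OCTET, 32), fits_in_bits(LARGEST_20_OCTET, 64))
    try:
        check_profile_number(FIRST_21_OCTET)
    except ValueError as err:
        print("rejected:", err)
```

The decoder returns the exact value for any content length and leaves the width decision to the caller; the profile check is where the 20-octet rule lives, so a validator that must tolerate non-conforming issuers can relax that one function without weakening the DER strictness of the parser.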