Re: CRLNumber definition and MAX

[Michael StJohns <mstjohns@xxxxxxxxxxx>]

I responded to his first email which seemed to be talking about the serialNumber field - he's since clarified he's talking about path length

Basically, you should probably just look at the integer and if its bigger than fits in a local 32 bit INT treat it as if its an unlimited length path value.  if the issuer is confused enough to issue something ridiculous you shouldn't worry about treating it in a ridiculous manner.

I'm not sure it needs any additional text here as any value > about 20 is effectively infinite... :-) 

Mike



At 05:40 AM 6/11/2009, Jean-Marc Desperrier wrote:
>Michael StJohns wrote:
>>I think you're confusing the ASN1 definition of "long integers" with
>>the C language definition of a long int.
>>
>>4.1.2.2 constrains the serial number INTEGER
>>(CertificateSerialNumber) into the range [0..2^159] - NOT [0..2^31].
>
>Peter is not confusing the two, it's *implementations* that did it by allowing themselves to store a pathLen value inside a C language integer.
>
>This being said, it's a reasonable assumption for applications to think it makes no sense to allow a path length to go over 2^31 and to not even try to handle values larger than that in pathLen, BaseDistance or SkipCerts.
>
>I'd go so far as adding text to say something like application MUST handle a path length up to 20, CA MUST NOT generate a path length longer than 20, and MUST NOT insert a value larger than that in any of those three values. CRLNumber and CRLNumber would, of course, still be allowed to up to 20 octets in length.