On Mon, Nov 10, 2003 at 05:18:34PM +0200, Kostas Kalevras wrote:
> Probably with small enough certificates to not worry about fragmentation.

..a bit off topic - but "large" certificates in general seem to be a problem with all sorts of SSL apps. We are running a full-blown internal CA, and so have "done it right" (IMHO) and have details such as what division a user is in, along with their email address, company name, city, country, etc. Apparently this makes our certs "large", and as such we've hit every bug there is to hit with a variety of SSL/PKI products (not referring to FreeRADIUS here actually - more VPN related).

We get comments back from vendors like "your certs are too big - make them smaller and the problem will go away" - as if that is even an option! Once you have decided *how* you want to run a PKI - down to what level of detail is within each cert - it's pretty bl**dy hard to change your mind later.

Oh yeah - and we got a certain vendor whose name rhymes with "ISCO" whose routers won't use our certs as they are signed with a CA whose serial number is "0" - apparently zero isn't an integer (see RFCxxx).

PKI still has a way to go before it's as useful as the hype makes it out to be. The technology is fine - but I get the feeling that quality control is limited due to the lack of implementations...

Yup - waaay off topic :-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1