Hi!

* Victor Duchovni wrote on Fri, Feb 12, 2010 at 15:03 -0500:
> On Fri, Feb 12, 2010 at 08:35:09PM +0100, Steffen DETTMER wrote:
> 
> >   (So DER encoding is used, and it is allowing 128 byte long
> >   length fields allowing 2^1024 [a number taking four and a half
> >   lines in xterm because 309 decimal digits long] bytes long value
> >   fields sufficient to enumerate every atom in the visible
> >   universe an unbelievably huge number of times
> >   - but in the end for certificates limit of 16384 [5 digit
> >   number] is in effect :-))
> 
> SSL protocol engines need sensibly sized I/O buffer size limits.
> The decision to limit SSL record lengths is reasonable. 16K
> is a fine choice. And yes, 5000 altName entries in a certificate
> is absurd. It may be the most expedient way to overcome design
> implementations in the software you are forced to use, but the
> SSL protocol is not obligated to support this use-case.

Of course you are right; I guess the 5000 altName case
isn't a perfect solution (but maybe some workaround, who knows),
however limits close to the practical order of magnitude (I mean just
10 or 100 times more than needed) can turn out too limited during a
protocol's lifetime, I think, such as the famous 640 KB. Maybe in
future some governmentally approved personal X.509 certificates have
to include a passport photograph of the owner in 640x480x24 PNG format?

oki,

Steffen


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
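The thread above contrasts what a DER length field can express with the 16 K limit that actually matters in practice. The following is an added example, not code from the thread or from OpenSSL: a small DER length encoder and a bounded TLV reader in Python. It follows X.690: short form (one octet, 0..127) or long form (a first octet 0x80 | n followed by n big-endian length octets, with n at most 126 because 0x80 alone is the BER indefinite form and 0xFF is reserved), and DER's minimal-encoding rule (no short-form values in long form, no leading zero octets). So the largest expressible length is 2^1008 - 1, roughly 300 decimal digits, which is why the decoder applies a caller-supplied cap instead of trusting the field. The cap default of 16384 octets and the test inputs are assumptions chosen for this example.

```python
"""
Added example (not from the openssl-users thread or from OpenSSL):
DER length octets (X.690 8.1.3) and a bounded TLV reader.
"""
from typing import Optional, Tuple

# Assumed cap for this example, echoing the 16K figure in the thread.
DEFAULT_MAX_LEN = 16384


class DERError(ValueError):
    """Raised for malformed, non-minimal or oversized length encodings."""


def encode_length(n: int) -> bytes:
    """Encode n as DER length octets (short form below 128, else long form)."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")  # minimal, no leading zeros
    if len(body) > 126:  # 0x80 | 127 == 0xFF is reserved by X.690
        raise ValueError("length too large for DER long form")
    return bytes([0x80 | len(body)]) + body


def decode_length(buf: bytes, offset: int = 0,
                  max_len: Optional[int] = DEFAULT_MAX_LEN) -> Tuple[int, int]:
    """Decode DER length octets at buf[offset]; return (length, octets consumed).

    Rejects the BER indefinite form, the reserved 0xFF octet, non-minimal
    encodings, truncated input, and any length above max_len (None = no cap).
    """
    if offset >= len(buf):
        raise DERError("truncated length")
    first = buf[offset]
    if first < 0x80:
        length, consumed = first, 1
    else:
        n = first & 0x7F
        if n == 0:
            raise DERError("indefinite length is not allowed in DER")
        if n == 0x7F:
            raise DERError("reserved length octet 0xFF")
        if offset + 1 + n > len(buf):
            raise DERError("truncated long-form length")
        body = buf[offset + 1:offset + 1 + n]
        if body[0] == 0:
            raise DERError("non-minimal length: leading zero octet")
        length = int.from_bytes(body, "big")
        if length < 0x80:
            raise DERError("non-minimal length: short form required")
        consumed = 1 + n
    if max_len is not None and length > max_len:
        raise DERError("length %d exceeds limit %d" % (length, max_len))
    return length, consumed


def parse_tlv(buf: bytes, offset: int = 0,
              max_len: Optional[int] = DEFAULT_MAX_LEN) -> Tuple[int, bytes, int]:
    """Read one single-octet-tag TLV; return (tag, value, total octets consumed).

    The value must lie entirely inside buf, so a huge advertised length can
    never make the caller allocate or read past the data it actually holds.
    """
    if offset >= len(buf):
        raise DERError("truncated tag")
    tag = buf[offset]
    if tag & 0x1F == 0x1F:
        raise DERError("multi-octet tags are not handled in this example")
    length, consumed = decode_length(buf, offset + 1, max_len)
    start = offset + 1 + consumed
    end = start + length
    if end > len(buf):
        raise DERError("value truncated: %d octets advertised, %d present"
                       % (length, len(buf) - start))
    return tag, buf[start:end], end - offset


if __name__ == "__main__":
    # Constructed input: SEQUENCE { INTEGER 5 }
    seq = b"\x30\x03\x02\x01\x05"
    print(parse_tlv(seq))
    # Constructed input: OCTET STRING whose long-form length has 100 body
    # octets, i.e. it claims 2**792 value octets but carries none.
    huge = b"\x04\xe4\x01" + bytes(99)
    print(decode_length(huge, 1, max_len=None)[0].bit_length())  # 793
    for kwargs in ({}, {"max_len": None}):
        try:
            parse_tlv(huge, **kwargs)
        except DERError as e:
            print("rejected:", e)
```

With the default cap the oversized field is refused before any value is read; with the cap disabled it is still refused because the advertised value does not fit the buffer. Both checks are worth keeping: the first keeps memory bounded, the second keeps the parser honest about what it actually holds.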
