RE: [TLS] Re: Comments on draft-housley-tls-authz-extns-07

Russ Housley wrote:

> >- The size of authorization data, i.e., X.509 attribute 
> >  certs and SAML assertions, is limited to 64kb.  Is it certain 
> >  that we won't need more?
> 
> I recall responding to this the first time around.  I said that 
> I could not imagine needing 64KB for X.509 Attribute Certificates, 
> but I do not have experience with SAML Assertions.  I know they 
> are bigger, but I do not have any way to gauge the likelihood 
> that 64KB will not be enough.

One relatively simple SAML assertion example from the SAML specs 
is 3.5 KB. If it used 4096-bit RSA keys instead of 1024, and 
included a holder-of-key SubjectConfirmation block, it would be 
maybe 6 KB. If it included more complex assertions or additional 
certificates, it could get over 10 KB.

IMHO the safety margin is too small for "64K ought to be enough for
everyone" :-)

Best regards,
Pasi
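The 64 KB ceiling discussed above is what a two-byte TLS vector length prefix can express. The following is an added example, not code from the draft or from anyone in this thread, of an encoder and a bounds-checked parser that enforce that limit; it assumes each authorization item is carried as a TLS `opaque<1..2^16-1>` vector.

```python
import struct

# Largest payload a 16-bit length prefix can describe: 2^16 - 1 bytes.
# Assumption: the extension carries each item as opaque<1..2^16-1>.
MAX_AUTHZ_LEN = 0xFFFF


def encode_authz_data(payload: bytes) -> bytes:
    """Serialise one authorization item (e.g. a SAML assertion) as a
    length-prefixed TLS vector, refusing anything the prefix cannot hold."""
    if not 1 <= len(payload) <= MAX_AUTHZ_LEN:
        raise ValueError(
            f"authorization data is {len(payload)} bytes; "
            f"a 16-bit length prefix allows 1..{MAX_AUTHZ_LEN}"
        )
    return struct.pack("!H", len(payload)) + payload


def decode_authz_data(buf: bytes) -> tuple[bytes, bytes]:
    """Parse one vector from buf and return (payload, remaining bytes).

    Every bound is checked before slicing so a truncated or mis-sized
    record is rejected rather than silently yielding a short payload."""
    if len(buf) < 2:
        raise ValueError("truncated: missing 2-byte length prefix")
    (n,) = struct.unpack("!H", buf[:2])
    if n == 0:
        raise ValueError("zero-length authorization data is not permitted")
    if len(buf) - 2 < n:
        raise ValueError(f"truncated: prefix claims {n} bytes, {len(buf) - 2} present")
    return buf[2:2 + n], buf[2 + n:]


def headroom(size_bytes: int) -> int:
    """Bytes of margin left below the limit for an item of this size;
    negative means the item cannot be carried at all."""
    return MAX_AUTHZ_LEN - size_bytes


# Constructed sizes mirroring the estimates in the message above (not real
# assertions, just byte strings of the stated lengths).
SAMPLE_SIZES = {
    "spec example": 3500,
    "4096-bit keys + holder-of-key": 6000,
    "richer assertion": 10000,
    "oversized bundle": 70 * 1024,
}

if __name__ == "__main__":
    for label, size in SAMPLE_SIZES.items():
        print(f"{label:32s} {size:6d} bytes  headroom {headroom(size):7d}")
```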

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
