RE: [TLS] Re: Comments on draft-housley-tls-authz-extns-07
I'm okay with increasing the size as long as others agree with your assessment.
The current version of tls-authz says:
struct {
    AuthorizationDataEntry authz_data_list<1..2^16-1>;
} AuthorizationData;
It is easy to change "2^16" to "2^24".
The current version also says:
    opaque X509AttrCert<1..2^16-1>;
    opaque SAMLAssertion<1..2^16-1>;
I have not heard anyone suggest that a single X.509 Attribute
Certificate or a single SAML Assertion will exceed 64KB, but this
could be increased as well if there is consensus to do so.
Russ
At 03:58 AM 5/30/2007, Pasi.Eronen at nokia.com wrote:
Russ Housley wrote:
> >- The size of authorization data, i.e., X.509 attribute
> > certs and SAML assertions, are limited to 64kb. Is it certain
> > that we won't need more?
>
> I recall responding to this the first time around. I said that
> I could not imagine needing 64KB for X.509 Attribute Certificates,
> but I do not have experience with SAML Assertions. I know they
> are bigger, but I do not have any way to gauge the likelihood
> that 64KB will not be enough.
One relatively simple SAML assertion example from the SAML specs
is 3.5 KB. If it used 4096-bit RSA keys instead of 1024, and
included a holder-of-key SubjectConfirmation block, it would be
maybe 6 KB. If it included more complex assertions or additional
certificates, it could get over 10 KB.
IMHO the safety margin is too small for "64K ought to be enough for
everyone" :-)
Best regards,
Pasi
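An added example, not code from the draft or from either author: a Python encoder and bounds-checked parser for the vectors quoted above, showing how the outer list's ceiling is hit once entries approach the sizes Pasi estimates. The 3-byte prefix for 2^24-1 follows the usual TLS length-prefix rule; the entry blobs are constructed, and the draft's per-entry type tag is omitted as a simplification.

```python
# Encoding helpers for the TLS presentation-language vectors quoted above.
# The ceilings come from the draft; a vector's length prefix is as many bytes
# as its ceiling needs (2 bytes for 2^16-1, 3 bytes for 2^24-1).
LEN16_MAX = 2**16 - 1   # authz_data_list, X509AttrCert, SAMLAssertion today
LEN24_MAX = 2**24 - 1   # the proposed wider ceiling for authz_data_list
def encode_vector(payload, max_len):
    """Serialize one <1..max_len> vector: big-endian length, then the bytes."""
    if not 1 <= len(payload) <= max_len:
        raise ValueError(f"length {len(payload)} outside <1..{max_len}>")
    width = (max_len.bit_length() + 7) // 8
    return len(payload).to_bytes(width, "big") + payload

def decode_vector(buf, max_len):
    """Parse one vector, returning (payload, rest); rejects a declared length
    outside the ceiling or longer than the bytes actually present."""
    width = (max_len.bit_length() + 7) // 8
    if len(buf) < width:
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[:width], "big")
    if not 1 <= n <= max_len:
        raise ValueError(f"declared length {n} outside <1..{max_len}>")
    if len(buf) < width + n:
        raise ValueError("truncated vector body")
    return buf[width:width + n], buf[width + n:]

def encode_authz_data(entries, list_max):
    """Build AuthorizationData from opaque entries (X509AttrCert or
    SAMLAssertion blobs); the draft's per-entry type tag is omitted (assumption)."""
    body = b"".join(encode_vector(e, LEN16_MAX) for e in entries)
    return encode_vector(body, list_max)

def decode_authz_data(buf, list_max):
    """Inverse of encode_authz_data: returns the list of entry payloads."""
    body, rest = decode_vector(buf, list_max)
    if rest:
        raise ValueError("trailing bytes after AuthorizationData")
    entries = []
    while body:
        entry, body = decode_vector(body, LEN16_MAX)
        entries.append(entry)
    return entries

def fits(entries, list_max):
    """True if the serialized list stays within the outer vector's ceiling."""
    try:
        encode_authz_data(entries, list_max)
        return True
    except ValueError:
        return False
# Constructed sample: seven ~10 KB blobs (Pasi's complex-SAML estimate) overflow
# a 2^16-1 list but fit easily in 2^24-1.
SAMPLE_ENTRIES = [bytes([i]) * (10 * 1024) for i in range(1, 8)]
```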
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls