Subject: Response to ITU-T SG 17 Liaison message
Date: 28 February 2008
From: Stephen Kent

Gentlemen:

First let me apologize for not having replied sooner to your liaison message of October 15, 2007. Nonetheless, this message should reach you prior to the requested "reply by" date of March 1, 2008.

The topic of making optional the upper bound on attributes used in DirectoryString was discussed at the PKIX Working Group meeting that took place during the 70th IETF meeting in Vancouver, BC. PKIX is concerned with the possible implications of such a change on our standards, which include upper bounds for such attributes in the context of certificates, CRLs, etc.

All PKIX specs that refer to DNs in the context of certificates incorporate the upper bounds we imported from the ITU X.520 recommendation many years ago. As a result, PKIX would need to change numerous RFCs to accommodate removal of these upper bounds. There was no support among the attendees at the PKIX WG meeting for such a change. Later discussion on the PKIX WG mail list did not result in a change in the consensus expressed at the WG meeting. Moreover, several WG members raised concerns that removal of upper bounds might introduce vulnerabilities with regards to bounds checking in deployed software.

Thus PKIX does not, at this time, plan to modify any of its standards to remove upper bounds on attributes.

Stephen Kent
(PKIX co-chair)