[Cryptography] Thoughts on X.509

Tushar Patel tjpatel.tl at gmail.com
Fri Apr 9 18:30:37 EDT 2021


One of the items that amuses me is that X.509 certificates, which vary from
about 1k to 4k in size, require a chain of 3 CAs for about 4 to 16k, and,
considering the OCSP/CRL chains for the CAs, could be another 4 times that, while the
authentication is usually of the networking end-point service, like a web
server/client on an IP/FQDN, which is generally under 512 bytes.


Shouldn't it be time to improve on this? I think it should be one of the
main initiatives at the IETF. Given the amount of new nodes, we may just be
creating a new IPv4-type problem which will take over an eon to adapt out
from, with an excessive amount of wasted keys, storage and ASN.1 fields,
apart from the CVE patching for 30+ yrs. of X.509.


Also, the PKIX group was canned; however, somehow this has surged with 64K
certs and huge SAN lists of 100/200 entries.


Ponderer,

Tushar