Re: I-D Action: draft-thomson-postel-was-wrong-01.txt


I think a better example is what does a TLS client (or IKE initiator/responder) do when it receives a certificate chain (OK, it’s a certificate pile that the receiver is supposed to sort) with 17 certificates?

It’s fair to assume that most normal chains will have a root CA, one or two intermediaries and an EE certificate, so a chain of three because the root does not need to be transmitted. Setting an application limit of 5 or 7 or 10 seems reasonable, because reasonable senders don’t have longer chains. AFAICT the only limit set by RFC 5246 is 16 MB for the entire chain, enough for thousands of certificates. Thousands of certificates is either a bug or a DoS attack, but a shorter chain, like 17 certs, is not.

By the Postel principle, the receiver should accept this chain. In practice I might limit it to a lower number, because I assume nobody does that. I think it’s best for the specification to say that “MUST support a chain of at least 7 and MUST NOT send a chain longer than 7”, and of course you’d have to say that profiles may further reduce this number (for IoT).

Yoav
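The receiver-side limit the post argues for, as an added example (not Yoav's code or any TLS library's): a parser for the RFC 5246 Certificate message body that counts entries in the `certificate_list` vector and rejects a chain deeper than 7 before any DER is decoded, so an oversized or malformed list is dropped cheaply. Function names and the placeholder DER blobs are constructed for the example.

```python
MAX_CHAIN_LEN = 7  # the "MUST support at least 7" floor proposed in the post

class ChainRejected(Exception):
    """Raised when the certificate_list is malformed or too deep."""

def parse_certificate_list(body, max_chain=MAX_CHAIN_LEN):
    """Split a TLS 1.2 Certificate message body (RFC 5246 s.7.4.2) into
    its DER entries, enforcing the depth limit before any DER parsing.

    Wire layout: certificate_list<0..2^24-1> = 3-byte length, followed by
    repeated ASN.1Cert<1..2^24-1> = 3-byte length + DER bytes.  The 3-byte
    length is what makes the 16 MB (2^24-1) bound the only limit in the RFC.
    """
    if len(body) < 3:
        raise ChainRejected("truncated certificate_list length")
    list_len = int.from_bytes(body[:3], "big")
    if list_len != len(body) - 3:
        raise ChainRejected("certificate_list length does not match message")
    certs = []
    pos, end = 3, 3 + list_len
    while pos < end:
        if end - pos < 3:
            raise ChainRejected("truncated ASN.1Cert length")
        cert_len = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if cert_len == 0 or pos + cert_len > end:
            raise ChainRejected("ASN.1Cert length out of bounds")
        # Depth check runs on the count alone: the 8th entry is refused
        # without slicing or decoding it.
        if len(certs) >= max_chain:
            raise ChainRejected(f"chain longer than {max_chain} certificates")
        certs.append(body[pos:pos + cert_len])
        pos += cert_len
    return certs

def chain_is_acceptable(body, max_chain=MAX_CHAIN_LEN):
    """Boolean wrapper for the accept/reject decision a receiver makes."""
    try:
        parse_certificate_list(body, max_chain)
        return True
    except ChainRejected:
        return False

def build_certificate_list(certs):
    """Encode DER blobs as a certificate_list; used here to build samples."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return len(entries).to_bytes(3, "big") + entries
```

The placeholder entries below are tiny constructed DER SEQUENCEs, not real certificates; the parser never decodes them, which is the point of checking depth first.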
