W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

RE: Limit public keys and SAN entries? (was Re: Updated IdP to new spec.)

From: Andrei Sambra <andrei@fcns.eu>
Date: Tue, 29 Nov 2011 09:52:19 +0100
Message-ID: <4ED49D43.2020607@fcns.eu>
To: WebID XG <public-xg-webid@w3.org>
On 11/29/2011 12:43 AM, Mo McRoberts wrote:
>  > How many keys can we have in a single profile, so that it will not look
>  > like a DoS attack?
> Anything fewer than about a hundred would strike me as needlessly limiting.

Yes, I agree with you there, given the fact that there's a higher 
probability that one will have multiple certificates tied to a single 
profile (multiple browsers, etc.).

> Extracting the modulus and exponent from a key and then iterating the
> cert:modulus and cert:exponent triples in the profile and comparing them
> shouldn’t really be a slow operation (not to the point of ~30 keys
> timing out) — how are you going about it?

That's exactly how I do it. I extract the public key components from the 
client's certificate, then compare it with all the public keys described 
in the profile. I don't really understand why Kingsley thought the 
system would timeout, especially since the real problem comes when 
fetching the foaf profile (which I have limited to 3).

> M.
Received on Tuesday, 29 November 2011 08:56:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:48 UTC