Among other things, it means that a Dilithium signature would require fragmentation, or fail to transfer. If the 253-octet limitation applies, then no PQ signature can work (without fragmentation)...
On 10/12/22, 13:41, "OPSAWG on behalf of Alan DeKok" <[email protected] on behalf of [email protected]> wrote:

> On Oct 12, 2022, at 1:32 PM, Ben Schwartz <[email protected]> wrote:
> > The Encrypted-DNS-SvcParams TLV seems to be limited to 253 octets. This is a problem, since it is meant to hold a SvcParams object that is allowed to be much larger (up to ~65000 octets in principle).
>
> The length is less than 253 octets, as it is encapsulated inside of another attribute "wrapper". So the practical limit is probably 250 or less.
>
> RADIUS provides for encoding more than 253 octets in an attribute. See https://www.rfc-editor.org/rfc/rfc8044#section-3.16
>
> However, this capability exists only for "top level" attributes, and cannot be used here.
>
> Further, RADIUS packets are generally limited to 4K octets total. So even if the limits on this attribute are removed, then there's still a practical limit of around 4000 octets.
>
> Alan DeKok.
>
> _______________________________________________
> OPSAWG mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/opsawg
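The three limits discussed in this thread (one-octet attribute Length, no fragmentation for a TLV nested inside a wrapper attribute, 4096-octet packet) can be checked numerically. The following is an added example, not code from the thread or from any draft; it models the RFC 2865 standard attribute and the RFC 6929 long-extended attribute, and the wrapper/TLV header sizes it uses for the nested case are assumptions, not the layout of the Encrypted-DNS-SvcParams draft.

```python
# Added example: RADIUS attribute capacity and long-extended fragmentation model.
# Header sizes for the nested-TLV case are assumptions used for illustration.
import math
import struct

MAX_ATTR_LEN = 255   # RFC 2865: one-octet Length covers Type + Length + Value
STD_HDR = 2          # standard attribute: Type, Length
LONG_EXT_HDR = 4     # RFC 6929 sec 2.2: Type, Length, Extended-Type, M|Reserved
TLV_HDR = 2          # RFC 6929 sec 2.3: TLV-Type, TLV-Length
MAX_PACKET = 4096    # RFC 2865 sec 3: maximum packet length
PACKET_HDR = 20      # Code, Identifier, Length, Authenticator


def nested_tlv_capacity(wrapper_hdr: int = STD_HDR) -> int:
    """Largest TLV value that fits in one non-fragmentable wrapper attribute."""
    return MAX_ATTR_LEN - wrapper_hdr - TLV_HDR


def encode_long_extended(attr_type: int, ext_type: int, value: bytes) -> list:
    """Split a top-level value into RFC 6929 long-extended fragments.
    The M (more) flag, bit 7 of the fourth octet, is set on all but the last."""
    chunk = MAX_ATTR_LEN - LONG_EXT_HDR  # 251 data octets per fragment
    pieces = [value[i:i + chunk] for i in range(0, len(value), chunk)] or [b""]
    frags = []
    for idx, piece in enumerate(pieces):
        more = 0x80 if idx < len(pieces) - 1 else 0x00
        hdr = struct.pack("!BBBB", attr_type, LONG_EXT_HDR + len(piece), ext_type, more)
        frags.append(hdr + piece)
    return frags


def reassemble_long_extended(frags: list) -> bytes:
    """Inverse of encode_long_extended; rejects a chain with a missing last fragment."""
    if frags[-1][3] & 0x80:
        raise ValueError("last fragment still has M flag set: chain is incomplete")
    return b"".join(f[LONG_EXT_HDR:] for f in frags)


def fits_in_packet(value_len: int, other_octets: int = 0) -> bool:
    """Whether a long-extended payload of value_len octets fits in one packet,
    counting the per-fragment header overhead and any other attributes present."""
    n_frag = max(1, math.ceil(value_len / (MAX_ATTR_LEN - LONG_EXT_HDR)))
    return PACKET_HDR + other_octets + value_len + n_frag * LONG_EXT_HDR <= MAX_PACKET


if __name__ == "__main__":
    # Constructed sample: 2420 octets, the size of a Dilithium2 (round-3) signature.
    sig = bytes(2420)
    print("nested TLV capacity:", nested_tlv_capacity())         # 251
    print("fragments needed:", len(encode_long_extended(245, 1, sig)))  # 10
    print("fits in one packet:", fits_in_packet(len(sig)))       # True
    print("65000-octet SvcParams fits:", fits_in_packet(65000))  # False
```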
