
Re: Moving PIC forwards



aboba@xxxxxxxxxxxxx (Bernard Aboba) writes:
> The fragmentation I've observed is already intentional. If people aren't
> up for TCP, then another alternative would be support of a
> "continuation" mechanism to spread the cert payload across multiple UDP
> packets. 

What MTU should we use then? 576? Doesn't this triple+ the number of packets in
the normal case, and it'd happen only thanks to braindead routers?
[ one can argue that 1500-byte packets are de facto, but one can also argue
that <some poor fellow out there> is using ADSL+PPPoE with a low MTU.. ]

(Secondary alternative, own PMTU-detection scheme by trial-and-error, I
 won't even go into.. nor user configuration :P)

Is the problem _really_ out there? I personally haven't encountered it
much, but my cert chains have been mostly on the short side.

 - If the problem is broken configuration of a firewall (i.e. I know of
 firewalls that have been configured with an insanely low number of fragments
 to keep / time to keep them), then it can be amended (hopefully) by cluebrick.

 - If it's a matter of product, we should just embrace some form of 'IPsec
 compatible' term to differentiate between broken and working firewalls.

Admittedly, I know firsthand the pain of "we do not want to change <X>" in
organizations, but still, I find it interesting that some parties in the IETF
push for weird (and of course useful) stuff like IPv6, which requires a total
change of hardware et al, and others (like us, it seems) are mostly
concerned with getting SOMETHING working by kludging around the existing crap
out there.

(and to be politically correct, no offense, for the humor impaired that
 happen to have/work on a firewall which is broken)

-Markus