Summary
The SPIFFE specification §2.3 requires that a SPIFFE ID SHOULD NOT exceed 2048 bytes. ZeroID does not enforce this limit; a sufficiently long `external_id` or other path component could produce a SPIFFE ID longer than 2048 bytes, which is invalid per spec and may cause interoperability failures with conformant validators.
Location
SPIFFE URI construction — wherever the final `spiffe://...` string is assembled before storage or embedding in a JWT.
Fix
After assembling the full SPIFFE URI string, check `len([]byte(uri)) <= 2048` and return an error if exceeded.
Reference
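A sketch of the check described under Fix, added here as an illustration and not taken from ZeroID's code. `BuildSPIFFEID`, `ErrSPIFFEIDTooLong`, the `agent` path layout and the `example.org` trust domain are hypothetical names chosen for the example; the check runs on the fully assembled URI and counts bytes, not characters.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// MaxSPIFFEIDBytes is the limit the issue cites from SPIFFE spec section 2.3.
const MaxSPIFFEIDBytes = 2048

// ErrSPIFFEIDTooLong lets callers distinguish this failure with errors.Is.
var ErrSPIFFEIDTooLong = errors.New("spiffe id exceeds 2048 bytes")

// BuildSPIFFEID (hypothetical helper) joins a trust domain and path segments
// into a spiffe:// URI and rejects the result if it is over the byte limit.
func BuildSPIFFEID(trustDomain string, segments ...string) (string, error) {
	var b strings.Builder
	b.WriteString("spiffe://")
	b.WriteString(trustDomain)
	for _, s := range segments {
		if s == "" {
			return "", errors.New("empty path segment")
		}
		b.WriteByte('/')
		b.WriteString(s)
	}
	uri := b.String()
	// len() on a Go string is its byte length, equivalent to len([]byte(uri)).
	// The check is on the whole URI, so scheme, trust domain and every
	// separator count toward the limit, not just the external_id.
	if n := len(uri); n > MaxSPIFFEIDBytes {
		return "", fmt.Errorf("%w: got %d bytes", ErrSPIFFEIDTooLong, n)
	}
	return uri, nil
}

func main() {
	// Constructed inputs: a short external_id and an oversized one.
	for _, externalID := range []string{"svc-42", strings.Repeat("x", 3000)} {
		id, err := BuildSPIFFEID("example.org", "agent", externalID)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("ok:", id)
	}
}
```

Rejecting at construction time keeps an over-long ID from being stored or embedded in a JWT, the two sinks named under Location.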