Re: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates
At 9:23 PM -0500 12/20/07, Sam Hartman wrote:

Hi, folks. The capwap working group is preparing to last call their protocol specification draft.

I'd appreciate review from the pkix community of section 2.4.4.3 and 12.6 of this draft. These sections specify certificate validation and certificate usage for the protocol. Scott Kelly and Charles Clancy are security advisors for the working group and have been heavily involved.

The capwap certificate profile assumes that the CN in the certificate has structure and contains an ethernet MAC address. The capwap certificate profile also assumes that parts of the subject name such as the organization and organizational unit will be important to certificate matching.

I'd appreciate review and comments.

--Sam
It would be preferable to get an allocated name space for MAC addresses, under the OtherName or, better yet, under registeredID.

I'd argue that it is inappropriate to put a MAC address into a CN. The text from X.520 makes this clear:
    The Common Name attribute type specifies an identifier of an object. A Common Name is not a directory name; it is a (possibly ambiguous) name by which the object is commonly known in some limited scope (such as an organization) and conforms to the naming conventions of the country or culture with which it is associated.

    An attribute value for common name is a string chosen either by the person or organization it describes or the organization responsible for the object it describes for devices and application entities. For example, a typical name of a person in an English-speaking country comprises a personal title (e.g., Mr., Ms., Dr., Professor, Sir, Lord), a first name, middle name(s), last name, generation qualifier (if any, e.g., Jr.) and decorations and awards (if any e.g., QC).

    Examples
        CN = "Mr. Robin Lachlan McLeod BSc(Hons) CEng MIEE"
        CN = "Divisional Coordination Committee"
        CN = "High Speed Modem".
If there is a very strong desire to make use of an existing attribute in the X.502 space, the SerialNumber attribute makes more sense. So long as we are talking about long-term, stable MAC addresses assigned to devices by manufacturers, this is consistent with the semantics of that attribute. Moreover, we have advised folks to use SerialNumber to represent data such as employee/student IDs in the past, so one might expect to see support for this attribute in many CAs and clients.
Steve
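As an added illustration of the alternative raised above (example code, not from the thread, the CAPWAP draft or any library), this Python uses a minimal hand-rolled DER codec to build a subject whose device MAC sits in the X.520 serialNumber attribute instead of the CN, decodes it back, and extracts the MAC with serialNumber preferred over CN. The colon-separated upper-case MAC syntax, the sample O/OU/MAC values and the single-valued-RDN restriction are assumptions made for the example.

```python
import re

# DER contents of the X.520 attribute-type OIDs used here: CN 2.5.4.3, serialNumber 2.5.4.5, O 2.5.4.10, OU 2.5.4.11
OID_CN, OID_SERIAL_NUMBER = bytes.fromhex("550403"), bytes.fromhex("550405")
OID_O, OID_OU = bytes.fromhex("55040a"), bytes.fromhex("55040b")
# MAC syntax accepted here (an assumption: six colon-separated upper-case hex octets).
MAC_RE = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}")

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):
    """Parse one TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_name(attrs):
    """[(oid_contents, text)] -> DER Name: SEQUENCE OF SET OF SEQUENCE {OID, PrintableString}."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x13, text.encode("ascii"))))
                    for oid, text in attrs)
    return _tlv(0x30, rdns)

def decode_name(der):
    """Inverse of encode_name (single-valued RDNs only); returns [(oid_contents, text)]."""
    _, rdns, _ = _read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid, after_oid = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, after_oid)
        attrs.append((oid, value.decode("ascii")))
    return attrs

def device_mac(attrs):
    """Prefer a well-formed MAC in serialNumber (the reply's suggestion) over one in CN (the draft's)."""
    for wanted, label in ((OID_SERIAL_NUMBER, "serialNumber"), (OID_CN, "commonName")):
        for oid, text in attrs:
            if oid == wanted and MAC_RE.fullmatch(text):
                return label, text
    return None

# Constructed sample subject (values are invented): O, OU and the device MAC carried in serialNumber.
SAMPLE_SUBJECT = encode_name([(OID_O, "Example Corp"), (OID_OU, "WTP"), (OID_SERIAL_NUMBER, "00:11:22:AA:BB:CC")])
```

Matching on O and OU as the draft describes is then a comparison of the decoded (oid, text) pairs against the expected values, with the MAC taken from whichever attribute carries it.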