I would agree with Scott. I have personally created over 20M (that's
million) certificates over 4 complete IEEE OUIs with the MAC address in
the CN of the certificate subject DN. Besides the US version of DOCSIS,
we use the same setup for the European equivalent. We actually have 5
different setups: US DOCSIS, EU DOCSIS, US Packet Cable, EU Packet
Cable, and Cable Home operated under Cable Labs and tComLabs.
We are also starting to expand the use to other set top boxes and other
consumer type products that have MAC addresses. I would suggest that
the CAPWAP program remove the ":" from the MAC address. I would also
suggest that this profile be moved under PKIX because as you can see
there are several systems using it. We already have cable modems and
set top boxes used as wireless access points; it would be a shame to
have yet another certificate for the exact same device.
Thanks
Ron Ogle
Product Security
Thomson Inc.