Re: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates

[Stephen Kent <kent@xxxxxxx>]

At 11:25 AM -0800 12/26/07, Bernard Aboba wrote:
>  > I'm not trying to be difficult either.Sam asked PKIX to review
> >  PKI-specific parts of the spec and I did. I expect the IESG to ignore
> >  my objection, given the deployed base you and others cite. But 
> > let's be honest and
> >  recognize that this was an error, probably based on bad advice given
> >  to by the DOCSIS folks.  Also note that PKIX RFCs have taken a strong
> >  stand against putting inappropriate values into the CN field in the
> >  past, e.g., stuffing an e-mail address there, despite the fact that
> >  lots of certs were issued tha way.
>
> If there really is a belief that this is an error, then the right 
> thing to do is for the
> IETF (and PKIX WG) to inform the organizations involved (which now include
> IEEE 802 as well as DOCSIS) of the error, as well as to suggest the correct
> way of doing things.   That way, the error might get fixed.
>
> Merely fixing the CAPWAP protocol spec is only likely to make the
> situation worse, not better, because then we'd have two ways of doing
> the same thing with more on the way.

I agree that making capwap right is problematic, given the extant 
PKIs that have been crated.

However there should be no question that use of the CN to encode a 
MAC address in an X.509 cert is inappropriate. I think the cited text 
is pretty clear on that point, not to mention the inclusion of two 
CNs in the cable model cert spec!

Who, specifically, do you suggest that we contact at each organization?


Steve