RE: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates
Steve, there may be a fleeting opportunity with DOCSIS in the new spec
3.0 to right the wrong. The BPI (basic privacy) part of DOCSIS deals
with using the X.509 certs. BPI is being altered for 3.0, and most
manufacturers haven't fully started making 3.0-compatible modems.
If you are interested, I can help facilitate a meeting with the Cable
Labs security folks who write these specs. Very soon all consumer
electronics products with a network connection will probably end up with
a certificate. I know that we are moving in that direction now. I know
that Cable Labs isn't fully using the value of the current cert because
of various problems, but they plan on making better use of it in the near
future.
I do think, though, that PKIX should pull the profile out of CAPWAP and
define a compatible profile. That way multiple RFCs can reference the
profile, and DOCSIS, CableHome, OpenCable, PacketCable, CAPWAP,
and others could all run from the same profile for device-oriented
certificates.
Ron Ogle
Thomson Product Security
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx
> [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Stephen Kent
> Sent: Wednesday, December 26, 2007 2:03 PM
> To: Scott G. Kelly
> Cc: Sam Hartman; capwap-chairs@xxxxxxxxxxxxxx;
> ietf-pkix@xxxxxxx; secdir@xxxxxxx
> Subject: Re: [secdir] Please review
> draft-ietf-capwap-protocol-specification's use of certificates
>
>
....
>
> I'm not trying to be difficult either. Sam asked PKIX to review
> PKI-specific parts of the spec and I did. I expect the IESG to ignore
> my objection, given the deployed base you and others cite. But let's
> be honest and recognize that this was an error, probably based on bad
> advice given by the DOCSIS folks. Also note that PKIX RFCs have taken
> a strong stand against putting inappropriate values into the CN field
> in the past, e.g., stuffing an e-mail address there, despite the fact
> that lots of certs were issued that way.
>
> Steve