RE: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates
At 1:15 AM -0500 12/27/07, Ogle Ron wrote:
Steve, there may be a fleeting opportunity with DOCSIS in the new spec
3.0 to right the wrong.  The BPI (basic privacy) part of DOCSIS deals
with using the X.509 certs.  BPI is being altered for 3.0, and
most manufacturers haven't fully started making 3.0 compatible modems.

If you are interested, I can help facilitate a meeting with the Cable
Labs security folks who write these specs.  Very soon all consumer
electronics products with a network connection will probably end up with
a certificate.  I know that we are moving that direction now.  I know
that Cable Labs isn't fully using the value of the current cert because
of various problems, but they plan on making better use in the near
future.

I do think though that PKIX should pull the profile out of CAPWAP, and
define a compatible profile.  This way multiple RFCs can reference the
profile.  This way DOCSIS, Cable Home, OpenCable, PacketCable, CAPWAP,
and others could all run from the same profile for device-oriented
certificates.

Ron Ogle
Thomson Product Security

Ron,

Thanks for the info re the 3.0 update of DOCSIS. Also feel free to point the Cable Labs security folks to the latest PKIX spec in this area, 3280bis, which has just completed IETF last call.

PKIX usually lets other WGs in the IETF develop profiles of our profile of X.509, when necessary for a given context. See the ongoing efforts in the SIDR WG as an example, and similar work in the SIP arena too. So it would be unusual for PKIX to take on the task of developing profiles for DOCSIS, PacketCable, Cable Home, and OpenCable. However, if there is not a suitable, extant IETF WG where this can be done, we might make an exception (if the PKIX membership and our cognizant AD agree). In any case, these folks should feel free to solicit review of their profiles if they are concerned about compatibility with IETF protocols.

Steve