RE: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates

[pgut001@xxxxxxxxxxxxxxxxx (Peter Gutmann)]

Stephen Kent <kent@xxxxxxx> writes:

>If the DOCSIS and PacketCable specs preceded the X.520 publication, this
>would have been a good argument. But these specs came along much later. The
>folks at Cable Labs who decided to put the MAC address in the CN  made a poor
>choice.

Only in the eyes of X.500 theologists.  As a pragmatic decision it's perfectly
appropriate.  If you're identifying a CC holder, the CN is your credit card
number.  If you're identifying a taxpayer, the CN is the taxpayer ID.  If
you're identifying a web server, the CN is the server's URL/FQDN.  If you're
identifying a piece of hardware addressed by MAC address, the CN is the MAC
address.

>If one looks at ALL of the text associated with the definition of CN, it is
>clear what sorts of names are envisioned

Yup, something that works with the global X.500 directory.  Just as soon as
that appears we can start requiring people to choose names compliant with it.

Peter.