Re: [secdir] Please review draft-ietf-capwap-protocol-specification's use of certificates



>>>>> "Scott" == Scott G Kelly <s.kelly@xxxxxxxxxxxxx> writes:

    Scott> Hi Joe,
    Scott> jsalowey wrote:
    >> It seems that stating that the identifier used in a certificate
    >> MUST be a MAC address may be overly restrictive.  It seems you
    >> would want to allow for MAC address, but not require it.  Is
    >> there a reason why the identifier needs to be a MAC address (if
    >> I understand correctly the AC and WTP may not be directly L2
    >> connected and may not have direct knowledge of each other's MAC
    >> address)?
    >> 
    >> Why wouldn't another identifier string be acceptable?
    >> 
    >> Is the MAC address interpreted by the peer or is it just an
    >> identifier string?
    >> 
    >> If there are multiple MAC addresses which one is used?

Joe, I proposed a text change to the WG that implementations must
support certs with MAC addresses, but not that all CAPWAP certs had to
use a MAC address.