in-line ________________________________
From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED] Sent: Tue 2/20/2007 8:54 PM To: Ryan Hurst; Bernard Aboba; [email protected] Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt > > If subject naming information is present only in the subject name > field and the peer identity represents a user, then the > subject name > field SHOULD contain an emailAddress RDN. If the peer identity > represents a host or device the subject name field SHOULD contain a > CN RDN or Serial Number RDN. > [rmh] If you say they can include a serialNumber (not Serial > Number) RDN then you have to specify processing symantics > when more than one are present, and discuss what sort of > value is used here, etc. > [rmh] I suggest dropping the " or Serial Number RDN" portion > of this text, we can if appropriate work on a appendix or > other RFC that discusses these issues; I suspect the right > answer will be to reference the Permanent Identifier RFC from > the PKIX working group which already deals with these problems. > [Joe] Would you not have to do the same with email address or CN? It seems it would be possible for multiple of these to be present. There should not be any semantics associated with a serial number other than it is an identifier. It should not be interpreted as a MAC address or some other value without additional knowledge outside this specification. I agree that this would not be the place to consistently find a MAC address. I would prefer to keep Serial Number as a possibility as it is at least as relevant as the other fields. I would be fine with the previous text I posted with a MAY. [rmh] Although your right that the fact that multiple RDNs can be used to make up a DN universally other RDNs are non-ambiguous while serialNumber conceptually is not, [rmh] As for the value, EAP is not 802.11 only therefore a device id should not be a MAC, also a MAC has locally administered and globally adminstered versions, you would probably want to restrict the use to the globally issued ones, then there are the privacy issues since the MAC is used as a source address a attacker can presume if a EAP authentication is succesfull the MAC used in the source address was authenticated. I think there are other issues related to it being a MAC address that should be thought through before it is added; especially if its not even common practice today which it doesnt apear to be. > If subject naming information is present only in the subject name > field of a server certificate, then the subject name field MUST > contain a CN RDN or Serial Number RDN. > [rmh] See my prior statements on serialNumber RDN. > >
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
