in-line

________________________________

From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
Sent: Wed 2/21/2007 9:04 AM
To: Ryan Hurst; Bernard Aboba; [email protected]
Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt


 

        >    If subject naming information is present only in the subject name
        >    field and the peer identity represents a user, then the
        > subject name
        >    field SHOULD contain an emailAddress RDN.  If the peer identity
        >    represents a host or device the subject name field SHOULD contain a
        >    CN RDN or Serial Number RDN.
        > [rmh] If you say they can include a serialNumber (not Serial
        > Number) RDN then you have to specify processing semantics
        > when more than one are present, and discuss what sort of
        > value is used here, etc.
        > [rmh] I suggest dropping the " or Serial Number RDN" portion
        > of this text; we can, if appropriate, work on an appendix or
        > other RFC that discusses these issues. I suspect the right
        > answer will be to reference the Permanent Identifier RFC from
        > the PKIX working group, which already deals with these problems.
        >
        
        [Joe] Would you not have to do the same with email address or CN?  It
        seems it would be possible for several of these to be present.  There
        should not be any semantics associated with a serial number other than
        that it is an identifier.  It should not be interpreted as a MAC address or
        some other value without additional knowledge outside this
        specification.  I agree that this would not be the place to consistently
        find a MAC address.  I would prefer to keep Serial Number as a
        possibility, as it is at least as relevant as the other fields.  I would
        be fine with the previous text I posted with a MAY.
        

        [rmh] Although you're right that multiple RDNs can be used to make up
        a DN, universally other RDNs are non-ambiguous while serialNumber
        conceptually is not.

        [Joe] Can you expand upon this?  Why is serialNumber different from
        other RDNs?

        [rmh] Conceptually a serial number is an exact match to an entity; for
        example, no two TiVos share the same serial number, but they could all
        share the same common name of TiVo Series 2.

        [rmh] In my case there is an actor who also shares the name Ryan
        Hurst (http://www.imdb.com/name/nm0403652/), but we both have unique SSNs.

        [rmh] Since CN is not intended to be non-ambiguous, it's reasonable
        for me to have multiple CNs in a certificate, all of which are appropriate
        as a common name of me; for example, I could have one that is just Ryan,
        another that is Ryan Hurst, another that is Ryan M Hurst.

        [rmh] Since a serial number is an exact match, what does it mean if you
        have multiple serial numbers?

        [rmh] As for the value, EAP is not 802.11-only; therefore a device ID
        should not be a MAC.  Also, a MAC has locally administered and globally
        administered versions; you would probably want to restrict the use to the
        globally issued ones.  Then there are the privacy issues: since the MAC is
        used as a source address, an attacker can presume that if an EAP
        authentication is successful, the MAC used in the source address was
        authenticated.  I think there are other issues related to it being a MAC
        address that should be thought through before it is added, especially if
        it's not even common practice today, which it doesn't appear to be.

        [Joe]  I think we are in agreement here.  

        
        >    If subject naming information is present only in the subject name
        >    field of a server certificate, then the subject name field MUST
        >    contain a CN RDN or Serial Number RDN.
        > [rmh] See my prior statements on serialNumber RDN.
        >
        >
        

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
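The thread's disagreement is about what a relying party should do when a subject DN carries several CN RDNs (all acceptable names for one entity) versus several serialNumber RDNs (which, if a serial number is an exact match to one entity, cannot all be right). The following is an added example, not code from the draft or from either poster: a minimal DER encoder and decoder for an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) and a selection routine that applies the draft's emailAddress / CN / serialNumber wording. The OID values are the real ones for those attribute types; the sample subjects, the "try CN before serialNumber" preference and the rejection of a subject with more than one serialNumber attribute are assumptions made for illustration, not rules stated in the draft.

```python
# Added example (not from the draft or the thread). OIDs below are the DER
# contents of the real attribute types; sample subjects and the selection
# policy (CN before serialNumber, reject repeated serialNumber) are assumptions.

OID_CN = bytes.fromhex("550403")                 # 2.5.4.3 commonName
OID_SERIAL = bytes.fromhex("550405")             # 2.5.4.5 serialNumber
OID_EMAIL = bytes.fromhex("2A864886F70D010901")  # 1.2.840.113549.1.9.1 emailAddress
ATTR_NAMES = {OID_CN: "CN", OID_SERIAL: "serialNumber", OID_EMAIL: "emailAddress"}


def der_len(n):
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def encode_name(rdns):
    """rdns: list of RDNs, each a list of (oid, value) pairs.
    A multi-valued RDN is simply a SET with more than one AttributeTypeAndValue."""
    out = b""
    for rdn in rdns:
        atvs = b""
        for oid, value in rdn:
            # emailAddress is IA5String (0x16); CN and serialNumber are PrintableString (0x13)
            vtag = 0x16 if oid == OID_EMAIL else 0x13
            atvs += tlv(0x30, tlv(0x06, oid) + tlv(vtag, value.encode("ascii")))
        out += tlv(0x31, atvs)
    return tlv(0x30, out)


def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content


def decode_name(der):
    tag, content, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a Name SEQUENCE")
    rdns = []
    for stag, rdn_bytes in iter_tlvs(content):
        if stag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn = []
        for atag, atv in iter_tlvs(rdn_bytes):
            parts = list(iter_tlvs(atv))
            if atag != 0x30 or len(parts) != 2 or parts[0][0] != 0x06:
                raise ValueError("malformed AttributeTypeAndValue")
            rdn.append((parts[0][1], parts[1][1].decode("ascii")))
        rdns.append(rdn)
    return rdns


def pick_identity(der, peer_kind):
    """Return (attribute, values) chosen from the subject name, or None.
    Assumed policy: a user identity comes from emailAddress; a device or server
    identity from CN, falling back to serialNumber. Several CNs are all returned
    (each is a valid name for the entity); more than one serialNumber attribute
    is treated as ambiguous because a serial number should match exactly one entity."""
    attrs = {}
    for rdn in decode_name(der):
        for oid, value in rdn:
            attrs.setdefault(ATTR_NAMES.get(oid, oid.hex()), []).append(value)
    if len(attrs.get("serialNumber", [])) > 1:
        raise ValueError("ambiguous subject: more than one serialNumber attribute")
    if peer_kind == "user":
        wanted = ["emailAddress"]
    elif peer_kind in ("device", "server"):
        wanted = ["CN", "serialNumber"]
    else:
        raise ValueError("peer_kind must be user, device or server")
    for name in wanted:
        if name in attrs:
            return name, attrs[name]
    return None


# Constructed sample subjects (not taken from any real certificate).
USER_SUBJECT = encode_name([
    [(OID_CN, "Ryan")], [(OID_CN, "Ryan Hurst")], [(OID_CN, "Ryan M Hurst")],
    [(OID_EMAIL, "[email protected]")],
])
DEVICE_SUBJECT = encode_name([[(OID_CN, "TiVo Series 2")], [(OID_SERIAL, "TSN-0001")]])
SERIAL_ONLY_SUBJECT = encode_name([[(OID_SERIAL, "TSN-0001")]])
AMBIGUOUS_SUBJECT = encode_name([[(OID_SERIAL, "TSN-0001")], [(OID_SERIAL, "TSN-0002")]])

if __name__ == "__main__":
    print(pick_identity(USER_SUBJECT, "user"))
    print(pick_identity(USER_SUBJECT, "device"))
    print(pick_identity(DEVICE_SUBJECT, "device"))
    print(pick_identity(SERIAL_ONLY_SUBJECT, "device"))
    try:
        pick_identity(AMBIGUOUS_SUBJECT, "device")
    except ValueError as err:
        print("rejected:", err)
```

The decoder counts attribute occurrences across every RDN, so a serialNumber repeated in two separate RDNs and two serialNumber values inside one multi-valued RDN are both rejected; the three CNs in the user subject are returned together, which is the behaviour the thread argues is harmless for CN but undefined for serialNumber.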
