________________________________
From: Ryan Hurst [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 21, 2007 9:15 AM
To: Joseph Salowey (jsalowey); Bernard Aboba; [email protected]
Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
in-line
________________________________
From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]
Sent: Wed 2/21/2007 9:04 AM
To: Ryan Hurst; Bernard Aboba; [email protected]
Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
> If subject naming information is present only in the subject name
> field and the peer identity represents a user, then the subject name
> field SHOULD contain an emailAddress RDN. If the peer identity
> represents a host or device the subject name field SHOULD contain a
> CN RDN or Serial Number RDN.
>
> [rmh] If you say they can include a serialNumber (not Serial Number)
> RDN then you have to specify processing semantics when more than one
> are present, and discuss what sort of value is used here, etc.
>
> [rmh] I suggest dropping the " or Serial Number RDN" portion of this
> text; we can if appropriate work on an appendix or other RFC that
> discusses these issues. I suspect the right answer will be to
> reference the Permanent Identifier RFC from the PKIX working group,
> which already deals with these problems.
>

[Joe] Would you not have to do the same with email address or CN? It
seems it would be possible for multiple of these to be present. There
should not be any semantics associated with a serial number other than
it is an identifier. It should not be interpreted as a MAC address or
some other value without additional knowledge outside this
specification. I agree that this would not be the place to consistently
find a MAC address. I would prefer to keep Serial Number as a
possibility as it is at least as relevant as the other fields. I would
be fine with the previous text I posted with a MAY.

[rmh] Although you're right about the fact that multiple RDNs can be
used to make up a DN universally, other RDNs are non-ambiguous while
serialNumber conceptually is not.

[Joe] Can you expand upon this? Why is SerialNumber different than
other RDNs?

[rmh] Conceptually a serial number is an exact match to an entity; for
example, no two Tivos share the same serial number but they could all
share the same common name of Tivo Series 2.

[Joe] OK.

[rmh] In my case there is an actor who also shares the name Ryan Hurst
(http://www.imdb.com/name/nm0403652/) but we both have unique SSNs.

[Joe] OK

[rmh] Since a CN is not intended to be non-ambiguous, it's reasonable
for me to have multiple CNs in a certificate, all of which are
appropriate as a common name of me; for example I could have one that
is just Ryan, another that is Ryan Hurst, another that is Ryan M Hurst.

[Joe] A device could be composed of multiple parts (such as line cards)
each with its own serial number. There can also be various formats and
representations of a serial number.

[rmh] Since a serial number is an exact match, what does it mean if you
have multiple serial numbers?

[Joe] I don't see any more confusion over having multiple serial numbers
than having multiples of any other attribute.

[rmh] As for the value, EAP is not 802.11 only, therefore a device id
should not be a MAC; also a MAC has locally administered and globally
administered versions, and you would probably want to restrict the use
to the globally issued ones. Then there are the privacy issues: since
the MAC is used as a source address, an attacker can presume that if an
EAP authentication is successful the MAC used in the source address was
authenticated. I think there are other issues related to it being a MAC
address that should be thought through before it is added, especially
if it's not even common practice today, which it doesn't appear to be.

[Joe] I think we are in agreement here.

> If subject naming information is present only in the subject name
> field of a server certificate, then the subject name field MUST
> contain a CN RDN or Serial Number RDN.
>
> [rmh] See my prior statements on serialNumber RDN.
>
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
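The identity-selection rule argued over in the thread, as an added example that is not code from the draft, the EMU working group or either poster: a small Python routine that parses an RFC 4514 subject DN string, takes the emailAddress RDN for a user peer and a CN or serialNumber RDN for a host/device peer, and treats a subject carrying more than one serialNumber as ambiguous (the objection [rmh] raises) while accepting several CNs. The rule set, the function names and the sample DNs are assumptions constructed for this example.

```python
"""Pick an EAP-TLS peer identity out of an X.509 subject DN.

Added example, not code from the draft or the thread's authors. The rules are
an assumption read from the quoted text: user -> emailAddress RDN; host or
device -> CN or serialNumber RDN, with more than one serialNumber rejected as
ambiguous (the objection [rmh] raises). Input is an RFC 4514 DN string.
"""
import re
from typing import List, Tuple

RDN = List[Tuple[str, str]]  # one RDN may carry several type=value pairs

class AmbiguousIdentity(ValueError):
    """Subject does not name exactly one entity."""

def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on sep while keeping backslash-escaped characters together."""
    return re.findall(r"(?:\\.|[^\\" + re.escape(sep) + r"])+", text)

def parse_dn(dn: str) -> List[RDN]:
    """'CN=a,serialNumber=1+CN=b' -> [[('CN', 'a')], [('serialNumber', '1'), ('CN', 'b')]]"""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn = []
        for ava in _split_unescaped(rdn_text, "+"):  # '+' joins a multi-valued RDN
            attr_type, _, value = ava.partition("=")
            rdn.append((attr_type.strip(), re.sub(r"\\(.)", r"\1", value.strip())))
        rdns.append(rdn)
    return rdns

def _values(rdns: List[RDN], attr_type: str) -> Tuple[str, ...]:
    return tuple(v for rdn in rdns for t, v in rdn if t.lower() == attr_type.lower())

def select_peer_identity(dn: str, peer_is_user: bool) -> Tuple[str, Tuple[str, ...]]:
    """Return (attribute type, values) that identify the peer, or raise."""
    rdns = parse_dn(dn)
    if peer_is_user:
        emails = _values(rdns, "emailAddress")
        if not emails:
            raise ValueError("user peer: subject has no emailAddress RDN")
        return "emailAddress", emails
    serials = _values(rdns, "serialNumber")
    if len(serials) > 1:  # one serial number names one entity; two is a contradiction
        raise AmbiguousIdentity(f"{len(serials)} serialNumber RDNs: {serials}")
    if serials:
        return "serialNumber", serials
    cns = _values(rdns, "CN")  # several CNs may all be legitimate names of one peer
    if not cns:
        raise ValueError("device peer: subject has no CN or serialNumber RDN")
    return "CN", cns
```

A line-card chassis whose subject carries one serialNumber per card is exactly the case that raises AmbiguousIdentity; whether that should instead be resolved by a rule is the question left open in the thread.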