Hi, Peter, Alexey, all,
Thanks for the suggestion on fixing the ambiguity in "use" -- that was
bothering me a bit, too...
Okay, so how about straight NOT RECOMMENDED, which would make the whole
paragraph:
<t>RID systems MUST verify the identity of their peers against that stored
in the certificate presented. All RID systems MUST be identified by a
certificate containing a <xref target="RFC5280">DNS-ID identifier</xref>
as in section 6.4 of <xref target="RFC6125"/>. The inclusion of Common
Names (CN-IDs) in certificates identifying RID systems is NOT RECOMMENDED.
Wildcards MUST NOT appear in the DNS-ID or CN-ID of a certificate
identifying a RID system. Additional general information on the use of PKI
with RID systems is detailed in Section 9.3 of <xref
target="I-D.ietf-mile-rfc6045-bis"/>.</t>
And we let people who really, really need to support CN-ID read between the
lines. Thoughts?
Cheers,
Brian
On Jan 24, 2012, at 6:10 PM, Peter Saint-Andre wrote:
> On 1/24/12 9:59 AM, Alexey Melnikov wrote:
>> On 24/01/2012 16:45, Peter Saint-Andre wrote:
>>> On 1/24/12 2:25 AM, Brian Trammell wrote:
>>>> Hi, Alexey,
>>>>
>>>> So far only one voice on the WG list, stating no need for CN-ID.
>>>> However, on thinking about it a bit further, if you happen to have an
>>>> older PKI built out, and you're still using it, you've probably got a
>>>> large investment in it, and it probably makes sense to allow you to
>>>> use it for RID too...
>>>>
>>>> So, I'd suggest the following language to grudgingly allow such a thing:
>>>>
>>>> The use of CN-ID identifiers in certificates identifying RID systems
>>>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
>>>> implementations which can use DNS-ID identifiers. However, CN-ID
>>>> identifiers MAY be used when the RID consortium to which the system
>>>> belongs uses an older, existing PKI implementation.
>>> Brian, first of all, thanks for working with us on this topic. As you
>>> can see from the length of RFC 6125 (which didn't start out that big!),
>>> there's more complexity here than meets the eye.
>>>
>>> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
>>> used by others" might be a bit confusing to those who implement and
>>> deploy RID. Also, RFC 6125 makes a distinction between cert generation
>>> and cert checking, which gets obscured by the word "use". Thus I might
>>> make the following suggestion:
>>>
>>> The inclusion of Common Names (CN-IDs) in certificates identifying
>>> RID systems is NOT RECOMMENDED. A PKI implementation that
>>> understands DNS-IDs SHOULD ignore CN-IDs when checking server
>>> certificates.
>> I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence
>> of DNS-IDs? I would just rather reference RFC 6125, or at least be clear
>> that this is defined there (using "as specified in RFC 6125").
>
> Yes, so you're right: just reference the rules from RFC 6125.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
