For greater clarity, I'd change "as in section 6.4" to "as defined in section 6.4" -- "as in" sounds like section 6.4 is one possible way you'd define the term. :)
Thanks! Peter On 1/24/12 12:17 PM, Brian Trammell wrote: > Hi, Peter, Alexey, all, > > Thanks for the suggestion on fixing the ambiguity in "use" -- that was > bothering me a bit, too... > > Okay, so how about straight NOT RECOMMENDED, which would make the whole > paragraph: > > <t>RID systems MUST verify the identity of their peers against that stored > in the certificate presented. All RID systems MUST be identified by a > certificate containing a <xref target="RFC5280">DNS-ID identifier</xref> > as in section 6.4 of <xref target="RFC6125"/>. The inclusion of Common > Names (CN-IDs) in certificates identifying RID systems is NOT RECOMMENDED. > Wildcards MUST NOT appear in the DNS-ID or CN-ID of a certificate > identifying a RID system. Additional general information on the use of PKI > with RID systems is detailed in Section 9.3 of <xref > target="I-D.ietf-mile-rfc6045-bis"/>.</t> > > And we let people who really, really need to support CN-ID read between the > lines. Thoughts? > > Cheers, > > Brian > > On Jan 24, 2012, at 6:10 PM, Peter Saint-Andre wrote: > >> On 1/24/12 9:59 AM, Alexey Melnikov wrote: >>> On 24/01/2012 16:45, Peter Saint-Andre wrote: >>>> On 1/24/12 2:25 AM, Brian Trammell wrote: >>>>> Hi, Alexey, >>>>> >>>>> So far only one voice on the WG list, stating no need for CN-ID. >>>>> However, on thinking about it a bit further, if you happen to have an >>>>> older PKI built out, and you're still using it, you've probably got a >>>>> large investment in it, and it probably makes sense to allow you to >>>>> use it for RID too... >>>>> >>>>> So, I'd suggest the following language to grudgingly allow such a thing: >>>>> >>>>> The use of CN-ID identifiers in certificates identifying RID systems >>>>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI >>>>> implementations which can use DNS-ID identifiers. However, CN-ID >>>>> identifiers MAY be used when the RID consortium to which the system >>>>> belongs uses an older, existing PKI implementation. >>>> Brian, first of all, thanks for working with us on this topic. As you >>>> can see from the length of RFC 6125 (which didn't start out that big!), >>>> there's more complexity here than meets the eye. >>>> >>>> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be >>>> used by others" might be a bit confusing to those who implement and >>>> deploy RID. Also, RFC 6125 makes a distinction between cert generation >>>> and cert checking, which gets obscured by the word "use". Thus I might >>>> make the following suggestion: >>>> >>>> The inclusion of Common Names (CN-IDs) in certificates identifying >>>> RID systems is NOT RECOMMENDED. A PKI implementation that >>>> understands DNS-IDs SHOULD ignore CN-IDs when checking server >>>> certificates. >>> I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence >>> of DNS-IDs? I would just rather reference RFC 6125, or at least be clear >>> that this is defined there (using "as specified in RFC 6125"). _______________________________________________ Gen-art mailing list [email protected] https://www.ietf.org/mailman/listinfo/gen-art
