On 24/01/2012 19:17, Brian Trammell wrote:
> Hi, Peter, Alexey, all,
Hi Brian,
> Thanks for the suggestion on fixing the ambiguity in "use" -- that was
> bothering me a bit, too...
> Okay, so how about straight NOT RECOMMENDED, which would make the whole
> paragraph:
> <t>RID systems MUST verify the identity of their peers against that stored
> in the certificate presented. All RID systems MUST be identified by a
> certificate containing a <xref target="RFC5280">DNS-ID identifier</xref>
> as in section 6.4 of <xref target="RFC6125"/>. The inclusion of Common
> Names (CN-IDs) in certificates identifying RID systems is NOT RECOMMENDED.
> Wildcards MUST NOT appear in the DNS-ID or CN-ID of a certificate
> identifying a RID system. Additional general information on the use of PKI
> with RID systems is detailed in Section 9.3 of <xref
> target="I-D.ietf-mile-rfc6045-bis"/>.</t>
> And we let people who really, really need to support CN-ID read between the
> lines. Thoughts?
Your text basically says that DNS-IDs are mandatory to include and use.
RFC 6125 requires DNS-ID to take precedence over CN-ID if both are
present. I don't think this leaves any space for older PKI systems that
only include CN-IDs. If you want to allow for them, I think you need to
make the requirement on having DNS-ID a SHOULD (for example; other ways
might be possible).
But otherwise I am OK with your text.
> Cheers,
> Brian
> On Jan 24, 2012, at 6:10 PM, Peter Saint-Andre wrote:
>> On 1/24/12 9:59 AM, Alexey Melnikov wrote:
>>> On 24/01/2012 16:45, Peter Saint-Andre wrote:
>>>> On 1/24/12 2:25 AM, Brian Trammell wrote:
>>>>> Hi, Alexey,
>>>>> So far only one voice on the WG list, stating no need for CN-ID.
>>>>> However, on thinking about it a bit further, if you happen to have an
>>>>> older PKI built out, and you're still using it, you've probably got a
>>>>> large investment in it, and it probably makes sense to allow you to
>>>>> use it for RID too...
>>>>> So, I'd suggest the following language to grudgingly allow such a thing:
>>>>> The use of CN-ID identifiers in certificates identifying RID systems
>>>>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
>>>>> implementations which can use DNS-ID identifiers. However, CN-ID
>>>>> identifiers MAY be used when the RID consortium to which the system
>>>>> belongs uses an older, existing PKI implementation.
>>>> Brian, first of all, thanks for working with us on this topic. As you
>>>> can see from the length of RFC 6125 (which didn't start out that big!),
>>>> there's more complexity here than meets the eye.
>>>> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
>>>> used by others" might be a bit confusing to those who implement and
>>>> deploy RID. Also, RFC 6125 makes a distinction between cert generation
>>>> and cert checking, which gets obscured by the word "use". Thus I might
>>>> make the following suggestion:
>>>> The inclusion of Common Names (CN-IDs) in certificates identifying
>>>> RID systems is NOT RECOMMENDED. A PKI implementation that
>>>> understands DNS-IDs SHOULD ignore CN-IDs when checking server
>>>> certificates.
>>> I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence
>>> of DNS-IDs? I would just rather reference RFC 6125, or at least be clear
>>> that this is defined there (using "as specified in RFC 6125").
>> Yes, so you're right: just reference the rules from RFC 6125.
>> Peter
>> --
>> Peter Saint-Andre
>> https://stpeter.im/
_______________________________________________
Gen-art mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/gen-art
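As an added illustration that is not part of the thread, the following sketches how a RID implementation might apply the proposed paragraph's rules (DNS-ID required, CN-ID ignored when a DNS-ID is present, no wildcards) and Alexey's legacy-PKI alternative to the identifiers already parsed out of a peer certificate; the PeerIdentifiers type, the verify_rid_peer function, the allow_cn_fallback switch and the host names are all assumptions of this example, and certificate parsing itself is left out.

```python
"""Constructed example: applying the proposed RID peer-identity rule.

Models the check a RID implementation performs on the identifiers parsed
from a peer certificate: DNS-IDs (subjectAltName dNSName entries) take
precedence over CN-IDs, wildcards are rejected outright, and CN-ID
fallback is consulted only when explicitly enabled for a consortium's
older PKI (the SHOULD variant discussed in the thread).
"""
from dataclasses import dataclass, field


@dataclass
class PeerIdentifiers:
    # Hypothetical container for identifiers already extracted from a
    # certificate; callers supply the parsed strings.
    dns_ids: list[str] = field(default_factory=list)  # subjectAltName dNSName
    cn_ids: list[str] = field(default_factory=list)   # subject commonName


def _normalize(name: str) -> str:
    # RFC 6125 compares DNS names ASCII case-insensitively; drop a root dot.
    return name.rstrip(".").lower()


def verify_rid_peer(expected_host: str, ids: PeerIdentifiers,
                    allow_cn_fallback: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for a peer expected to be expected_host."""
    # Proposed text: wildcards MUST NOT appear in the DNS-ID or CN-ID, so a
    # certificate carrying one is rejected before any matching is attempted.
    for ident in ids.dns_ids + ids.cn_ids:
        if "*" in ident:
            return False, f"wildcard identifier not allowed: {ident!r}"
    want = _normalize(expected_host)
    if ids.dns_ids:
        # DNS-IDs present: per RFC 6125 they take precedence; CN-IDs ignored.
        if any(_normalize(d) == want for d in ids.dns_ids):
            return True, "matched DNS-ID"
        return False, "no DNS-ID matched; CN-IDs ignored because DNS-IDs exist"
    if not allow_cn_fallback:
        # Strict reading of the proposed MUST: no DNS-ID means no identity.
        return False, "certificate has no DNS-ID"
    # Legacy-PKI path (the SHOULD variant): only reached when no DNS-ID exists.
    if any(_normalize(c) == want for c in ids.cn_ids):
        return True, "matched CN-ID (legacy PKI fallback)"
    return False, "no CN-ID matched"
```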