Hi Alexey,
> -----Original Message-----
> From: Pce [mailto:[email protected]] On Behalf Of Alexey Melnikov
> Sent: 07 August 2017 16:16
> To: The IESG <[email protected]>
> Cc: [email protected]; [email protected]; [email protected];
> [email protected]
> Subject: [Pce] Alexey Melnikov's Yes on draft-ietf-pce-pceps-15: (with
> COMMENT)
>
> Alexey Melnikov has entered the following ballot position for
> draft-ietf-pce-pceps-15: Yes
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-pce-pceps/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you for addressing my DISCUSS points and comments.
>
> I think the text about use of RFC 6125 should use RFC 6125 terminology
> like DNS-ID and CN-ID, because they have a bit more semantics associated
> with them other than just subjectAltName:DNS. I think you should also
> clarify whether you want to allow wildcards in DNS-ID/CN-ID (RFC 6125
> talks about that).
>
[[[Dhruv Dhody]]] Ack, updated to -
+ Implementations MUST follow the rules and guidelines for
  peer validation as defined in [RFC6125]. If an expected
  DNS name or IP address for the peer is configured, then the
  implementations MUST check them against the values in the
  presented certificate. The DNS names and the IP addresses
  can be contained in the CN-ID [RFC6125] (Common Name
  Identifier) or the subjectAltName entries. For
  verification, only one of these entries is considered. The
  following precedence applies: for DNS name validation,
  DNS-ID [RFC6125] has precedence over CN-ID; for IP address
  validation, subjectAltName:iPAddr has precedence over
  CN-ID.
+ Implementations MAY allow the configuration of a set of
  additional properties of the certificate to check for a
  peer's authorization to communicate (e.g., a set of allowed
  values in URI-ID [RFC6125] or a set of allowed X509v3
  Certificate Policies). The definition of these properties
  is out of scope of this document.

Regards,
Dhruv
>
> _______________________________________________
> Pce mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/pce
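
The precedence rule in the updated text above, as an added Python example (not part of the original message or of the draft), showing that a CN-ID is never consulted once an identifier of the preferred type is present. The `PeerCertIds` type, the function names and the sample values are hypothetical and constructed; the identifiers are assumed to come from a certificate whose chain has already been validated. Assumptions: "only one of these entries is considered" is read as "CN-ID is ignored when a subjectAltName entry of the relevant type exists", and matching is exact with no wildcard handling, since the quoted text states no wildcard policy.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCertIds:
    """Identifiers extracted from an already chain-validated certificate (hypothetical type)."""
    common_name: Optional[str] = None                  # CN-ID candidate
    san_dns: List[str] = field(default_factory=list)   # DNS-ID entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName:iPAddr entries


def same_ip(a: str, b: str) -> bool:
    """Compare two addresses by value so textual variants of one address match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False  # a CN that is not an IP literal can never match an expected IP


def match_dns(cert: PeerCertIds, expected: str) -> Tuple[bool, str]:
    """DNS-ID has precedence over CN-ID; returns (matched, identifier type used)."""
    want = expected.lower()  # DNS names compare case-insensitively
    if cert.san_dns:
        return any(n.lower() == want for n in cert.san_dns), "DNS-ID"
    if cert.common_name is not None:
        return cert.common_name.lower() == want, "CN-ID"
    return False, "none"


def match_ip(cert: PeerCertIds, expected: str) -> Tuple[bool, str]:
    """subjectAltName:iPAddr has precedence over CN-ID."""
    if cert.san_ip:
        return any(same_ip(i, expected) for i in cert.san_ip), "subjectAltName:iPAddr"
    if cert.common_name is not None:
        return same_ip(cert.common_name, expected), "CN-ID"
    return False, "none"


# Constructed sample certificates (documentation names and address ranges).
CERT_SAN_AND_CN = PeerCertIds(common_name="pce2.example.net", san_dns=["pce1.example.net"])
CERT_CN_ONLY = PeerCertIds(common_name="pce3.example.net")
CERT_IP_SAN = PeerCertIds(common_name="192.0.2.10", san_ip=["2001:db8::1"])
CERT_IP_CN_ONLY = PeerCertIds(common_name="192.0.2.10")

if __name__ == "__main__":
    for cert, name in [(CERT_SAN_AND_CN, "pce1.example.net"),
                       (CERT_SAN_AND_CN, "pce2.example.net"),
                       (CERT_CN_ONLY, "pce3.example.net")]:
        print(name, match_dns(cert, name))
```

The second printed case is the one to watch in review: the expected name equals the certificate's CN, yet validation fails because a DNS-ID is present and takes precedence.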