Re: Issue 34: keyPurposeID needs clarification
From: Pat Calhoun (pacalhou) (pcalhouncisco.com)
Date: Tue, 12 Feb 2008 21:14:58 -0800 (PST)
Sam,

Would you accept some text that simply states that the Any KeyPurposeID
SHOULD be ignored?

PatC 

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf [at] mit.edu] 
Sent: Thursday, January 03, 2008 5:12 AM
To: Pat Calhoun (pacalhou)
Cc: capwap
Subject: Re: [Capwap] Issue 34: keyPurposeID needs clarification

>>>>> "Pat" == Pat Calhoun (pacalhou) <pcalhoun [at] cisco.com> writes:

    Pat>    The particulars of authorization filter construction are
    Pat> implementation details which are, for the most part, not
    Pat> within the scope of this specification.  However, at minimum,
    Pat> all devices MUST verify that the appropriate EKU bit is set
    Pat> according to the role of the peer device (AC vs. WTP), and
    Pat> that the issuer of the certificate is appropriate for the
    Pat> domain in question.  </existing text>

    Pat> However, if Sam felt this was not sufficient, I have added a
    Pat> sentence to an existing paragraph (the last sentence below):

Returning from vacation.

I thought the existing text was very close to clear.  The problem is
that there is a special key purpose ID that means that a particular
certificate can be used for any purpose for which the any purpose ID is
permitted.

There are some applications that are so sensitive that the any purpose
ID is not acceptable.  So, when you define a new key purpose ID, you
need to say whether the any purpose ID can be used instead of this new
key purpose ID.

Capwap defines two key purpose IDs but does not discuss the any purpose
ID.
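
As an added example (not code from this thread or from the CAPWAP drafts), a Go check that applies the rule Pat proposes above: the peer's certificate must carry the key purpose ID for its role, and anyExtendedKeyUsage is ignored entirely, so a certificate with only the any purpose ID is rejected while one carrying both passes. The two OIDs are the values RFC 5415 later assigned to id-kp-capwapAC and id-kp-capwapWTP; the function names and the constructed test certificate are assumptions of mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/asn1"
	"math/big"
	"time"
)

// CAPWAP role key purpose IDs as later assigned in RFC 5415 (id-kp 18 and 19);
// this thread predates the RFC, so treat the exact arcs as an assumption.
var (
	idKpCapwapAC  = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 18}
	idKpCapwapWTP = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 19}
)
// PeerEKUOK accepts the certificate only if its EKU lists the peer role's
// purpose. anyExtendedKeyUsage (Go parses it into ExtKeyUsage as ExtKeyUsageAny)
// is ignored: it neither substitutes for the role OID nor causes rejection.
func PeerEKUOK(cert *x509.Certificate, peerIsAC bool) bool {
	want := idKpCapwapWTP
	if peerIsAC {
		want = idKpCapwapAC
	}
	for _, oid := range cert.UnknownExtKeyUsage { // CAPWAP OIDs are unknown to Go
		if oid.Equal(want) {
			return true
		}
	}
	return false // also covers a certificate with no EKU extension at all
}

// MakeTestCert builds a constructed self-signed certificate carrying the given
// EKU values and re-parses it so PeerEKUOK sees real DER-decoded fields.
func MakeTestCert(known []x509.ExtKeyUsage, custom []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: known, UnknownExtKeyUsage: custom,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```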
