Re: Issue 35: MAC Address in Certificate CN field
From: Pat Calhoun (pacalhou) (pcalhoun [at] cisco.com)
Date: Tue, 12 Feb 2008 21:15:38 -0800 (PST)
Sam,

May I simply adopt your proposed text below and close this issue?

PatC 

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf [at] mit.edu] 
Sent: Thursday, January 03, 2008 5:19 AM
To: Pat Calhoun (pacalhou)
Cc: capwap
Subject: Re: [Capwap] Issue 35: MAC Address in Certificate CN field

>>>>> "Pat" == Pat Calhoun (pacalhou) <pcalhoun [at] cisco.com> writes:

    Pat> The intention is the for AC and WTPs to validate the CN
    Pat> through an access control list. This could be done via a
    Pat> RADIUS request, a locally stored MAC address list, etc. As
    Pat> long as the certificate is valid, and authorized, it really
    Pat> doesn't matter whether the device in question is actually
    Pat> using the MAC address encoded in the CN field, and as you
    Pat> state, this is not possible to do if a router is present.

Ah.
This was not obvious to me.
If the intent is to validate against an ACL, then I think the following
requirement does not rise to the level needed for an RFC 2119 MUST:

>   The certificate common name (CN) for both the WTP and AC MUST be the
>   MAC address of that device.  The MAC address MUST be formatted as
>   ASCII HEX, e.g. 01:23:45:67:89:ab.


In particular, that's a requirement on operational deployments rather
than a requirement on implementations and if all you are going to do is
to check against an ACL then I don't see a need for that requirement.

Perhaps something more like the following would be an appropriate
requirement to meet interoperability:

>   Capwap implementations MUST support certificates where the common
>   name (CN) for both the WTP and AC is the
>   MAC address of that device.  The MAC address MUST be formatted as
>   ASCII HEX, e.g. 01:23:45:67:89:ab.


You should be aware that there is a raging debate in the security
directorate about whether storing MAC addresses in a CN field is
appropriate for a mandatory to implement solution.  I have not read that
debate so I don't know if there is a consensus there one way or another.

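As an added illustration of the ACL-style authorization Pat describes (example code written for this archive page, not text from the draft or from either correspondent), the following Python checks a peer certificate's CN against the mandated ASCII-hex MAC format and a locally stored allow list. The subject structure assumed is the tuple-of-RDNs shape that Python's `ssl.SSLSocket.getpeercert()` returns; the ACL contents and sample subjects are constructed.

```python
import re
from typing import Iterable, Optional, Sequence, Tuple

# Format the draft text mandates: six ASCII hex octets separated by colons,
# e.g. 01:23:45:67:89:ab.  Either case is accepted and normalised to lower.
_MAC_CN_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Subject as returned by ssl.SSLSocket.getpeercert()["subject"]:
# a sequence of RDNs, each RDN a sequence of (attribute, value) pairs.
Subject = Sequence[Sequence[Tuple[str, str]]]


def common_name(subject: Subject) -> Optional[str]:
    """Return the single commonName in the subject; None if absent or duplicated."""
    cns = [value for rdn in subject for (attr, value) in rdn if attr == "commonName"]
    return cns[0] if len(cns) == 1 else None


def mac_from_cn(cn: str) -> Optional[str]:
    """Accept only the mandated colon-separated ASCII-hex form; return it lower-cased.

    fullmatch() is used rather than '$' so a trailing newline cannot slip through.
    """
    if _MAC_CN_RE.fullmatch(cn) is None:
        return None
    return cn.lower()


def authorize_peer(subject: Subject, acl: Iterable[str]) -> bool:
    """ACL check as described in the thread: the peer is accepted when its
    (already chain-validated) certificate carries a well-formed MAC CN that is
    on the local allow list.  As Pat notes, no comparison with the link-layer
    source address is attempted, since a router in the path would defeat it."""
    cn = common_name(subject)
    if cn is None:
        return False
    mac = mac_from_cn(cn)
    if mac is None:
        return False
    return mac in {entry.lower() for entry in acl}


# Constructed sample data (hypothetical): an AC's locally stored WTP allow list.
SAMPLE_ACL = ["01:23:45:67:89:ab", "00:1a:2b:3c:4d:5e"]

if __name__ == "__main__":
    for subj in (
        ((("commonName", "01:23:45:67:89:AB"),), (("organizationName", "Example"),)),
        ((("commonName", "01-23-45-67-89-ab"),),),   # wrong separator: rejected
        ((("commonName", "aa:bb:cc:dd:ee:ff"),),),   # well-formed but not on ACL
    ):
        print(common_name(subj), "->", authorize_peer(subj, SAMPLE_ACL))
```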