Re: Issue 34: keyPurposeID needs clarification

From: Pat Calhoun (pacalhou) (pcalhoun
Date: Fri, 15 Feb 2008 07:10:07 -0800 (PST)
All,

I have adopted the last sentence in the following paragraph:

For an AC, the id-kp-capwapAC EKU MUST be present in the certificate. For a WTP, the id-kp-capwapWTP EKU MUST be present in the certificate. The id-kp-anyExtendedKeyUsage, if present, SHOULD be ignored.

PatC

-----Original Message-----
From: Pat Calhoun (pacalhou)
Sent: Tuesday, February 12, 2008 9:15 PM
To: Sam Hartman
Cc: capwap
Subject: Re: [Capwap] Issue 34: keyPurposeID needs clarification

Sam,

Would you accept some text that simply states that the Any KeyPurposeID SHOULD be ignored?

PatC

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf [at] mit.edu]
Sent: Thursday, January 03, 2008 5:12 AM
To: Pat Calhoun (pacalhou)
Cc: capwap
Subject: Re: [Capwap] Issue 34: keyPurposeID needs clarification

>>>>> "Pat" == Pat Calhoun (pacalhou) <pcalhoun [at] cisco.com> writes:

Pat> The particulars of authorization filter construction are
Pat> implementation details which are, for the most part, not
Pat> within the scope of this specification. However, at minimum,
Pat> all devices MUST verify that the appropriate EKU bit is set
Pat> according to the role of the peer device (AC vs. WTP), and
Pat> that the issuer of the certificate is appropriate for the
Pat> domain in question. </existing text>

Pat> However, if Sam felt this was not sufficient, I have added a
Pat> sentence to an existing paragraph (the last sentence below):

Returning from vacation. I thought the existing text was very close to clear. The problem is that there is a special key purpose ID that means that a particular certificate can be used for any purpose for which the any purpose ID is permitted. There are some applications that are so sensitive that the any purpose ID is not acceptable. So, when you define a new key purpose ID, you need to say whether the any purpose ID can be used instead of this new key purpose ID. Capwap defines two key purpose IDs but does not discuss the any purpose ID.
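The EKU rule adopted in this message, as an added example that is not part of the original e-mail or of any CAPWAP implementation: a peer certificate's extended key usage extension is parsed from DER and accepted only when the role-specific key purpose is present, with id-kp-anyExtendedKeyUsage treated as if it were absent. The function names, the dotted OID values (which the thread does not spell out) and the sample byte strings are assumptions of this example, as is the reading of "ignored" as "never satisfies the role requirement".

```python
ANY_EKU = "2.5.29.37.0"  # id-kp-anyExtendedKeyUsage
REQUIRED_EKU = {"AC": "1.3.6.1.5.5.7.3.18",   # id-kp-capwapAC (OID not given in the thread)
                "WTP": "1.3.6.1.5.5.7.3.19"}  # id-kp-capwapWTP (OID not given in the thread)
# Constructed sample extension values (not taken from real certificates).
EKU_AC_AND_ANY = bytes.fromhex("3010" "06082b06010505070312" "0604551d2500")
EKU_ANY_ONLY = bytes.fromhex("3006" "0604551d2500")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one definite-length DER TLV."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of a subidentifier
            arcs, acc = arcs + [acc], 0
    top = min(arcs[0] // 40, 2)  # first subidentifier packs the first two arcs
    return ".".join(map(str, [top, arcs[0] - 40 * top] + arcs[1:]))

def parse_eku(der):
    """Parse ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("non-OID element in EKU")
        oids.append(decode_oid(value))
    return oids

def peer_eku_ok(eku_der, peer_role):
    """Accept only if the role's EKU is present; anyExtendedKeyUsage never counts."""
    oids = parse_eku(eku_der) if eku_der is not None else []  # no EKU extension: reject
    return REQUIRED_EKU[peer_role] in [o for o in oids if o != ANY_EKU]
```

A caller should treat a `ValueError` from `parse_eku` as a rejected certificate, so malformed extensions fail closed.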