Re: Issue 35: MAC Address in Certificate CN field
From: Pat Calhoun (pacalhou) (pcalhoun [at] cisco.com)
Date: Fri, 15 Feb 2008 07:14:07 -0800 (PST)
All,

The new text reads:

   CAPWAP implementations MUST support certificates where the common
   name (CN) for both the WTP and AC is the MAC address of that device.
   The MAC address MUST be formatted as ASCII HEX, e.g.
   01:23:45:67:89:ab.  Note that the CN field MAY contain either of the
   EUI-48 [22] or EUI-64 [23] MAC Address formats.

PatC 
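As an added illustration of the text above (not code from the thread or from any CAPWAP implementation), the following parses a certificate CN as a colon-separated ASCII-hex EUI-48 or EUI-64 address and checks it against a locally stored MAC list, the ACL-style authorization Pat describes; the ACL contents and helper names are constructed for the example, and certificate chain validation is assumed to have happened already.

```python
import re
from typing import Iterable, Optional, Set

# One ASCII-hex octet; the CN carries 6 of them (EUI-48) or 8 (EUI-64),
# joined by colons as in "01:23:45:67:89:ab".  Either hex case is accepted.
_OCTET = r"[0-9A-Fa-f]{2}"
_CN_MAC_RE = re.compile(rf"{_OCTET}(?::{_OCTET}){{5}}(?:(?::{_OCTET}){{2}})?")


def parse_cn_mac(cn: str) -> Optional[str]:
    """Return the MAC from a certificate CN in canonical lower-case form,
    or None if the CN is not an EUI-48/EUI-64 colon-separated hex address."""
    if not _CN_MAC_RE.fullmatch(cn):
        return None
    return cn.lower()


def mac_kind(mac: str) -> str:
    """Classify a canonical MAC returned by parse_cn_mac."""
    return "EUI-48" if mac.count(":") == 5 else "EUI-64"


def load_acl(entries: Iterable[str]) -> Set[str]:
    """Normalize a locally stored MAC list (constructed here); entries that
    do not parse as a MAC are dropped rather than matched loosely."""
    acl = set()
    for entry in entries:
        mac = parse_cn_mac(entry.strip())
        if mac is not None:
            acl.add(mac)
    return acl


def is_authorized(cn: str, acl: Set[str]) -> bool:
    """Authorize the peer only if its CN is a well-formed MAC listed in the
    ACL.  Whether the device actually uses that MAC on the wire is not
    checked, matching the thread: a valid, authorized certificate suffices."""
    mac = parse_cn_mac(cn)
    return mac is not None and mac in acl


# Constructed sample ACL for the example (not from the thread).
SAMPLE_ACL = load_acl([
    "01:23:45:67:89:AB",           # EUI-48, upper-case hex
    "00:11:22:33:44:55:66:77",     # EUI-64
    "not-a-mac",                   # dropped
])
```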

-----Original Message-----
From: Pat Calhoun (pacalhou) 
Sent: Tuesday, February 12, 2008 9:16 PM
To: Sam Hartman
Cc: capwap
Subject: Re: [Capwap] Issue 35: MAC Address in Certificate CN field

Sam,

May I simply adopt your proposed text below and close this issue?

PatC 

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf [at] mit.edu]
Sent: Thursday, January 03, 2008 5:19 AM
To: Pat Calhoun (pacalhou)
Cc: capwap
Subject: Re: [Capwap] Issue 35: MAC Address in Certificate CN field

>>>>> "Pat" == Pat Calhoun (pacalhou) <pcalhoun [at] cisco.com> writes:

    Pat> The intention is for the AC and WTPs to validate the CN
    Pat> through an access control list. This could be done via a
    Pat> RADIUS request, a locally stored MAC address list, etc. As
    Pat> long as the certificate is valid, and authorized, it really
    Pat> doesn't matter whether the device in question is actually
    Pat> using the MAC address encoded in the CN field, and as you
    Pat> state, this is not possible to do if a router is present.

Ah.
This was not obvious to me.
If the intent is to validate against an ACL, then I think the following
requirement does not rise to the level needed for an RFC 2119 MUST:

>   The certificate common name (CN) for both the WTP and AC MUST be the
>   MAC address of that device.  The MAC address MUST be formatted as
>   ASCII HEX, e.g. 01:23:45:67:89:ab.


In particular, that's a requirement on operational deployments rather
than a requirement on implementations and if all you are going to do is
to check against an ACL then I don't see a need for that requirement.

Perhaps something more like the following would be an appropriate
requirement to meet interoperability:


>   Capwap implementations MUST support certificates where the common
>   name (CN) for both the WTP and AC is the
>   MAC address of that device.  The MAC address MUST be formatted as
>   ASCII HEX, e.g. 01:23:45:67:89:ab.

You should be aware that there is a raging debate in the security
directorate about whether storing MAC addresses in a CN field is
appropriate for a mandatory to implement solution.  I have not read that
debate so I don't know if there is a consensus there one way or another.