Re: Issue 34: keyPurposeID needs clarification
From: Pat Calhoun (pacalhou) (pcalhoun [at] cisco.com)
Date: Mon, 10 Mar 2008 12:17:50 -0700 (PDT)
All,

The editors, security advisors, chairs and ADs met today at lunch and
discussed this topic. We agreed on an approach, which I believe is
represented in the following text:

<text>
   If a device presents its certificate which includes either the id-kp-
   capwapAC or id-kp-capwapWTP EKU, its role MUST be enforced.  For
   instance, if a certificate received during a DTLS session
   establishment includes the id-kp-capwapAC EKU, the receiving CAPWAP
   device MUST NOT allow its peer to act as a WTP.  In the absence of
   either one of these EKUs, the id-kp-anyExtendedKeyUsage EKU allows a
   device to act as either a WTP or AC.
</text>

Comments?

PatC 

-----Original Message-----
From: Sam Hartman [mailto:hartmans-ietf [at] mit.edu] 
Sent: Monday, March 10, 2008 5:28 AM
To: Pat Calhoun (pacalhou)
Cc: capwap
Subject: Re: [Capwap] Issue 34: keyPurposeID needs clarification

>>>>> "Pat" == Pat Calhoun (pacalhou) <pcalhoun [at] cisco.com> writes:

    Pat> Sam,
    Pat> Would you accept some text that simply states that the Any
    Pat> KeyPurposeID SHOULD be ignored?

Yes, although I'd like to understand why you believe that's the right
answer.  That's sort of the opposite answer most people give.  But if
you've thought it through and believe that's the right answer that would
respond to my issue.
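The role rule in the proposed text, as an added example that is not part of this thread or of the CAPWAP draft: a Python check that, given the OIDs in a peer certificate's extendedKeyUsage extension, decides which CAPWAP roles the peer may take during DTLS establishment. The OID values are the ones assigned in RFC 5415 and RFC 5280; the function names and the conservative handling of a certificate with no EKU extension at all are my assumptions.

```python
# Added example, not code from the CAPWAP draft or this mailing-list thread.
# OID values: id-kp-capwapAC / id-kp-capwapWTP as assigned in RFC 5415,
# anyExtendedKeyUsage as defined in RFC 5280. Function names are my own.

ID_KP_CAPWAP_AC = "1.3.6.1.5.5.7.3.18"    # id-kp-capwapAC
ID_KP_CAPWAP_WTP = "1.3.6.1.5.5.7.3.19"   # id-kp-capwapWTP
ANY_EXTENDED_KEY_USAGE = "2.5.29.37.0"    # id-kp-anyExtendedKeyUsage

AC, WTP = "AC", "WTP"


def roles_permitted(ekus):
    """Return the set of CAPWAP roles a peer presenting these EKUs may take.

    ekus: OIDs from the certificate's extendedKeyUsage extension, or None
    when the extension is absent. Absence is treated here as "no CAPWAP
    purpose" (an assumption; the proposed text does not cover that case).
    """
    if not ekus:
        return set()
    ekus = set(ekus)
    roles = set()
    # A CAPWAP-specific EKU pins the role: each one present grants exactly
    # that role, and once either is present anyExtendedKeyUsage is ignored.
    if ID_KP_CAPWAP_AC in ekus:
        roles.add(AC)
    if ID_KP_CAPWAP_WTP in ekus:
        roles.add(WTP)
    if roles:
        return roles
    # Neither CAPWAP EKU present: only anyExtendedKeyUsage leaves the
    # role open; any other EKU set grants no CAPWAP role.
    if ANY_EXTENDED_KEY_USAGE in ekus:
        return {AC, WTP}
    return set()


def peer_may_act_as(ekus, claimed_role):
    """True if the DTLS peer's certificate permits the role it is taking."""
    return claimed_role in roles_permitted(ekus)


if __name__ == "__main__":
    # Constructed EKU lists standing in for parsed peer certificates.
    for ekus, role in [([ID_KP_CAPWAP_AC], WTP),
                       ([ANY_EXTENDED_KEY_USAGE, ID_KP_CAPWAP_AC], WTP),
                       ([ANY_EXTENDED_KEY_USAGE], WTP),
                       (["1.3.6.1.5.5.7.3.1"], AC)]:
        print(ekus, role, "->", "accept" if peer_may_act_as(ekus, role) else "reject")
```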
