Re: Issue 36: Trust Anchor text missing

From: Pat Calhoun (pacalhou) (pcalhoun
Date: Tue, 11 Mar 2008 07:56:22 -0700 (PDT)

All,

The proposed text that I just sent to the list on issue 37 addresses
this problem. By including the trust anchor during the pre-provisioning
process, it ensures that the trust anchor is known on both the WTP and
AC.

<text>
12.5. CAPWAP Pre-Provisioning

[...]

When using certificates, the following items need to be
pre-provisioned:

o  Device Certificate: The local device's certificate (see
   Section 12.7 for more information)

o  Trust Anchor: Trusted root certificate chain used to validate any
   certificate received from CAPWAP peers. Note that one or more
   root certificates MAY be configured on a given device.
</text>

Comments?

PatC

-----Original Message-----
From: Pat Calhoun (pacalhou)
Sent: Tuesday, February 12, 2008 9:16 PM
To: Pat Calhoun (pacalhou); capwap [at] frascone.com
Cc: Sam Hartman
Subject: RE: [Capwap] Issue 36: Trust Anchor text missing

Scott and Sam,

Could we get a resolution on this issue?

PatC

-----Original Message-----
From: Pat Calhoun (pacalhou)
Sent: Friday, December 21, 2007 8:41 AM
To: capwap [at] frascone.com
Cc: Sam Hartman
Subject: [Capwap] Issue 36: Trust Anchor text missing

Sam,

You seem to be talking about two separate issues below. The first is how
the trust anchor is known. If we are talking about manufacturing certs,
the root certificate is typically embedded in the device, or it can be
fetched using <insert favorite cert fetching protocol here>. Would
adding this specific text address your issue?

The second one you seem to talk about is how a WTP is deployed. Are you
asking how a certificate is provisioned on the WTP, or are you asking
more about how the access control list is configured? The text in
section 2.4.4.3 discusses the concept of the ACL, but doesn't actually
describe the use case (e.g., receive box, open box, read MAC address,
add MAC address to access control list).

Could you provide more clarity?

Thanks,

PatC

> 4) I expected to find some discussion of trust anchors in the document
> and was surprised not to see any. Also, I expected to find some
> reference to the certificate validation algorithm in RFC 3280. The
> second point is minor; there is certificate validation text and it
> may well be good enough. The point about discussing trust anchors
> is bigger.
>
> I do realize that trust anchors are a difficult topic. If I get a WTP
> that has never been configured and arrives in a box from some
> manufacturer, how exactly is it supposed to know who to trust at my
> site? You should say something though or have an explanation of why
> you couldn't say anything.
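
The pre-provisioning listed in the proposed Section 12.5 text, sketched with the openssl command line as an added example that is not part of the original thread or of the CAPWAP draft. The names vendor-root, site-root, ac.example and wtp.example and all file paths are constructed for the demo; it shows a WTP accepting an AC certificate only when the issuing root is among its pre-provisioned trust anchors.

```shell
#!/bin/sh
# Added illustration. Every name, subject and path is constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_root NAME: self-signed root CA, i.e. a candidate trust anchor.
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_cert ROOT NAME: device certificate for NAME, signed by ROOT.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# peer_trusted ANCHORS CERT: true only if CERT chains to a root in ANCHORS.
peer_trusted() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_root vendor-root
make_root site-root
issue_cert site-root ac.example       # AC certificate from the site's own CA
issue_cert vendor-root wtp.example    # WTP certificate from the manufacturer

# Pre-provisioned trust anchor sets. One or more roots may be configured.
cat "$WORK/vendor-root.pem" "$WORK/site-root.pem" > "$WORK/wtp-anchors.pem"
cp "$WORK/vendor-root.pem" "$WORK/wtp-factory-anchors.pem"   # site root never added
cp "$WORK/vendor-root.pem" "$WORK/ac-anchors.pem"

for pair in "wtp-anchors ac.example" "wtp-factory-anchors ac.example" \
            "ac-anchors wtp.example"; do
    set -- $pair
    if peer_trusted "$WORK/$1.pem" "$WORK/$2.pem"; then r=accept; else r=reject; fi
    echo "$1 validating $2: $r"
done
```

The WTP holding only the manufacturer root rejects the site-issued AC certificate, which is the unconfigured-device case raised in the quoted review comment.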