Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Peter Saint-Andre <> Tue, 24 January 2012 16:45 UTC

Date: Tue, 24 Jan 2012 09:45:30 -0700
From: Peter Saint-Andre <>
To: Brian Trammell <>
Cc:, Kathleen Moriarty <>, The IESG <>
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

On 1/24/12 2:25 AM, Brian Trammell wrote:
> Hi, Alexey,
> So far only one voice on the WG list, stating no need for CN-ID. However, on thinking about it a bit further, if you happen to have an older PKI built out, and you're still using it, you've probably got a large investment in it, and it probably makes sense to allow you to use it for RID too...
> So, I'd suggest the following language to grudgingly allow such a thing:
> The use of CN-ID identifiers in certificates identifying RID systems
> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
> implementations which can use DNS-ID identifiers. However, CN-ID
> identifiers MAY be used when the RID consortium to which the system
> belongs uses an older, existing PKI implementation.

Brian, first of all, thanks for working with us on this topic. As you
can see from the length of RFC 6125 (which didn't start out that big!),
there's more complexity here than meets the eye.

I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
used by others" might be a bit confusing to those who implement and
deploy RID. Also, RFC 6125 makes a distinction between cert generation
and cert checking, which gets obscured by the word "use". Thus I might
make the following suggestion:

   The inclusion of Common Names (CN-IDs) in certificates identifying
   RID systems is NOT RECOMMENDED.  A PKI implementation that
   understands DNS-IDs SHOULD ignore CN-IDs when checking server
   certificates. However, because many existing PKI implementations
   still include CN-IDs when generating certificates, RID consortiums
   might want to continue supporting them during certificate checking.

This removes the normative force from the text about existing PKI
implementations, while still encouraging use of DNS-IDs.

Let us know what you think.


Peter Saint-Andre
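Added example (not part of the thread above, and not code from the draft or from RFC 6125): a small reference-identifier check that behaves the way the suggested text describes. It prefers DNS-IDs (subjectAltName dNSName entries) and ignores the CN-ID whenever any DNS-ID is present; a consortium that still runs an older PKI can opt in to CN-ID checking, but only for certificates that carry no DNS-ID at all. The certificate representation is a simplified constructed dataclass rather than a parsed X.509 object, and the `allow_legacy_cn_id` flag is a hypothetical policy knob standing in for that consortium decision. The matching rules are a subset of RFC 6125 section 6.4.3 (case-insensitive comparison, a single wildcard only as the whole left-most label).

```python
"""Reference-identifier matching for RID server certificates in the spirit
of RFC 6125: prefer DNS-ID over CN-ID, and consult CN-ID only as a legacy
fallback when no DNS-ID is present.

Added example, not from the thread or the draft.  The certificate
representation is a constructed, simplified stand-in for a parsed X.509
certificate, and `allow_legacy_cn_id` is a hypothetical policy flag.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PresentedIdentifiers:
    """Identifiers extracted from a server certificate (constructed, simplified)."""
    dns_ids: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    cn_id: Optional[str] = None                         # subject Common Name, if any


def _label_match(pattern: str, name: str) -> bool:
    """Match one presented identifier against a reference identifier.

    Subset of RFC 6125 section 6.4.3: comparison is case-insensitive, and a
    '*' is accepted only as the complete left-most label, matching exactly
    one label (so '*.example.net' matches 'rid.example.net' but not
    'a.b.example.net', and '*.net' is rejected outright).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    plabels = pattern.split(".")
    nlabels = name.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(nlabels):
        return False
    return plabels[1:] == nlabels[1:]


def check_rid_server_identity(cert: PresentedIdentifiers,
                              reference_id: str,
                              allow_legacy_cn_id: bool = False) -> str:
    """Return the identifier type that matched ('DNS-ID' or 'CN-ID').

    Raises ValueError when the certificate does not identify reference_id.
    Policy mirrored from the suggested text:
      * If the certificate carries any DNS-ID, only DNS-IDs are consulted;
        the CN-ID is ignored even when allow_legacy_cn_id is True.
      * Only a certificate with no DNS-ID at all, and only under an opted-in
        legacy policy, is checked against its CN-ID.
    """
    if cert.dns_ids:
        for dns_id in cert.dns_ids:
            if _label_match(dns_id, reference_id):
                return "DNS-ID"
        raise ValueError("no DNS-ID matches %r; CN-ID ignored" % reference_id)
    if allow_legacy_cn_id and cert.cn_id is not None:
        if _label_match(cert.cn_id, reference_id):
            return "CN-ID"
        raise ValueError("legacy CN-ID does not match %r" % reference_id)
    raise ValueError("certificate presents no usable DNS-ID for %r" % reference_id)


# Constructed sample certificates for a hypothetical RID system rid.example.net
MODERN_CERT = PresentedIdentifiers(dns_ids=["rid.example.net"], cn_id="rid.example.net")
LEGACY_CERT = PresentedIdentifiers(dns_ids=[], cn_id="rid.example.net")
MISMATCHED_CERT = PresentedIdentifiers(dns_ids=["other.example.net"], cn_id="rid.example.net")
WILDCARD_CERT = PresentedIdentifiers(dns_ids=["*.example.net"])

if __name__ == "__main__":
    print(check_rid_server_identity(MODERN_CERT, "rid.example.net"))
    print(check_rid_server_identity(LEGACY_CERT, "rid.example.net", allow_legacy_cn_id=True))
```

The MISMATCHED_CERT case is the one worth noticing: its CN-ID does name rid.example.net, but because the certificate also carries a DNS-ID, the check fails even under the legacy policy. That is the behaviour the "SHOULD ignore CN-IDs" sentence asks for, and it keeps a stale CN from silently overriding the DNS-IDs a newer PKI actually issued.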