Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

<> Tue, 24 January 2012 18:00 UTC


I agree, the guidance in RFC6125 Section 2.4 is pretty clear and should just be referenced if we go this route.  I do have a question out to a practitioner to see if we need to allow anything other than DNS-IDs.  She did say support is good in CAs, maybe it is OK to require DNS-IDs.  She will be posting to MILE later today.  Are there any CAs that do not support this yet?  RFC6125 says this is to support older CAs, but has this changed?  RFC6125 was only published in March, so it may still be important.  


-----Original Message-----
From: [] On Behalf Of Alexey Melnikov
Sent: Tuesday, January 24, 2012 12:00 PM
To: Peter Saint-Andre
Cc:; Moriarty, Kathleen; The IESG; Brian Trammell
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

On 24/01/2012 16:45, Peter Saint-Andre wrote:
> On 1/24/12 2:25 AM, Brian Trammell wrote:
>> Hi, Alexey,
>> So far only one voice on the WG list, stating no need for CN-ID. However, on thinking about it a bit further, if you happen to have an older PKI built out, and you're still using it, you've probably got a large investment in it, and it probably makes sense to allow you to use it for RID too...
>> So, I'd suggest the following language to grudgingly allow such a thing:
>> The use of CN-ID identifiers in certificates identifying RID systems
>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
>> implementations which can use DNS-ID identifiers. However, CN-ID
>> identifiers MAY be used when the RID consortium to which the system
>> belongs uses an older, existing PKI implementation.
> Brian, first of all, thanks for working with us on this topic. As you
> can see from the length of RFC 6125 (which didn't start out that big!),
> there's more complexity here than meets the eye.
> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
> used by others" might be a bit confusing to those who implement and
> deploy RID. Also, RFC 6125 makes a distinction between cert generation
> and cert checking, which gets obscured by the word "use". Thus I might
> make the following suggestion:
>     The inclusion of Common Names (CN-IDs) in certificates identifying
>     RID systems is NOT RECOMMENDED.  A PKI implementation that
>     understands DNS-IDs SHOULD ignore CN-IDs when checking server
>     certificates.
I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence 
of DNS-IDs? I would just rather reference RFC 6125, or at least be clear 
that this is defined there (using "as specified in RFC 6125").

The rest of your proposal looks fine.
>     However, because many existing PKI implementations
>     still include CN-IDs when generating certificates, RID consortiums
>     might want to continue supporting them during certificate checking.
> This removes the normative force from the text about existing PKI
> implementations, while still encouraging use of DNS-IDs.
> Let us know what you think.
> Peter
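To illustrate the RFC 6125 rule the thread is debating, here is an added example (not code from the thread, the draft, or any RID implementation): a minimal reference-identifier check in which CN-IDs are consulted only when the certificate carries no DNS-ID at all. The `PresentedIds` structure, the `allow_cn_id` switch and the `example.org` names are assumptions constructed for the example, not anything defined by RFC 6125 or the draft.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PresentedIds:
    """Identifiers taken from a server certificate (constructed here, not parsed from DER)."""
    dns_ids: List[str]           # subjectAltName dNSName entries (DNS-IDs)
    cn_id: Optional[str] = None  # subject Common Name (CN-ID), if one is present


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def _match_presented(reference: str, presented: str) -> bool:
    """Compare one presented identifier with the reference identifier
    (RFC 6125 Section 6.4.3): case-insensitive, label by label; a '*' is honoured
    only as the complete left-most label and then matches exactly one label."""
    ref, pres = _labels(reference), _labels(presented)
    if len(ref) != len(pres) or len(pres) < 2:
        return False
    if "*" in presented:
        # Partial or non-left-most wildcards (e.g. "rid.*.org") are refused outright.
        return pres[0] == "*" and all("*" not in lbl for lbl in pres[1:]) and ref[1:] == pres[1:]
    return ref == pres


def matched_identifier_type(reference: str, cert: PresentedIds,
                            allow_cn_id: bool = True) -> str:
    """Return 'DNS-ID', 'CN-ID' or 'none' according to which identifier matched.

    RFC 6125 Section 6.4.4: when the certificate carries any DNS-ID, the CN-ID is
    not consulted at all, even if it would have matched. The CN-ID is only a last
    resort for certificates without DNS-IDs; allow_cn_id=False (an assumed switch)
    models a RID consortium that has decided not to accept CN-IDs at all."""
    if cert.dns_ids:
        if any(_match_presented(reference, d) for d in cert.dns_ids):
            return "DNS-ID"
        return "none"
    if allow_cn_id and cert.cn_id and _match_presented(reference, cert.cn_id):
        return "CN-ID"
    return "none"


if __name__ == "__main__":
    # Constructed certificates for a RID peer the client expects to be rid.example.org.
    modern = PresentedIds(["rid.example.org", "*.backup.example.org"], cn_id="RID gateway")
    legacy = PresentedIds([], cn_id="rid.example.org")          # older PKI, CN only
    mismatch = PresentedIds(["other.example.org"], cn_id="rid.example.org")
    for label, cert in (("modern", modern), ("legacy", legacy), ("mismatch", mismatch)):
        print(label, "->", matched_identifier_type("rid.example.org", cert))
```

The `mismatch` case is the one that trips up naive checkers: the CN would match, but because a DNS-ID is present it is ignored and the check fails.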
