Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05

Alexey Melnikov <> Tue, 24 January 2012 16:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C676621F85FF; Tue, 24 Jan 2012 08:59:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.355
X-Spam-Status: No, score=-102.355 tagged_above=-999 required=5 tests=[AWL=0.244, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BrcPA1dvcARQ; Tue, 24 Jan 2012 08:59:40 -0800 (PST)
Received: from ( [IPv6:2a00:14f0:e000:7c::2]) by (Postfix) with ESMTP id CA0B321F84BD; Tue, 24 Jan 2012 08:59:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1327424378;; s=selector;; bh=UxBFxG/pFlKusl/JnMGg+NE6DtYSPedspYio6qYI4l0=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=tNGjekNuvO6GOz2ATocN8AQJPhwiBqzl75izTGWd9JQyuX3WEKT3LxIa5i0Cio/ueyDLcu yond2G1xDQadcXwZMMgHAWAzbelSulEXRTNORUA4CpOb8sZFamWUASgJ7D9gmwf4GktS1Y 3ElMxgpJlwJUobM/FKVyoBKilaBwTKE=;
Received: from [] ( []) by (submission channel) via TCP with ESMTPSA id <>; Tue, 24 Jan 2012 16:59:36 +0000
Message-ID: <>
Date: Tue, 24 Jan 2012 16:59:37 +0000
From: Alexey Melnikov <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20111105 Thunderbird/8.0
To: Peter Saint-Andre <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc:, Kathleen Moriarty <>, The IESG <>, Brian Trammell <>
Subject: Re: [Gen-art] Gen-ART last call review of draft-ietf-mile-rfc6046-bis-05
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Jan 2012 16:59:40 -0000

On 24/01/2012 16:45, Peter Saint-Andre wrote:
> On 1/24/12 2:25 AM, Brian Trammell wrote:
>> Hi, Alexey,
>> So far only one voice on the WG list, stating no need for CN-ID. However, on thinking about it a bit further, if you happen to have an older PKI built out, and you're still using it, you've probably got a large investment in it, and it probably makes sense to allow you to use it for RID too...
>> So, I'd suggest the following language to grudgingly allow such a thing:
>> The use of CN-ID identifiers in certificates identifying RID systems
>> is NOT RECOMMENDED, and CN-ID identifiers MUST be ignored by PKI
>> implementations which can use DNS-ID identifiers. However, CN-ID
>> identifiers MAY be used when the RID consortium to which the system
>> belongs uses an older, existing PKI implementation.
> Brian, first of all, thanks for working with us on this topic. As you
> can see from the length of RFC 6125 (which didn't start out that big!),
> there's more complexity here than meets the eye.
> I think the mix of "NOT RECOMMENDED, MUST be ignored by some, but MAY be
> used by others" might be a bit confusing to those who implement and
> deploy RID. Also, RFC 6125 makes a distinction between cert generation
> and cert checking, which gets obscured by the word "use". Thus I might
> make the following suggestion:
>     The inclusion of Common Names (CN-IDs) in certificates identifying
>     RID systems is NOT RECOMMENDED.  A PKI implementation that
>     understands DNS-IDs SHOULD ignore CN-IDs when checking server
>     certificates.
I thought RFC 6125 has a rule saying that CN-IDs are ignored in presence 
of DNS-IDs? I would just rather reference RFC 6125, or at least be clear 
that this is defined there (using "as specified in RFC 6125").

The rest of your proposal looks fine.
> However, because many existing PKI implementations
>     still include CN-IDs when generating certificates, RID consortiums
>     might want to continue supporting them during certificate checking.
> This removes the normative force from the text about existing PKI
> implementations, while still encouraging use of DNS-IDs.
> Let us know what you think.
> Peter