[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] WGLC on domain-certs and eku - Comments on eku

To: "DRAGE, Keith (Keith)" <drage at alcatel-lucent.com>, IETF SIP List <sip at ietf.org>
Subject: Re: [Sip] WGLC on domain-certs and eku - Comments on eku
From: "Elwell, John" <john.elwell at siemens.com>
Date: Thu, 28 Feb 2008 16:52:41 +0000
Cc: slawrence at bluesocket.com
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <5D1A7985295922448D5550C94DE2918001C68A17 at DEEXC1U01.de.lucent.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <5D1A7985295922448D5550C94DE2918001C68A17 at DEEXC1U01.de.lucent.com>
Sender: sip-bounces at ietf.org
Thread-index: Ach1I47x4nFLQ/r9Sf6PE1fK5hI8NAE+dr3A
Thread-topic: [Sip] WGLC on domain-certs and eku - Comments on eku

1. "Certificates whose purpose is to
   bind a SIP domain identity without binding other non-SIP identities
   MUST include an id-kp-SIPdomain attribute."
I have several comments on this statement.
a) It seems premature to make this statement prior to the explanation
that occurs in 3.1.
b) Is "MUST" appropriate at this stage, or would it be more appropriate
to include such normative language later in the document, e.g., in
section 5?
c) It looks like it might be in conflict with the later statement:
"Whether or not to include this restriction is
   up to the certificate issuer"

2. "but if it is included, it MUST be
   marked as critical"
Wouldn't this be more appropriate in section 5?

3. "3.  If any EKU is present and contains both
id-kp-anyExtendedKeyUsage
       and id-kp-sipDomain, accept the certificate."
This may be my lack of expertise in this area, but isn't there another
case where id-kp-sipDomain is present but id-kp-anyExtendedKeyUsage is
not present? If so, how is this handled. Similarly in the normative text
that precedes this descriptive flow.

John
 

> -----Original Message-----
> From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On 
> Behalf Of DRAGE, Keith (Keith)
> Sent: 22 February 2008 07:22
> To: IETF SIP List
> Cc: Jeffrey, Alan S A (Alan); slawrence at bluesocket.com
> Subject: [Sip] WGLC on domain-certs and eku
> 
> (As WG chair)
> 
> This is to announce a WG last call on BOTH
> 
> http://www.ietf.org/internet-drafts/draft-ietf-sip-domain-certs-00.txt
> 
> and
> 
> http://www.ietf.org/internet-drafts/draft-ietf-sip-eku-01.txt
> 
> Comments should be submitted to both the list, and to the authors, by
> Friday 7th March 2008. This will give the opportunity for 
> discussion of
> major issues at the SIP WG meeting in Philadelphia.
> 
> Please clearly identify the position of any issue in the 
> internet draft,
> and if possible identify what you would like to see as a correction.
> Please also indicate the nature or severity of the error or 
> correction,
> e.g. Major technical, minor technical, NIT, so that we can 
> quickly judge
> the extent of problems with the document.
> 
> Note that both these documents are used by:
> 
> http://www.ietf.org/internet-drafts/draft-ietf-sip-connect-reu
> se-09.txt
> 
> This particular document is finished and ready for the publication
> request, but if you feel your comment also addresses the usage by this
> document, please clearly indicate and get the comment in.
> 
> Regards
> 
> Keith
> _______________________________________________
> Sip mailing list  http://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors at cs.columbia.edu for questions on current sip
> Use sipping at ietf.org for new developments on the application of sip
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

References:
- [Sip] WGLC on domain-certs and eku
  - From: DRAGE, Keith \(Keith\)

Prev by Date: Re: [Sip] WGLC on domain-certs and eku - comments on domain-certs
Next by Date: Re: [Sip] Comments to the TOTE draft
Previous by thread: Re: [Sip] WGLC on domain-certs and eku - comments on domain-certs
Next by thread: Re: [Sip] WGLC on domain-certs and eku
Index(es):
- Date
- Thread