Device Owner Attribute
draft-turner-deviceowner-attribute-03

Yes: Tim Polk

No Objection: Alexey Melnikov, Pasi Eronen, Ralph Droms, Ron Bonica, Ross Callon, Russ Housley

Abstain: Lars Eggert

No Record

Note: This ballot was opened for revision 03 and is now closed.

Tim Polk, Former IESG member
Yes

Alexey Melnikov, Former IESG member
(was Discuss) No Objection (2009-11-18)

Cullen Jennings, Former IESG member
(was Discuss, No Objection) No Objection (2009-11-19)
I understand how the OID works, though this moves it so operators that own devices need OIDs instead of just vendors that build devices needing one. If lots of enterprises want to use this, I doubt the current EN approach is the best. I don't understand when a country code is used or what it means in terms of authorization decisions. It seems problematic to have multiple ways of specifying the same country given the matching rules would not cause them to match.

Dan Romascanu, Former IESG member
No Objection (2009-11-19)
1. I support two of the points raised by Pasi's DISCUSS: the concept of 'ownership' needs clarification, especially what it means for a device to be 'owned' by a country, and having multiple ways of identifying country codes may lead to interoperability problems.

2. Normative reference [X.680] is to the 2002 edition of the ITU-T recommendation, which is superseded by the 2008 edition. We should discuss whether such a reference (which is the equivalent of a downref to an obsolete RFC) is OK. I did not enter a DISCUSS as I have already entered one for a different document, but we probably need a common approach.

Jari Arkko, Former IESG member
No Objection (2009-11-18)
I would suggest that the authors re-consider this draft and try to
see if it can be written to be about cert extensions, about organizations
and about specific rules on what implementations need to do in order to 
support policy decisions regarding these attributes.

Some specific comments: 

I agree with the issues that Pasi raised in his review.

Also, the document says:

   The Device Owner attribute indicates the country or organization that
   owns the Device with which this attribute is associated.

But I do not know what it means for a device to be owned by a country.
I would argue that in most cases there is no such thing. Devices belong
to organizations, e.g., ministry of such and such, city blaah
administration, or acme corporation.

And:

   This attribute may be used in authorization decisions. For example, a
   router deciding whether to connect to another router could check that
   the device owner present in the device's certificate is on an
   "approved" list.

This is a pretty weak definition. First of all, it brings up interesting
applications for routers that you probably did not mean? (E.g., if these
certs were somehow used in BGP, we would not expect interdomain BGP to
demand that it only talks to the same domain :-) Secondly, I don't know
what to implement based on the above description.

And:

   NOTE: This document does not provide LDAP equivalent schema
   specification as this attribute is targeted at public key
   certificates [RFC5280] and attribute certificates [RFC3281bis].  This
   is left to a future specification.

I do not understand what "this" refers to in the last sentence. The
application to certs? Or LDAP schema? Please be more specific.

Magnus Westerlund, Former IESG member
No Objection (2009-11-19)
I think this document is clearly confusing, and I hope it will be reworked in significant fashion to clearly state what it specifies, what it is useful for, and how.

Pasi Eronen, Former IESG member
(was Discuss) No Objection

Ralph Droms, Former IESG member
No Objection

Ron Bonica, Former IESG member
No Objection

Ross Callon, Former IESG member
No Objection

Russ Housley, Former IESG member
No Objection

Lars Eggert, Former IESG member
Abstain

Lisa Dusseault, Former IESG member
No Record (2009-11-18)
I dislike that this attribute is not defined on anything in particular, and thus unlikely to lead to interoperability unless referenced from elsewhere. However, this was already covered by other DISCUSS positions so I won't add mine.

It would also be good to better understand the requirements for identifying owners.  In particular, having different options for country codes plus different options for non-countries makes it really hard for me to figure out what the owner is.  I wonder if it will be too likely for the same owner to be represented in multiple different ways, which might make the comparison fail if not all those options are known to the comparison-making party.