Device Owner Attribute
draft-turner-deviceowner-attribute-03
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
03 | (System) | post-migration administrative database adjustment to the No Objection position for Pasi Eronen |
2012-08-22
|
03 | (System) | post-migration administrative database adjustment to the No Objection position for Alexey Melnikov |
2010-02-17
|
03 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2010-02-16
|
03 | (System) | IANA Action state changed to No IC from In Progress |
2010-02-16
|
03 | (System) | IANA Action state changed to In Progress |
2010-02-16
|
03 | Amy Vezza | IESG state changed to Approved-announcement sent |
2010-02-16
|
03 | Amy Vezza | IESG has approved the document |
2010-02-16
|
03 | Amy Vezza | Closed "Approve" ballot |
2010-02-16
|
03 | Amy Vezza | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Amy Vezza |
2010-02-16
|
03 | Pasi Eronen | [Ballot Position Update] Position for Pasi Eronen has been changed to No Objection from Discuss by Pasi Eronen |
2010-02-02
|
03 | Alexey Melnikov | [Ballot Position Update] Position for Alexey Melnikov has been changed to No Objection from Discuss by Alexey Melnikov |
2010-02-01
|
03 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2010-02-01
|
03 | (System) | New version available: draft-turner-deviceowner-attribute-03.txt |
2009-11-20
|
03 | (System) | Removed from agenda for telechat - 2009-11-19 |
2009-11-19
|
03 | Cindy Morgan | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Cindy Morgan |
2009-11-19
|
03 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to No Objection from Discuss by Cullen Jennings |
2009-11-19
|
03 | Cullen Jennings | [Ballot comment] I understand how the OID works though this moves it so operators that own devices need oids instead of just vendors that build … [Ballot comment] I understand how the OID works though this moves it so operators that own devices need oids instead of just vendors that build devices needing one. If lots of enterprises want to use this, I doubt the current EN approach is the best. I don't understand when a country code is used or what it means in terms of authorization decisions. It seems problematic to have multiple ways of specifying the same country given the matching rules would not cause them to match. |
2009-11-19
|
03 | Cullen Jennings | [Ballot Position Update] Position for Cullen Jennings has been changed to Discuss from No Objection by Cullen Jennings |
2009-11-19
|
03 | Magnus Westerlund | [Ballot comment] I think this document is clearly confusing and I hope it will be reworked in significant fashion to clearly state what it specifies … [Ballot comment] I think this document is clearly confusing and I hope it will be reworked in significant fashion to clearly state what it specifies and what it is useful and how. |
2009-11-19
|
03 | Magnus Westerlund | [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund |
2009-11-19
|
03 | Dan Romascanu | [Ballot comment] 1. I support two of the points raised by Pasi's DISCUSS: the concept of 'ownership' needs clarification and especially what meas for a … [Ballot comment] 1. I support two of the points raised by Pasi's DISCUSS: the concept of 'ownership' needs clarification and especially what meas for a device to be 'owned' by a country, and having multiple ways of identifying country codes may lead to interoperability problems 2. Normative reference [X.680] is to the 2002 edition of the ITU-T recommendation which is seperseded by the 2008 edition. We should discuss whether such reference (which is the equivalent to a downref to an obsolete RFC) is OK. I did not enter a DISCUSS as I have already entered one for a different document, but we probably need a common approach. |
2009-11-19
|
03 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu |
2009-11-18
|
03 | Alexey Melnikov | [Ballot comment] |
2009-11-18
|
03 | Alexey Melnikov | [Ballot discuss] This is the one of the issues on Pasi's list: DeviceOwner ::= CHOICE { alpha2Country [0] PrintableString ( … [Ballot discuss] This is the one of the issues on Pasi's list: DeviceOwner ::= CHOICE { alpha2Country [0] PrintableString ( SIZE (2) ), -- ISO 3166-1 2 Letter Codes (aka diagram). alpha3Country [1] PrintableString ( SIZE (3) ), -- ISO 3166-1 3 Letter Codes (aka trigram). alpha4Country [2] PrintableString ( SIZE (4) ), -- ISO 3166-2 4 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by one alpha or numeric code). alpha5Country [3] PrintableString ( SIZE (5) ), -- ISO 3166-2 5 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by two alpha or numeric codes). alpha6Country [4] PrintableString ( SIZE (6) ), -- ISO 3166-2 6 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by three alpha or numeric codes). numericCountry INTEGER (0..999), -- ISO 3166-1 3 Digit Codes. group OBJECT IDENTIFIER } Having both 2 letter country codes, 3 letter country codes (some of which correspond to 2 letter country codes) and numeric country codes doesn't help interoperability. If you look at LTRU WG document, you can see that there is a single registry that avoids multiple representations of the same thing. My recommendation is to either remove everything but 1 choice for country codes (using 3 letter country codes seems to be the best), or add more text clarifying which choice is going to be used in which case and how interoperability is to be achieved. |
2009-11-18
|
03 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2009-11-18
|
03 | Lisa Dusseault | [Ballot comment] I dislike that this attribute is not defined on anything in particular, and thus unlikely to lead to interoperability unless referenced from elsewhere. … [Ballot comment] I dislike that this attribute is not defined on anything in particular, and thus unlikely to lead to interoperability unless referenced from elsewhere. However, this was already covered by other DISCUSS positions so I won't add mine. It would also be good to better understand the requirements for identifying owners. In particular, having different options for country codes plus different options for non-countries makes it really hard for me to figure out what the owner is. I wonder if it will be too likely for the same owner to be represented in multiple different ways, which might make the comparison fail if not all those options are known to the comparison-making party. |
2009-11-18
|
03 | Alexey Melnikov | [Ballot comment] Should "numericCountry" and "group" be marked as choices as well? ("[5]" and "[6]") |
2009-11-18
|
03 | Alexey Melnikov | [Ballot discuss] This is the one of the issues on Pasi's list: DeviceOwner ::= CHOICE { alpha2Country [0] PrintableString ( … [Ballot discuss] This is the one of the issues on Pasi's list: DeviceOwner ::= CHOICE { alpha2Country [0] PrintableString ( SIZE (2) ), -- ISO 3166-1 2 Letter Codes (aka diagram). alpha3Country [1] PrintableString ( SIZE (3) ), -- ISO 3166-1 3 Letter Codes (aka trigram). alpha4Country [2] PrintableString ( SIZE (4) ), -- ISO 3166-2 4 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by one alpha or numeric code). alpha5Country [3] PrintableString ( SIZE (5) ), -- ISO 3166-2 5 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by two alpha or numeric codes). alpha6Country [4] PrintableString ( SIZE (6) ), -- ISO 3166-2 6 Letter Codes (ISO 3166-1 diagram and a hyphen -- followed by three alpha or numeric codes). numericCountry INTEGER (0..999), -- ISO 3166-1 3 Digit Codes. group OBJECT IDENTIFIER } Having both 2 letter country codes, 3 letter country codes (some of which correspond to 2 letter country codes) and numeric country codes doesn't help interoperability. If you look at LTRU WG document, you can see that there is a single registry that avoids multiple representations of the same thing. |
2009-11-18
|
03 | Ron Bonica | [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica |
2009-11-18
|
03 | Alexey Melnikov | [Ballot Position Update] New position, Discuss, has been recorded by Alexey Melnikov |
2009-11-18
|
03 | Cullen Jennings | [Ballot Position Update] New position, No Objection, has been recorded by Cullen Jennings |
2009-11-18
|
03 | Cullen Jennings | [Ballot comment] I'm wondering why you did not just use a domain name for the owner? So the owner could be cisco.com or something like … [Ballot comment] I'm wondering why you did not just use a domain name for the owner? So the owner could be cisco.com or something like that. |
2009-11-18
|
03 | Tim Polk | State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Tim Polk |
2009-11-18
|
03 | Ralph Droms | [Ballot Position Update] New position, No Objection, has been recorded by Ralph Droms |
2009-11-18
|
03 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded by Jari Arkko |
2009-11-18
|
03 | Jari Arkko | [Ballot comment] I would suggest that the authors re-consider this draft and try to see if it can be written to be about cert extensions, … [Ballot comment] I would suggest that the authors re-consider this draft and try to see if it can be written to be about cert extensions, about organizations and about specific rules on what implementations need to do in order to support policy decisions regarding these attributes. Some specific comments: I agree with the issues that Pasi raised in his review. Also, the document says: The Device Owner attribute indicates the country or organization that owns the Device with which this attribute is associated. But I do not know what it means for a device to be owned by a country. I would argue that in most cases there is no such thing. Devices belong to organizations, e.g., ministry of such and such, city blaah administration, or acme corporation. And: This attribute may be used in authorization decisions. For example, a router deciding whether to connect to another router could check that the device owner present in the device's certificate is on an "approved" list. This is a pretty weak definition. First of all, it brings up interesting applications for routers that you probably did not mean? (E.g., if these certs were somehow used in BGP, we would not expect interdomain BGP to demand that it only talks to the same domain :-) Secondly, I don't know what to implement based on the above description. And: NOTE: This document does not provide LDAP equivalent schema specification as this attribute is targeted at public key certificates [RFC5280] and attribute certificates [RFC3281bis]. This is left to a future specification. I do not understand what "this" refers to in the last sentence. The application to certs? Or LDAP schema? Please be more specific. |
2009-11-18
|
03 | Jari Arkko | [Ballot comment] I agree with the issues that Pasi raised in his review. Also, the document says: The Device Owner attribute indicates the country … [Ballot comment] I agree with the issues that Pasi raised in his review. Also, the document says: The Device Owner attribute indicates the country or organization that owns the Device with which this attribute is associated. But I do not know what it means for a device to be owned by a country. I would argue that in most cases there is no such thing. Devices belong to organizations, e.g., ministry of such and such, city blaah administration, or acme corporation. And: This attribute may be used in authorization decisions. For example, a router deciding whether to connect to another router could check that the device owner present in the device's certificate is on an "approved" list. This is a pretty weak definition. First of all, it brings up interesting applications for routers that you probably did not mean? (E.g., if these certs were somehow used in BGP, we would not expect interdomain BGP to demand that it only talks to the same domain :-) Secondly, I don't know what to implement based on the above description. And: NOTE: This document does not provide LDAP equivalent schema specification as this attribute is targeted at public key certificates [RFC5280] and attribute certificates [RFC3281bis]. This is left to a future specification. I do not understand what "this" refers to in the last sentence. The application to certs? Or LDAP schema? Please be more specific. |
2009-11-18
|
03 | Jari Arkko | [Ballot comment] I agree with the issues that Pasi raised in his review. Also, the document says: This attribute may be used in authorization … [Ballot comment] I agree with the issues that Pasi raised in his review. Also, the document says: This attribute may be used in authorization decisions. For example, a router deciding whether to connect to another router could check that the device owner present in the device's certificate is on an "approved" list. This is a pretty weak definition. First of all, it brings up interesting applications for routers that you probably did not mean? (E.g., if these certs were somehow used in BGP, we would not expect interdomain BGP to demand that it only talks to the same domain :-) Secondly, I don't know what to implement based on the above description. And: NOTE: This document does not provide LDAP equivalent schema specification as this attribute is targeted at public key certificates [RFC5280] and attribute certificates [RFC3281bis]. This is left to a future specification. I do not understand what "this" refers to in the last sentence. The application to certs? Or LDAP schema? Please be more specific. |
2009-11-18
|
03 | Jari Arkko | [Ballot comment] I agree with the issues that Pasi raised in his review. |
2009-11-18
|
03 | Lars Eggert | [Ballot Position Update] New position, Abstain, has been recorded by Lars Eggert |
2009-11-16
|
03 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded by Russ Housley |
2009-11-03
|
03 | Pasi Eronen | [Ballot discuss] I have reviewed draft-turner-deviceowner-attribute-02, and have a couple of questions/concerns that I'd like to discuss before recommending approval of the document: - … [Ballot discuss] I have reviewed draft-turner-deviceowner-attribute-02, and have a couple of questions/concerns that I'd like to discuss before recommending approval of the document: - Abstract/Section 1: talking about "protocols that support ASN.1 attributes" is really vague, and unlikely to lead to any kind of interoperability (e.g. Kerberos uses ASN.1 and has some concept of attributes, but it doesn't look like this spec as-is would allow using this attribute in Kerberos -- and probably that was not the intent, either). If the intent is PKCs and ACs, I'd suggest something like "This attribute may be included in attribute certificates [RFC3281bis] and in the Subject Directory Attributes extension in public key certificates [RFC5280]" (or is it intended to be used in DNs, too?) The document title should be slightly more specific, too. - I was surprised to find "IMPORTS NOTHING" in the ASN.1 module -- it seems most of the ASN.1 is generic attribute stuff which should be imported (instead of copy-pasted) from somewhere? - Why have three different ways (2-latter, 3-letter, numeric) of representing exactly the same information? This seems unlikely to promote interoperability (e.g. if the information is an integer, we don't usually allow both little-endian, big-endian, and "middle-endian" encodings, but just pick one of them...) - Why three separate entries for 3166-2 codes, instead of SIZE(4..6)? - The concept of "ownership" may vary from one legal system to another, but IMHO it's more typical to say that a device is owned by by a legal person (e.g. "Ministry of Justice, Finland" or "IETF Trust, Virginia, USA") than by a country (which would usually have thousands/millions of different organizations). When you use the 3166 codes in the device owner attribute, is it intended to specify just the nationality of the organization (e.g. "US" for IETF Trust, "FI" for "Ministry of Justice, Finland"), or is it intended to imply that the organization is somehow part of "the government"? (which is obviously a very fuzzy definition if you have federal, state, municipal levels, different branches, government-owned companies, etc.) |
2009-11-03
|
03 | Pasi Eronen | [Ballot Position Update] New position, Discuss, has been recorded by Pasi Eronen |
2009-11-02
|
03 | Samuel Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Alan DeKok. |
2009-10-28
|
03 | Tim Polk | [Ballot Position Update] New position, Yes, has been recorded for Tim Polk |
2009-10-28
|
03 | Tim Polk | Ballot has been issued by Tim Polk |
2009-10-28
|
03 | Tim Polk | Created "Approve" ballot |
2009-10-28
|
03 | Tim Polk | Placed on agenda for telechat - 2009-11-19 by Tim Polk |
2009-10-19
|
02 | (System) | New version available: draft-turner-deviceowner-attribute-02.txt |
2009-08-28
|
03 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2009-08-14
|
03 | Amanda Baber | IANA comments: As described in the IANA Considerations section, we understand this document to have NO IANA Actions. |
2009-08-03
|
03 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Alan DeKok |
2009-08-03
|
03 | Samuel Weiler | Request for Last Call review by SECDIR is assigned to Alan DeKok |
2009-07-31
|
03 | Cindy Morgan | Last call sent |
2009-07-31
|
03 | Cindy Morgan | State Changes to In Last Call from Last Call Requested by Cindy Morgan |
2009-07-31
|
03 | Tim Polk | State Changes to Last Call Requested from AD Evaluation by Tim Polk |
2009-07-31
|
03 | Tim Polk | Last Call was requested by Tim Polk |
2009-07-31
|
03 | (System) | Ballot writeup text was added |
2009-07-31
|
03 | (System) | Last call text was added |
2009-07-31
|
03 | (System) | Ballot approval text was added |
2009-07-27
|
03 | Tim Polk | State Changes to AD Evaluation from Publication Requested by Tim Polk |
2009-03-26
|
03 | Tim Polk | 1.a - Carl Wallace is the Shepherd. I have personally reviewed the document and assert that it is ready for IESG publication. 1.b - The … 1.a - Carl Wallace is the Shepherd. I have personally reviewed the document and assert that it is ready for IESG publication. 1.b - The document has been reviewed by Russ Housley, Jim Schaad, and Kurt Zelienga, who were considered to be experts with ASN.1 and/or directories. There are no concerns about depth or breadth of the reviews. 1.c - I see no need for wider review. 1.d - There are no specific concerns of which the AD and/or IESG should be aware. 1.e - This is not a product of a WG. 1.f - This is not a product of a WG. 1.g - I have personally verified that the document satisfies all ID nits (although it does generate several spurious warnings). 1.h - The document splits it references into normative and informative as required. 1.i - The document has an IANA consideration section and it is consistent with the main body (there are no IANA considerations). 1.j - Sean Turner verified the ASN.1. 1.k - Write-up is as follows: Technical Summary This document defines the deviceOwner attribute. This attribute may be carried in a public key certificate in the Subject Directory Attributes extension, in an attribute certificate in the attribute field, in a directory as an attribute, or in protocols that support attributes. Discussion Summary The -00 version was reviewed by Kurt Zeilenga. A match rule was added to the definition to ensure a proper match can be performed between a presented attribute and a stored attribute. Document Quality This document is a short document that defines an attribute a matching rule. Personnel Carl Wallace is the shepherd. Tim Polk is the sponsoring AD. |
2009-03-26
|
03 | Tim Polk | Draft Added by Tim Polk in state Publication Requested |
2009-03-05
|
01 | (System) | New version available: draft-turner-deviceowner-attribute-01.txt |
2008-10-06
|
00 | (System) | New version available: draft-turner-deviceowner-attribute-00.txt |