Message617

Author pcalhoun
Recipients
Date 2008-10-10.14:23:18
Content
After a few back and forths, we agreed on the following text:

<proposed text>
2.4.4.3.  Certificate Usage
[...]
   CAPWAP implementations MUST support certificates where the common
   name (CN) for both the WTP and AC is the MAC address of that device.
   The MAC address MUST be encoded in the PrintableString format, using
   the well recognized MAC address format of 01:23:45:67:89:ab.  The CN
   field MAY contain either of the EUI-48 [EUI-48] or EUI-64 [EUI-64]
   MAC Address formats.  This seemingly unconventional use of the CN
   field is consistent with other standards that rely on device
   certificates that are provisioned during the manufacturing process,
   such as Packet Cable [PacketCable], Cable Labs [CableLabs] and WiMAX
   [WiMAX].  See Section 12.8 for more information on the use of the MAC
   Address in the CN field.

12.8.  Use of MAC Address in CN Field

   The CAPWAP protocol is an evolution of an existing protocol
   [I-D.ohara-capwap-lwapp] which is implemented on a large number of
   already deployed ACs and WTPs.  Every one of these devices has an
   existing X.509 certificate, which is provisioned at manufacturing
   time.  These X.509 certificates use the device's MAC Address in the
   Common Name (CN) field.  It is well understood that encoding the MAC
   Address in the CN field is less than optimal, and using the
   SubjectAltName field would be preferable.  However, at the time of
   publication, there is no URN specification that allows for the MAC
   Address to be used in the SubjectAltName field.  As such a
   specification is published by the IETF, future versions of the CAPWAP
   protocol MAY require support for the new URN scheme.

17.2.  Informational References
[...]

   [PacketCable]
              "PacketCable Security Specification PKT-SP-SEC-I12-
              050812", August 2005, <PacketCable>.

   [CableLabs]
              "OpenCable System Security Specification OC-SP-SEC-I07-
              061031", October 2006, <CableLabs>.

   [WiMAX]    "WiMAX Forum X.509 Device Certificate Profile Approved
              Specification V1.0.1", April 2008, <WiMAX>. 
</proposed text>
History
Date User Action Args
2008-10-10 14:23:18  pcalhoun  link  issue223 messages
2008-10-10 14:23:18  pcalhoun  create
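
Added example (not part of the proposed text and not code from any CAPWAP implementation): a check that a DER-encoded commonName attribute follows the proposed 2.4.4.3 wording, i.e. a PrintableString holding a colon-separated EUI-48 or EUI-64 address. The function names, the sample attributes, the lowercase normalisation and the rejection of non-PrintableString encodings are assumptions of this example, not requirements stated in the text.

```python
CN_OID = bytes.fromhex("0603550403")      # DER encoding of OID 2.5.4.3 (commonName)
TAG_SEQUENCE, TAG_PRINTABLE = 0x30, 0x13  # ASN.1 universal tags used below
HEX = set("0123456789abcdefABCDEF")

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length not expected for a MAC address CN")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos + 2:end], end

def mac_from_cn_attribute(der):
    """Validate one AttributeTypeAndValue; return the MAC, lowercased (assumption)."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a single AttributeTypeAndValue SEQUENCE")
    if not body.startswith(CN_OID):
        raise ValueError("attribute is not commonName (2.5.4.3)")
    tag, value, end = read_tlv(body, len(CN_OID))
    if end != len(body):
        raise ValueError("trailing data after CN value")
    if tag != TAG_PRINTABLE:  # strict reading of "MUST be encoded in PrintableString"
        raise ValueError(f"CN is tag 0x{tag:02x}, not PrintableString (0x13)")
    octets = value.decode("ascii").split(":")
    if len(octets) not in (6, 8):  # EUI-48 has 6 octets, EUI-64 has 8
        raise ValueError("CN is neither EUI-48 nor EUI-64")
    if any(len(o) != 2 or not set(o) <= HEX for o in octets):
        raise ValueError("CN octets must be two hex digits each")
    return ":".join(octets).lower()

def cn_attribute(tag, text):
    """Build a constructed sample AttributeTypeAndValue (demo input only)."""
    value = text.encode("ascii")
    body = CN_OID + bytes([tag, len(value)]) + value
    return bytes([TAG_SEQUENCE, len(body)]) + body

if __name__ == "__main__":
    # Constructed samples: valid EUI-48, valid EUI-64, UTF8String tag, dotted format
    for tag, text in [(0x13, "01:23:45:67:89:ab"), (0x13, "01:23:45:67:89:AB:CD:EF"),
                      (0x0C, "01:23:45:67:89:ab"), (0x13, "0123.4567.89ab")]:
        try:
            print(text, "->", mac_from_cn_attribute(cn_attribute(tag, text)))
        except ValueError as err:
            print(text, "-> rejected:", err)
```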