Device Owner Attribute
RFC 5916

Note: This ballot was opened for revision 03 and is now closed.

(Tim Polk) Yes

(Jari Arkko) No Objection

Comment (2009-11-18 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
I would suggest that the authors re-consider this draft and try to
see if it can be written to be about cert extensions, about organizations
and about specific rules on what implementations need to do in order to 
support policy decisions regarding these attributes.

Some specific comments: 

I agree with the issues that Pasi raised in his review.

Also, the document says:

   The Device Owner attribute indicates the country or organization that
   owns the Device with which this attribute is associated.

But I do not know what it means for a device to be owned by a country.
I would argue that in most cases there is no such thing. Devices belong
to organizations, e.g., ministry of such and such, city blaah
administration, or acme corporation.

And:

   This attribute may be used in authorization decisions. For example, a
   router deciding whether to connect to another router could check that
   the device owner present in the device's certificate is on an
   "approved" list.

This is a pretty weak definition. First of all, it brings up interesting
applications for routers that you probably did not mean? (E.g., if these
certs were somehow used in BGP, we would not expect interdomain BGP to
demand that it only talks to the same domain :-) Secondly, I don't know
what to implement based on the above description.

And:

   NOTE: This document does not provide LDAP equivalent schema
   specification as this attribute is targeted at public key
   certificates [RFC5280] and attribute certificates [RFC3281bis].  This
   is left to a future specification.

I do not understand what "this" refers to in the last sentence. The
application to certs? Or LDAP schema? Please be more specific.

(Ron Bonica) No Objection

(Ross Callon) No Objection

(Ralph Droms) No Objection

(Pasi Eronen) (was Discuss) No Objection

(Russ Housley) No Objection

(Cullen Jennings) (was Discuss, No Objection) No Objection

Comment (2009-11-19 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
I understand how the OID works though this moves it so operators that own devices need oids instead of just vendors that build devices needing one. If lots of enterprises want to use this, I doubt the current EN approach is the best.  I don't understand when a country code is used or what it means in terms of authorization decisions. It seems problematic to have multiple ways of specifying the same country given the matching rules would not cause them to match.

Alexey Melnikov (was Discuss) No Objection

(Dan Romascanu) No Objection

Comment (2009-11-19 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
1. I support two of the points raised by Pasi's DISCUSS: the concept of 'ownership' needs clarification and especially what meas for a device to be 'owned' by a country, and having multiple ways of identifying country codes may lead to interoperability problems

2. Normative reference [X.680] is to the 2002 edition of the ITU-T recommendation which is seperseded by the 2008 edition. We should discuss whether such reference (which is the equivalent to a downref to an obsolete RFC) is OK. I did not enter a DISCUSS as I have already entered one for a different document, but we probably need a common approach.

Magnus Westerlund No Objection

Comment (2009-11-19 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
I think this document is clearly confusing and I hope it will be reworked in significant fashion to clearly state what it specifies and what it is useful and how.

(Lars Eggert) Abstain

(Lisa Dusseault) No Record

Comment (2009-11-18 for -** No value found for 'p.get_dochistory.rev' **)
No email
send info
I dislike that this attribute is not defined on anything in particular, and thus unlikely to lead to interoperability unless referenced from elsewhere.  However, this was already covered by other DISCUSS positions so I won't add mine. 

It would also be good to better understand the requirements for identifying owners.  In particular, having different options for country codes plus different options for non-countries makes it really hard for me to figure out what the owner is.  I wonder if it will be too likely for the same owner to be represented in multiple different ways, which might make the comparison fail if not all those options are known to the comparison-making party.