From 393671e5cbc78ba2cce1ca28c569b4c4358aec17 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:25:03 -0400 Subject: [PATCH 01/23] reference 9525, say subjectDN for EE should be null, close #35 --- draft-ietf-uta-tls13-iot-profile.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 5214e56..27000a9 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,8 +489,9 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -The Subject field MUST be present and MUST contain the commonName, the organizationName, -and the countryName attribute and MAY contain an organizationalUnitName attribute. +However, {{RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. + +Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates. ### Authority Key Identifier From 0e2ba0dbdb3110220abf1297b1184325dc11bd24 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:26:16 -0400 Subject: [PATCH 02/23] fix to be normative reference --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 27000a9..26bb05f 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -489,7 +489,7 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -However, {{RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. +However, {{!RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates. From 316a48c91ab9d3fdbd82588c66bae13aa75ffbb2 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:32:38 -0400 Subject: [PATCH 03/23] be more precise in subject contents --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 26bb05f..f366dc4 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,7 +489,7 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -However, {{!RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. +However, as {{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates. From 258dee82276863bfb6894663bb49634a07b036df Mon Sep 17 00:00:00 2001 
From: Michael Richardson Date: Mon, 2 Sep 2024 10:33:24 -0400 Subject: [PATCH 04/23] fix certificate subject criteria Co-authored-by: Hannes Tschofenig --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index f366dc4..66d7424 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -491,7 +491,7 @@ issuer field in all certificates issued by the subject CA." However, as {{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. -Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates. +Root CA certificates and Subordinate CA certificates MUST have a non-empty SubjectDN, as the value MUST match the DN of the Issuer. ### Authority Key Identifier From 2bc415f5ad83ec70f956a503e270ac44ea0f4d61 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:36:50 -0400 Subject: [PATCH 05/23] move rfc9525 to EE section --- draft-ietf-uta-tls13-iot-profile.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 66d7424..e20694c 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -394,9 +394,9 @@ to {{!RFC5280}}. In IoT deployment scenarios it is often expected that the IDevIDs have no maximum validity period. For this purpose the use of a special value for the notAfter date field, the GeneralizedTime value of 99991231235959Z, -is utilized. If this is done, then CA certificates and certificates of -subordinate CAs cannot have a maximum validity period either. Hence, -it requires careful consideration whether it is appropriate to issue +is utilized. +If this is done, then the CA certificates and the certificates of subordinate CAs cannot have a maximum validity period either. +Hence, it requires careful consideration whether it is appropriate to issue IDevID certificates with no maximum validity period. LDevID certificates are, however, issued by the operator or owner, @@ -489,10 +489,11 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -However, as {{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. - Root CA certificates and Subordinate CA certificates MUST have a non-empty SubjectDN, as the value MUST match the DN of the Issuer. +The Subject field MUST be set and MUST contain the commonName, the organizationName, +and the countryName attribute and MAY contain an organizationalUnitName attribute. + ### Authority Key Identifier Section 4.2.1.1 of {{!RFC5280}} defines the Authority Key Identifier as follows: 
@@ -618,6 +619,8 @@ This section outlines the requirements for end entity certificates. ### Subject +{{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. + The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end entity certificates as a Subject name is lifted. From 7461b8ddd1416f2c20a7c0f3a710f25b92942cb5 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:40:01 -0400 Subject: [PATCH 06/23] simplify requirements to just root CA --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index e20694c..d82d366 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,7 +489,7 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -Root CA certificates and Subordinate CA certificates MUST have a non-empty SubjectDN, as the value MUST match the DN of the Issuer. +Root CA certificates MUST have a non-empty SubjectDN. The Subject field MUST be set and MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From 5f34751af615be53b14d4fa41af600827ef29e54 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:49:35 -0400 Subject: [PATCH 07/23] use subjectName for all uses --- draft-ietf-uta-tls13-iot-profile.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index d82d366..552e9b2 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -481,9 +481,9 @@ MUST NOT be marked critical. This section outlines the requirements for root CA certificates. -### Subject +## subjectName -{{!RFC5280}} defines the Subject field as follows: "The subject field identifies +{{!RFC5280}} defines the subjectName field as follows: "The subject field identifies the entity associated with the public key stored in the subject public key field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the @@ -491,8 +491,7 @@ issuer field in all certificates issued by the subject CA." Root CA certificates MUST have a non-empty SubjectDN. -The Subject field MUST be set and MUST contain the commonName, the organizationName, -and the countryName attribute and MAY contain an organizationalUnitName attribute. +The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier @@ -567,9 +566,9 @@ be set to true and the pathLenConstraint MUST be omitted. This section outlines the requirements for subordinate CA certificates. -### Subject +### subjectName -The Subject field MUST be set and MUST contain the commonName, the organizationName, +The subjectName field MUST be set and MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. 
@@ -617,12 +616,12 @@ status service (OCSP). This section outlines the requirements for end entity certificates. -### Subject +### subjectName -{{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. +{{!RFC9525, Section 2}} mandates that the subjectName not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end -entity certificates as a Subject name is lifted. +entity certificates as a subjectName is lifted. Two fields are typically used to encode a device identifer, namely the Subject and the subjectAltName fields. Protocol specifications tend to offer From bc6d2bf26caf55e0d720fcef137488886b5d0db4 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:51:08 -0400 Subject: [PATCH 08/23] one more subjectDN --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 552e9b2..69a11bd 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,7 +489,7 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -Root CA certificates MUST have a non-empty SubjectDN. +Root CA certificates MUST have a non-empty subjectName. The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From 43d6647fecc14383102bf1f6840a8f4b4e20024a Mon Sep 17 00:00:00 2001 
From: Michael Richardson Date: Mon, 2 Sep 2024 10:54:20 -0400 Subject: [PATCH 09/23] one more subjectName --- draft-ietf-uta-tls13-iot-profile.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 69a11bd..42044dd 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -628,8 +628,8 @@ Subject and the subjectAltName fields. Protocol specifications tend to offer recommendations what identifiers to use and the deployment situation is fragmented. -The Subject field MAY include a unique device serial number. If the serial -number is included, it MUST be encoded in the serialNumber attribute. +The subjectName field MAY include a unique device serial number. If the serial +number is included, it MUST be encoded in the X520SerialNumber attribute. {{!RFC5280}} defines: "The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included From d195217c30ea4758d9c98133c312eeeae2bda407 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Tue, 3 Sep 2024 13:41:50 +0200 Subject: [PATCH 10/23] Additional Text about Subject Name The problem is that RFC 5280 says that the subject name is contained in the subject field and/or the subjectAltName extension. The ASN.1 does not seem to support the case that the subject field is optional --- draft-ietf-uta-tls13-iot-profile.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 42044dd..9be41a1 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -481,17 +481,19 @@ MUST NOT be marked critical. This section outlines the requirements for root CA certificates. -## subjectName +## Subject -{{!RFC5280}} defines the subjectName field as follows: "The subject field identifies -the entity associated with the public key stored in the subject public key -field." RFC 5280 adds "If the subject is a CA then the subject field MUST be +Section 4.1.2.6 of {{!RFC5280}} defines the subject field as follows: "The subject field identifies +the entity associated with the public key stored in the subject public key field. The subject name +MAY be carried in the subject field and/or the subjectAltName extension." + +RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." Root CA certificates MUST have a non-empty subjectName. -The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From a74d4a17a02c730ef0f9c6da5978c9c228f85979 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:53:02 +0200 Subject: [PATCH 11/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 9be41a1..5b692f2 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -493,7 +493,7 @@ issuer field in all certificates issued by the subject CA." Root CA certificates MUST have a non-empty subjectName. -The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From b41e621ef8e8f4d6850da77175b60f1e39897e69 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:53:13 +0200 Subject: [PATCH 12/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 5b692f2..ac177e5 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -491,7 +491,7 @@ RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -Root CA certificates MUST have a non-empty subjectName. +Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From fb80ebc18890f22cdbf856ae429e9ab81ebb340a Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:54:01 +0200 Subject: [PATCH 13/23] Shortened Subject Field --- draft-ietf-uta-tls13-iot-profile.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index ac177e5..a7e88bd 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -483,17 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -Section 4.1.2.6 of {{!RFC5280}} defines the subject field as follows: "The subject field identifies -the entity associated with the public key stored in the subject public key field. The subject name -MAY be carried in the subject field and/or the subjectAltName extension." - -RFC 5280 adds "If the subject is a CA then the subject field MUST be -populated with a non-empty distinguished name matching the contents of the -issuer field in all certificates issued by the subject CA." - -Root CA certificates MUST have a non-empty subject field. - -The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From 8bd2ea56bb14708e1f3966b069ef38673370b23c Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:55:07 +0200 Subject: [PATCH 14/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index a7e88bd..4d20ef3 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -483,7 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +{{!RFC5280}} says that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From 860b98cb93a5c189c3362b3d59aca88b77ad192f Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:55:49 +0200 Subject: [PATCH 15/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 4d20ef3..9255c3a 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -483,7 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -{{!RFC5280}} says that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +{{!RFC5280}} mandates that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From 983e8913116402d847e9f2e2331519a16469077f Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:04 +0200 Subject: [PATCH 16/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 9255c3a..8d8e09c 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -558,7 +558,7 @@ be set to true and the pathLenConstraint MUST be omitted. This section outlines the requirements for subordinate CA certificates. -### subjectName +### Subject The subjectName field MUST be set and MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From a25c5a3335b375cc25ebcdf882af7a8beb9be3a0 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:19 +0200 Subject: [PATCH 17/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 8d8e09c..f86f700 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -560,7 +560,7 @@ This section outlines the requirements for subordinate CA certificates. ### Subject -The subjectName field MUST be set and MUST contain the commonName, the organizationName, +The subject field MUST be set and MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From 03a79b3bb903ef0702fbca2d40f9134755b4630c Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:25 +0200 Subject: [PATCH 18/23] Update draft-ietf-uta-tls13-iot-profile.md Co-authored-by: Thomas Fossati --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index f86f700..f5ad2c1 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -481,7 +481,7 @@ MUST NOT be marked critical. This section outlines the requirements for root CA certificates. -## Subject +### Subject {{!RFC5280}} mandates that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. From 41e03007adb32b89e3e21f4bbf704b8a5be7202b Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:34 +0200 Subject: [PATCH 19/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index f5ad2c1..c27a0c5 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -610,7 +610,7 @@ This section outlines the requirements for end entity certificates. ### subjectName -{{!RFC9525, Section 2}} mandates that the subjectName not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. +{{!RFC9525, Section 2}} mandates that the subject field not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end entity certificates as a subjectName is lifted. From 443043878f1b29f339064d92573b4d559b0d52da Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:41 +0200 Subject: [PATCH 20/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index c27a0c5..1c23713 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -613,7 +613,7 @@ This section outlines the requirements for end entity certificates. {{!RFC9525, Section 2}} mandates that the subject field not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end -entity certificates as a subjectName is lifted. +entity certificates as a subject field is lifted. Two fields are typically used to encode a device identifer, namely the Subject and the subjectAltName fields. Protocol specifications tend to offer From 62b3777b67467fc83dc679971f5a8187c077616d Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 17:02:48 +0200 Subject: [PATCH 21/23] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 1c23713..d4330fc 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -620,7 +620,7 @@ Subject and the subjectAltName fields. Protocol specifications tend to offer recommendations what identifiers to use and the deployment situation is fragmented. -The subjectName field MAY include a unique device serial number. If the serial +The subject field MAY include a unique device serial number. If the serial number is included, it MUST be encoded in the X520SerialNumber attribute. {{!RFC5280}} defines: "The subject alternative name extension allows identities From 4a5cafca812bed3f59795cba0a60471a1214e5b3 Mon Sep 17 00:00:00 2001 From: Thomas Fossati Date: Mon, 23 Sep 2024 17:03:38 +0200 Subject: [PATCH 22/23] make it the same as for Root CA certs --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index d4330fc..a07db85 100644 
--- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -608,7 +608,7 @@ status service (OCSP). This section outlines the requirements for end entity certificates. -### subjectName +### Subject {{!RFC9525, Section 2}} mandates that the subject field not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. From 92e1fd34990675237f895a0ea6924938da45ebf4 Mon Sep 17 00:00:00 2001 From: Thomas Fossati Date: Mon, 23 Sep 2024 17:05:33 +0200 Subject: [PATCH 23/23] grammar + split at full stop --- draft-ietf-uta-tls13-iot-profile.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index a07db85..8aefd62 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -610,7 +610,8 @@ This section outlines the requirements for end entity certificates. ### Subject -{{!RFC9525, Section 2}} mandates that the subject field not be be used to identify a service, for IoT purposes, an empty subjectName avoids all confusion for End Entity certificates. +{{!RFC9525, Section 2}} mandates that the subject field not be used to identify a service. +For IoT purposes, an empty subject field avoids all confusion for End Entity certificates. The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end entity certificates as a subject field is lifted.
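Review bot: in PATCH 01 the added sentence "{{RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates" over-reads the reference; the claim the series settles on in PATCH 03 and PATCH 23, that RFC 9525 mandates the subject field not be used to identify a service, is the supportable one. "empty (null)" should be just "empty": the subject field is a mandatory ASN.1 Name (a SEQUENCE) that can be empty but never absent, which is the point PATCH 10's commit message makes. The missing "!" on the reference is fixed in PATCH 02 and "Section 2.9" becomes "Section 2" in PATCH 03, so squashing 01 through 03 would avoid landing the wrong citation in history.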
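Review bot: in PATCH 04 "Root CA certificates and Subordinate CA certificates MUST have a non-empty SubjectDN, as the value MUST match the DN of the Issuer" inverts the relationship stated in the context lines just above it: RFC 5280 requires a CA's subject to match the issuer field of the certificates that CA issues, not the DN of its own issuer (the two coincide only for a self-signed root). Suggest "as the value MUST match the issuer field of every certificate the CA issues." PATCH 06 avoids the problem by dropping subordinate CAs from the sentence rather than fixing it.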
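Review bot: the first hunk of PATCH 05 (the notAfter 99991231235959Z paragraph) is a pure reflow with no wording change and does not belong under "move rfc9525 to EE section"; the second hunk then restores "The Subject field MUST be set and MUST contain the commonName, ..." directly after "Root CA certificates ... MUST have a non-empty SubjectDN", so the root CA section states the non-empty requirement twice until PATCH 13 merges them. Keep only one sentence here.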
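Review bot: PATCH 07 changes the root CA heading from "### Subject" to "## subjectName", which drops a heading level (the subordinate CA and EE sections keep "###", and PATCH 18 has to put it back) and introduces a field name RFC 5280 does not use: the TBSCertificate field is "subject". The same hunk makes the lead-in say RFC 5280 "defines the subjectName field as follows" while the quoted sentence still reads "The subject field identifies ...", so the quote no longer matches its introduction. The rename is unwound piecemeal in PATCHes 10, 11, 12, 16, 17, 19, 20, 21 and 22; dropping PATCH 07 and PATCH 08 from the series would be cleaner than carrying all of those.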
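Review bot: in PATCH 09 "it MUST be encoded in the X520SerialNumber attribute" names the ASN.1 type rather than the attribute: in RFC 5280 Appendix A.1 the attribute is id-at-serialNumber (OID 2.5.4.5) and X520SerialNumber is the PrintableString type of its value, so the original "serialNumber attribute" was the more accurate wording; suggest "in the serialNumber attribute (id-at-serialNumber)". In the unchanged context of the same hunk, "device identifer" should read "device identifier", and "the Subject and the subjectAltName fields" should use lowercase "subject" once PATCH 21 has made the rest of the section say "subject field".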
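Review bot: the last changed line of PATCH 10 removes and re-adds "The subjectName MUST contain the commonName, the organizationName, and the countryName attribute ..." with identical visible text, so it is a whitespace-only change and should be dropped from the hunk. The added quotation from Section 4.1.2.6 is the right citation for the subject/subjectAltName split that the commit message describes, and it is the section the EE text should point at when it recommends an empty subject field.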
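Review bot: in PATCH 12 (and PATCH 15, which only changes "says" to "mandates") "{{!RFC5280}} mandates that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute ..." reads as if the attribute list also comes from RFC 5280. The RFC 5280 text quoted earlier in the series only requires a non-empty distinguished name for a CA; the specific attributes are this profile's own requirement. Suggest splitting the attribution: "{{!RFC5280}} requires Root CA certificates to have a non-empty subject field. This profile further requires that the subject field contain ...".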
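Review bot: after PATCH 17 the subordinate CA section says "The subject field MUST be set and MUST contain the commonName, ...", while the root CA section after PATCH 15 says "MUST have a non-empty subject field". "MUST be set" carries no meaning for a field that is always present; use the root CA wording ("MUST have a non-empty subject field that contains ...") in both places, which is also what PATCH 22's title ("make it the same as for Root CA certs") suggests but only does for the heading.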
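Review bot: the EE section as left by PATCH 23 first recommends that "an empty subject field avoids all confusion for End Entity certificates" and then, in the PATCH 21 hunk a few lines below, says "The subject field MAY include a unique device serial number"; the two statements need reconciling, for example by making the empty subject field a SHOULD with the serialNumber attribute as the one permitted content. "avoids all confusion" should also say what is avoided (a verifier treating a commonName as the service identity, the RFC 9525 concern). Finally, when the subject field is empty the device identity lives only in subjectAltName, and RFC 5280 Section 4.1.2.6 (cited in PATCH 10) then requires the subjectAltName extension to be marked critical; the EE section should state that requirement next to the empty-subject recommendation.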