Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

reference 9525, say subjectDN for EE should be null, close #35 #53

Merged
merged 25 commits into from
Sep 23, 2024
Merged
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
393671e
reference 9525, say subjectDN for EE should be null, close #35
mcr Sep 2, 2024
0e2ba0d
fix to be normative reference
mcr Sep 2, 2024
316a48c
be more precise in subject contents
mcr Sep 2, 2024
258dee8
fix certificate subject criteria
mcr Sep 2, 2024
2bc415f
move rfc9525 to EE section
mcr Sep 2, 2024
7461b8d
simplify requirements to just root CA
mcr Sep 2, 2024
5f34751
use subjectName for all uses
mcr Sep 2, 2024
bc6d2bf
one more subjectDN
mcr Sep 2, 2024
43d6647
one more subjectName
mcr Sep 2, 2024
d195217
Additional Text about Subject Name
hannestschofenig Sep 3, 2024
a74d4a1
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
b41e621
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
fb80ebc
Shortened Subject Field
hannestschofenig Sep 23, 2024
8bd2ea5
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
860b98c
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
5f96aea
Merge pull request #60 from thomas-fossati/hannestschofenig-patch-5
hannestschofenig Sep 23, 2024
34db81e
Merge pull request #55 from thomas-fossati/hannestschofenig-patch-1
thomas-fossati Sep 23, 2024
983e891
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
a25c5a3
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
03a79b3
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
41e0300
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
4430438
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
62b3777
Update draft-ietf-uta-tls13-iot-profile.md
hannestschofenig Sep 23, 2024
4a5cafc
make it the same as for Root CA certs
thomas-fossati Sep 23, 2024
92e1fd3
grammar + split at full stop
thomas-fossati Sep 23, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 11 additions & 15 deletions draft-ietf-uta-tls13-iot-profile.md
Original file line number Diff line number Diff line change
Expand Up @@ -394,9 +394,9 @@ to {{!RFC5280}}.
In IoT deployment scenarios it is often expected that the IDevIDs have
no maximum validity period. For this purpose the use of a special value
for the notAfter date field, the GeneralizedTime value of 99991231235959Z,
is utilized. If this is done, then CA certificates and certificates of
subordinate CAs cannot have a maximum validity period either. Hence,
it requires careful consideration whether it is appropriate to issue
is utilized.
If this is done, then the CA certificates and the certificates of subordinate CAs cannot have a maximum validity period either.
Hence, it requires careful consideration whether it is appropriate to issue
IDevID certificates with no maximum validity period.

LDevID certificates are, however, issued by the operator or owner,
Expand Down Expand Up @@ -483,14 +483,7 @@ This section outlines the requirements for root CA certificates.

### Subject

{{!RFC5280}} defines the Subject field as follows: "The subject field identifies
the entity associated with the public key stored in the subject public key
field." RFC 5280 adds "If the subject is a CA then the subject field MUST be
populated with a non-empty distinguished name matching the contents of the
issuer field in all certificates issued by the subject CA."

The Subject field MUST be present and MUST contain the commonName, the organizationName,
and the countryName attribute and MAY contain an organizationalUnitName attribute.
{{!RFC5280}} mandates that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute.

### Authority Key Identifier

Expand Down Expand Up @@ -567,7 +560,7 @@ This section outlines the requirements for subordinate CA certificates.

### Subject

The Subject field MUST be set and MUST contain the commonName, the organizationName,
The subject field MUST be set and MUST contain the commonName, the organizationName,
and the countryName attribute and MAY contain an organizationalUnitName attribute.


Expand Down Expand Up @@ -617,16 +610,19 @@ This section outlines the requirements for end entity certificates.

### Subject

{{!RFC9525, Section 2}} mandates that the subject field not be used to identify a service.
For IoT purposes, an empty subject field avoids all confusion for End Entity certificates.

The requirement in Section 4.4.2 of {{!RFC7925}} to only use EUI-64 for end
entity certificates as a Subject name is lifted.
entity certificates as a subject field is lifted.

Two fields are typically used to encode a device identifer, namely the
Subject and the subjectAltName fields. Protocol specifications tend to offer
recommendations what identifiers to use and the deployment situation is
fragmented.

The Subject field MAY include a unique device serial number. If the serial
number is included, it MUST be encoded in the serialNumber attribute.
The subject field MAY include a unique device serial number. If the serial
number is included, it MUST be encoded in the X520SerialNumber attribute.

{{!RFC5280}} defines: "The subject alternative name extension allows identities
to be bound to the subject of the certificate. These identities may be included
Expand Down
Loading