Skip to content

Commit

Permalink
edits from TF
Browse files Browse the repository at this point in the history 
Co-authored-by: Thomas Fossati <[email protected]>
  • Loading branch information
@mcr @thomas-fossati
mcr and thomas-fossati authored Sep 18, 2024
1 parent cf5bf99 commit 112dbfa
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions draft-ietf-uta-tls13-iot-profile.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -402,7 +402,7 @@ Root CAs are trust anchors, and their validity period can be considered irreleva

For subordinate certification authorities, the question of the validity period of the subordinate certificate does arise.

One solution is for the certificate authorizing the subordinate certification authority to have no expiry date either: a notAfter of 99991231235959Z.
One solution is for the certificate authorizing the subordinate certification authority to have no expiry date either: a notAfter of 99991231235959Z, as defined in {{Section 4.1.2.5 of RFC5280}}.

Another solution is for the subordinate certification authority's certificate to be resigned regularly by the root CA, extending the notAfter time each time.
As the IDevID End-Entity certificates are not replaced, nor are any certificate chains in the device replaced when the certificates are renewed, this implies:
Expand All @@ -412,8 +412,8 @@ As the IDevID End-Entity certificates are not replaced, nor are any certificate
* it must be possible for verifiers to retrieve the updated subordinate CA certificate in some way

The last point is the most difficult to arrange in general.
In many specific cases, such as when devices from the same manufacturer (IDevID) are involved, or when LDevID certificates are use, it may be possible for updates to the trust anchor to include updates to the subordinate CAs.
For example, the /cacerts mechanism defined in {{RFC7030}} can be used to get new sets of trust anchors.
In many specific cases, such as when devices from the same manufacturer (IDevID) are involved, or when LDevID certificates are used, it may be possible for updates to the trust anchor to include updates to the subordinate CAs.
For example, the /cacerts mechanism defined in {{?RFC7030}} can be used to get new sets of trust anchors.

LDevID certificates are, however, issued by the operator or owner,
and may be renewed at a regular interval using protocols, such
Expand Down

0 comments on commit 112dbfa

Please sign in to comment.