From 316a48c91ab9d3fdbd82588c66bae13aa75ffbb2 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:32:38 -0400 Subject: [PATCH] be more precise in subject contents --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 26bb05f..f366dc4 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,7 +489,7 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -However, {{!RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. +However, as {{!RFC9525, Section 2}} mandates that the subjectDN not be be used to identify a service, for IoT purposes, an empty SubjectDN avoids all confusion for End Entity certificates. Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates.
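Review bot: The added sentence in the @@ -489,7 +489,7 @@ hunk gives no requirement level for End Entity certificates: "an empty SubjectDN avoids all confusion" states a benefit, where the removed line said "recommends that the SubjectDN be empty". Consider stating explicitly whether an empty SubjectDN is recommended or required in this profile, so that the sentence reads as guidance an issuer can follow, in line with the "must have a non-null SubjectDN" wording of the unchanged context line that follows. In the same added line, "not be be used" repeats a word, and "subjectDN" and "SubjectDN" are both used; the context line uses "SubjectDN", so that spelling is the one to keep.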