From d195217c30ea4758d9c98133c312eeeae2bda407 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Tue, 3 Sep 2024 13:41:50 +0200 Subject: [PATCH 1/6] Additional Text about Subject Name The problem is that RFC 5280 says that the subject name is contained in the subject field and/or the subjectAltName extension. The ASN.1 does not seem to support the case that the subject field is optional --- draft-ietf-uta-tls13-iot-profile.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 42044dd..9be41a1 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -481,17 +481,19 @@ MUST NOT be marked critical. This section outlines the requirements for root CA certificates. -## subjectName +## Subject -{{!RFC5280}} defines the subjectName field as follows: "The subject field identifies -the entity associated with the public key stored in the subject public key -field." RFC 5280 adds "If the subject is a CA then the subject field MUST be +Section 4.1.2.6 of {{!RFC5280}} defines the subject field as follows: "The subject field identifies +the entity associated with the public key stored in the subject public key field. The subject name +MAY be carried in the subject field and/or the subjectAltName extension." + +RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." Root CA certificates MUST have a non-empty subjectName. -The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier 
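Review bot: The last changed line of this hunk ("The subjectName MUST contain the commonName, the organizationName, and the countryName attribute ...") reads identically to the line it replaces, so it is a whitespace-only change that should either be dropped from the diff or explained in the commit message. The hunk also renames the heading to "Subject" but leaves "subjectName" both in that line and in the unchanged context line "Root CA certificates MUST have a non-empty subjectName."; pick one term (RFC 5280's own term is the "subject field") and use it throughout the section. Since the newly quoted Section 4.1.2.6 text says the subject name "MAY be carried in the subject field and/or the subjectAltName extension", the retained CA rule ("If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name ...") is what removes the ambiguity raised in the commit message for root CA certificates, so keep the two quotations adjacent to the profile's own requirement rather than separated by a blank paragraph.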
From a74d4a17a02c730ef0f9c6da5978c9c228f85979 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:53:02 +0200 Subject: [PATCH 2/6] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 9be41a1..5b692f2 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -493,7 +493,7 @@ issuer field in all certificates issued by the subject CA." Root CA certificates MUST have a non-empty subjectName. -The subjectName MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From b41e621ef8e8f4d6850da77175b60f1e39897e69 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:53:13 +0200 Subject: [PATCH 3/6] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 5b692f2..ac177e5 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -491,7 +491,7 @@ RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -Root CA certificates MUST have a non-empty subjectName. +Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. 
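Review bot: This rename only completes the one in the previous patch (both replace "subjectName" with "subject field" on adjacent lines), so the two should be squashed into one commit with a descriptive message instead of "Update draft-ietf-uta-tls13-iot-profile.md". On the requirement itself, "MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute" does not say whether other attributes (for example stateOrProvinceName or localityName) are permitted, forbidden, or simply ignored by a verifier; a profile aimed at constrained verifiers should state that explicitly, and "attribute" should be plural since three attributes are listed.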
From fb80ebc18890f22cdbf856ae429e9ab81ebb340a Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:54:01 +0200 Subject: [PATCH 4/6] Shortened Subject Field --- draft-ietf-uta-tls13-iot-profile.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index ac177e5..a7e88bd 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -483,17 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -Section 4.1.2.6 of {{!RFC5280}} defines the subject field as follows: "The subject field identifies -the entity associated with the public key stored in the subject public key field. The subject name -MAY be carried in the subject field and/or the subjectAltName extension." - -RFC 5280 adds "If the subject is a CA then the subject field MUST be -populated with a non-empty distinguished name matching the contents of the -issuer field in all certificates issued by the subject CA." - -Root CA certificates MUST have a non-empty subject field. - -The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From 8bd2ea56bb14708e1f3966b069ef38673370b23c Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:55:07 +0200 Subject: [PATCH 5/6] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index a7e88bd..4d20ef3 100644 --- a/draft-ietf-uta-tls13-iot-profile.md 
+++ b/draft-ietf-uta-tls13-iot-profile.md @@ -483,7 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +{{!RFC5280}} says that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier From 860b98cb93a5c189c3362b3d59aca88b77ad192f Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 23 Sep 2024 16:55:49 +0200 Subject: [PATCH 6/6] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 4d20ef3..9255c3a 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -483,7 +483,7 @@ This section outlines the requirements for root CA certificates. ## Subject -{{!RFC5280}} says that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. +{{!RFC5280}} mandates that Root CA certificates MUST have a non-empty subject field. The subject field MUST contain the commonName, the organizationName, and the countryName attribute and MAY contain an organizationalUnitName attribute. ### Authority Key Identifier
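Review bot: In the "Shortened Subject Field" hunk, dropping both RFC 5280 quotations removes the only text that explains where the non-empty-subject requirement comes from; the surviving sentence "Root CA certificates MUST have a non-empty subject field." now reads as a requirement this profile introduces, although it restates the RFC 5280 CA rule that the removed lines quoted. Keep a short citation in its place, for example "Per Section 4.1.2.6 of {{!RFC5280}}, root CA certificates MUST have a non-empty subject field.", so the reader can still tell which part is inherited and which part is this profile's addition.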
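Review bot: In the final hunk, placing "{{!RFC5280}} mandates that ..." at the head of the paragraph makes the following sentence read as if RFC 5280 also mandates the commonName, organizationName and countryName attribute set, which is this profile's own requirement (the RFC 5280 text quoted in the first patch only requires a non-empty distinguished name for CA subjects). Split the two, e.g. "{{!RFC5280}} requires root CA certificates to have a non-empty subject field. This profile additionally requires that the subject field contain ...". Also "mandates that ... MUST" doubles the normative language (one of the two suffices), and "Root CA" mid-sentence should be "root CA" to match the context line "requirements for root CA certificates".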