From 393671e5cbc78ba2cce1ca28c569b4c4358aec17 Mon Sep 17 00:00:00 2001 From: Michael Richardson Date: Mon, 2 Sep 2024 10:25:03 -0400 Subject: [PATCH] reference 9525, say subjectDN for EE should be null, close #35 --- draft-ietf-uta-tls13-iot-profile.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 5214e56..27000a9 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -489,8 +489,9 @@ field." RFC 5280 adds "If the subject is a CA then the subject field MUST be populated with a non-empty distinguished name matching the contents of the issuer field in all certificates issued by the subject CA." -The Subject field MUST be present and MUST contain the commonName, the organizationName, -and the countryName attribute and MAY contain an organizationalUnitName attribute. +However, {{RFC9525, Section 2.9}} now recommends that the SubjectDN be empty (null) for all End Entity certificates. + +Root CA and Subordinate CAs must have a non-null SubjectDN as that value must match the IssuerDN of subordinate certificates. ### Authority Key Identifier
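Review bot: The replacement text drops the normative requirement for end-entity certificates without putting one in its place. The removed lines said the Subject field MUST contain commonName, organizationName and countryName; the new first sentence only reports that {{RFC9525, Section 2.9}} "recommends" an empty subject, and the new second sentence uses lowercase "must" for Root and Subordinate CAs, while the surrounding RFC 5280 quote and the rest of the draft use RFC 2119 capitals. Suggest stating the profile's own requirement with proper key words, e.g. "The subject field of end-entity certificates SHOULD be empty" and "Root and subordinate CA certificates MUST have a non-empty subject field, since that value must match the issuer field of the certificates they issue." Also prefer "empty" over "null": the X.509 subject is a Name (a sequence of RDNs) and "empty" is the term RFC 5280 uses, whereas "null" suggests an ASN.1 NULL. Finally, if the profile now expects an empty subject for EE certificates, it should say where the device identity is carried instead (subjectAltName); RFC 5280 requires a critical subjectAltName whenever the subject is empty, and this paragraph no longer mentions it.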