From 333ac8c1fa14bd77483eb191660da347e0acadcc Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 22 Feb 2021 10:41:12 +0100 Subject: [PATCH 1/3] Added text about the validity of certificates --- draft-ietf-uta-tls13-iot-profile.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 77b37dc..ac37f80 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -228,8 +228,15 @@ Contains the DN of the issuing CA. ### Validity -No maximum validity period is mandated. - +No maximum validity period is mandated. Validity values are expressed as UTCTime +in notBefore and notAfter fields, as mandated in {{!RFC5280}}. + +In many cases it is necessary to indicate that a certificate does not expire. +This is likely to be the case for manufacturer-provisioned certificates. +RFC 5280 provides a simple solution to convey the fact that a certificate +has no well-defined expiration date by setting the notAfter to the +GeneralizedTime value of 99991231235959Z. + ### subjectPublicKeyInfo The SubjectPublicKeyInfo structure indicates the algorithm and any associated @@ -318,6 +325,10 @@ compression? How is that negotiated? This entire document is about security. +# Acknowledgements + +We would like to thank Ben Kaduk and John Mattsson. + # IANA Considerations IANA is asked to add the Option defined in {{early-data-option}} to the CoAP From 6da9fad940bd83af07d5b964a1f9a70407307e78 Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Mon, 22 Feb 2021 11:15:29 +0100 Subject: [PATCH 2/3] Added text about devices without reliable time source --- draft-ietf-uta-tls13-iot-profile.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index ac37f80..2e4a2c1 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md 
@@ -236,7 +236,13 @@ This is likely to be the case for manufacturer-provisioned certificates. RFC 5280 provides a simple solution to convey the fact that a certificate has no well-defined expiration date by setting the notAfter to the GeneralizedTime value of 99991231235959Z. - + +Some devices might not have a reliable source of time and for those devices it +is also advisable to use certificates with no expiration date and to let a +device management solution manage the lifetime of all the certificates used by +the device. While this approach does not utilize certificates to its widest extend, +it is a solution that extends the capabilities offered by a raw public key approach. + ### subjectPublicKeyInfo The SubjectPublicKeyInfo structure indicates the algorithm and any associated From 610fcf5c24a40b744276a39bd9c0fe7da68e5692 Mon Sep 17 00:00:00 2001 From: Thomas Fossati Date: Mon, 22 Feb 2021 17:31:27 +0000 Subject: [PATCH 3/3] Update draft-ietf-uta-tls13-iot-profile.md --- draft-ietf-uta-tls13-iot-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-uta-tls13-iot-profile.md b/draft-ietf-uta-tls13-iot-profile.md index 2e4a2c1..e7930db 100644 --- a/draft-ietf-uta-tls13-iot-profile.md +++ b/draft-ietf-uta-tls13-iot-profile.md @@ -240,7 +240,7 @@ GeneralizedTime value of 99991231235959Z. Some devices might not have a reliable source of time and for those devices it is also advisable to use certificates with no expiration date and to let a device management solution manage the lifetime of all the certificates used by -the device. While this approach does not utilize certificates to its widest extend, +the device. While this approach does not utilize certificates to its widest extent, it is a solution that extends the capabilities offered by a raw public key approach. ### subjectPublicKeyInfo
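Review bot: In the Validity hunk of PATCH 1/3, the added sentence "Validity values are expressed as UTCTime in notBefore and notAfter fields, as mandated in {{!RFC5280}}" contradicts the paragraph added right below it, which sets notAfter to a GeneralizedTime value. RFC 5280 requires UTCTime only for dates through 2049 and GeneralizedTime for dates in 2050 or later, so 99991231235959Z cannot be a UTCTime value. Suggest rewording along the lines of "Validity values are encoded as UTCTime for dates through 2049 and as GeneralizedTime for later dates, as required by {{!RFC5280}}". It would also help to say what a relying party is expected to do with a certificate carrying 99991231235959Z, since without an expiry the only ways to retire it are revocation or replacement.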
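Review bot: The "# Acknowledgements" section added in PATCH 1/3 lands between Security Considerations and IANA Considerations, which does not match the usual RFC layout where Acknowledgements appear in the back matter after the references. Assuming the draft uses the kramdown-rfc "--- back" separator, suggest moving the section below it so the body keeps the Security/IANA ordering; the sentence could also state what Ben Kaduk and John Mattsson are being thanked for (review, text contributions).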
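Review bot: The paragraph added in PATCH 2/3 does not say which certificates the "no reliable source of time" advice covers. A non-expiring certificate only helps for certificates the device presents; a device without a trustworthy clock also cannot evaluate notBefore/notAfter on the certificates it receives from peers, and the hunk is silent on whether such a device skips the time check or obtains time before the handshake. Suggest splitting the two cases, and for the device-management approach stating that the management solution must be able to revoke or replace the certificate, since without an expiry that is the only way its lifetime ends. "Certificates with no expiration date" could also refer back to the 99991231235959Z encoding introduced in the preceding paragraph rather than reading as a new concept.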
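Review bot: PATCH 3/3 fixes "extend" to "extent", but the same line still reads "does not utilize certificates to its widest extent"; "certificates" is plural, so this should be "to their widest extent" (or simply "to their full extent"). As a one-word follow-up to PATCH 2/3 it could be squashed into that commit before merging.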