proposed text to deal with subordinate CA validity

.github/workflows/archive.yml

@@ -5,30 +5,38 @@ on:
     - cron: '0 0 * * 0,2,4'
   repository_dispatch:
     types: [archive]
+  workflow_dispatch:
+    inputs:
+      archive_full:
+        description: 'Recreate the archive from scratch'
+        default: false
+        type: boolean
 
 jobs:
   build:
     name: "Archive Issues and Pull Requests"
     runs-on: ubuntu-latest
     steps:
     - name: "Checkout"
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
+
+    # Note: No caching for this build!
 
     - name: "Update Archive"
       uses: martinthomson/i-d-template@v1
+      env:
+        ARCHIVE_FULL: ${{ inputs.archive_full }}
       with:
         make: archive
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ github.token }}
 
     - name: "Update GitHub Pages"
       uses: martinthomson/i-d-template@v1
       with:
         make: gh-archive
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        token: ${{ github.token }}
 
     - name: "Save Archive"
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v4
       with:
         path: archive.json

.github/workflows/ghpages.yml

@@ -20,41 +20,39 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: "Checkout"
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
-    - name: "Cache Setup"
-      id: cache-setup
-      run: |
-        mkdir -p "$HOME"/.cache/xml2rfc
-        echo "::set-output name=path::$HOME/.cache/xml2rfc"
-        date -u "+::set-output name=date::%FT%T"
+    - name: "Setup"
+      id: setup
+      run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
 
-    - name: "Cache References"
-      uses: actions/cache@v2
+    - name: "Caching"
+      uses: actions/cache@v4
       with:
-        path: ${{ steps.cache-setup.outputs.path }}
-        key: refcache-${{ steps.cache-setup.outputs.date }}
-        restore-keys: |
-          refcache-${{ steps.cache-setup.outputs.date }}
-          refcache-
+        path: |
+          .refcache
+          .venv
+          .gems
+          node_modules
+          .targets.mk
+        key: i-d-${{ steps.setup.outputs.date }}
+        restore-keys: i-d-
 
     - name: "Build Drafts"
       uses: martinthomson/i-d-template@v1
+      with:
+        token: ${{ github.token }}
 
     - name: "Update GitHub Pages"
       uses: martinthomson/i-d-template@v1
       if: ${{ github.event_name == 'push' }}
       with:
         make: gh-pages
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: "Save HTML"
-      uses: actions/upload-artifact@v2
-      with:
-        path: "*.html"
+        token: ${{ github.token }}
 
-    - name: "Save Text"
-      uses: actions/upload-artifact@v2
+    - name: "Archive Built Drafts"
+      uses: actions/upload-artifact@v4
       with:
-        path: "*.txt"
+        path: |
+          draft-*.html
+          draft-*.txt

.github/workflows/publish.yml

@@ -4,36 +4,54 @@ on:
   push:
     tags:
       - "draft-*"
+  workflow_dispatch:
+    inputs:
+      email:
+        description: "Submitter email"
+        default: ""
+        type: string
 
 jobs:
   build:
     name: "Publish New Draft Version"
     runs-on: ubuntu-latest
     steps:
     - name: "Checkout"
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
 
     # See https://github.com/actions/checkout/issues/290
     - name: "Get Tag Annotations"
       run: git fetch -f origin ${{ github.ref }}:${{ github.ref }}
 
-    - name: "Cache Setup"
-      id: cache-setup
-      run: |
-        mkdir -p "$HOME"/.cache/xml2rfc
-        echo "::set-output name=path::$HOME/.cache/xml2rfc"
-        date -u "+::set-output name=date::%FT%T"
+    - name: "Setup"
+      id: setup
+      run: date -u "+date=%FT%T" >>"$GITHUB_OUTPUT"
 
-    - name: "Cache References"
-      uses: actions/cache@v2
+    - name: "Caching"
+      uses: actions/cache@v4
       with:
-        path: ${{ steps.cache-setup.outputs.path }}
-        key: refcache-${{ steps.date.outputs.date }}
-        restore-keys: |
-          refcache-${{ steps.date.outputs.date }}
-          refcache-
+        path: |
+          .refcache
+          .venv
+          .gems
+          node_modules
+          .targets.mk
+        key: i-d-${{ steps.setup.outputs.date }}
+        restore-keys: i-d-
+
+    - name: "Build Drafts"
+      uses: martinthomson/i-d-template@v1
+      with:
+        token: ${{ github.token }}
 
     - name: "Upload to Datatracker"
       uses: martinthomson/i-d-template@v1
       with:
         make: upload
+      env:
+        UPLOAD_EMAIL: ${{ inputs.email }}
+
+    - name: "Archive Submitted Drafts"
+      uses: actions/upload-artifact@v4
+      with:
+        path: "versioned/draft-*-[0-9][0-9].*"

.github/workflows/update.yml

@@ -0,0 +1,36 @@
+name: "Update Generated Files"
+# This rule is not run automatically.
+# It can be run manually to update all of the files that are part
+# of the template, specifically:
+#  - README.md
+#  - CONTRIBUTING.md
+#  - .note.xml
+#  - .github/CODEOWNERS
+#  - Makefile
+#
+#
+# This might be useful if you have:
+#  - added, removed, or renamed drafts (including after adoption)
+#  - added, removed, or changed draft editors
+#  - changed the title of drafts
+#
+# Note that this removes any customizations you have made to
+# the affected files.
+on: workflow_dispatch
+
+jobs:
+  build:
+    name: "Update Files"
+    runs-on: ubuntu-latest
+    steps:
+    - name: "Checkout"
+      uses: actions/checkout@v4
+
+    - name: "Update Generated Files"
+      uses: martinthomson/i-d-template@v1
+      with:
+        make: update-files
+        token: ${{ github.token }}
+
+    - name: "Push Update"
+      run: git push

draft-ietf-uta-tls13-iot-profile.md

@@ -394,10 +394,26 @@ to {{!RFC5280}}.
 In IoT deployment scenarios it is often expected that the IDevIDs have
 no maximum validity period. For this purpose the use of a special value
 for the notAfter date field, the GeneralizedTime value of 99991231235959Z,
-is utilized. If this is done, then CA certificates and certificates of
-subordinate CAs cannot have a maximum validity period either. Hence,
-it requires careful consideration whether it is appropriate to issue
-IDevID certificates with no maximum validity period.
+is utilized.
+This is consistent with the {{8021AR}} specification.
+
+{{8021AR}} does not provide any advice on validity periods for certification authorities that sign the certificates.
+Root CAs are trust anchors, and their validity period can be considered irrelevant as they are never evaluated.
+
+For subordinate certification authorities, the question of the validity period of the subordinate certificate does arise.
+
+One solution is for the certificate authorizing the subordinate certification authority to have no expiry date either: a notAfter of 99991231235959Z, as defined in {{Section 4.1.2.5 of RFC5280}}.
+
+Another solution is for the subordinate certification authority's certificate to be resigned regularly by the root CA, extending the notAfter time each time.
+As the IDevID End-Entity certificates are not replaced, nor are any certificate chains in the device replaced when the certificates are renewed, this implies:
+
+* the subordinate CA must use the same public/private key pair.
+* the SubjectKeyInfo value must not change, as it must match the AuthorityKeyIdentifier in the End-Entity certificates
+* it must be possible for verifiers to retrieve the updated subordinate CA certificate in some way
+
+The last point is the most difficult to arrange in general.
+In many specific cases, such as when devices from the same manufacturer (IDevID) are involved, or when LDevID certificates are used, it may be possible for updates to the trust anchor to include updates to the subordinate CAs.
+For example, the /cacerts mechanism defined in {{?RFC7030}} can be used to get new sets of trust anchors.
 
 LDevID certificates are, however, issued by the operator or owner,
 and may be renewed at a regular interval using protocols, such