On 1/6/25, 2:32 PM, "Michael Richardson" <mcr+i...@sandelman.ca> wrote:

> In https://github.com/thomas-fossati/draft-tls13-iot/issues/65 I ask why
> draft-ietf-uta-tls13-iot-profile suggests that IoT devices that have
> certificates (probably IDevID) whose primary identity is an EUI64 are using
> dNSName with a fabricated ASCII representation of hex EUI64. (An EUI64
> identity is often common on 802.15.4 networks, which use 8-byte EUIs.)
>
> This seems to violate RFC 9525.
>
>> When the server identity is given by an EUI-64 format, then it MUST be
>> encoded in a subjectAltName of type DNS-ID {{RFC9525, Section 1.5}}, as a
>> string of the form `HH-HH-HH-HH-HH-HH-HH-HH` where 'H' is one of the
>> symbols '0'-'9' or 'A'-'F'.

Er, bogus. They should define a new URI scheme -- it's not hard -- and use
that.

Jamming things to "look like" they are DNS names is a really bad idea. The
SAN field is typed so that we don't have to play guessing games with the
content. The obvious analogy is defining TXT record semantics in DNS. We
don't do that any more.

I commented on the GH issue.

_______________________________________________
Uta mailing list -- uta@ietf.org
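The point about typed SAN entries, as an added illustration that is not code from the draft, from the GitHub issue or from either poster: it hand-builds a DER SubjectAltName value (only the dNSName and uniformResourceIdentifier GeneralName forms, which are both IA5String), parses it back, and matches a reference identity by GeneralName type rather than by the shape of the string. The `eui64:` URI scheme is an assumption made for the example; no such scheme is registered, and the draft's `HH-HH-...` rendering is only used here to show that it passes an ordinary hostname syntax check. Standard library only.

```python
# Added illustration, not code from the draft or the mailing-list posters.
# Builds and parses a SubjectAltName value by hand and matches identities
# by GeneralName type.  The "eui64:" URI scheme is an assumption for this
# example; nothing of that name is registered.
import re

# GeneralName tags (RFC 5280): dNSName is [2] IA5String and
# uniformResourceIdentifier is [6] IA5String; both are primitive.
DNS_NAME_TAG = 0x82
URI_TAG = 0x86
SEQUENCE_TAG = 0x30


def eui64_to_draft_string(eui):
    """Render 8 bytes as the draft's 'HH-HH-HH-HH-HH-HH-HH-HH' string."""
    if len(eui) != 8:
        raise ValueError("EUI-64 must be exactly 8 bytes")
    return "-".join(f"{b:02X}" for b in eui)


def _der_len(n):
    # DER length: short form below 0x80, otherwise 0x80|count then big-endian bytes.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_len(der, i):
    # Returns (length, index of first content byte).
    first = der[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n


def build_san(names):
    """names: iterable of (GeneralName tag, ASCII string) -> DER SubjectAltName value."""
    return _tlv(SEQUENCE_TAG, b"".join(_tlv(t, v.encode("ascii")) for t, v in names))


def parse_san(der):
    """DER SubjectAltName value -> list of (GeneralName tag, raw content bytes)."""
    if not der or der[0] != SEQUENCE_TAG:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    total, i = _read_len(der, 1)
    end = i + total
    if end != len(der):
        raise ValueError("length mismatch")
    names = []
    while i < end:
        tag = der[i]
        ln, i = _read_len(der, i + 1)
        names.append((tag, der[i:i + ln]))
        i += ln
    return names


# An LDH label as a hostname verifier would accept it for a DNS-ID.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_syntactic_dns_id(s):
    """True when every label is letter/digit/hyphen and at most 63 octets."""
    return all(_LABEL.match(label) for label in s.split("."))


def match_identity(reference, san_der):
    """reference is ('dns', hostname) or ('eui64', 8 bytes).

    Only SAN entries of the GeneralName type that belongs to the identity
    kind are consulted, so the type, not the look of the string, decides.
    """
    kind, value = reference
    for tag, raw in parse_san(san_der):
        if kind == "dns" and tag == DNS_NAME_TAG:
            if raw.decode("ascii").lower() == value.lower():
                return True
        elif kind == "eui64" and tag == URI_TAG:
            # Assumed scheme for the example: eui64:HH-HH-HH-HH-HH-HH-HH-HH
            uri = raw.decode("ascii")
            if uri.lower() == ("eui64:" + eui64_to_draft_string(value)).lower():
                return True
    return False


if __name__ == "__main__":
    eui = bytes.fromhex("0011223344556677")          # constructed sample identity
    draft_str = eui64_to_draft_string(eui)
    san_as_dns = build_san([(DNS_NAME_TAG, draft_str)])
    san_as_uri = build_san([(URI_TAG, "eui64:" + draft_str)])
    print(draft_str, is_syntactic_dns_id(draft_str))     # the EUI-64 passes as a hostname
    print(match_identity(("dns", draft_str), san_as_dns))  # matches as if it were a host
    print(match_identity(("eui64", eui), san_as_dns))      # nothing typed to match on
    print(match_identity(("eui64", eui), san_as_uri))      # typed entry matches
```

Running the block shows the guessing game the reply objects to: with the draft's encoding, the EUI-64 string satisfies DNS-ID syntax and only matches when the verifier treats it as a hostname, so a verifier looking for a device identity has to guess from the string's shape which dNSName entries are really EUI-64s; with a typed URI entry (any scheme defined for the purpose), the verifier selects on the GeneralName tag and never has to guess.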