
Discussion: Consider how proposed CA/B Forum SCWG profiles will be linted #583

Description

@sleevi

I recently shared with the CA/B Forum the latest draft that attempts to overhaul how the Server Certificate Working Group expresses requirements on certificates, by moving from its three section approach ("root", "subordinate", "leaf") into category-specific profiles that fully express the intersections and permitted variations.

I wanted to draw attention to it for ZLint contributors, since while it's a draft, there's opportunity to flag any approaches that may make things easier or harder to lint. That is, I'd like to avoid a situation like ETSI (mentioned in #581 (comment)) where things are too context-dependent and subjective to be effectively linted.

To submit feedback to the CA/B Forum, questions@cabforum.org can be used (for those that aren't interested parties or employed by members), but I will also do my best to relay problems, although relaying solutions may be a bit IPR-problematic. It's open as a PR at sleevi/cabforum-docs#36 to provide easier diffing.

As a concrete example, the semantics of extensions like extendedKeyUsage or certificatePolicies can vary based on the type of CA certificate being issued, and whether or not the organization is an Affiliate of the issuing CA. The Affiliation status is not something we can know purely from the certificate alone. One option would be to signal some sort of "intended profile" (e.g. as a parameter to be passed through to lints as a context hint). Another option could just be a warning/notice to require manual review.

I don't have strong opinions here, but did want to draw extra eyes to the work, in case folks read the profiles work and needed to say "Hold on, this will make linting much harder than it needs to be" :)
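The two options above (a context hint passed through to the lint, or a notice that requires manual review) can coexist in one lint. The following Go sketch is an added example, not code from ZLint or from the profiles draft: the `Affiliation` hint, the `Status` levels and the EKU rule it checks are all assumptions made for illustration, with the rule deliberately stated as "a non-Affiliate subordinate CA must carry an EKU that excludes anyExtendedKeyUsage" only to show how the hint changes the outcome.

```go
package main

import "crypto/x509"

// Affiliation is the context hint passed alongside the certificate, since
// affiliation with the issuer cannot be read from the certificate itself.
type Affiliation int

const (
	AffiliationUnknown Affiliation = iota // caller supplied no hint
	Affiliated
	NotAffiliated
)

// Status is the finding level; Notice means "needs manual review".
type Status int

const (
	Pass Status = iota
	Notice
	Error
)

// lintSubCAExtKeyUsage applies an assumed, illustrative rule (not quoted from
// the profiles draft): a subordinate CA issued to a non-Affiliate must carry an
// EKU extension that excludes anyExtendedKeyUsage. Without a hint the lint
// cannot decide, so it reports a Notice rather than guessing either way.
func lintSubCAExtKeyUsage(c *x509.Certificate, hint Affiliation) (Status, string) {
	if !c.IsCA {
		return Pass, "not a CA certificate; rule does not apply"
	}
	if hint == Affiliated {
		return Pass, "affiliated CA; EKU constraint not required"
	}
	// A missing EKU extension and anyExtendedKeyUsage are both unconstrained.
	unconstrained := len(c.ExtKeyUsage) == 0
	for _, eku := range c.ExtKeyUsage {
		unconstrained = unconstrained || eku == x509.ExtKeyUsageAny
	}
	switch {
	case !unconstrained:
		return Pass, "EKU is constrained"
	case hint == NotAffiliated:
		return Error, "non-affiliated subordinate CA with unconstrained EKU"
	default:
		return Notice, "affiliation unknown; unconstrained EKU needs manual review"
	}
}
```

The same certificate (a CA certificate with no EKU extension, constructed in memory) yields Pass, Error or Notice depending solely on the hint, which is the context-dependence the issue is asking the profiles to make explicit.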
