Ryan Sleevi

Results 34 issues of Ryan Sleevi

This is a top-level issue to capture overall progress towards having acceptable ZLint coverage for the [Microsoft PKI policy requirements](https://aka.ms/rootcert). It replaces the more general discussion from #277. The list...

help wanted

See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#4-program-technical-requirements, Item A.5

> All end-entity server authentication certificates must contain an AIA extension with a valid OCSP URL. These certificates may also contain a CDP extension that...

new-lint

[Section 9.2.3](https://secureservercdn.net/45.40.150.47/273.6a1.myftpupload.com/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.2.pdf) of the EV Guidelines states, for the Subject Business Category Field:

> **Certificate field**: subject:businessCategory (OID: 2.5.4.15)
>
> **Required/Optional**: Required
>
> **Contents**: This field MUST contain one of...

new-lint

[Section 5.2](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#52-forbidden-and-required-practices) of Mozilla Root Store Policy v2.7 states:

> Effective for certificates with a notBefore date of July 1, 2020 or later, end-entity certificates MUST include an EKU extension...

new-lint

The lint `lint_qcstatem_mandatory_etsi_statems.go` incorrectly assumes that the presence of an ETSI ESI-defined QCStatements implies that the certificate is qualified, and thus subject to ETSI EN 319 412-2. This is captured...

bug

Similar to #354 and #363, this top-level issue captures overall progress towards having acceptable ZLint coverage for [ETSI ESI](https://portal.etsi.org/tb.aspx?tbid=607&SubTB=607) developed [documents](https://portal.etsi.org/TB-SiteMap/esi/esi-activities)

## Required data/tooling:

* [ ] Lists of...

Similar to the discussion on https://github.com/zmap/zlint/issues/352, it would be good to be able to apply lints to the set of Microsoft-trusted CAs. There are several ways this can be...

enhancement

@jsha raised this on the ct-policy [mailing list](https://groups.google.com/a/chromium.org/g/ct-policy/c/gjcdzPE1FlI/m/jSyukaZzCQAJ), highlighting how TLS allows certificates up to 2^24 bytes (16.7 MB), while it's likely that logs may have a much smaller...

Right now, the Inclusion Request bug is not linked in the table on the main page, only the revision in which the Log was first Qualified. For CAs that wish...

The Chromium implementation of CT is limited in support of public keys to the set of public keys it accepts for the Web PKI:

* RSA (nominally, 2048, 3072, 4096)...