
lint_ev_organization_id_missing incorrectly flags CA certificates without cabfOrganizationIdentifier

Open om226 opened this issue 1 month ago • 2 comments

Summary
The lint lint_ev_organization_id_missing (which sets error e_ev_organization_id_missing) is being raised on EV CA certificates that do not include the cabfOrganizationIdentifier extension, even though per the CAB Forum Extended Validation Guidelines, that extension is not required for CA certificates unless the subject has an organizationIdentifier.

Details

  • In the CAB Forum EV Guidelines v2.0.1, section 7.1.2.2 (“CA/Browser Forum Organization Identifier Extension”), the cabfOrganizationIdentifier extension is marked as Optional.
  • The guideline states: “If the subject:organizationIdentifier is present, this field MUST be present.”
  • There is no requirement in the EV Guidelines that all CA certificates must have cabfOrganizationIdentifier — only when the subject has an organizationIdentifier. Also, the guidelines explicitly note that no extension is mandatory on a CA unless it is stated as “Required” in the relevant subsection.
  • I have identified at least two EV CA certificates where zlint currently reports e_ev_organization_id_missing, despite the absence of organizationIdentifier in the subject:
    • Certificate 1: https://crt.sh/?id=10305004920&opt=pkimetal
    • Certificate 2: https://crt.sh/?id=21408224858&opt=pkimetal
  • In both cases, the behavior seems to be a false positive.

Impact

  • This lint produces incorrect error reports for legitimate CA certificates, which can lead to confusion, misdiagnosis, or unnecessary CA configuration changes.
  • Users of zlint depending on strict EV compliance checks may be incorrectly blocked or misinformed.

Proposed fix / change

  • Update lint_ev_organization_id_missing to skip CA certificates (i.e., certificates with cA=true in BASIC_CONSTRAINTS) when the subject does not have organizationIdentifier.

References

  • CAB Forum EV Guidelines v2.0.1, section 7.1.2.2.

om226, Nov 17 '25 11:11

@om226 I'm not sure I follow these examples. Both of these certificates do appear to contain the organizationIdentifier subject attribute?

XolphinMartijn, Nov 17 '25 11:11

Both certificates have organizationIdentifier in the subject, but they are CA certificates. In my interpretation of the CAB Forum EV Guidelines, the cabfOrganizationIdentifier extension is not mandatory for CA certificates, so the lint is producing a false positive.

om226, Nov 17 '25 12:11
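The rule the thread is arguing about can be made concrete with a small stand-alone check. The Go program below is an added example written for this page; it is not zlint's lint code and does not reproduce zlint's applicability logic (for instance it has no EV policy OID gate). It builds self-signed test certificates with Go's crypto/x509 (constructed input, not the crt.sh certificates from the issue), looks for the subject organizationIdentifier attribute (OID 2.5.4.97) and the cabfOrganizationIdentifier extension (OID 2.23.140.3.1), and reports the rule quoted from section 7.1.2.2: subject:organizationIdentifier present and extension absent is an error. The `exemptCA` parameter implements the exemption for cA=true certificates that the reporter proposes, so the same certificate can be run through both readings side by side; whether that exemption is correct is exactly the open question in the thread, and the code takes no position on it. The extension payload encoded for the test certificate is a constructed value; only the extension's presence is checked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs used by the check: id-at-organizationIdentifier (a subject DN
// attribute) and the CA/Browser Forum cabfOrganizationIdentifier extension.
var (
	oidSubjectOrgID = asn1.ObjectIdentifier{2, 5, 4, 97}
	oidCABFOrgIDExt = asn1.ObjectIdentifier{2, 23, 140, 3, 1}
)

// cabfOrgID is a constructed payload for the test certificate's extension.
// The check below only tests that the extension is present at all.
type cabfOrgID struct {
	RegistrationSchemeIdentifier string `asn1:"printable"`
	RegistrationCountry          string `asn1:"printable"`
	RegistrationReference        string `asn1:"utf8"`
}

// Result mirrors the three outcomes a lint can have here.
type Result string

const (
	NotApplicable Result = "NA"
	Pass          Result = "pass"
	Error         Result = "error"
)

// hasSubjectOrgID reports whether the parsed subject DN carries an
// organizationIdentifier attribute. Subject.Names holds every attribute
// the parser saw, including ones Go has no dedicated field for.
func hasSubjectOrgID(c *x509.Certificate) bool {
	for _, n := range c.Subject.Names {
		if n.Type.Equal(oidSubjectOrgID) {
			return true
		}
	}
	return false
}

// hasCABFOrgIDExt reports whether the certificate carries the extension.
func hasCABFOrgIDExt(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(oidCABFOrgIDExt) {
			return true
		}
	}
	return false
}

// LintOrgIDMissing applies the rule quoted in the issue: if the subject
// has organizationIdentifier, cabfOrganizationIdentifier MUST be present.
// exemptCA=true additionally skips cA=true certificates, which is the
// reporter's proposed reading (an assumption of this example, not zlint).
func LintOrgIDMissing(c *x509.Certificate, exemptCA bool) Result {
	if !hasSubjectOrgID(c) {
		return NotApplicable
	}
	if exemptCA && c.BasicConstraintsValid && c.IsCA {
		return NotApplicable
	}
	if hasCABFOrgIDExt(c) {
		return Pass
	}
	return Error
}

// MakeCert builds a self-signed certificate as constructed test input.
func MakeCert(isCA, withSubjectOrgID, withExt bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example EV CA", Organization: []string{"Example Ltd"}, Country: []string{"NL"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if withSubjectOrgID {
		// Placeholder registration reference; format is illustrative only.
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidSubjectOrgID, Value: "NTRNL-12345678"}}
	}
	if withExt {
		payload, err := asn1.Marshal(cabfOrgID{"NTR", "NL", "12345678"})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCABFOrgIDExt, Value: payload}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		name              string
		isCA, orgID, ext  bool
	}{
		{"CA, subject orgID, no extension", true, true, false},
		{"leaf, subject orgID, no extension", false, true, false},
		{"leaf, subject orgID, with extension", false, true, true},
		{"CA, no subject orgID", true, false, false},
	}
	for _, tc := range cases {
		c, err := MakeCert(tc.isCA, tc.orgID, tc.ext)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-38s rule as quoted=%-5s with CA exemption=%s\n",
			tc.name, LintOrgIDMissing(c, false), LintOrgIDMissing(c, true))
	}
}
```

The first case is the shape of the two crt.sh certificates as described in the thread: a CA certificate whose subject does contain organizationIdentifier and which lacks the extension. Under the rule as quoted it is an error; only the proposed CA exemption turns it into a non-applicable result, which is why the disagreement in the comments is about applicability to CA certificates rather than about how the attribute or extension is detected.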