Checks for Mozilla and Microsoft Root program requirements #277
Comments
This has come up repeatedly with different folks and we'd be happy to see these lints in ZLint. We'll need to add a slightly more complex interface to check certificates, but that shouldn't be an issue. There's also an open issue for adding checks for CT compliance for Chrome and Apple. |
That sounds like a good plan. When do you think you'd have this "more
complex" interface designed? Is there anything I can do to start defining
some of the checks for this (in the Google doc that is a summary of all
checks?) and then perhaps have one of our developers build a few of them?
|
This should fit into the current interface for writing lints just fine, unless you actually want to build chains. I'd just start writing some lints and see what happens. |
I agree with @dadrian, the interface shouldn't be a big issue right now compared to getting the new lints created. If you can make a list and start to implement them that would be helpful. I'd just make sure that they all have the appropriate |
@dougbeattie Are any of your developers working on this issue? |
Yes, we're working on the one at the moment:
Also, I received this input from Wayne at Mozilla on a couple of others that might be useful:
I haven't heard from Microsoft. We might also tackle the first two of those. |
We're indeed looking into this. Just looking into clarifying some final points, but should have these added fairly quickly after that. |
We're having some trouble with defining when a lint should apply. |
There isn't a beautiful solution to this. I think that the right thing to do here is to create a lint, but set the source to be Mozilla. We can then change the runner to choose which corpus of tests to run. |
Closing in favour of #354 - There's been work done in master to split up lints by source and I'd favour seeing smaller issues created off of one larger tracking issue. Thanks! |
I neglected to consider that this issue also requested lints for Microsoft root program reqs. I think it makes sense to consider applying the same process as I've started for #354 for the Microsoft requirements. I don't have the bandwidth to pick that up in addition to managing the Moz. reqs so I'll re-open this issue for now as a marker. |
Thanks @sleevi ! Much appreciated. |
I'm curious if anyone else would like to use these checks and have them cover Mozilla and Microsoft specific root program requirements.
Mozilla: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Example: Root certificates in our root program, and any certificate which chains up to them, MUST use only algorithms and key sizes from the following set:
Microsoft: https://aka.ms/RootCert
Example: Effective February 1, 2017, all end-entity certificates MUST contain the EKU for the purpose that the CA issued the certificate to the customer, and the end-entity certificate may not use "any EKU."
Do these belong in this zlint, or do they belong in their own standalone set of checks (zlint-mozilla, zlint-ms) so they can be applied by those that want to be compliant with those root programs?
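One way the per-root-program split discussed in this thread could look, as an added example that is not ZLint's own code: each lint carries a Source tag, and the runner only executes the lints registered for the root programs the caller asks for. It implements the Microsoft end-entity EKU requirement quoted above (issued on or after 2017-02-01, at least one EKU, no anyExtendedKeyUsage) and an RSA key-size check standing in for the Mozilla algorithm/key-size rule. The Source/Lint/Status types, the lint names, the CheckApplies/Execute shape and the 2048-bit RSA minimum are all assumptions made for this example (the issue text elides Mozilla's actual permitted set); the certificates are constructed self-signed test input, built with the standard library so the block runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Source tags a lint with the root program whose policy it encodes, so a runner
// can pick a corpus per program (hypothetical type, not ZLint's).
type Source string

const (
	SourceMozilla   Source = "Mozilla"
	SourceMicrosoft Source = "Microsoft"
)

// Status is the outcome of one lint on one certificate.
type Status int

const (
	NA    Status = iota // CheckApplies returned false; nothing to report
	Pass                // requirement satisfied
	Error               // requirement violated
)

// Lint pairs an applicability predicate with the check itself (hypothetical
// stand-in for the lint interface discussed in the thread).
type Lint struct {
	Name         string
	Source       Source
	CheckApplies func(c *x509.Certificate) bool
	Execute      func(c *x509.Certificate) Status
}

// msEKUEffective is the effective date quoted from the Microsoft requirement.
var msEKUEffective = time.Date(2017, time.February, 1, 0, 0, 0, 0, time.UTC)

// AllLints is the registry the runner filters by Source. Lint names are hypothetical.
var AllLints = []Lint{
	{
		Name:   "e_ms_ee_eku_required",
		Source: SourceMicrosoft,
		// Applies to end-entity certificates issued on or after the effective date.
		CheckApplies: func(c *x509.Certificate) bool {
			return !c.IsCA && !c.NotBefore.Before(msEKUEffective)
		},
		// Requires at least one EKU and forbids anyExtendedKeyUsage (2.5.29.37.0).
		Execute: func(c *x509.Certificate) Status {
			if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
				return Error
			}
			for _, eku := range c.ExtKeyUsage {
				if eku == x509.ExtKeyUsageAny {
					return Error
				}
			}
			return Pass
		},
	},
	{
		Name:   "e_moz_rsa_key_size",
		Source: SourceMozilla,
		CheckApplies: func(c *x509.Certificate) bool {
			_, ok := c.PublicKey.(*rsa.PublicKey)
			return ok
		},
		// ASSUMPTION: the issue elides Mozilla's permitted set; 2048 bits is used
		// here as the illustrative minimum for RSA keys.
		Execute: func(c *x509.Certificate) Status {
			if c.PublicKey.(*rsa.PublicKey).N.BitLen() < 2048 {
				return Error
			}
			return Pass
		},
	},
}

// Run executes only the lints whose Source is in the requested set and returns a
// name -> Status map; lints belonging to other programs are not reported at all.
func Run(c *x509.Certificate, lints []Lint, sources ...Source) map[string]Status {
	want := map[Source]bool{}
	for _, s := range sources {
		want[s] = true
	}
	out := map[string]Status{}
	for _, l := range lints {
		if !want[l.Source] {
			continue
		}
		if !l.CheckApplies(c) {
			out[l.Name] = NA
			continue
		}
		out[l.Name] = l.Execute(c)
	}
	return out
}

// NewSelfSigned builds and re-parses a throwaway self-signed certificate so the
// lints see the same *x509.Certificate a parser would produce (constructed input).
func NewSelfSigned(bits int, isCA bool, notBefore time.Time, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lint-demo.example"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued := time.Date(2019, time.April, 3, 0, 0, 0, 0, time.UTC)
	c, err := NewSelfSigned(2048, false, issued, []x509.ExtKeyUsage{x509.ExtKeyUsageAny})
	if err != nil {
		panic(err)
	}
	// Only the Microsoft corpus is requested, so the Mozilla lint is not reported.
	for name, st := range Run(c, AllLints, SourceMicrosoft) {
		fmt.Printf("%-22s status=%d\n", name, st)
	}
}
```

A certificate dated before 2017-02-01 gets NA from the EKU lint rather than Pass, which keeps "does not apply" distinguishable from "compliant" in the output; that distinction is what makes a per-program corpus usable as a compliance report rather than a list of errors.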