Checks for Mozilla and Microsoft Root program requiremnts #277
Comments
|
This has come up repeatedly with different folks and we'd be happy to see these lints in ZLint. We'll need to add a slightly more complex interface to check certificates, but that shouldn't be an issue. There's also an open issue for adding checks for CT compliance for Chrome and Apple. |
|
That sounds like a good plan. When do you think you'd have this "more
complex" interface designed? Is there anything I can do to start defining
some of the checks for this (in the Google doc that is a summary of all
checks?) and then perhaps have one of our developers build a few of them?
…On Wed, Apr 3, 2019 at 10:33 AM Zakir Durumeric ***@***.***> wrote:
This has come up repeatedly with different folks and we'd be happy to see
these lints in ZLint. We'll need to add a slightly more complex interface
to check certificates, but that shouldn't be an issue. There's also an open
issue for adding checks for CT compliance for Chrome and Apple.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#277 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AMqYexWXx_Zsr3zp3Q_K_quBpN8EB9YAks5vdLucgaJpZM4camMh>
.
|
|
This should fit into the current interface for writing lints just fine, unless you actually want to build chains. I'd just start writing some lints and see what happens. |
|
I agree with @dadrian, the interface shouldn't be a big issue right now compared to getting the new lints created. If you can make a list and start to implement them that would be helpful. I'd just make sure that they all have the appropriate |
@dougbeattie Are any of your developers working on this issue? |
|
Yes, we're working on the one at the moment:
Also, I received this input from Wayne at Mozilla on a couple of others that might be useful:
I haven't heard from Microsoft. We might also tackle the first two of those. |
|
We're indeed looking into this. Just looking into clarifying some final points, but should have these added fairly quickly after that. |
|
We're having some trouble with defining when a lint should apply. |
|
There isn't a beautiful solution to this. I think that the right thing to do here is to create a lint, but set the source to be Mozilla. We can then change the runner to choose which corpus of tests to run. |
|
Closing in favour of #354 - There's been work done in master to split up lints by source and I'd favour seeing smaller issues created off of one larger tracking issue. Thanks! |
|
I neglected to consider that this issue also requested lints for Microsoft root program reqs. I think it makes sense to consider applying the same process as I've started for #354 for the Microsoft requirements. I don't have the bandwidth to pick that up in addition to managing the Moz. reqs so I'll re-open this issue for now as a marker. |
|
Thanks @sleevi ! Much appreciated. |
I'm curious if anyone else would like to use these checks and have them cover Mozilla and Microsoft specific root program requirements.
Mozilla: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
Example: Root certificates in our root program, and any certificate which chains up to them, MUST use only algorithms and key sizes from the following set:
Microsoft: https://aka.ms/RootCert
Example: Effective February 1, 2017, all end-entity certificates MUST contain the EKU for the purpose that the CA issued the certificate to the customer, and the end-entity certificate may not use "any EKU."
Do these belong in this zlint, or do they belong in their own standalone set of checks (zlint-mozilla, zlint-ms) so they can be applied by those that want to be compliant with those root programs?
The text was updated successfully, but these errors were encountered: