-
Notifications
You must be signed in to change notification settings - Fork 108
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Question regarding cabf_br/lint_subject_contains_malformed_arpa_ip #343
Comments
👋 @cardonator Thanks for the question. I wrote this lint myself before I had much experience with ZLint and when the guidance on what status to return for different cases was a little bit less established. I suspect I might have been too strict here but I'll have to rebuild the context. I have a memory of an RFC that indicated reverse IPv6 addrs should always be fully expanded. I'll get back to you later today and update the lint if required. |
I was thinking of RFC 3596, specifically §2.5 "IP6.ARPA Domain". That section seems to me to be fairly explicit that each nibble of the IPv6 address is represented by a hex digit, like shown in the example address conversion:
That's how I arrived at the value of 32 expected labels for each IPv6.ARPA domain used by the lint: zlint/lints/cabf_br/lint_subject_contains_reserved_arpa_ip.go Lines 43 to 47 in 9bba7b7
In my mind based on RFC 3596 I think the related @cardonator @zakird @sleevi Does my evaluation match up with what you folks think? Is there a qualification of the BRs I'm missing that would merit keeping this lint as-is? |
While I'm fine with moving it The 3.2.2.6 argument is that So So if it's fine, it's on a technicality and oversight, and while I'd be curious how @cardonator validated it, I entirely suspect that's a conversation for the CABF to see about making more explicit. |
One correction: I had more coffee and realized the existing lint already treats this case as a warning and not an error. The only change would be to move it to community. Edit: I also think warn (vs info) is the correct response in this case since the deviation from RFC seems fairly clear zlint/lints/cabf_br/lint_subject_contains_malformed_arpa_ip.go Lines 73 to 76 in 9bba7b7
@sleevi Thanks for weighing in. That makes sense to me. I agree with you that this feels like a technicality that should be clarified in the BRs and raises questions about the validation. Ultimately moving the lint to the |
This doesn't strike me as something worth moving offhand, at least until this is resolved in CA/B Forum. The error case seems to match the CABF BRs, and a warn doesn't seem inappropriate since it would be against community expectations to issue a wildcard like that. |
Thanks for the feedback all. @sleevi The common root of I agree that arpa SANs are left vague in the current BRs and it's not entirely clear how arpa reverse names should be treated in general. I do think BCP49 makes a good case that they should be treated as if they are IP addresses. Would you suggest spinning up a conversation on this topic in SCWG or MDSP? @cpu given the lack of clarity around this, I would agree that leaving it where it is makes the most sense. RFC 3596 does seem to suggest this should be considered a malformed SAN. I do think it might be helpful to add referenced to RFC 3596 and BCP49 in the lint itself somewhere, even if just in the description. |
I'll put it on next week's Validation WG agenda. |
@cardonator This is good feedback, thanks! I made a clumsy attempt at improving the situation with |
) Section 7.1.4.2.1 of the BRs is a good citation for `e_subject_contains_reserved_arpa_ip` but isn't a great choice for `w_subject_contains_malformed_arpa_ip`. When the `.arpa` address doesn't have enough labels, or can't be parsed as an IP address it's clear that it isn't an internal IP address and so 7.1.4.2.1 isn't a good citation. Section 3.2.2.6 talks about wildcard domains for "registry controlled" zones, and `.arpa` is one of those (based on BCP49). A wildcard label is one way the `.arpa` domain wouldn't parse as an IP. While the larger discussion on how `.arpa` domains that aren't formatted per RFC 3596 unfolds we can ref 3.2.2.6 and add a bit more context to the lint and description. It isn't perfect, but I think less confusing than ref'ing 7.1.4.2.1, which clearly doesn't apply. See also #343
We're coming up on a year since this issue was created. @sleevi @timfromdigicert was this resolved in CABF? |
It has not been resolved, but only because we've been discussing other things. I can put it on next Thursday's agenda again if there's interest in discussing it. |
Co-authored-by: GitHub <noreply@github.com>
We got a hit on this lint for a cert that has a SAN in the format of:
Looking at this lint, it is producing a warning and I just want to make sure this lint is being helpful in this case.
The extended warning I'm getting is
The rule this references is BR 7.1.4.2.1 which doesn't really seem to reference anything other than reserved IP address blocks. I don't think this is problematic according to the BRs because it doesn't say anything I can see about treating IPv6 addresses in the ARPA domain as something other than normal domain names unless I'm missing something.
Can anyone provide any clarity on this lint, purpose, reasoning behind resulting in WARN vs. NOTICE? Is this a community a lint possibly from cablint that is misclassified?
The text was updated successfully, but these errors were encountered: