
Subject Key Identifiers in Subscriber TLS Certificates #749

Closed
robstradling opened this issue Oct 9, 2023 · 1 comment · Fixed by #790

Comments

@robstradling

RFC5280 4.2.1.2 says "this extension SHOULD be included in all end entity certificates", hence

Description: "Sub certificates SHOULD include Subject Key Identifier in end entity certs",

However, TLS BRs v2 section 7.1.2.7.6 (Subscriber Certificate Extensions) says the opposite:
"subjectKeyIdentifier NOT RECOMMENDED"

I think ZLint should implement a new cabf_br lint that emits a Warning if SKI is present, and that (when enabled) this new lint should override the existing RFC5280 lint in rfc/lint_ext_subject_key_identifier_missing_sub_cert.go. Does that sound right?
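The two lints proposed above disagree by design: RFC 5280 4.2.1.2 wants an SKI on end-entity certificates, while BRs 7.1.2.7.6 marks it NOT RECOMMENDED, so the same certificate must warn under one profile and pass under the other. The following stand-alone Go program is an added illustration written for this page, not ZLint's own lint code or its registration API; it uses only the standard library (`crypto/x509`, `encoding/asn1`), builds two constructed self-signed end-entity certificates (one with, one without the SKI extension), and shows both checks and a hypothetical `Profile` switch so that only the behavior the operator selected is reported. All function and type names (`hasSKI`, `lintRFC5280SKIMissing`, `lintCABFSKIPresent`, `lintSKI`, `newLeaf`) are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidSubjectKeyIdentifier is id-ce-subjectKeyIdentifier (RFC 5280 4.2.1.2).
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}

// Status mimics the outcome a ZLint-style lint reports (hypothetical type).
type Status string

const (
	Pass Status = "pass"
	Warn Status = "warn"
	NA   Status = "NA"
)

// Profile names which behavior the operator chose to follow; the two lints
// conflict on purpose, so only one of them is applied per run.
type Profile int

const (
	ProfileRFC5280 Profile = iota
	ProfileCABFBR
)

// hasSKI reports whether the parsed certificate carries an SKI extension.
func hasSKI(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectKeyIdentifier) {
			return true
		}
	}
	return false
}

// isEndEntity treats anything that is not a CA (basicConstraints) as a leaf.
func isEndEntity(c *x509.Certificate) bool { return !c.IsCA }

// lintRFC5280SKIMissing: RFC 5280 says SKI SHOULD be in end-entity certs,
// so a missing SKI is a warning and a present one passes.
func lintRFC5280SKIMissing(c *x509.Certificate) Status {
	if !isEndEntity(c) {
		return NA
	}
	if hasSKI(c) {
		return Pass
	}
	return Warn
}

// lintCABFSKIPresent: BRs 7.1.2.7.6 lists SKI as NOT RECOMMENDED for
// subscriber certificates, so a present SKI is a warning (the inverse check).
func lintCABFSKIPresent(c *x509.Certificate) Status {
	if !isEndEntity(c) {
		return NA
	}
	if hasSKI(c) {
		return Warn
	}
	return Pass
}

// lintSKI applies only the lint matching the selected profile.
func lintSKI(c *x509.Certificate, p Profile) Status {
	if p == ProfileCABFBR {
		return lintCABFSKIPresent(c)
	}
	return lintRFC5280SKIMissing(c)
}

// newLeaf builds a constructed, self-signed end-entity certificate for the
// demo (not a real subscriber certificate). withSKI decides whether the
// SKI extension is emitted; Go only auto-generates SubjectKeyId for CAs,
// so a leaf without an explicit SubjectKeyId has no SKI extension.
func newLeaf(withSKI bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	if withSKI {
		// Any value exercises the presence check; SHA-1 over the SPKI DER
		// is used here just to get a plausible-looking identifier.
		spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
		if err != nil {
			return nil, err
		}
		sum := sha1.Sum(spki)
		tmpl.SubjectKeyId = sum[:]
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withSKI := range []bool{false, true} {
		c, err := newLeaf(withSKI)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SKI present=%-5v rfc5280=%-4s cabf_br=%s\n",
			hasSKI(c), lintSKI(c, ProfileRFC5280), lintSKI(c, ProfileCABFBR))
	}
}
```

Running it prints one line per constructed leaf; the leaf without an SKI warns under the RFC 5280 check and passes under the BR check, and the leaf with an SKI does the reverse, which is exactly the conflict an operator resolves by selecting (or ignoring) one of the two lints.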

@robstradling

The discussion in #762 is relevant here.

baloo added a commit to baloo/zlint that referenced this issue Jan 23, 2024
With SC62, the CABF BR now lists SKI as not recommended.

Per discussion in zmap#762, zlint should provide two lints, one for rfc5280
behavior and one for CABF BR.

Both lints will conflict with each other; users are expected to select
(or ignore) which behavior they mean to follow.

Fixes zmap#749
baloo added a commit to baloo/zlint that referenced this issue Jan 29, 2024