zlint coverage of the new SMIME BRs #710
Comments
Definitely interest from our side.
@robplee thank you for your patience and bringing this to my attention 🙏 I have been under a lot of pressure from duties elsewhere.
I, at least, would be amenable to this as I believe that it would be consistent with the charter and use cases of ZLint.
Indeed reasonable at face value.
A short list would definitely be a good idea and would be appreciated (similar to a stabilization checklist or an "epic" in tracking tools such as Jira). I can set this tracking up, however I would certainly appreciate help in actually populating the short list since I am not immersed in the ecosystem on a daily, FTE, basis.
Indeed I believe that this would be one of the less invasive changes/proposals recently made (a merged infra for CRLs and a proposal for pre-sign linting). From what I can immediately see, I don't think that we're going to require too much more infrastructure (depending on)...
A lot of the "easiness" of this work is likely predicated on this notion - that there is a single, or small combination, of facts embedded within a certificate that says
We already do this within the linting infra in order to skip out on CABF/BR lints for certs that are not for server auth. Line 221 in 997ad51
...so I do not find it to be unprecedented nor invasive.
Hi all, thanks for the positive responses. I guess we can probably close this issue and assume the result of this discussion is a "Let's get cracking". This list is by no means conclusive but here's a bunch of lints we might want from a quick scan through section 7 of the SMIME BRs that should at least get us started:
I've finished my first scan through of the particularly zlint-y section 7 and as the list contains 40 potential new lints I'm going to stop there as that seems enough to be getting on with!
I think this has been a quick open and shut issue so I'm going to close it in favour of the massive to-do list issue I've just opened as #712. Last thing to add in response to @christopher-henderson's question/comment/concern about applicability of the lints. I think we can do a similar step as in the CABF BR lints. The SMIME BRs open with a comment saying:
So I think we can have a similar
Hi all,
As there are going to be SMIME BRs coming into force in September I was wondering if:
a) there was interest in lints for SMIME certificates issued under any of the mailbox/organisation/sponsor-legacy/multipurpose/strict policy OIDs? (For the record, I am happy to participate in writing/reviewing new lints for this)
b) if there was interest it might help to have a plan for where we are going to add them (I propose lints/cabf_smime_br as the new location)
c) do we need an issue where we can make a checklist of the new lints we want? (It could be this one and I can do a bit of BR parsing into a checklist if there are positive thoughts about having these lints)
d) if there is an effort to add some new SMIME BR lints, can we expect a new zlint release before the new rules come into force in September? I'd help with this but I don't have the permissions so this is probably just a plea for some @christopher-henderson time.
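
An added illustration of the applicability step discussed in this thread (not code from zlint or from any participant): deciding whether S/MIME lints apply to a certificate and which profile it claims. It assumes the emailProtection EKU marks a certificate as in scope and that the CA/Browser Forum S/MIME policy OIDs have the form 2.23.140.1.5.&lt;type&gt;.&lt;generation&gt;; it uses the Go standard library rather than zlint's own types, and the function names are hypothetical.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

// Assumed CA/Browser Forum S/MIME policy arc: 2.23.140.1.5.<type>.<generation>.
var smimeArc = asn1.ObjectIdentifier{2, 23, 140, 1, 5}
var smimeTypes = map[int]string{1: "mailbox", 2: "organization", 3: "sponsor", 4: "individual"}
var smimeGenerations = map[int]string{1: "legacy", 2: "multipurpose", 3: "strict"}

// ClassifySMIMEPolicy (hypothetical helper) maps a policy OID to a profile
// name such as "sponsor-legacy", or "" when the OID is not under the arc.
func ClassifySMIMEPolicy(oid asn1.ObjectIdentifier) string {
	if len(oid) != len(smimeArc)+2 || !oid[:len(smimeArc)].Equal(smimeArc) {
		return ""
	}
	t, okT := smimeTypes[oid[5]]
	g, okG := smimeGenerations[oid[6]]
	if !okT || !okG {
		return ""
	}
	return t + "-" + g
}

// SMIMEScope (hypothetical gate) reports whether S/MIME lints should run at
// all, and which profile the certificate asserts. An in-scope certificate
// with an empty profile is itself a finding, so it is not skipped here.
func SMIMEScope(ekus []x509.ExtKeyUsage, policies []asn1.ObjectIdentifier) (bool, string) {
	inScope := false
	for _, e := range ekus {
		if e == x509.ExtKeyUsageEmailProtection {
			inScope = true
		}
	}
	if !inScope {
		return false, "" // skipped, like non-serverAuth certs for the CABF BR lints
	}
	for _, p := range policies {
		if name := ClassifySMIMEPolicy(p); name != "" {
			return true, name
		}
	}
	return true, ""
}

func main() {
	// Constructed sample values, not taken from a real certificate.
	ekus := []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	fmt.Println(SMIMEScope(ekus, []asn1.ObjectIdentifier{{2, 23, 140, 1, 5, 1, 3}}))
}
```

With a parsed `*x509.Certificate`, the inputs would be its `ExtKeyUsage` and `PolicyIdentifiers` fields.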