zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0
358 stars 107 forks

CA Certs verified under BRs 7.1.6.1 use 7.1.4.2.2 #206

Closed jdkasten closed 6 years ago

jdkasten commented 6 years ago

BRs 7.1.6.1 states that OV certificates (with policy identifier 2.23.140.1.2.2) must include the localityName to the extent such a field is required under Section 7.1.4.2.2.

Section 7.1.4.2.2 is only applicable to Subscriber Certificates. zlint is currently enforcing this check on CA certificates. Example: https://censys.io/certificates/95c074e35902a14abd9d19afb6e7f80e669ff8e2363270539d963613f04aaa21/zlint

It also looks like problems exist with 2.23.140.1.2.3 (EV) certificates as well. I have only analyzed code related to 7.1.6.1.

Potential fix: It seems like it would be as simple as adding a cert.IsCA check to the affected code. https://github.com/zmap/zlint/blob/5899dfa3116b1f4c9f88e6a4dab18f72e5836812/lints/lint_cert_policy_ov_requires_province_or_locality.go#L36 https://github.com/zmap/zlint/blob/5899dfa3116b1f4c9f88e6a4dab18f72e5836812/lints/lint_cert_policy_iv_requires_province_or_locality.go#L36

Reference: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.5.6.pdf
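The scoping fix proposed above, as an added stand-alone Go example (not zlint's own lint code): an OV locality/province check that returns "NA" for CA certificates because BR 7.1.4.2.2 only governs Subscriber certificates. `CheckOVLocality` and `makeCert` are hypothetical names, and the self-signed certificates are constructed test data, not real-world certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
)

var ovPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2} // CA/B Forum OV policy from the issue
// CheckOVLocality returns "NA", "pass" or "error". BR 7.1.4.2.2 governs Subscriber
// certificates only, so the IsCA guard proposed in the issue makes CA certs "NA".
func CheckOVLocality(c *x509.Certificate) string {
	hasOV := false
	for _, oid := range c.PolicyIdentifiers {
		hasOV = hasOV || oid.Equal(ovPolicyOID)
	}
	if !hasOV || c.IsCA { // c.IsCA is the check the issue says was missing
		return "NA"
	}
	if len(c.Subject.Locality) == 0 && len(c.Subject.Province) == 0 {
		return "error" // OV subscriber cert with neither localityName nor stateOrProvinceName
	}
	return "pass"
}
// makeCert builds a constructed self-signed test cert (not real-world data) carrying the OV policy; certificatePolicies (2.5.29.32) is written raw via ExtraExtensions.
func makeCert(isCA bool, locality []string) *x509.Certificate {
	type policyInfo struct{ Policy asn1.ObjectIdentifier }
	policies, _ := asn1.Marshal([]policyInfo{{ovPolicyOID}})
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Org"}, Locality: locality},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		ExtraExtensions:       []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
func main() {
	fmt.Println(CheckOVLocality(makeCert(true, nil)))                    // NA
	fmt.Println(CheckOVLocality(makeCert(false, nil)))                   // error
	fmt.Println(CheckOVLocality(makeCert(false, []string{"Ann Arbor"}))) // pass
}
```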

justinbastress commented 6 years ago

Updated the relevant tests to only apply to subscriber certificates in #207.

zakird commented 6 years ago

I've merged #207.

jdkasten commented 6 years ago

Thanks for the prompt fix!