zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Coverage for ETSI Requirements #410

Open sleevi opened 4 years ago

sleevi commented 4 years ago

Similar to #354 and #363 , this top-level issue captures overall progress towards having acceptable ZLint coverage for ETSI ESI developed documents

Required data/tooling:

Required lints (Incomplete):

TS 119 495 ("PSD2 certificates")

sleevi commented 4 years ago

@mtgag I was having trouble parsing out which lints went to which requirements, so I attempted to try and distill some of them here. I'm not sure I matched the PRs to the right bits, but hopefully you can double check and make sure this looks correct?

I thought this might be easier to figure out prioritization as well as to figure out where/how to break stuff up discretely, in the event there are multiple requirements.

mtgag commented 4 years ago

Back from the RSA conference... Yes, I will double check.

mtgag commented 4 years ago

A proposal for this one:

* [ ]  #379 - Validate that the PSD2 QCStatement conforms to the ASN.1 module
  (**Ref**: [ETSI TS 119 495 v1.4.1, GEN-5.1-1, GEN-5.2.3-1, GEN-5.2.3-4, Appendix A](https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.04.01_60/ts_119495v010401p.pdf#page=19))

Reference only to Appendix A. There are other positions (e.g. GEN-5.1-3) that may be relevant and need to be listed or the question may arise why is for example GEN-5.2.3-1 listed but GEN-5.1-3 not. Referencing only the appendix should be sufficient.

Also

* [ ]  #388 - If the certificate is qualified for website authentication or electronic seals, validate that the `PSD2 QCStatement` is present and the `organizationIdentifier` is present
  (**Ref**: [ETSI TS 119 495, v1.4.1, GEN-5.3-2, GEN-5.3-3, GEN-5.4-2, GEN-5.4-3](https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.04.01_60/ts_119495v010401p.pdf#page=15))

This is not explicitly checked by #388. This probably needs to be an independent lint.

sleevi commented 4 years ago

> A proposal for this one: Reference only to Appendix A. There are other positions (e.g. GEN-5.1-3) that may be relevant and need to be listed or the question may arise why is for example GEN-5.2.3-1 listed but GEN-5.1-3 not. Referencing only the appendix should be sufficient.

Good point! The fact that GEN-5.3.1 says all other requirements in prose are superseded by the ASN.1 module in Annex A should be a sufficient reference!

> * [ ]  #388 - If the certificate is qualified for website authentication or electronic seals, validate that the `PSD2 QCStatement` is present and the `organizationIdentifier` is present
>   (**Ref**: [ETSI TS 119 495, v1.4.1, GEN-5.3-2, GEN-5.3-3, GEN-5.4-2, GEN-5.4-3](https://www.etsi.org/deliver/etsi_ts/119400_119499/119495/01.04.01_60/ts_119495v010401p.pdf#page=15))
>
> This is not explicitly checked by #388. This probably needs to be an independent lint.

Thanks. This caused me a little confusion, so I want to make sure I understood:

Is that right? I agree, it sounds like we probably need a lint to ensure that
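To make the two items above concrete, here is an added Go example (written for this page; it is not code from zlint or from the PRs discussed, and it does not use zlint's lint interface). It runs both checks against a parsed `*x509.Certificate`: the PSD2 QCStatement must decode as the `PSD2QcType` of TS 119 495 Annex A with no trailing bytes (the #379 item), and a certificate whose QcType statement declares web authentication or electronic seal must carry both the PSD2 QCStatement and a subject `organizationIdentifier` (the #388 item as worded above). Treating the QcType statement as the signal for "qualified for website authentication or electronic seals" is my assumption, and the example only checks that the PSD2 statement decodes; the SIZE constraints on the UTF8String fields in Annex A are not enforced. The OIDs are taken from RFC 3739, ETSI EN 319 412-5 and TS 119 495; `BuildTestCert` self-signs constructed test certificates so the lint can run offline, and the subject values and NCA strings in it are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OIDs and ASN.1 types from RFC 3739 (qcStatements), ETSI EN 319 412-5 (QcType) and TS 119 495 Annex A (PSD2).
var (
	oidQcStatements    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3} // id-pe-qcStatements
	oidQcType          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}      // id-etsi-qcs-QcType
	oidQctESeal        = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2}   // id-etsi-qct-eseal
	oidQctWeb          = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}   // id-etsi-qct-web
	oidPSD2QcStatement = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}        // etsi-psd2-qcStatement
	oidPspAS           = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 1}     // PSP_AS role
	oidOrgIdentifier   = asn1.ObjectIdentifier{2, 5, 4, 97}              // id-at-organizationIdentifier
)
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"` // statementInfo ANY DEFINED BY statementId OPTIONAL
}
type roleOfPSP struct {
	RoleOfPspOid  asn1.ObjectIdentifier
	RoleOfPspName string `asn1:"utf8"`
}
type psd2QcType struct {
	RolesOfPSP []roleOfPSP
	NCAName    string `asn1:"utf8"`
	NCAId      string `asn1:"utf8"`
}

// LintPSD2 returns findings for the two checks discussed above: the PSD2 statementInfo must decode as
// PSD2QcType (#379), and a web/e-seal certificate needs the PSD2 statement plus organizationIdentifier (#388).
func LintPSD2(c *x509.Certificate) (findings []string) {
	var stmts []qcStatement
	for _, e := range c.Extensions {
		if e.Id.Equal(oidQcStatements) {
			if rest, err := asn1.Unmarshal(e.Value, &stmts); err != nil || len(rest) != 0 {
				return []string{"qcStatements extension is not valid DER"}
			}
		}
	}
	webOrSeal, hasPSD2, hasOrgID := false, false, false
	for _, st := range stmts {
		if st.ID.Equal(oidQcType) {
			var types []asn1.ObjectIdentifier // QcType statementInfo is SEQUENCE OF OBJECT IDENTIFIER
			asn1.Unmarshal(st.Info.FullBytes, &types)
			for _, t := range types {
				webOrSeal = webOrSeal || t.Equal(oidQctWeb) || t.Equal(oidQctESeal)
			}
		}
		if st.ID.Equal(oidPSD2QcStatement) {
			hasPSD2 = true
			if rest, err := asn1.Unmarshal(st.Info.FullBytes, new(psd2QcType)); err != nil || len(rest) != 0 {
				findings = append(findings, "PSD2 QCStatement does not decode as Annex A PSD2QcType")
			}
		}
	}
	for _, atv := range c.Subject.Names {
		hasOrgID = hasOrgID || atv.Type.Equal(oidOrgIdentifier)
	}
	if webOrSeal && !(hasPSD2 && hasOrgID) {
		findings = append(findings, fmt.Sprintf("web/e-seal certificate: PSD2 statement=%v, organizationIdentifier=%v", hasPSD2, hasOrgID))
	}
	return findings
}

// BuildTestCert self-signs a constructed test certificate (not a real PSD2 certificate) typed as web authentication.
func BuildTestCert(withPSD2, withOrgID bool) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fixture key; a bad key surfaces in CreateCertificate
	qcTypeInfo, _ := asn1.Marshal([]asn1.ObjectIdentifier{oidQctWeb})
	stmts := []qcStatement{{ID: oidQcType, Info: asn1.RawValue{FullBytes: qcTypeInfo}}}
	if withPSD2 {
		info, _ := asn1.Marshal(psd2QcType{[]roleOfPSP{{oidPspAS, "PSP_AS"}}, "Example NCA", "XX-NCA"})
		stmts = append(stmts, qcStatement{ID: oidPSD2QcStatement, Info: asn1.RawValue{FullBytes: info}})
	}
	extValue, _ := asn1.Marshal(stmts)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "psp.example"}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), ExtraExtensions: []pkix.Extension{{Id: oidQcStatements, Value: extValue}}}
	if withOrgID { // organizationIdentifier (2.5.4.97) as an extra subject attribute; value is made up
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidOrgIdentifier, Value: "PSDXX-NCA-12345"}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	c, _ := BuildTestCert(true, false) // constructed: PSD2 statement present, organizationIdentifier missing
	fmt.Println(LintPSD2(c))
}
```

Running `main` on the certificate that carries the PSD2 statement but no `organizationIdentifier` yields a single finding; a certificate with both yields none, and one with the PSD2 statement omitted is flagged by the presence check only. Decoding with `encoding/asn1` and rejecting trailing bytes is the cheap half of "conforms to the ASN.1 module"; a full lint would also enforce the SIZE constraints the module places on the UTF8String fields.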