zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

w_qcstatem_qctype_web generates false positives for qualified certificates #561

Open AEtherC0r3 opened 3 years ago

AEtherC0r3 commented 3 years ago

If a qualified certificate is not a QWAC (Qualified Web Authentication Certificate) w_qcstatem_qctype_web will be triggered. This lint should not be applicable to certificates that can't be used for TLS server authentication.

sleevi commented 3 years ago

Could you provide an example certificate you believe this is a false-positive for? This would help diagnose.

I "suspect" this is because the early lints from @mtgag unconditionally assume TLS certs (i.e. do not restrict via their CheckApplies function), as I suspect some assumption that this would only be run on TLS hierarchies. I suspect we can resolve this through liberally updating CheckApplies, although there are certainly more fundamental issues with the ETSI specifications in situations trying to figure out if something was "misissued" or not.

AEtherC0r3 commented 3 years ago

The attached certificate is an example of a qualified certificate for qualified eSignatures: John Doe.pem

cpu commented 3 years ago

Is this something that should be considered a blocker for https://github.com/zmap/zlint/issues/559? My instinct is to revert anything ETSI related that seems buggy but I'll defer to others for this case.

sleevi commented 3 years ago

@cpu I don't think so. This particular lint comes from v1 (that is, before lints were shuffled and split). Specifically, https://github.com/zmap/zlint/pull/250 from 2019. So this is long-standing, (un?)fortunately, and mostly a result of several of the existing ETSI lints assuming they'll only be run in the context of Web PKI hierarchies.

cpu commented 3 years ago

SGTM. I also feel better these days knowing that users can exclude certain lint categories.

mtgag commented 3 years ago

It is true that the assumption made was that only TLS certificates are involved. If the scope of zlint is beyond this use case then this lint is not correct. Two suggestions are to either remove the lint or change the warning to a notice. What is your opinion on this? We could then implement this.
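The following is an added illustration of the two points raised above (sleevi's suggestion of restricting the lint through CheckApplies, and mtgag's question of whether to remove or downgrade it); it is example code written for this page, not zlint's own implementation. It uses the standard library `crypto/x509` instead of zlint's zcrypto types, and the `Result`, `appliesToTLSServer`, `qcTypes`, `qcTypeWebLint` and `qcCert` names are hypothetical. The lint body only approximates the behaviour the issue describes (a qualified certificate whose QcType does not include id-etsi-qct-web gets a warning); the OIDs are the real ones from RFC 3739 and ETSI EN 319 412-5, and the sample certificates are constructed in memory, not taken from the attached file. Treating a missing EKU extension as "in scope" is an assumption of this example.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// Object identifiers from RFC 3739 (qcStatements) and ETSI EN 319 412-5 (QcType).
var (
	oidQcStatements = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 3}
	oidQcType       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
	oidQctEsign     = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}
	oidQctWeb       = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}
)

// qcStatement mirrors QCStatement ::= SEQUENCE { statementId OID, statementInfo ANY OPTIONAL }.
type qcStatement struct {
	ID   asn1.ObjectIdentifier
	Info asn1.RawValue `asn1:"optional"`
}

// Result is a hypothetical lint outcome type (not zlint's LintResult).
type Result int

const (
	NA   Result = iota // lint does not apply to this certificate
	Pass               // applies and is satisfied
	Warn               // applies and is violated
)

// appliesToTLSServer is the CheckApplies-style guard the thread proposes: only
// certificates usable for TLS server authentication are in scope. A missing EKU
// extension is treated as unrestricted (assumption made here), so it stays in scope.
func appliesToTLSServer(c *x509.Certificate) bool {
	if len(c.ExtKeyUsage) == 0 && len(c.UnknownExtKeyUsage) == 0 {
		return true
	}
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// qcTypes returns the OIDs listed in the QcType statement and whether a
// qcStatements extension is present at all.
func qcTypes(c *x509.Certificate) (types []asn1.ObjectIdentifier, present bool, err error) {
	for _, ext := range c.Extensions {
		if !ext.Id.Equal(oidQcStatements) {
			continue
		}
		var stmts []qcStatement
		if _, err = asn1.Unmarshal(ext.Value, &stmts); err != nil {
			return nil, true, err
		}
		for _, s := range stmts {
			if s.ID.Equal(oidQcType) {
				_, err = asn1.Unmarshal(s.Info.FullBytes, &types)
				return types, true, err
			}
		}
		return nil, true, nil
	}
	return nil, false, nil
}

// qcTypeWebLint approximates the reported behaviour: a qualified certificate whose
// QcType lacks id-etsi-qct-web gets a warning. With restrictToTLS=false it reproduces
// the false positive from the issue; with restrictToTLS=true the guard suppresses it.
func qcTypeWebLint(c *x509.Certificate, restrictToTLS bool) (Result, error) {
	if restrictToTLS && !appliesToTLSServer(c) {
		return NA, nil
	}
	types, present, err := qcTypes(c)
	if err != nil {
		return Warn, err // malformed qcStatements: report rather than silently skip
	}
	if !present {
		return NA, nil // no qcStatements extension: not a qualified certificate for this lint
	}
	for _, t := range types {
		if t.Equal(oidQctWeb) {
			return Pass, nil
		}
	}
	return Warn, nil
}

// qcCert builds an in-memory certificate (constructed sample, not a parsed real
// certificate) carrying the given EKUs and a qcStatements extension with one QcType.
func qcCert(ekus []x509.ExtKeyUsage, types ...asn1.ObjectIdentifier) *x509.Certificate {
	info, _ := asn1.Marshal(types)
	der, _ := asn1.Marshal([]qcStatement{{ID: oidQcType, Info: asn1.RawValue{FullBytes: info}}})
	return &x509.Certificate{
		ExtKeyUsage: ekus,
		Extensions:  []pkix.Extension{{Id: oidQcStatements, Value: der}},
	}
}

func main() {
	// The case from the issue: a qualified eSignature certificate that is not a QWAC.
	esig := qcCert([]x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}, oidQctEsign)
	names := map[Result]string{NA: "NA", Pass: "pass", Warn: "warn"}
	r, _ := qcTypeWebLint(esig, false)
	fmt.Println("without CheckApplies guard:", names[r]) // the reported false positive
	r, _ = qcTypeWebLint(esig, true)
	fmt.Println("with CheckApplies guard:   ", names[r]) // out of scope, no warning
}
```

Narrowing the scope this way keeps the warning for certificates that can actually be used for TLS server authentication while leaving a non-TLS qualified certificate untouched, which is a third option next to removing the lint or downgrading it to a notice.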