robplee
commented
1 year ago - [x] SMIME certificates SHALL have cRLDistributionPoints (7.1.2.3.b)(#742 )
- [ ] Strict and Multipurpose SMIME certificates SHALL have the cRLDistributionPoints URI scheme as HTTP others are not permitted (7.1.2.3.b)
- [x] Strict and Multipurpose SMIME certificate AIA fields: OCSP Responder "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1) (#777)
- [x] Strict and Multipurpose SMIME certificate AIA fields: caIssuers "When provided, every accessMethod SHALL have the URI scheme HTTP." (7.1.2.3.c.1) (#777)
- [x] Key usage, RSA certs, strict policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment (7.1.2.3.e) (#757 )
- [x] Key usage, RSA certs, multipurpose/legacy policies: prevent all key usages other than digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment (7.1.2.3.e) (#757 )
- [x] Key usage, EC certs, all: prevent all key usages other than digitalSignature, nonRepudiation, keyAgreement, encipherOnly, decipherOnly (7.1.2.3.e) (#757 )
- [x] Key usage, EC certs, all: encipherOnly/decipherOnly are permitted only when keyAgreement is set (7.1.2.3.e) (#757 )
- [x] Key usage, Edwards certs, keys defined on curve 25519: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. (#757 )
- [ ] Key usage, Edwards certs, keys defined on curve 448: Bit positions SHALL be set for digitalSignature and MAY be set for nonRepudiation. Blocked due to lack of support for curve 448 in zcrypto
- [x] Extended key usage, strict: emailProtection SHALL be present. Other values SHALL NOT BE PRESENT (7.1.2.3.f)(#747)
- [x] Extended key usage, multipurpose/legacy: emailProtection SHALL be present. Other values MAY be present (7.1.2.3.f)(#747 )
- [ ] Extended key usage, all: serverAuth, codeSigning, timeStamping, anyExtendedKeyUsage SHALL NOT BE PRESENT (7.1.2.3.f)
- [ ] authorityKeyIdentifier, all: SHALL be present, SHALL NOT be critical. keyIdentifier SHALL be present, authorityCertIssuer and authorityCertSerialNumber SHALL NOT be present (7.1.2.3.g)
- [x] subjectAlternativeName, all: SHALL be present (7.1.2.3.h)(#744)
- [x] subjectAlternativeName, all: SHOULD NOT be marked critical unless subject field is empty (7.1.2.3.h)(#746)
- [ ] subjectDirectoryAttributes, strict/multipurpose: field is Prohibited (7.1.2.3.j)
- [ ] subjectDirectoryAttributes, legacy: if present, field must not be marked Critical (7.1.2.3.j)
- [ ] qcStatements, all: if present, field must not be marked Critical (7.1.2.3.k)
- [ ] Legal Entity Identifier, mailbox-validated/individual-validated, all generations: is Prohibited (7.1.2.3.l)
- [ ] Legal Entity Identifier, organization-validated, all generations: LEI (1.3.6.1.4.1.52266.1) MAY be present and SHALL NOT be marked critical (7.1.2.3.l)
- [ ] Legal Entity Identifier, sponsor-validated, all generations: LEI (1.3.6.1.4.1.52266.1) or for role (1.3.6.1.4.1.52266.2) MAY be present and SHALL NOT be marked critical (7.1.2.3.l)
- [x] Adobe Extensions, strict: is Prohibited (7.1.2.3.m) (#763)
- [ ] extensions:subjectAltName all validations, all generations: SHALL be present, SHALL contain at least one GeneralName entry of the following types: Rfc822Name, otherName of type id-on-SmtpUTF8Mailbox (7.1.4.2.1)
- [ ] subject:commonName, mailbox-validated: if present, this attribute SHALL contain... [a] Mailbox Address (7.1.4.2.2.a)
- [ ] subject:commonName, organization-validated: if present, this attribute SHALL contain... subject:organizationName or [a] Mailbox Address (7.1.4.2.2.a)
- [ ] subject:commonName, sponsor-validated/individual-validated: if present, this attribute SHALL contain... Personal Name, subject:pseudonym, or [a] Mailbox Address. PersonalName SHOULD be presented as subject:givenName and/or subject:surname (7.1.4.2.2.a)
- [ ] subject:commonName, all: if present, the Mailbox Address SHALL contain a rfc822Name or otherName value of type id-on-smtpUTF8Mailbox from extensions:subjectAltName (7.1.4.2.2.a)
- [ ] subject:givenName, subject:surname, subject:pseudonym: The subject:givenName and/or subject:surname SHALL NOT be present if the subject:pseudonym is present. (7.1.4.2.2.e/f)
- [x] subject:emailAddress, all: if present, the subject:emailAddress SHALL contain a single Mailbox Address. (7.1.4.2.2.h)(#752 )
- [ ] subject:countryName, all: SHALL contain the two letter ISO country code or 'XX' if no ISO 3166-1 code has been assigned (7.1.4.2.2.n)
- [x] subject DN attributes for mailbox-validated profile (7.1.4.2.3)(#713 )
- [ ] subject DN attributes for organization-validated profile - Legacy (7.1.4.2.4)
- [ ] subject DN attributes for organization-validated profile - Multipurpose (7.1.4.2.4)
- [ ] subject DN attributes for organization-validated profile - Strict (7.1.4.2.4)
- [ ] subject DN attributes for sponsor-validated profile - Legacy (7.1.4.2.5)
- [ ] subject DN attributes for sponsor-validated profile - Multipurpose (7.1.4.2.5)
- [ ] subject DN attributes for sponsor-validated profile - Strict (7.1.4.2.5)
- [ ] subject DN attributes for sponsor-validated profile - Multipurpose/Strict: profiles SHALL include either subject:givenName and/or subject:surname, or the subject:pseudonym (7.1.4.2.5)
- [ ] subject DN attributes for individual-validated profile - Legacy (7.1.4.2.6)
- [ ] subject DN attributes for individual-validated profile - Multipurpose (7.1.4.2.6)
- [ ] subject DN attributes for individual-validated profile - Strict (7.1.4.2.6)
bitlux