zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

New Lint for empty SCT extension #740

Open mcpherrinm opened 1 year ago

mcpherrinm commented 1 year ago

In https://bugzilla.mozilla.org/show_bug.cgi?id=1852404, certificates were issued with an SCT extension that was empty.

The extension shouldn't be present if it is empty. The incident report mentions that zlint and other linters didn't catch it. This seems like an easy mistake to make and worth adding a lint for.

I believe this should be an RFC error lint per reference: https://datatracker.ietf.org/doc/html/rfc6962#section-3.3, which says "At least one SCT MUST be included."

Baseline Requirements 7.1.2.11.3 Signed Certificate Timestamp List references the above RFC so it could reasonably be a cabf_br lint as well, but that seems more indirect than needed to me.
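The check the issue asks for, as an added Go example that is not zlint's own code: it flags a certificate whose SCT extension (RFC 6962 section 3.3) is present but carries no SCT, using only the standard library. The self-signed certificate, the extension bytes and the names `lintEmptySCT` and `selfSignedWithSCT` are constructed here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// SCT list extension OID (RFC 6962 3.3): an OCTET STRING wrapping a TLS-encoded list whose first two bytes are its length.
var oidSCTList = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
// lintEmptySCT fails (false, reason) only when the extension is present but holds no SCT.
func lintEmptySCT(cert *x509.Certificate) (bool, string) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSCTList) {
			continue
		}
		var list []byte
		if rest, err := asn1.Unmarshal(ext.Value, &list); err != nil || len(rest) != 0 {
			return false, "SCT extension value is empty or not an OCTET STRING"
		}
		if len(list) < 2 || (list[0] == 0 && list[1] == 0) {
			return false, "SCT extension present but the SCT list has zero length"
		}
	}
	return true, "" // absent, or present with at least one SCT
}

// selfSignedWithSCT builds a throwaway self-signed cert (constructed test data); nil omits the extension, any other value is written into it verbatim.
func selfSignedWithSCT(sctValue []byte) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if sctValue != nil {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidSCTList, Value: sctValue}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSignedWithSCT([]byte{}) // the defect from the issue: extension present, value empty
	if err != nil { panic(err) }
	fmt.Println(lintEmptySCT(cert))
}
```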

mcpherrinm commented 1 year ago

I may be interested in contributing this lint, but can't make any timeline promises.

defacto64 commented 5 months ago

This issue is addressed by https://github.com/zmap/zlint/pull/837