RFC5280 4.2.1.2 says "this extension SHOULD be included in all end entity certificates", hence https://github.com/zmap/zlint/blob/386a8dc413add9bb92d80badbb4d86f833f6a4e5/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go#L48
However, TLS BRs v2 section 7.1.2.7.6 (Subscriber Certificate Extensions) says the opposite: "subjectKeyIdentifier NOT RECOMMENDED"
I think ZLint should implement a new `cabf_br` lint that emits a Warning if SKI is present, and that (when enabled) this new lint should override the existing RFC5280 lint in `rfc/lint_ext_subject_key_identifier_missing_sub_cert.go`. Does that sound right?
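To make the proposed behaviour concrete, here is an added, self-contained Go sketch of the decision logic (it is not ZLint code and does not use ZLint's lint API; it relies only on the standard library). The `brProfile` flag is a hypothetical stand-in for "the `cabf_br` lint is enabled and overrides the `rfc` one": with the flag set, a subscriber certificate that carries subjectKeyIdentifier gets a Warning (TLS BRs v2 section 7.1.2.7.6); without it, a subscriber certificate that lacks the extension gets a Warning (RFC 5280 section 4.2.1.2). The two leaf certificates are constructed in-process so the check can be run offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the subjectKeyIdentifier extension (RFC 5280 section 4.2.1.2).
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}

// Status mirrors the outcomes a lint can report.
type Status int

const (
	Pass Status = iota
	Warn
	NotApplicable
)

// Result is what the check returns for one certificate.
type Result struct {
	Status  Status
	Details string
}

// hasSKI reports whether the parsed certificate carries the SKI extension.
func hasSKI(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectKeyIdentifier) {
			return true
		}
	}
	return false
}

// LintSubscriberSKI applies the TLS BR rule (SKI NOT RECOMMENDED) when brProfile
// is true and the RFC 5280 rule (SKI SHOULD be present) otherwise. brProfile is a
// hypothetical flag standing in for "cabf_br lint enabled, rfc lint overridden".
func LintSubscriberSKI(c *x509.Certificate, brProfile bool) Result {
	if c.IsCA {
		return Result{NotApplicable, "CA certificate: subscriber-only lint does not apply"}
	}
	present := hasSKI(c)
	switch {
	case brProfile && present:
		return Result{Warn, "subjectKeyIdentifier present in subscriber certificate (NOT RECOMMENDED, TLS BRs v2 section 7.1.2.7.6)"}
	case !brProfile && !present:
		return Result{Warn, "subjectKeyIdentifier missing from end-entity certificate (SHOULD be included, RFC 5280 section 4.2.1.2)"}
	}
	return Result{Pass, ""}
}

// makeLeaf builds a constructed, self-signed end-entity certificate for the demo.
// crypto/x509 emits the SKI extension for a non-CA only when SubjectKeyId is set.
func makeLeaf(withSKI bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // constructed name
		DNSNames:              []string{"example.test"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	if withSKI {
		tmpl.SubjectKeyId = []byte{0xde, 0xad, 0xbe, 0xef} // constructed key identifier
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withSKI := range []bool{true, false} {
		leaf, err := makeLeaf(withSKI)
		if err != nil {
			panic(err)
		}
		fmt.Printf("SKI present=%v  rfc5280 rule: %+v\n", withSKI, LintSubscriberSKI(leaf, false))
		fmt.Printf("SKI present=%v  cabf_br rule: %+v\n", withSKI, LintSubscriberSKI(leaf, true))
	}
}
```

Running it prints one line per rule for each constructed leaf: the same certificate is a Pass under one profile and a Warning under the other, which is exactly why the two lints cannot both be active at once and the `cabf_br` one has to take precedence when enabled.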