zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Subject Key Identifiers in Subscriber TLS Certificates #749

Closed robstradling closed 5 months ago

robstradling commented 9 months ago

RFC5280 4.2.1.2 says "this extension SHOULD be included in all end entity certificates", hence https://github.com/zmap/zlint/blob/386a8dc413add9bb92d80badbb4d86f833f6a4e5/v3/lints/rfc/lint_ext_subject_key_identifier_missing_sub_cert.go#L48

However, TLS BRs v2 section 7.1.2.7.6 (Subscriber Certificate Extensions) says the opposite: "subjectKeyIdentifier NOT RECOMMENDED"

I think ZLint should implement a new cabf_br lint that emits a Warning if SKI is present, and that (when enabled) this new lint should override the existing RFC5280 lint in rfc/lint_ext_subject_key_identifier_missing_sub_cert.go. Does that sound right?
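The contradiction the issue describes, as an added stand-alone example that is not zlint's own code and does not use zlint's lint framework: two checks modelled on the RFC 5280 lint and the proposed cabf_br lint, both written against Go's standard `crypto/x509` package, plus a `RunLints` driver that applies the "BR lint overrides the RFC lint when enabled" behaviour the comment above proposes. The lint name `w_ext_subject_key_identifier_present_sub_cert` is a hypothetical placeholder, `isSubscriberCert` is simplified to "not a CA", and the two self-signed leaf certificates are constructed test data generated in the block itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the subjectKeyIdentifier extension (RFC 5280 section 4.2.1.2).
var oidSubjectKeyIdentifier = asn1.ObjectIdentifier{2, 5, 29, 14}

// Status mirrors the outcomes a linter reports for one certificate.
type Status string

const (
	Pass Status = "pass"
	Warn Status = "warn"
	NA   Status = "NA" // lint does not apply to this certificate
)

// Result is one lint's verdict.
type Result struct {
	Lint   string
	Status Status
}

// hasSKI reports whether the certificate carries the subjectKeyIdentifier extension.
func hasSKI(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectKeyIdentifier) {
			return true
		}
	}
	return false
}

// isSubscriberCert treats any non-CA certificate as an end-entity (subscriber)
// certificate. This is a simplification of zlint's own applicability checks.
func isSubscriberCert(c *x509.Certificate) bool {
	return !c.IsCA
}

// rfcSKIMissing models the existing RFC 5280 lint: SKI SHOULD be present in
// end-entity certificates, so its absence is a warning.
func rfcSKIMissing(c *x509.Certificate) Result {
	r := Result{Lint: "w_ext_subject_key_identifier_missing_sub_cert", Status: NA}
	if !isSubscriberCert(c) {
		return r
	}
	if hasSKI(c) {
		r.Status = Pass
	} else {
		r.Status = Warn
	}
	return r
}

// brSKIPresent models the proposed cabf_br lint (hypothetical name): TLS BRs v2
// section 7.1.2.7.6 marks SKI as NOT RECOMMENDED in subscriber certificates,
// so its presence is a warning.
func brSKIPresent(c *x509.Certificate) Result {
	r := Result{Lint: "w_ext_subject_key_identifier_present_sub_cert", Status: NA}
	if !isSubscriberCert(c) {
		return r
	}
	if hasSKI(c) {
		r.Status = Warn
	} else {
		r.Status = Pass
	}
	return r
}

// RunLints applies the checks. When the BR lint is enabled it replaces the
// RFC 5280 lint, as the issue proposes, since the two give opposite advice and
// reporting both would flag every subscriber certificate either way.
func RunLints(c *x509.Certificate, brEnabled bool) []Result {
	if brEnabled {
		return []Result{brSKIPresent(c)}
	}
	return []Result{rfcSKIMissing(c)}
}

// makeLeaf builds a self-signed, non-CA test certificate (constructed sample
// data), optionally carrying a subjectKeyIdentifier.
func makeLeaf(withSKI bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "leaf.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"leaf.example.test"},
		IsCA:         false,
	}
	if withSKI {
		// Go only auto-generates SubjectKeyId for CA templates, so a leaf gets
		// one only when set explicitly (constructed value, not derived from the key).
		tmpl.SubjectKeyId = []byte{0x01, 0x02, 0x03, 0x04}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, withSKI := range []bool{true, false} {
		c, err := makeLeaf(withSKI)
		if err != nil {
			panic(err)
		}
		for _, enabled := range []bool{false, true} {
			fmt.Printf("SKI present=%v, BR lint enabled=%v -> %v\n", withSKI, enabled, RunLints(c, enabled))
		}
	}
}
```

Running it shows the flip: with the RFC lint alone a leaf without SKI warns and one with SKI passes; with the BR lint enabled the verdicts invert and the RFC lint is no longer reported.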

robstradling commented 8 months ago

The discussion in #762 is relevant here.