cardonator
commented
8 months ago @christopher-henderson this is ready for review. I can't add you as a reviewer myself.
Closed cardonator closed 8 months ago
cardonator
commented
8 months ago @christopher-henderson this is ready for review. I can't add you as a reviewer myself.
cardonator
commented
8 months ago Thanks for the review @christopher-henderson I had one question above but otherwise should be ready to re-review. 👍
e: I confirmed internally that I shouldn't have allowed https.
As part of the SMIME work, I discovered at least one example of a cert that was issued using an outdated OCSP URL that would have been valid prior to the SMIME BRs. The rules around the AIA paths are not super strict but they are similar for both TLS and SMIME requirements, which read:
For publicly trusted certificates that are present in CT logs, these URLs are required to point to a resolvable location and shouldn't contain internal names. However, that requirement is not strictly codified in the requirements but is implied by what the resource is intended to point to. This lint intends to check and warn for this condition that may not be an actual problem, but probably is.
Note: I don't believe the Legacy lint is quite right here. The rule for Legacy reads
The current lint tries to parse the url and make sure the DNS name has a valid TLD. Should I instead try to validate the scheme of the field before parsing in that lint only?
I also combined the Strict and Multipurpose lints into one as they have the same requirements.
Feedback welcome and desired!