zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0
363 stars 109 forks source link

CABF SMIME BR Appendix A.1 - countryName matches registration scheme id #768

Closed eliot-gs closed 11 months ago

eliot-gs commented 1 year ago

Adding lint to check the 2 character countryName in the subject matches the countryName in the registration scheme id as per Appendix A.1: The country code used in the Registration Scheme identifier SHALL match that of the subject:countryName in the Certificate as specified in Section 7.1.4.2.2.

robplee commented 1 year ago

Sorry about this @eliot-gs, but there's currently some discussion about removing this requirement to have the country in the organizationIdentifier match the provided countryName attribute (will link the first email on the subject below). I wonder if we should wait for some additional clarity before merging this PR?

I guess on the flip-side though, the change hasn't been made and as it's a substantive one I imagine it will be brought in in the future making this lint useful for certs issued since 20230901 (yyyymmdd). So, perhaps this could be merged with the caveat that we may need to add an ineffective date once there's a date for when any future changes are coming into force?

SMIME WG email: https://lists.cabforum.org/pipermail/smcwg-public/2023-November/000863.html

robplee commented 12 months ago

Hi @eliot-gs, I've been thinking about this PR a bit and I think we can merge it in. There is a decent chance that the rule you're enforcing with your lint is going to be removed, but that change is a substantive change to the BRs and should be made effective from a future date. Therefore, the requirement from appendix A1 is effective from 1st September 2023 until the TBC future date.

My thinking is we should merge this in, keep our eyes open on the conversations around SMCWG and once that conversation is resolved we can do another PR to set the ineffective date for the lint in this PR.

What do you think @christopher-henderson?

eliot-gs commented 11 months ago

Thanks @christopher-henderson, I have addressed the issues you raised.

chrisbn commented 11 months ago

I'd like to highlight that the current requirement (and lint) effectively prevents the use of LEI and INT as registration schemes. As per 7.1.4.2.2 d note 2 and Appendix A A.1, the country code shall be set to XG (example INTXG, LEIXG).

The Subject:CountryName SHALL contain the country code associated with the location of the Subject verified, which cannot be XG, and so this lint would fail.

Also, the existing lint e_subject_country_not_iso does not recognize XG as a valid country, so even if the Subject:CountryName would be set to XG, this lint would block it.

robplee commented 11 months ago

Hi @chrisbn, thanks for the comment however the point you're raising is not a zlint problem. zlint exists to apply the rules as they are written and, to me, your comment sounds like the SMIME BRs are broken because of the inconsistency between the parts of the document you've highlighted. As you've pointed out, the 7.1.4.2.2 d note 2 text says that in some cases the country code in the organizationIdentifier should be "XG", Appendix A.1 says the country codes in the organizationIdentifier and countryName must match, and 7.1.4.2.2 n doesn't support the countryName being set to "XG". This is a failure of the SMIME BRs and should be fixed there before any changes to zlint are made.

tl;dr We don't write the rules here, we just enforce them :)