zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

SKI is now not recommended. #788

Closed baloo closed 8 months ago

baloo commented 8 months ago

Ballot SC62 appears to have marked Subject Key Identifier as NOT RECOMMENDED.

https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/

See section 7.1.2.7.6 Subscriber Certificate Extensions of the BR: https://cabforum.org/wp-content/uploads/CA-Browser-Forum-TLS-BR-2.0.2.pdf#page=79

I believe zlint should stop issuing warnings for certificates issued after SC62 was effective.

baloo commented 8 months ago

Fair warning: I've never contributed here, nor interacted with the CABF before. Please take this as a suggestion; use of grains of salt is highly suggested.

XolphinMartijn commented 8 months ago

Issue #749 ties into this. I'm not sure the proposed solution here is optional.

The linter source is lint.RFC5280. That source still says the same about this SHOULD requirement.

SC62 went against RFC5280 in this regard. It seems to me like it's a case where the RFC5280 lint should still show a warning if the SKI is not present, whereas a similar lint for source CABFBR should print a warning if it is present.

Anyone linting could then exclude one of the two, depending on which requirement they'd like to follow more strictly.
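The two-source split described in the comment above, written out as an added example in Go (zlint's language) that is not zlint code and not part of this thread: an RFC5280-sourced verdict that warns when a Subject Key Identifier is absent, next to a CABFBR-sourced verdict that warns when one is present in a subscriber (non-CA) certificate issued on or after the SC62 effective date. Assumptions: the effective date is taken as 2023-09-15 and is marked as an assumption in the code; the CABF check is gated on `IsCA == false` on the reading that BR 7.1.2.7.6 covers subscriber certificates only; `LintSKI`, `SKIResult` and the `makeLeaf` helper are hypothetical names, and the certificates are constructed in-process as test input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SC62EffectiveDate is the date from which the CABF-side check applies.
// ASSUMPTION: 2023-09-15 is used here as the SC62 effective date; confirm
// it against the ballot text before relying on it.
var SC62EffectiveDate = time.Date(2023, 9, 15, 0, 0, 0, 0, time.UTC)

// SKIResult carries one verdict per source, so a caller can ignore either.
type SKIResult struct {
	// RFC 5280 4.2.1.2: end-entity certificates SHOULD carry an SKI, so the
	// RFC5280-sourced lint warns when it is absent.
	RFC5280Warn bool
	// BR 7.1.2.7.6: SKI is NOT RECOMMENDED in subscriber certificates, so the
	// CABFBR-sourced lint warns when it is present (post-SC62, non-CA only).
	CABFBRWarn bool
}

// LintSKI applies both checks to an already parsed certificate.
func LintSKI(cert *x509.Certificate) SKIResult {
	hasSKI := len(cert.SubjectKeyId) > 0
	r := SKIResult{RFC5280Warn: !hasSKI}
	// Only subscriber (non-CA) certificates issued on or after the
	// effective date fall under the BR 7.1.2.7.6 profile.
	if !cert.IsCA && !cert.NotBefore.Before(SC62EffectiveDate) {
		r.CABFBRWarn = hasSKI
	}
	return r
}

// makeLeaf builds a self-signed, non-CA certificate as constructed test
// input (hypothetical helper, not zlint code). x509.CreateCertificate only
// auto-populates SubjectKeyId for CA templates, so the leaf carries an SKI
// exactly when withSKI is true.
func makeLeaf(notBefore time.Time, withSKI bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"},
		DNSNames:              []string{"example.test"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(90 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	if withSKI {
		// Derive the identifier from the DER SubjectPublicKeyInfo; any
		// unique value would do for exercising the check.
		spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
		if err != nil {
			return nil, err
		}
		sum := sha1.Sum(spki)
		tmpl.SubjectKeyId = sum[:]
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cases := []struct {
		label     string
		notBefore time.Time
		withSKI   bool
	}{
		{"pre-SC62 leaf with SKI", time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC), true},
		{"post-SC62 leaf with SKI", time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), true},
		{"post-SC62 leaf without SKI", time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), false},
	}
	for _, c := range cases {
		cert, err := makeLeaf(c.notBefore, c.withSKI)
		if err != nil {
			panic(err)
		}
		r := LintSKI(cert)
		fmt.Printf("%-28s rfc5280_warn=%v cabfbr_warn=%v\n", c.label, r.RFC5280Warn, r.CABFBRWarn)
	}
}
```

Keeping the two verdicts separate rather than computing one combined result is what lets a user drop whichever source they care less about, which is the point of the proposal; a real zlint lint would additionally need to be registered with its own source and effective date rather than hard-coding them in a variable.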

baloo commented 8 months ago

I missed #749. Closing this and following up there.