zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

Support for STIR/SHAKEN Compliance Tests? #793

Open rmhrisk opened 5 months ago

rmhrisk commented 5 months ago

@martinisec has a version of Zlint that includes tests for spotting visible issuance-related compliance problems in the STIR/SHAKEN ecosystem. For those who might not know, STIR/SHAKEN is a system based on X.509 PKI that uses ACME to give telecom companies certificates that look similar to OV certificates in the WebPKI.

We combine this version of Zlint with real certificates to identify when certificates are issued incorrectly by different CAs, similar to how Certificate Transparency works in the WebPKI. You can check out the reports we make with these tests here: https://ecosystemcompliance.martinisecurity.com/

Here's a quick preview: [image]

So far, the main administrators of this ecosystem haven't addressed the issue of CA misissuance, which is why we continue to see widespread problems with how approved CAs issue certificates, even though they know about the tests and the report.

We think one way to possibly get more CAs to follow better practices is if the Zlint project would be open to adding these tests. Each test specifies the exact rule it's based on and, except for Notices, uses clear normative-style language. We've used these findings to highlight what we think are generally agreed-upon best practices in PKI.

Would there be interest in adding these tests to Zlint?
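As an added illustration, not code from the zlint project or from the fork the issue describes: a standalone Go check in the spirit of such a lint, assuming the requirement under test is that a STIR/SHAKEN certificate carries the TNAuthList extension (id-pe-TNAuthList, RFC 8226) and does not mark it critical. The certificate it runs over is constructed inside the code; the actual rules the fork lints are not on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// id-pe-TNAuthList, RFC 8226 section 9. The "present and non-critical" rule checked
// below is an assumed requirement for this example, not a rule quoted from the thread.
var oidTNAuthList = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 26}

// LintTNAuthList returns ok=true when the certificate carries a non-critical
// TNAuthList extension; otherwise ok=false and the finding text, as a lint would report.
func LintTNAuthList(cert *x509.Certificate) (ok bool, finding string) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidTNAuthList) {
			if ext.Critical {
				return false, "TNAuthList extension must not be marked critical"
			}
			return true, ""
		}
	}
	return false, "TNAuthList extension is missing"
}

// MakeTestCert builds a constructed self-signed leaf for the lint to run over; the
// extension value is a placeholder empty SEQUENCE, not a real TNAuthorizationList.
func MakeTestCert(withTNAuthList, critical bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "shaken-example.invalid (constructed)"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if withTNAuthList {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidTNAuthList, Critical: critical, Value: []byte{0x30, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```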

zakird commented 5 months ago

I'm supportive if there's someone who can help to maintain and approve lints related to STIR/SHAKEN. I don't know if anyone right now has the domain expertise, but I'm open to the idea, in part because we can limit the scope to only STIR/SHAKEN certs, so there's not much potential for harm.

aaomidi commented 5 months ago

+1 to supporting STIR/SHAKEN given what @zakird said. It's part of Public PKI after all :)

rmhrisk commented 5 months ago

Sounds good, we can sign up to support the help on maintenance and approval. We will work on getting a PR over for review; we recently rebased, so it shouldn't be too much work to get an initial PR in for review.