zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0
358 stars, 107 forks

Lints for PSD2 certificates - worth implementing? #847

Open defacto64 opened 4 months ago

defacto64 commented 4 months ago

I would like to know if the folks reading here believe it might be useful to have some lints for qualified certificates intended for use in the PSD2 context. These certificates must comply with the ETSI TS 119 495 specification. A few thousand have been issued over the last few years. According to my preliminary investigation, almost all of them are basically okay, but there are some errors. It is not clear how much it is worth worrying about, given that there does not seem to be any real supervision of these aspects. It is also unclear how "sensitive" relying parties are to the correct encoding of such certificates. The PSD2 directive will be replaced by a PSD3 directive, but it is not clear when or if there will be any impact on the certificate profile. In any case, new certificates of this type continue to be issued at the moment, so I would like to gather opinions on the usefulness of linting them by Zlint, and if so which checks seem worth implementing (I can think of 4 or 5 at the moment). Regardless of opinions, I might still propose some lints in this area in the near future.
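To make the kind of structural check being discussed concrete, here is an added example (not code from zlint, from the mtgag fork, or from anyone in this thread). It parses the contents of a qcStatements extension with Go's standard encoding/asn1 and checks the PSD2 QcStatement (statementId 0.4.0.19495.2) against the PSD2QcType layout defined in ETSI TS 119 495: each roleOfPspOid must be one of the four role OIDs under 0.4.0.19495.1 and carry its matching roleOfPspName, the statement must appear exactly once, and nCAId must have the country-code-hyphen-identifier shape. The regex used for nCAId (two upper-case letters, a hyphen, 2..8 upper-case letters) is my reading of clause 5.2.1 and should be verified against the spec text before it becomes a real lint; the sample DER is constructed in the block, not taken from a real certificate.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"regexp"
)

// OIDs from the ETSI TS 119 495 arc 0.4.0.19495.
var (
	oidPSD2QcStatement = asn1.ObjectIdentifier{0, 4, 0, 19495, 2}
	oidRolePSPAS       = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 1}
	oidRolePSPPI       = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 2}
	oidRolePSPAI       = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 3}
	oidRolePSPIC       = asn1.ObjectIdentifier{0, 4, 0, 19495, 1, 4}
)

// roleNames pairs each role OID with the roleOfPspName TS 119 495 assigns to it.
var roleNames = map[string]string{
	oidRolePSPAS.String(): "PSP_AS",
	oidRolePSPPI.String(): "PSP_PI",
	oidRolePSPAI.String(): "PSP_AI",
	oidRolePSPIC.String(): "PSP_IC",
}

// RoleOfPSP ::= SEQUENCE { roleOfPspOid OBJECT IDENTIFIER, roleOfPspName UTF8String }
type RoleOfPSP struct {
	RoleOfPspOid  asn1.ObjectIdentifier
	RoleOfPspName string `asn1:"utf8"`
}

// PSD2QcType ::= SEQUENCE { rolesOfPSP SEQUENCE OF RoleOfPSP, nCAName UTF8String, nCAId UTF8String }
type PSD2QcType struct {
	RolesOfPSP []RoleOfPSP
	NCAName    string `asn1:"utf8"`
	NCAId      string `asn1:"utf8"`
}

// QCStatement ::= SEQUENCE { statementId OBJECT IDENTIFIER, statementInfo ANY OPTIONAL } (RFC 3739)
type QCStatement struct {
	StatementID   asn1.ObjectIdentifier
	StatementInfo asn1.RawValue `asn1:"optional"`
}

// Assumed reading of TS 119 495 cl. 5.2.1: "XX-YYYY", ISO 3166 country code, hyphen, 2..8 upper-case letters.
var ncaIDRe = regexp.MustCompile(`^[A-Z]{2}-[A-Z]{2,8}$`)

// LintPSD2QcStatements takes the DER value of a qcStatements extension and returns
// findings; an empty slice means the PSD2 statement is present once and well-formed.
func LintPSD2QcStatements(der []byte) []string {
	var stmts []QCStatement
	rest, err := asn1.Unmarshal(der, &stmts)
	if err != nil {
		return []string{"qcStatements: " + err.Error()}
	}
	if len(rest) != 0 {
		return []string{"qcStatements: trailing bytes after SEQUENCE"}
	}
	var findings []string
	found := 0
	for _, s := range stmts {
		if !s.StatementID.Equal(oidPSD2QcStatement) {
			continue // other QcStatements (e.g. ETSI EN 319 412-5 ones) are out of scope here
		}
		found++
		findings = append(findings, lintPSD2QcType(s.StatementInfo.FullBytes)...)
	}
	if found == 0 {
		findings = append(findings, "no PSD2 QcStatement (0.4.0.19495.2) present")
	} else if found > 1 {
		findings = append(findings, "PSD2 QcStatement present more than once")
	}
	return findings
}

// lintPSD2QcType checks the statementInfo of the PSD2 statement against PSD2QcType.
func lintPSD2QcType(info []byte) []string {
	if len(info) == 0 {
		return []string{"PSD2 statementInfo missing"}
	}
	var t PSD2QcType
	rest, err := asn1.Unmarshal(info, &t)
	if err != nil {
		return []string{"PSD2QcType: " + err.Error()}
	}
	var f []string
	if len(rest) != 0 {
		f = append(f, "PSD2QcType: trailing bytes")
	}
	if len(t.RolesOfPSP) == 0 {
		f = append(f, "rolesOfPSP is empty")
	}
	seen := map[string]bool{}
	for _, r := range t.RolesOfPSP {
		key := r.RoleOfPspOid.String()
		want, ok := roleNames[key]
		if !ok {
			f = append(f, "unknown roleOfPspOid "+key)
			continue
		}
		if r.RoleOfPspName != want {
			f = append(f, fmt.Sprintf("roleOfPspName %q does not match OID %s (expected %q)", r.RoleOfPspName, key, want))
		}
		if seen[key] {
			f = append(f, "role "+want+" listed more than once")
		}
		seen[key] = true
	}
	if n := len(t.NCAName); n < 1 || n > 256 {
		f = append(f, "nCAName length outside 1..256")
	}
	if !ncaIDRe.MatchString(t.NCAId) {
		f = append(f, fmt.Sprintf("nCAId %q is not of the form XX-YYYY", t.NCAId))
	}
	return f
}

// buildQcStatements DER-encodes a qcStatements value carrying one PSD2 statement (constructed test data).
func buildQcStatements(t PSD2QcType) []byte {
	info, err := asn1.Marshal(t)
	if err != nil {
		panic(err)
	}
	der, err := asn1.Marshal([]QCStatement{{StatementID: oidPSD2QcStatement, StatementInfo: asn1.RawValue{FullBytes: info}}})
	if err != nil {
		panic(err)
	}
	return der
}

// GoodSample is a well-formed PSD2 statement; BadSample mismatches a role name and drops the nCAId country prefix.
func GoodSample() []byte {
	return buildQcStatements(PSD2QcType{
		RolesOfPSP: []RoleOfPSP{{oidRolePSPPI, "PSP_PI"}, {oidRolePSPAI, "PSP_AI"}},
		NCAName:    "Example National Competent Authority", NCAId: "XX-EXAMPLE"})
}

func BadSample() []byte {
	return buildQcStatements(PSD2QcType{
		RolesOfPSP: []RoleOfPSP{{oidRolePSPPI, "PSP_AI"}},
		NCAName:    "Example National Competent Authority", NCAId: "EXAMPLE"})
}

func main() {
	for _, s := range []struct{ name string; der []byte }{{"good", GoodSample()}, {"bad", BadSample()}} {
		f := LintPSD2QcStatements(s.der)
		fmt.Printf("%s: %d finding(s)\n", s.name, len(f))
		for _, m := range f {
			fmt.Println("  -", m)
		}
	}
}
```

To turn this into a zlint lint you would wrap it in zlint's v3 lint interface (CheckApplies returning true when the qcStatements extension carries the 0.4.0.19495.2 statementId, Execute mapping the findings to a LintResult) and take the extension bytes from zcrypto's certificate type instead of the constructed sample; that wrapping is left out here so the block runs with the standard library alone.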

mtgag commented 3 months ago

Some of them are implemented here:

https://github.com/mtgag/zlint/tree/all/v3/lints/etsi

Some have found their way into the main project, some not. Please check if you can re-use some of them to avoid re-implementing them.

cardonator commented 3 months ago

I fully support adding these lints. We had several qualified lints that were dropped because they were breaking and not being supported well, but I think it's valuable for lint bundles to exist for any regulatory body/consortium that requires properly formatted certificates to be issued.

defacto64 commented 3 months ago

@mtgag So why don't you open PRs to include your PSD2-related lints in the official Zlint?

mtgag commented 3 months ago

@mtgag So why don't you open PRs to include your PSD2-related lints in the official Zlint?

There were several PRs (about 2021?) that were not processed further and were closed.

If interest from the community in these lints is still active, reviewers are available, and such lints are a good match for zlint, I could start working on this.

defacto64 commented 3 months ago

@mtgag I was not aware of those past PRs of yours. It seems you opened all of them on Jan 18, 2021. Most of them were closed on the same day with the following motivation:

Activity on this pull request has trailed off and it is currently out of sync with the main branch. In the interest of keeping our review queue easy to manage I'm going to close this PR out. Please feel free to re-open once you've rebased on master and are ready for fresh reviews. Thanks!

It seems that for some reason you decided to let it go...

mtgag commented 3 months ago

I am willing to start working on it. I propose the following: Let me re-open an old PR (or simply create a new one) and see how this works out. A reviewer who is familiar with the ETSI standard should especially take a look at it.

mtgag commented 3 months ago

https://github.com/zmap/zlint/pull/861