Open Marco-Fe opened 4 months ago
@christopher-henderson We have seen some TLS BRs lints being duplicated for S/MIME recently, is this what should happen here and is this really the best approach?
This might cause quite a bit of duplication between lints for TLS, S/MIME, Code-Signing, ETSI, VMC, etc.
I don't think there has been much conversation about creating a set of common criteria lints that apply across multiple regulatory docs and how that would work. As of now, the duplication is preferred to keep related lints bundled together in the folder structure. I would recommend copying that lint over to the SMIME lints.
Without reading too much into this particular case, @cardonator is correct in that we have historically avoided deduplication.
It is relatively common for two governing bodies to declare similar (if not precisely the same) requirements. It certainly seems as though DRY would be a useful approach here, however it can actually make maintenance matters far more complicated.
Consider that case where we have a shared lint between RFC 5280 and CABF/BRs. CABF then releases a new ballot that slightly modifies the requirement.
ineffective
date on the previous CABF lint.effective
on the new ballot.ineffective
on the ballot date.Aside from simply being more steps, it is a significantly more complicated workflow that can easily lead to errors in implementing the language correctly. Specifically, Find the divergence, if any.
can (and has) lead to endless discussion and yak shaving.
So while copy-pasting is not the best coding practice in the world, treating these shared requirements as mere coincidences has made life generally easier in the repo.
We recently noticed that zlint seems not to check Subject Name fields like givenname, surname and common name for placeholder data like ".", "-" or " " (space). As these fields should contain the natural person's name, if present, these placeholders/Metadata are not allowed for Subject name fields. See also https://bugzilla.mozilla.org/show_bug.cgi?id=1902042
Having a lint that checks for these characters would also help to enforce the SMIME requirement 7.1.4.2.2.e: "Subjects with a single legal name SHALL provide the name in the subject:surname attribute."
After having a look at the implemented lints we found a similar one for source CABF BR that seems to already implement this check: https://github.com/zmap/zlint/blob/04d863f7660edfe0498162334524742397226fb2/v3/lints/cabf_br/lint_subject_contains_noninformational_value.go#L40
However this lint does not seem to be run when checking S/MIME certificates. The question would now be if this lint could also be reused for this case.