Starting with v2.0, the CABF BRs prohibit the organizationalUnitName (OU) attribute in the Subject of Root CA and TLS SubCA certificates (they are tolerated, although not recommended, in other types of CA certs such as cross-certificates and non-TLS SubCA certificates). Zlint does not check this requirement as of today, so I propose this lint to fill the gap.
This lint is configurable, thus allowing one to safely distinguish a cross-certificate from a normal SubCA certificate. Non-TLS CA certificates and other uncommon types of CA certificates (to which the OU ban does not apply) are ignored via the pre-flight checks. To signal to this lint that the certificate under examination is a cross-certificate, pass to zlint a TOML file containing the following directive:
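As an added illustration (not the PR's lint code and not zlint's API), the following standalone Go program models the three pieces described above: a pre-flight check that scopes the rule to TLS CA certificates, an operator-supplied cross-certificate flag standing in for the TOML directive, and the OU check on the Subject. The function names, the selfSignedCA helper and the "Demo CA"/"Ops" values are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// isTLSCA is the pre-flight check: cA=TRUE plus an EKU that is absent or includes serverAuth.
func isTLSCA(c *x509.Certificate) bool {
	if !c.BasicConstraintsValid || !c.IsCA {
		return false
	}
	tls := len(c.ExtKeyUsage) == 0 // no EKU extension: unrestricted, so TLS-capable
	for _, eku := range c.ExtKeyUsage {
		tls = tls || eku == x509.ExtKeyUsageServerAuth
	}
	return tls
}

// CheckSubjectOU returns "NA" when the rule does not apply, "error" when a Root/TLS SubCA
// Subject carries OU, else "pass". crossCert stands in for the TOML cross-certificate directive.
func CheckSubjectOU(c *x509.Certificate, crossCert bool) string {
	if crossCert || !isTLSCA(c) {
		return "NA"
	}
	if len(c.Subject.OrganizationalUnit) > 0 {
		return "error"
	}
	return "pass"
}

// selfSignedCA builds a constructed, throwaway CA certificate for the demo.
func selfSignedCA(ou []string, eku []x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Demo CA", OrganizationalUnit: ou},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { fmt.Println(CheckSubjectOU(selfSignedCA([]string{"Ops"}, nil), false)) } // error
```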