zmap / zlint

X.509 Certificate Linter focused on Web PKI standards and requirements.
https://zmap.io
Apache License 2.0

fix: Fix PSD2 based cabfOrganizationIdentifier check #880

Closed XolphinMartijn closed 2 months ago

XolphinMartijn commented 2 months ago

This fix allows for PSD2 based cabfOrganizationIdentifier extensions to both include the NCA identifier in the registrationReference, as well as leaving it out.

This is an item recently discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1897538 in which we have stated why it's our interpretation that the NCA is not supposed to be part of the registrationReference. The fix leaves the option to keep the NCA in the registrationReference as a valid option as well, since several other CAs are using that as default practice. Until there is a change in the EVGs, we suggest keeping both options as an allowed method in zlint.
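The check described in the comment above, sketched as an added example (not code from this PR or from zlint): it accepts a PSD2 registrationReference both with and without the NCA identifier. The `OrgIDExt` struct, the `PSD2ReferenceMatches` function, the assumed subject organizationIdentifier layout (`PSD` + country + `-` + NCA + `-` + reference) and the sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// OrgIDExt holds the cabfOrganizationIdentifier fields relevant here
// (hypothetical struct for this example, not zlint's own type).
type OrgIDExt struct {
	Scheme    string // registrationSchemeIdentifier, e.g. "PSD"
	Country   string // registrationCountry, e.g. "BE"
	Reference string // registrationReference
}

// Assumed layout of the subject organizationIdentifier for PSD2:
// "PSD" + country + "-" + NCA identifier (2-8 upper-case letters) + "-" + reference.
var psdSubject = regexp.MustCompile(`^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$`)

// PSD2ReferenceMatches reports whether the extension agrees with the subject
// organizationIdentifier, accepting a registrationReference either with or
// without the NCA identifier prefix.
func PSD2ReferenceMatches(subjectOrgID string, ext OrgIDExt) (bool, error) {
	m := psdSubject.FindStringSubmatch(subjectOrgID)
	if m == nil {
		return false, fmt.Errorf("not a PSD organizationIdentifier: %q", subjectOrgID)
	}
	country, nca, ref := m[1], m[2], m[3]
	if ext.Scheme != "PSD" || ext.Country != country {
		return false, nil
	}
	withoutNCA := ref         // NCA left out of registrationReference
	withNCA := nca + "-" + ref // NCA kept in registrationReference
	return ext.Reference == withoutNCA || ext.Reference == withNCA, nil
}

func main() {
	subject := "PSDBE-NBB-1234.567.890" // constructed sample value
	refs := []string{"1234.567.890", "NBB-1234.567.890", "XYZ-1234.567.890"}
	for _, ref := range refs {
		ext := OrgIDExt{Scheme: "PSD", Country: "BE", Reference: ref}
		ok, err := PSD2ReferenceMatches(subject, ext)
		fmt.Printf("%-18s match=%v err=%v\n", ref, ok, err)
	}
}
```

A reference carrying a different NCA identifier than the subject, or a mismatched country, is still rejected; only the presence or absence of the matching NCA prefix is tolerated.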

XolphinMartijn commented 2 months ago

@christopher-henderson Thank you. Reviewed and merged the PR on my repo.