Upgrade zlint from v3.6.0 to v3.6.2
Adds a few new lints (largely related to the Profiles ballot and recent CA incidents), two of which we need to disable:
- e_cab_dv_subject_invalid_values fails with a Warning because we include a Common Name in most of our certificates. We already ignore w_subject_common_name_included, so this is a similar situation.
- w_ext_subject_key_identifier_not_recommended_subscriber fails with a Warning because we include the SKID extension in all of our certificates. We intend to remove this extension in our upcoming "modernized" certificate profile.
DO NOT MERGE until IN-10466 is complete
@pgporada, this PR appears to contain configuration and/or SQL schema changes. Please ensure that a corresponding deployment ticket has been filed with the new values.
SRE ticket filed, IN-10466
It's worth noting that e_cab_dv_subject_invalid_values contains multiple checks, only one of which we violate. Skipping this lint is somewhat risky, if zlint decides to remove other individual lints which check for things like the Country field.
This is also a good prompt to consider removing the SKID from our end-entity certificates. I don't believe anyone is relying on it, and it would be some good bytes to shed. (See https://github.com/letsencrypt/boulder/issues/7446.)
Finally, we may want to consider having different sets of lints for different issuance profiles, so that a "modern" profile which excludes the Common Name can be more strictly checked.
> It's worth noting that e_cab_dv_subject_invalid_values contains multiple checks, only one of which we violate. Skipping this lint is somewhat risky, if zlint decides to remove other individual lints which check for things like the Country field.
The unhelpful warning was removed in https://github.com/zmap/zlint/commit/068ae82324696a6f484be9baa6085318e7851112 So you could also upgrade to 3.6.3 or 3.6.4 instead of skipping that lint.
SRE ticket is complete/deployed, so this is un-blocked in Production.
Superseded by https://github.com/letsencrypt/boulder/pull/7897