
Follow CABF guidelines more closely?

Open njsmith opened this issue 8 years ago • 3 comments

There are a bunch of ways we aren't really following CABF rules. Not sure how much it matters. But for example:

7.1.2.1 rules for root certificates:

  • SHOULD NOT set path_length
  • MUST include keyUsage
    • MUST be marked critical
    • MUST have keyCertSign and cRLSign set

7.1.4.3 CA certificates:

  • MUST have a common name, organization name, and country name

7.1.2.3 subscriber certificates:

  • MUST have certificatePolicies
  • MUST have extKeyUsage

We might have some RFC 5280 fails too, I haven't read it carefully.

njsmith, Aug 07 '17 04:08
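The three rule lists above, as an added worked example in Python using the `cryptography` package (the library trustme builds on). This is example code written for this page, not trustme's own implementation. It issues a root and a subscriber certificate that satisfy the quoted 7.1.2.1, 7.1.4.3 and 7.1.2.3 items, lints them against exactly those items, and also lints a root built with the two deviations the thread discusses (pathLenConstraint present, keyUsage absent) so the findings are visible. The subject names, hostname, validity window and the choice of the BR domain-validated policy OID are illustrative assumptions, not anything the issue specifies.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# CA/B Forum "domain validated" policy OID; any policy OID satisfies the check (demo choice).
BR_DV_POLICY = x509.ObjectIdentifier("2.23.140.1.2.1")
# Fixed validity start so the demo is deterministic (assumption for the example).
NOT_BEFORE = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)

def _key_usage(**asserted):
    # x509.KeyUsage requires all nine bits; everything not asserted is False.
    bits = ("digital_signature", "content_commitment", "key_encipherment",
            "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign",
            "encipher_only", "decipher_only")
    return x509.KeyUsage(**{bit: asserted.get(bit, False) for bit in bits})

def _builder(subject, issuer, pubkey, days):
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE)
            .not_valid_after(NOT_BEFORE + datetime.timedelta(days=days)))

def make_root(key, *, set_path_length=False, include_key_usage=True):
    """Self-signed root; defaults follow 7.1.2.1 and 7.1.4.3. The two flags
    reproduce the deviations named in the thread (pathLen set, keyUsage absent)."""
    # 7.1.4.3: CA subject needs commonName, organizationName and countryName.
    name = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
                      x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    builder = (_builder(name, name, key.public_key(), days=3650)
               # cA=TRUE, critical; pathLenConstraint SHOULD NOT be present on a root.
               .add_extension(x509.BasicConstraints(ca=True,
                                                    path_length=0 if set_path_length else None),
                              critical=True))
    if include_key_usage:
        # keyUsage MUST be present, MUST be critical, MUST assert keyCertSign and cRLSign.
        builder = builder.add_extension(_key_usage(key_cert_sign=True, crl_sign=True),
                                        critical=True)
    return builder.sign(key, hashes.SHA256())

def make_leaf(root, root_key, leaf_key, hostname="example.test"):
    """Subscriber certificate carrying the 7.1.2.3 extensions (certificatePolicies, extKeyUsage)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return (_builder(subject, root.subject, leaf_key.public_key(), days=398)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .add_extension(_key_usage(digital_signature=True), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH,
                                                 ExtendedKeyUsageOID.CLIENT_AUTH]), critical=False)
            .add_extension(x509.CertificatePolicies([x509.PolicyInformation(BR_DV_POLICY, None)]),
                           critical=False)
            .sign(root_key, hashes.SHA256()))

def lint_root(cert):
    """Findings against the 7.1.2.1 / 7.1.4.3 items quoted above (empty list = clean)."""
    findings = []
    bc = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    if bc.value.path_length is not None:
        findings.append("7.1.2.1: pathLenConstraint SHOULD NOT be set on a root")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage)
    except x509.ExtensionNotFound:
        findings.append("7.1.2.1: keyUsage MUST be present")
    else:
        if not ku.critical:
            findings.append("7.1.2.1: keyUsage MUST be critical")
        if not (ku.value.key_cert_sign and ku.value.crl_sign):
            findings.append("7.1.2.1: keyUsage MUST assert keyCertSign and cRLSign")
    for oid, label in ((NameOID.COMMON_NAME, "commonName"),
                       (NameOID.ORGANIZATION_NAME, "organizationName"),
                       (NameOID.COUNTRY_NAME, "countryName")):
        if not cert.subject.get_attributes_for_oid(oid):
            findings.append(f"7.1.4.3: CA subject MUST include {label}")
    return findings

def lint_subscriber(cert):
    """Findings against the 7.1.2.3 items quoted above."""
    findings = []
    for cls, label in ((x509.CertificatePolicies, "certificatePolicies"),
                       (x509.ExtendedKeyUsage, "extKeyUsage")):
        try:
            cert.extensions.get_extension_for_class(cls)
        except x509.ExtensionNotFound:
            findings.append(f"7.1.2.3: {label} MUST be present")
    return findings

def demo():
    """Lint a compliant root, a root with both deviations, and a compliant leaf."""
    root_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    good_root = make_root(root_key)
    bad_root = make_root(root_key, set_path_length=True, include_key_usage=False)
    leaf = make_leaf(good_root, root_key, leaf_key)
    return {"good_root": lint_root(good_root),
            "bad_root": lint_root(bad_root),
            "leaf": lint_subscriber(leaf)}
```

`demo()` returns an empty list for the compliant root and leaf and two findings for the deviating root (pathLenConstraint present, keyUsage missing). The lint covers only the items quoted in this issue; a full Baseline Requirements check (e.g. with the certlint-style tools mentioned later in the thread) covers far more, so a clean result here is necessary but not sufficient.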

There was some progress in #30 with https://github.com/python-trio/trustme/commit/fdcfbf808dfc64dced94d600dc51c9ae3e0cc9b5 (and https://github.com/python-trio/trustme/commit/684854bb35c8b26ef6640f4143a59970dd568f15):

  • keyUsage and extKeyUsage are now set.
  • however, path_length is now incorrectly set on root CAs, sorry about that.

pquentin, Aug 12 '18 07:08

Using a tool like https://github.com/globalsign/certlint could help!

pquentin, Aug 26 '18 20:08

https://github.com/python-trio/trustme/pull/328 sets EKU and KU now

graingert, Jun 08 '21 17:06