Ryan Sleevi
Are you aware of any user agent that applies restrictions like that? Otherwise, isn’t this moot?
I’m not sure any UA would ever implement it, for the obvious reasons like github.io or appspot.com. Unless you want those non-functional/want to break that use case for domain holders,...
I’ll have to think about how to capture that even an ICANN-based block would fail. Like I said, I thought it was obvious how such restrictions still fall down, but...
Thanks @sandorszoke ! I think you're spot on here: the KU/EKU consistency check in the context of RFC 5280 assumes an end-entity certificate, because RFC 5280 only normatively addresses the...
Could you provide an example certificate you believe this is a false-positive for? This would help diagnose. I "suspect" this is because the early lints from @mtgag unconditionally assume TLS...
@cpu I don't think so. This particular lint comes from v1 (that is, before lints were shuffled and split). Specifically, https://github.com/zmap/zlint/pull/250 from 2019. So this is long-standing, (un?)fortunately, and mostly...
@mtgag I was having trouble parsing out which lints went to which requirements, so I attempted to try and distill some of them here. I'm not sure I matched the...
> A proposal for this one:
> Reference only to Appendix A. There are other positions (e.g. GEN-5.1-3) that may be relevant and need to be listed or the question...
So, as it stands right now, the SMCWG (S/MIME) is wholly independent of the SCWG (TLS); thus, the requirements are best described as a "fork" (with no common ancestor), even...
I'm not sure I follow? Like, the S/MIME WG could decide to reject RFC 5280 and adopt ITU-T's (incompatible) X.509, for example, in which case, S/MIME wouldn't run RFC lints...