Ryan Sleevi
@mikewest pointed out that I don't really touch on the topic of site isolation at all, which is one of the few things that provides a real and hard security...
The `req_v3_conf` files used to generate the CSRs for certificates, and subsequently the actual certificates for those that aren’t issued by a publicly trusted CA (e.g. `untrusted-root` and `self-signed`) lack...
The CABForum adopted [SC17 v7](https://cabforum.org/2019/05/21/ballot-sc17-version-7-alternative-registration-numbers-for-ev-certificates/), which was adopted in [EV Guidelines v1.7.0](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-EV-Guidelines-v1.7.0.pdf). This permits the use of the `organizationIdentifier` field within the Subject, as well as introduces an additional extension...
The citation is correct, but the Source lists it as Baseline Requirements
I [recently shared](https://archive.cabforum.org/pipermail/validation/2021-March/001645.html) with the CA/B Forum the latest draft that attempts to overhaul how the Server Certificate Working Group expresses requirements on certificates, by moving from its three section...
Presently, there are not lints on the well-formedness of the dNSName and iPAddress nameConstraints. There are lints for other name types, such as https://github.com/zmap/zlint/blob/fd40f579253ea1ebfb18a585ab5cd8e7dcde61aa/v2/lints/rfc/lint_name_constraint_on_edi_party_name.go or https://github.com/zmap/zlint/blob/fd40f579253ea1ebfb18a585ab5cd8e7dcde61aa/v2/lints/rfc/lint_name_constraint_on_x400.go , but none for...
Tracking this as a meta-issue for "Lints in the wrong category". As restructuring these would be breaking changes, tracking this under an umbrella issue.
- [ ] #538 - e_dnsname_empty_label...
[BRs 1.7.1](https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.1.pdf) adopted the [Browser Alignment Ballot SC31](https://cabforum.org/2020/07/16/ballot-sc31-browser-alignment/), which made AIA **optional** for subordinate CA certificates. Previously, CAs were required to include OCSP responders for subordinate CAs. However, the new...
See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#4-program-technical-requirements , Item 15
> CAs must use the following OIDs in the end-entity certificate:
> * DV 2.23.140.1.2.1
> * OV 2.23.140.1.2.2
> * EV 2.23.140.1.1.
> *...
See https://docs.microsoft.com/en-us/security/trusted-root/program-requirements#4-program-technical-requirements , 11 and 12
11. > New intermediate CA certificates under root certificates submitted for distribution by the Program must separate Server Authentication, S/MIME, Code Signing, and Time...