
Add lints checking for underscores in labels pre- and post-CABF 1.6.2

Open christopher-henderson opened this issue 4 years ago • 0 comments

In the interest of moving #646 over the finish line (@CBonnell because I don't think I can add you as a reviewer), I believe that it would be prudent to add two lints regarding the presence of underscores in DNS labels.


Ballot SC12 sunsetted the permissibility of underscores in DNS names on April 1st, 2019 via CABF 1.6.2.

The language is as follows:

Prior to April 1, 2019, certificates containing underscore characters (“_”) in domain labels in dNSName entries MAY be issued as follows:

  • dNSName entries MAY include underscore characters such that replacing all underscore characters with hyphen characters (“-“) would result in a valid domain label, and;
  • Underscore characters MUST NOT be placed in the left most domain label, and;
  • Such certificates MUST NOT be valid for longer than 30 days.

This change adds two lints:

  1. One which allows for underscores, albeit with a WARN and only if the above clauses apply. Else the underscore is an error. 1.a. This lint is ineffective after April 1st, 2019.
  2. One which disallows underscores altogether. 2.a: This lint is effective after April 1st, 2019.

Integration Test Failures

There are a large number of integration test failures (over 300) and a smoke check is showing that they are likely valid in that these certificates are valid for longer than the required thirty days. I will do a deep dive on these test failures, however.

christopher-henderson · Jan 30 '22 20:01
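As an added worked example (not code from this PR and not zlint's own implementation), the Go function below applies the three pre-April-2019 clauses quoted in the PR description and the post-sunset prohibition to a certificate's dNSName entries and validity period. The name `CheckUnderscores`, the `Result` type and the sample names are mine; it also assumes that "valid domain label" means an LDH label of 1 to 63 characters, and that the 30-day limit is measured as notAfter minus notBefore.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Result is the lint outcome; the levels follow the WARN/error wording of the PR text.
type Result int

const (
	Pass Result = iota
	Warn
	Error
)

func (r Result) String() string {
	return [...]string{"Pass", "Warn", "Error"}[r]
}

// sc12Sunset is the date from Ballot SC12 / CABF BR 1.6.2 on and after which
// underscores in dNSName labels are no longer permitted.
var sc12Sunset = time.Date(2019, time.April, 1, 0, 0, 0, 0, time.UTC)

// maxUnderscoreValidity is the 30-day cap from the quoted BR text. This example
// assumes (its own choice) that validity is measured as notAfter minus notBefore.
const maxUnderscoreValidity = 30 * 24 * time.Hour

// ldhLabel is the assumed meaning of "valid domain label": 1 to 63 characters,
// letters, digits and hyphens, not starting or ending with a hyphen.
var ldhLabel = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// CheckUnderscores applies the underscore rules to a certificate's dNSName
// entries and validity period. Hypothetical name; not a zlint API.
func CheckUnderscores(dnsNames []string, notBefore, notAfter time.Time) (Result, string) {
	found := false
	for _, name := range dnsNames {
		for i, label := range strings.Split(name, ".") {
			if !strings.Contains(label, "_") {
				continue
			}
			found = true
			// Post-sunset (the second lint): any underscore is an error.
			if !notBefore.Before(sc12Sunset) {
				return Error, fmt.Sprintf("%q: underscores not permitted on or after %s",
					name, sc12Sunset.Format("2006-01-02"))
			}
			// Clause 2: never in the left-most label.
			if i == 0 {
				return Error, fmt.Sprintf("%q: underscore in left-most label", name)
			}
			// Clause 1: replacing every "_" with "-" must yield a valid label.
			if !ldhLabel.MatchString(strings.ReplaceAll(label, "_", "-")) {
				return Error, fmt.Sprintf("%q: label %q is not valid with underscores replaced by hyphens",
					name, label)
			}
		}
	}
	if !found {
		return Pass, ""
	}
	// Clause 3: such certificates must not be valid for longer than 30 days.
	if validity := notAfter.Sub(notBefore); validity > maxUnderscoreValidity {
		return Error, fmt.Sprintf("certificate with underscores valid for %s, longer than 30 days", validity)
	}
	return Warn, "underscore(s) present; permitted before 2019-04-01 under the three clauses"
}

func main() {
	// Constructed sample inputs, not taken from the integration test corpus.
	nb := time.Date(2019, time.January, 1, 0, 0, 0, 0, time.UTC)
	short := nb.Add(20 * 24 * time.Hour)
	samples := []struct {
		names  []string
		nb, na time.Time
	}{
		{[]string{"www.example.com"}, nb, short},
		{[]string{"www.foo_bar.example.com"}, nb, short},
		{[]string{"www.foo_bar.example.com"}, nb, nb.Add(90 * 24 * time.Hour)},
		{[]string{"_sip.example.com"}, nb, short},
		{[]string{"www._sip.example.com"}, nb, short},
		{[]string{"www.foo_bar.example.com"}, sc12Sunset, sc12Sunset.Add(20 * 24 * time.Hour)},
	}
	for _, s := range samples {
		r, why := CheckUnderscores(s.names, s.nb, s.na)
		fmt.Printf("%-26s %-5s %s\n", s.names[0], r, why)
	}
}
```

The third sample mirrors the integration-test failures described in the PR: the underscore itself is acceptable under clauses 1 and 2, but a 90-day validity period trips clause 3 and turns the WARN into an error.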