Part 1 of SC-62 related updates to zlint #739
Conversation
…d has switched from deprecated to NOT RECOMMENDED (essentially SHOULD NOT). An IneffectiveDate was added to the original lint. Added a new lint for subscriber cert basic constraints checking. Post-SC62, basicConstraint MAY be included but MUST be critical if present. Added a date for SC62 Effective
There was a problem hiding this comment.
We don't usually use Ballot numbers in the effective dates...
I believe that the issue that we are seeing here is that we have an efficacy date for a requirement that does not line up with the efficacy date of its containing BR.
While it's not what is usually done (indeed, most efficacy dates are tied to BR dates) there is precedence in utils/time.go of efficacy dates being declared against very specific requirements.
So, so long as the name of the efficacy date is at least moderately descriptive of where the date came from (and it is), then I believe that what you've done here is perfectly fine.
Restated, I think it's most important that it's clear where the date came from for tracing purposes. That the given date does not lineup with a release, and is referenced in multiple documents, should be fine so long as it is traceable to this SC.
Aside from that, I had two tiny code nits. It otherwise looks great.
v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
Outdated
Show resolved
Hide resolved
v3/lints/cabf_br/lint_sub_cert_basic_constraints_not_critical.go
Outdated
Show resolved
Hide resolved
Co-authored-by: Christopher Henderson <[email protected]>
Co-authored-by: Christopher Henderson <[email protected]>
|
Thanks, I accepted both of those changes and agree with your reasoning. Appreciate the review! |
These are two of the more critical changes required by the SC-62 ballot that goes into effect on Sept 15th. The following changes were made in this PR:
I did want to get eyes on the approach here. We don't usually use Ballot numbers in the effective dates, however these changes present a unique challenge since we have one lint that is no longer effective while a new lint becomes effective; additionally SC-62 makes changes to both the TLS BRs and the EVGs. Perhaps I could change that to the version of the TLS BRs going into effect on that date anyway? paging @christopher-henderson for feedback.