Mailbox addresses from san for all br #809
Conversation
This reverts commit 6c23670.
util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC
|
Also a minor typo in lint_ext_subject_key_identifier_not_recommended_subscriber.go has been corrected. |
|
Nice catch, I can't believe the wrong check applies function got past all the reviews! This happened because when I was porting the lint we had the |
|
This lint now triggers where the CN is "AAA@123BBB" which is not an RFC822 mailbox. The go function The subject would look something like: Maybe the lint should also check if the emailAddress value is present in the SAN. |
|
Reconsidering, "AAA@123BBB" seems to be a valid RFC822 mailbox, but the linter should probably look at the
https://cabforum.org/working-groups/smime/requirements/#71422-subject-distinguished-name-fields |
The implementation extracts mailbox addesses from CN only if it is a well-formed mailbox address: Then it operates only on the extracted mailbox addresses. For example, in a sponsor-vaildated certificate with a personal name in CN the personal name is not added to mailboxAddresses, while if the CN contains a mailbox address, this is added and checked later. In all four profiles a mailbox address is allowed in CN. This implementation catches the OR of the specification. On the other hand your comment gives an alternative look at the lint. Imagine a sponsor-validated certificate with a personal name, as subject:commonName and neither subject:emailAddress nor dirName. I guess the most appropriate result of the lint should be NA, however the current implementation would result into a Pass. This means that the checkApplies method should fill the toFindMailboxAddresses and if this list is not empty then return true combined with the other checks that it already performs. Should we go for it? |
The problem is that this method will catch any value that contains an @ sign within the text, for example in a Pseudonym, which can either be a unique identifier selected by the CA for the Subject of the Certificate, or an identifier selected by the Enterprise RA which uniquely identifies the Subject of the Certificate within the Organization included in the So we could compare the
Should we consider ignoring the
It would make sense to mark this as a NA in that case. |
|
I see the point.... it boils down to that we cannot reliably and unambiguously identify mailbox addresses in certificates other than mailbox-validated. Therefore, the most appropriate solution would be to check only for mailbox-validated (as in the first implementation) to avoid false positives, leaving on the other hand space to not lint other profiles that do contain mailbox addresses. To avoid false positives I will change it back to check only for mailbox-validated. Is this fine? |
|
What if we would just ignore the |
sounds good. Also, if it is mailbox-validated then also consider subject:commonName. I will address the discussion here in a new PR. |
* lint about the encoding of qcstatements for PSD2 * Revert "lint about the encoding of qcstatements for PSD2" This reverts commit 6c23670. * util: gtld_map autopull updates for 2021-10-21T07:25:20 UTC * always check and perform the operation in the execution * synchronised with project * synchronised with project * synchronised with project * synchronised with project * fixed merge error * synchronised with project * address comments of PR #809 * trying to decrease cyclomatic complexity * reverted commit in this branch --------- Co-authored-by: mtg <[email protected]> Co-authored-by: GitHub <[email protected]> Co-authored-by: Christopher Henderson <[email protected]>
This PR is a refactor for e_mailbox_address_shall_contain_an_rfc822_name to support not only mailbox validated certificates but all SMIME BR certificates. First change is to lint only BR certificates and not any certificate with email protection or anyExtendedKeyUsage because the lint should apply only to BR certificates. The second change is to lint all types of SMIME BR certificates because the may contain a mailbox address in the CN. The implementation already checks whether this is a well-formed email address and we can re-use this to filter out CN entries that are not email addresses. To test the implementation two new sponsor validated certificates have been added and a sponsor validated policy identifier has been introduced in two existent certificates.