SC081 shorter validities#952
Conversation
| LintMetadata: lint.LintMetadata{ | ||
| Name: "e_server_cert_valid_time_longer_than_100_days", | ||
| Description: "TLS server certificates issued on or after on or after March 15, 2027 00:00 GMT/UTC must not have a validity period greater than 100 days", | ||
| Citation: "https://github.com/cabforum/servercert/pull/553", |
There was a problem hiding this comment.
I had this in my TODO list as well, and this is the reason why I had put it off - we don't have an actual citation yet. That is, the ballot has passed, but there isn't a published BR yet.
But I reckon that shouldn't stop us, especially since we have the concrete dates and the concrete dates are far more important than the Section/Paragraph citation.
|
|
||
| Subscriber Certificates issued on or after 15 March 2029 SHOULD NOT have a Validity Period greater than 46 days and MUST NOT have a Validity Period greater than 47 days. | ||
|
|
||
| | __Certificate issued on or after__ | __Certificate issued before__ | __Maximum Validity Period__ | |
There was a problem hiding this comment.
Beautiful ASCII visualization, good work and thank you. I reckon that someone will be confused at some point in the future and this will help the poor soul.
| } | ||
|
|
||
| func (l *sc081ThirdDate47ServerCertValidityTooLong) Execute(c *x509.Certificate) *lint.LintResult { | ||
| maxValidity := 47 * util.DAY_LENGTH |
There was a problem hiding this comment.
There's no action or insight targeted at you with the follow comment, I simply feel the need to reflect/rant.
So my OOP addled brain had the thought, this is all mostly the same, minus the actual date, so surely I can think of some way to centralize these lints!.
This thought was informed by a recent incident in my primary duties wherein a junior engineer copied thousands of lines of hard-hitting code to a separate part of the codebase simply because he did not feel like modifying the interface to accommodate a small change. It did not help that he did not bother to test the copied code nor did he inform his team that this code was actually a copy. He, essentially, plagiarized in an industrial setting , but he didn't even bother to plagiarize the tests.
Now the codebase is stuck. He re-arranged the code just enough that it's a non-trivial task to unwind the spaghetti. He also changed an RPC from accepting an int ID to a string ID but does not explain why or what the format of this string is expected to be nor who the consumers of this API is. So it would take at least a week or two for another engineer to reverse engineer all of this and make the codebase sane again.
But now I come back to this and think...this is a fair use of copying logic.
- You would need a little class hierarchy (for the lack of a better term in Go)
1a. There's really no room in this directory for implementing such mini-frameworks - The validity period is not the only difference. We would have to come up with some way to autogenerate the appropriate citation/error string contents.
2a. This would make the whole thing more difficult to understand for no discernible benefit. - Doing date differences is not exactly some huge algorithm problem that needs to be centralized for sanity's sake.
- All of this code is well tested.
And finally, ZLint is unique in that it has to honor the notion that each of these lints may actually move independently of each other in the future. That is, having these lints all resolve down to the same logic can actually cause some real heartache in the future as we would have to decouple them.
So...yeah. Engineering requires nuance and not blind application of "rules of thumb".
Thank you for coming to my TED Talk.
|
|
||
| The change in the requirements is described here: https://github.com/cabforum/servercert/pull/553/files | ||
|
|
||
| Subscriber Certificates issued on or after 15 March 2026 and before 15 March 2027 SHOULD NOT have a Validity Period greater than 199 days and MUST NOT have a Validity Period greater than 200 days. |
There was a problem hiding this comment.
It's interesting to see a requirements doc call out that, off-by-one errors happen all the time, so maybe don't cut it so close if you don't want silly outages.
3 participants
This PR adds new lints for the updated validity periods as outlined in SC81 of the CA/B Forum. See also: https://github.com/cabforum/servercert/pull/553/files.
The implementation is fairly straightforward (adapted from the 397/398-day lints), but I would appreciate it if you could do a plausibility check on the test data and implementation to catch any careless mistakes.
This PR was developed in close collaboration with D-Trust CA, who also sponsored the work.