update CA countryName lints' citations #979

Merged
christopher-henderson merged 2 commits into zmap:master from mhyder13:ca_country_name
Aug 10, 2025

mhyder13 commented Aug 2, 2025

This history on these two lints goes back quite a bit further than the last one, but I went ahead and included the full history. The early BR versions inexplicably express this requirement as being on the issuer field, at least until I guess someone remembered that the issuer field should match the subject of the CA certificate. Given that the fix in v1.4.8 just rephrases the existing wording against the CA's subject, I think that language was always intended to be interpreted as a CA subject restriction and I've left that in the history.

I know the project favors many smaller CRs over large ones, but I've combined these two together because they have always been derived from the same language in the BRs and their history is identical.

These two lints, and also e_ca_organization_name_missing, are both affected by the issue with the cross-signed CA profile I mentioned in #976, and this change does not address that. I'll open a new issue to track that problem as separate from the rest of the requirements language change.

mhyder13 commented Aug 3, 2025

Side note, I know the readme says the original tests were based on v1.4.8, and that would make sense for the timing of the paper, but the original citations for these two lints were definitely from v1.4.7 or earlier. I went back and looked and these citations match the last version of the code before it was imported to this repo, and that predates the publication of 1.4.8 by close to a year. I also pulled up as much of the notes as I can find from the time and I can't find exactly what version of the BRs was used for the initial read-through. I also don't see the CA common name lint in the original project list of lints. That lint was added here, after the import.

I guess this brings up what "Historically ZLint was focused on only RFC 5280 and v1.4.8" really means in practice. I think it was written against earlier versions (probably 1.3.9, with 1.4.0 published during the first pass of zlint being worked on) and 1.4.8 was added about a year later once it was already moved to this public repo. I guess that's probably the revision it was updated to when the paper for it was written. My only real point here is that the citations in the lint files of the original lints are potentially citing to one of several older versions. So even for the really old lints, we may not know the exact version because they weren't all 1.4.8, and while I'm sure someone checked that the requirements were still in force on each update, the citations were clearly not all updated for each change during the project.

There are no real practical implications of this, but it threw me for a loop when tracing how this lint ended up with a citation that was older than v1.4.8 and I thought I'd share.

@christopher-henderson christopher-henderson merged commit 79c3465 into zmap:master Aug 10, 2025
4 checks passed
@mhyder13 mhyder13 deleted the ca_country_name branch August 12, 2025 05:15