Update cab_iv_requires_personal_name lint to only require Personal Name by digirenpeter · Pull Request #980 · zmap/zlint

digirenpeter · 2025-08-03T17:25:18Z

Just a small change for this lint, as of CABF BR v2.0.0, organizationName is a NOT RECOMMENDED Subject attribute, and so the old language no longer applies:

Such Certificates MUST also include either organizationName or both givenName and
surname, localityName (to the extent such field is required under Section 7.1.4.2.2),
stateOrProvinceName (to the extent required under Section 7.1.4.2.2), and countryName
in the Subject field.

This has been updated with a new table in BR v2.0.0:

The following table details the acceptable AttributeTypes that may appear within the
type field of an AttributeTypeAndValue, as well as the contents permitted within the
value field.
Attribute Name | Presence | Verification
------------------ | ---------------- | ----------------------
organizationName | NOT RECOMMENDED | Section 3.2.3, pg. 111
surname | MUST | Section 3.2.3
givenName | MUST | Section 3.2.3

I'm only showing the relevant part of the table for these changes.

master merge

mhyder13 · 2025-08-10T05:28:12Z

v3/lints/cabf_br/lint_cab_iv_requires_personal_name.go

+			Citation:      "BRs: 7.1.2.7.3",
 			Source:        lint.CABFBaselineRequirements,
-			EffectiveDate: util.CABV131Date,
+			EffectiveDate: util.CABFBRs_2_0_0_Date,


This is going to break zlint output for certificates issued before 2023-09-15 which might affect some use cases like crt.sh. I think it might make more sense here to mark the existing lint ineffective at CABFBRs_2_0_0_Date and copy this code into a new lint that enforces only the new, unmixed version of the requirement.

I see what you mean, I’ll split these into separate lints.

My only concern is that over time, each directory may accumulate a large number of lints that have been ineffective for years (e.g., 3+ years old). Is there a plan or policy for how long to keep ineffective lints around before cleaning them up or is the plan to always be backwards compatible with old requirements?

Is there a plan or policy for how long to keep ineffective lints around before cleaning them up or is the plan to always be backwards compatible with old requirements?

I suppose that that depends on...

What is out there in the wild

The audience of ZLint

For #1, as certs expire their sunsetted requirements will naturally become irrelevant. That'll be much easier over the course of the next decade as shorter-and-shorter lifecycles not only become the norm, but are enforced. In the meantime, I would not be surprised to find many 10 year+ certificates.

For #2, it depends on whether the audience of ZLint cares to scrutinize old certificates with such long life cycles. I would hazard a guess that most industry users are more concerned with the now-rather-than-the-then. Although researchers may have an interest in the "wild side" of the older web PKI.

…lint

christopher-henderson

lgtm. Thank you to @mhyder13 for catching the backwards compatibility, I'll let you chime-in again before merging.

mhyder13

LGTM

digirenpeter and others added 9 commits August 3, 2025 10:51

rebase

81a24e8

Fix commment formatting

d8144c9

Updated effective date and unit tests

6a8f16e

Update personal name lint to not require OrgName or Personal Name

fbc2ac8

Update comment to show orgName is no longer required

4027e76

Fix comment again?

6481c7f

Add lint error message

cdf76b1

Merge pull request #3 from zmap/master

b8a195d

master merge

Update unit tests

0ef7ef7

mhyder13 reviewed Aug 10, 2025

View reviewed changes

digirenpeter added 2 commits August 10, 2025 09:37

Split new iv requirements into their own lint, revert changes to old …

92629d3

…lint

Reverted test certificates, split up personal_name_strict testdata

1f35428

christopher-henderson approved these changes Aug 10, 2025

View reviewed changes

mhyder13 approved these changes Aug 12, 2025

View reviewed changes

Merge branch 'master' into master

16e350b

christopher-henderson merged commit 8c38228 into zmap:master Aug 12, 2025
4 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update cab_iv_requires_personal_name lint to only require Personal Name#980

Update cab_iv_requires_personal_name lint to only require Personal Name#980
christopher-henderson merged 12 commits intozmap:masterfrom
digirenpeter:master

digirenpeter commented Aug 3, 2025

Uh oh!

mhyder13 Aug 10, 2025

Uh oh!

digirenpeter Aug 10, 2025

Uh oh!

christopher-henderson Aug 10, 2025

Uh oh!

christopher-henderson left a comment

Uh oh!

mhyder13 left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

digirenpeter commented Aug 3, 2025

Uh oh!

mhyder13 Aug 10, 2025

Choose a reason for hiding this comment

Uh oh!

digirenpeter Aug 10, 2025

Choose a reason for hiding this comment

Uh oh!

christopher-henderson Aug 10, 2025

Choose a reason for hiding this comment

Uh oh!

christopher-henderson left a comment

Choose a reason for hiding this comment

Uh oh!

mhyder13 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants