Add support for TLS BR short-lived certificates #130

Open
CBonnell opened this issue Nov 15, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@CBonnell (Collaborator)

Now that Microsoft has relaxed its policy on requiring OCSP information in end-entity TLS BR certificates, the TLS BR linter should be adjusted to not report on the omission of OCSP information.

Microsoft still requires one (or both) of CRL or OCSP information pointers regardless of the validity period of the certificate.

Given this, here's the plan of attack:

  • Create new certificate types for DV, IV, OV, and EV with "_SHORT_LIVED" in the type name
  • Align with the TLS BR OCSP/CRL pointer inclusion rules as specified in SC-63
  • Add a new validator that checks for the inclusion of either CRL or OCSP information. The finding code for this validation will be prefixed with "msft." (not "cabf.serverauth") to make it clear this is not a CABF requirement, but rather a MSFT requirement. This validator will be enabled by default by the serverauth linter, as almost all publicly trusted CAs are included in MSFT.
@CBonnell CBonnell added the enhancement New feature or request label Nov 15, 2024
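One way to implement the CRL-or-OCSP pointer check from the plan above, as an added Python example that is neither the linter's own code nor code from the issue author: it walks a DER-encoded certificate with a minimal standard-library parser, looks for a CRL Distribution Points extension or an Authority Information Access entry whose access method is OCSP, and returns a single "msft."-prefixed finding when neither is present. The finding name `msft.no_revocation_information`, all helper names, and the hand-built unsigned test certificate (signature field is a placeholder) are assumptions made for this example.

```python
"""Added example: Microsoft-style revocation-pointer check over a DER certificate.

Standard library only. The certificate builder at the bottom produces an
unsigned but structurally valid X.509 v3 certificate so the check has realistic
input; finding code and helper names are assumptions, not the linter's own.
"""

# ---- minimal DER encoding helpers (written for this example) ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, payload):
    """Encode one DER TLV with a single-byte tag."""
    return bytes([tag]) + _der_len(len(payload)) + payload

def oid(dotted):
    """Encode an OBJECT IDENTIFIER from dotted notation (full TLV)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return tlv(0x06, bytes(body))

def der_iter(data):
    """Yield (tag, contents) for each TLV in a DER concatenation."""
    i = 0
    while i < len(data):
        tag, ln = data[i], data[i + 1]
        i += 2
        if ln & 0x80:                           # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + ln]
        i += ln

# OID contents (without the 06/length header) the check compares against
OID_CRL_DP = oid("2.5.29.31")[2:]               # id-ce-cRLDistributionPoints
OID_AIA = oid("1.3.6.1.5.5.7.1.1")[2:]          # id-pe-authorityInfoAccess
OID_AD_OCSP = oid("1.3.6.1.5.5.7.48.1")[2:]     # id-ad-ocsp

def extensions(cert_der):
    """Map extnID contents -> extnValue (OCTET STRING contents) for a Certificate."""
    _, cert = next(der_iter(cert_der))          # Certificate SEQUENCE
    _, tbs = next(der_iter(cert))               # tbsCertificate SEQUENCE
    found = {}
    for tag, val in der_iter(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            _, ext_seq = next(der_iter(val))
            for _, ext in der_iter(ext_seq):
                fields = list(der_iter(ext))    # extnID, [critical], extnValue
                found[fields[0][1]] = fields[-1][1]
    return found

def msft_revocation_findings(cert_der):
    """Return findings for the rule 'CRL DP or AIA OCSP pointer must be present'."""
    exts = extensions(cert_der)
    has_crl = OID_CRL_DP in exts
    has_ocsp = False
    if OID_AIA in exts:
        _, access_descs = next(der_iter(exts[OID_AIA]))   # SEQUENCE OF AccessDescription
        for _, ad in der_iter(access_descs):
            if next(der_iter(ad))[1] == OID_AD_OCSP:      # accessMethod
                has_ocsp = True
    if has_crl or has_ocsp:
        return []
    return ["msft.no_revocation_information"]   # hypothetical finding code

# ---- constructed test certificates (unsigned; signature is a placeholder) ----

def _ext(dotted, value):
    return tlv(0x30, oid(dotted) + tlv(0x04, value))

def _uri(u):
    return tlv(0x86, u.encode())                # GeneralName uniformResourceIdentifier

def crl_dp_ext(url):
    dp = tlv(0x30, tlv(0xA0, tlv(0xA0, _uri(url))))     # DistributionPoint / fullName
    return _ext("2.5.29.31", tlv(0x30, dp))

def aia_ext(*entries):
    """entries: (access-method dotted OID, URL) pairs."""
    ads = b"".join(tlv(0x30, oid(m) + _uri(u)) for m, u in entries)
    return _ext("1.3.6.1.5.5.7.1.1", tlv(0x30, ads))

def make_cert(ext_list):
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"example.test"))))
    alg = tlv(0x30, oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    validity = tlv(0x30, tlv(0x17, b"241115000000Z") + tlv(0x17, b"241120000000Z"))
    spki = tlv(0x30, tlv(0x30, oid("1.2.840.113549.1.1.1") + tlv(0x05, b"")) + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + validity + name + spki + tlv(0xA3, tlv(0x30, b"".join(ext_list))))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    cases = [("crl only", [crl_dp_ext("http://crl.example.test/ca.crl")]),
             ("ocsp only", [aia_ext(("1.3.6.1.5.5.7.48.1", "http://ocsp.example.test"))]),
             ("caIssuers only", [aia_ext(("1.3.6.1.5.5.7.48.2", "http://ca.example.test/ca.cer"))]),
             ("no pointers", [])]
    for label, exts in cases:
        print(label, msft_revocation_findings(make_cert(exts)))
```

The check deliberately ignores the certificate's validity period: as the comment above notes, the Microsoft requirement applies regardless of whether the certificate is short-lived, so a "_SHORT_LIVED" type would still run this validator even though the CABF-side OCSP check is relaxed for it. An AIA extension that carries only a caIssuers entry is treated as not satisfying the rule.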