
Support enforcement of additional requirements and allowed policy identifiers #77

Open
christopherincanada opened this issue May 10, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@christopherincanada

NOT A CONTRIBUTION

The CABF requirements for S/MIME state:

"The Certificate MAY also contain additional policy identifier(s) defined by the Issuing CA. The Issuing CA SHALL document in its CP and/or CPS that the Certificates it issues containing the specified policy identifier(s) are managed in accordance with these Requirements."

We would like to see pkilint enhanced to also check additional policy identifiers. Specifically, the ability to configure the tool with one or more of the following inputs:

  • Additional Required Policy Identifier (perhaps via a new command option: [--additional-required-policy-id POLICY_OID])
  • Additional Allowed Policy Identifier (perhaps via a new command option: [--additional-allowed-policy-id POLICY_OID])

When provided, the tool would ensure that all additional required policy OIDs were present in the Certificate Policies extension, and that any remaining policy OIDs found are allowed.

The CABF requirements for TLS contain similar statements/requirements around policy identifiers, so it would be ideal if similar capability could be added there as well.

Note: Longer term, instead of (or perhaps in addition to) specifying these inputs via the command line, you might consider an input configuration file (perhaps in YAML) that could contain these values (and more).
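The check the request describes (every required OID present, every remaining OID in an allowed set) is small enough to show end to end. The following is an added example, not pkilint's code and not the requester's: it decodes the policyIdentifier of each PolicyInformation from a DER-encoded certificatePolicies value, then applies the required/allowed rule the way the proposed `--additional-required-policy-id` / `--additional-allowed-policy-id` options would. The two extension values are hand-encoded DER constructed for the example; the CA-specific policy OID 2.999.1.1 lives under the ITU-T example arc and is hypothetical. The S/MIME BR profile OID used as the baseline requirement is 2.23.140.1.5.1.1 (mailbox-validated legacy).

```python
"""Added example: enforce required/allowed policy OIDs on a certificatePolicies value.

Not pkilint code. Mirrors the proposed --additional-required-policy-id and
--additional-allowed-policy-id behaviour; the DER samples are constructed by hand.
"""


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it).

    Short-form and long-form lengths are handled; indefinite length is rejected (not DER).
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted-decimal form."""
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this base-128 sub-identifier
            arcs.append(acc)
            acc = 0
    if acc:
        raise ValueError("truncated OID sub-identifier")
    first = arcs[0]  # first two arcs are packed into one sub-identifier
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def policy_oids(ext_value: bytes) -> list[str]:
    """Return the policyIdentifier of every PolicyInformation in a certificatePolicies value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                       policyQualifiers ... OPTIONAL }
    Qualifiers are skipped; only the identifier matters for this check.
    """
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        inner_tag, oid_bytes, _ = _read_tlv(info, 0)
        if inner_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_bytes))
    return oids


def check_policies(found, required, allowed):
    """Every OID in `required` must be present; every OID present must be in
    `required` or `allowed`. Returns a list of human-readable findings."""
    findings = [f"required policy {oid} is absent" for oid in required if oid not in found]
    permitted = set(required) | set(allowed)
    findings += [f"policy {oid} is not in the allowed set" for oid in found if oid not in permitted]
    return findings


# Constructed sample extension values (hand-encoded DER, not taken from a real certificate).
# S/MIME BR mailbox-validated legacy OID 2.23.140.1.5.1.1 plus a hypothetical CA policy
# under the ITU-T example arc, 2.999.1.1.
SAMPLE_GOOD = bytes.fromhex(
    "3013"
    "3009" "0607" "67810C01050101"  # 2.23.140.1.5.1.1
    "3006" "0604" "88370101"        # 2.999.1.1
)
# Same BR OID plus anyPolicy (2.5.29.32.0), which no CA-specific allow-list should include.
SAMPLE_BAD = bytes.fromhex(
    "3013"
    "3009" "0607" "67810C01050101"  # 2.23.140.1.5.1.1
    "3006" "0604" "551D2000"        # 2.5.29.32.0
)

PROFILE_OID = "2.23.140.1.5.1.1"  # what the S/MIME BR profile itself already requires


def lint(ext_value, additional_required=(), additional_allowed=()):
    """What the proposed options would do: profile OID plus extra required, plus extra allowed."""
    required = [PROFILE_OID, *additional_required]
    return check_policies(policy_oids(ext_value), required, list(additional_allowed))


if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, lint(blob, additional_required=["2.999.1.1"]) or "OK")
```

Note that "allowed" is the union of the required and allowed sets: a required OID is implicitly allowed, and anything outside that union (anyPolicy above) is a finding, which is the behaviour the request describes for "any remaining policy OIDs".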

@CBonnell
Collaborator

Thanks for the request, @christopherincanada. I agree that support for CA-specific linting would be valuable to have.

Is this something you'd like to also see exposed in the REST API, or is CLI support sufficient?

@christopherincanada
Author

CLI support is sufficient for our use case.

@CBonnell CBonnell added the enhancement New feature or request label Jul 16, 2024