New Lint for empty SCT extension #740
Comments
|
I may be interested in contributing this lint, but can't make any timeline promises. |
|
This issue is addressed by #837 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In https://bugzilla.mozilla.org/show_bug.cgi?id=1852404, certificates were issues with an SCT extension that was empty.
The extension shouldn't be present if it is empty. The incident report mentions that zlint and other linters didn't catch it. This seems like an easy mistake to make and worth adding a lint for.
I believe this should be a rfc error lint per reference:
https://datatracker.ietf.org/doc/html/rfc6962#section-3.3 which says
At least one SCT MUST be included.Baseline Requirements
7.1.2.11.3 Signed Certificate Timestamp Listreferences the above RFC so it could reasonably be a cabf_br lint as well, but that seems more indirect than needed to me.The text was updated successfully, but these errors were encountered: