<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:"Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@Yu Gothic";
panose-1:2 11 4 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.xmsonormal, li.xmsonormal, div.xmsonormal
{mso-style-name:x_msonormal;
margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.xmsolistparagraph, li.xmsolistparagraph, div.xmsolistparagraph
{mso-style-name:x_msolistparagraph;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal>Hello,<o:p></o:p></p><p class=MsoNormal>I had some spare cycles yesterday and fleshed out the list of validations that the S/MIME linter performs: <a href="https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter">https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter</a>. Each validation now has a reference and comments (as needed).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Since the GitHub Wiki display leaves something to be desired, I attached the list of validations to this email as well for easier viewing.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Smcwg-public &lt;smcwg-public-bounces@cabforum.org&gt; <b>On Behalf Of </b>Corey Bonnell via Smcwg-public<br><b>Sent:</b> Wednesday, May 3, 2023 1:05 PM<br><b>To:</b> Paul van Brouwershaven &lt;Paul.vanBrouwershaven@entrust.com&gt;; SMIME Certificate Working Group &lt;smcwg-public@cabforum.org&gt;; Stephen Davidson &lt;Stephen.Davidson@digicert.com&gt;<br><b>Subject:</b> Re: [Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi Paul,<o:p></o:p></p><p class=MsoNormal>The project has a Wiki page that lists the validations performed by the S/MIME linter: <a 
href="https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter">https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter</a>. You can also get the list of validations performed by each linter bundled with pkilint using the “validations” sub-command.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I plan to flesh out that page to add references to the relevant standard for each validation (similar to the ZLint Google sheet) very soon.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Thanks,<o:p></o:p></p><p class=MsoNormal>Corey<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b>From:</b> Smcwg-public &lt;<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>&gt; <b>On Behalf Of </b>Paul van Brouwershaven via Smcwg-public<br><b>Sent:</b> Wednesday, May 3, 2023 10:19 AM<br><b>To:</b> <a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>; Stephen Davidson &lt;<a href="mailto:Stephen.Davidson@digicert.com">Stephen.Davidson@digicert.com</a>&gt;<br><b>Subject:</b> Re: [Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>Thanks for sharing!<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span 
style='font-size:12.0pt;color:black'>Do you also have a list of checks that are implemented by the linter?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>It would be great to have a document like zlint: <a href="https://docs.google.com/spreadsheets/d/1ywp0op9mkTaggigpdF2YMTubepowJ50KQBhc_b00e-Y/edit">ZLint Validation - Google Sheets</a><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>Thanks,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'>Paul<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:12.0pt;color:black'><o:p> </o:p></span></p></div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="98%" align=center></div><div id=divRplyFwdMsg><p class=MsoNormal><b><span style='color:black'>From:</span></b><span style='color:black'> Smcwg-public &lt;<a href="mailto:smcwg-public-bounces@cabforum.org">smcwg-public-bounces@cabforum.org</a>&gt; on behalf of Stephen Davidson via Smcwg-public &lt;<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>&gt;<br><b>Sent:</b> Wednesday, May 3, 2023 16:11<br><b>To:</b> <a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a> &lt;<a href="mailto:smcwg-public@cabforum.org">smcwg-public@cabforum.org</a>&gt;<br><b>Subject:</b> [EXTERNAL] 
[Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS</span> <o:p></o:p></p><div><p class=MsoNormal> <o:p></o:p></p></div></div><div><div class=MsoNormal align=center style='text-align:center'><hr size=2 width="100%" align=center></div><div><p class=xmsonormal>DigiCert is pleased to announce the release of a new certificate linter, known as pkilint, which builds on industry experience automating compliance checks for digital certificates. <o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal>This first release of pkilint implements compliance testing for the recently released CA/Browser Forum S/MIME Baseline Requirements. Corey Bonnell will introduce pkilint’s S/MIME linting on the next SMCWG teleconference.<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal>The pkilint linter is being provided to the community by DigiCert as Open Source Software (OSS) under the MIT License which provides wide freedom to use, distribute, and modify the software. 
<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal>Read more at the pkilint repository on GitHub: <a href="https://github.com/digicert/pkilint">https://github.com/digicert/pkilint</a><o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal><b><span style='font-size:14.0pt'>Why pkilint?</span></b><o:p></o:p></p><p class=xmsonormal>The pkilint framework can be adapted to any certificate type. It initially includes more than 145 separate tests against different specifications of the S/MIME Baseline Requirements and other important standards that apply to digital certificate formats.<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal>pkilint was developed based upon DigiCert’s experience using certificate linters in high volume environments. 
The pkilint framework provides several advantages over existing approaches:<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsolistparagraph style='margin-left:.75in;text-indent:-.5in'>•<span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span>Built on top of a proven ASN.1 parser allowing very detailed checks that detect ASN.1 encoding errors;<o:p></o:p></p><p class=xmsolistparagraph style='margin-left:.75in;text-indent:-.5in'>•<span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span>Architected from the ground up to support linting of many different types of PKI structures (including certificates, CRLs, OCSP responses, etc.) against different standards and trust frameworks; and<o:p></o:p></p><p class=xmsolistparagraph style='margin-left:.75in;text-indent:-.5in'>•<span style='font-size:7.0pt;font-family:"Times New Roman",serif'> </span>Rich validation logic analyzes every field of an ASN.1 document and determines which sets of tests to execute. 
This results in faster and more thorough testing, with less development time.<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal>In addition to pkilint, DigiCert recently provided an OSS tool called <a href="https://github.com/digicert/smbr-cert-factory">SMBR-Cert-Factory</a> that allows users to generate test certificates that are compliant with the different certificate profiles defined in S/MIME Baseline Requirements. <o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal><b><span style='font-size:14.0pt'>Community development</span></b><o:p></o:p></p><p class=xmsonormal>The pkilint framework is easily expandable to analyze other digital certificate types and aspects of PKI, such as CRL and OCSP implementations. 
Additionally, DigiCert is planning to use the framework to add lints to encompass the changes introduced by the CA/Browser Forum <a href="https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/">Ballot SC-62</a> for TLS certificate profiles. Developers who are interested in contributing to pkilint can do so on the project’s <a href="https://github.com/digicert/pkilint">GitHub page</a>.<o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p><p class=xmsonormal> <o:p></o:p></p></div></div></div></body></html>