[Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS

Paul van Brouwershaven Paul.vanBrouwershaven at entrust.com
Wed May 3 14:19:02 UTC 2023

Thanks for sharing!

Do you also have a list of checks that are implemented by the linter?

It would be great to have a document like zlint: ZLint Validation - Google Sheets<https://docs.google.com/spreadsheets/d/1ywp0op9mkTaggigpdF2YMTubepowJ50KQBhc_b00e-Y/edit>



From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Stephen Davidson via Smcwg-public <smcwg-public at cabforum.org>
Sent: Wednesday, May 3, 2023 16:11
To: smcwg-public at cabforum.org <smcwg-public at cabforum.org>
Subject: [EXTERNAL] [Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS

WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the content is safe.

DigiCert is pleased to announce the release of a new certificate linter, known as pkilint, which builds on industry experience automating compliance checks for digital certificates.

This first release of pkilint implements compliance testing for the recently released CA/Browser Forum S/MIME Baseline Requirements. Corey Bonnell will introduce pkilint’s S/MIME linting on the next SMCWG teleconference.

The pkilint linter is being provided to the community by DigiCert as Open Source Software (OSS) under the MIT License which provides wide freedom to use, distribute, and modify the software.

Read more at the pkilint repository on GitHub: https://github.com/digicert/pkilint<https://urldefense.com/v3/__https://github.com/digicert/pkilint__;!!FJ-Y8qCqXTj2!bFSWHIXDcbOEUgxpDthb1PTwfpwOV_HJci8AgWBMtoJvY4hdhMmpGQA6Z_Aotk7qjNN5gImoe3WWqKBWEwvwJnqd5yaI3jOeIRA$>

Why pkilint?

The pkilint framework can be adapted to any certificate type. It initially includes more than 145 separate tests against different specifications of the S/MIME Baseline Requirements and other important standards that apply to digital certificate formats.

pkilint was developed based upon DigiCert’s experience using certificate linters in high volume environments. The pkilint framework provides several advantages over existing approaches:

•                     Built on top of a proven ASN.1 parser allowing very detailed checks that detect ASN.1 encoding errors;

•                     Architected from the ground up to support linting of many different types of PKI structures (including certificates, CRLs, OCSP responses, etc.) against different standards and trust frameworks; and

•                     Rich validation logic analyzes every field of an ASN.1 document and determines which sets of tests to execute. This results in faster and more thorough testing, with less development time.

In addition to pkilint, DigiCert recently provided an OSS tool called SMBR-Cert-Factory<https://urldefense.com/v3/__https://github.com/digicert/smbr-cert-factory__;!!FJ-Y8qCqXTj2!bFSWHIXDcbOEUgxpDthb1PTwfpwOV_HJci8AgWBMtoJvY4hdhMmpGQA6Z_Aotk7qjNN5gImoe3WWqKBWEwvwJnqd5yaIOPR2D0A$> that allows users to generate test certificates that are compliant with the different certificate profiles defined in S/MIME Baseline Requirements.

Community development

The pkilint framework is easily expandable to analyze other digital certificate types and aspects of PKI, such as CRL and OCSP implementations. Additionally, DigiCert is planning to use the framework to add lints to encompass the changes introduced by the CA/Browser Forum Ballot SC-62<https://urldefense.com/v3/__https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/__;!!FJ-Y8qCqXTj2!bFSWHIXDcbOEUgxpDthb1PTwfpwOV_HJci8AgWBMtoJvY4hdhMmpGQA6Z_Aotk7qjNN5gImoe3WWqKBWEwvwJnqd5yaIq7M0lpU$> for TLS certificate profiles. Developers who are interested in contributing to pkilint can do so on the project’s GitHub page<https://urldefense.com/v3/__https://github.com/digicert/pkilint__;!!FJ-Y8qCqXTj2!bFSWHIXDcbOEUgxpDthb1PTwfpwOV_HJci8AgWBMtoJvY4hdhMmpGQA6Z_Aotk7qjNN5gImoe3WWqKBWEwvwJnqd5yaI3jOeIRA$>.

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230503/fa3593c5/attachment-0001.html>

More information about the Smcwg-public mailing list