[Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS

Corey Bonnell Corey.Bonnell at digicert.com
Tue May 9 21:30:45 UTC 2023


I had some spare cycles yesterday and fleshed out the list of validations
that the S/MIME linter performs:
entity-certificate-linter. Each validation now has a reference and comments
(as needed).


Since the GitHub Wiki display leaves something to be desired, I attached the
list of validations to this email as well for easier viewing.





From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Corey
Bonnell via Smcwg-public
Sent: Wednesday, May 3, 2023 1:05 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME
Certificate Working Group <smcwg-public at cabforum.org>; Stephen Davidson
<Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] DigiCert releases next generation certificate
linter "pkilint" as OSS


Hi Paul,

The project has a Wiki page that lists the validations performed by the
S/MIME linter:
. You can also get the list of validations performed by each linter bundled
with pkilint using the "validations" sub-command.


I plan to flesh out that page to add references to the relevant standard for
each validation (similar to the ZLint Google sheet) very soon.





From: Smcwg-public <smcwg-public-bounces at cabforum.org
<mailto:smcwg-public-bounces at cabforum.org> > On Behalf Of Paul van
Brouwershaven via Smcwg-public
Sent: Wednesday, May 3, 2023 10:19 AM
To: smcwg-public at cabforum.org <mailto:smcwg-public at cabforum.org> ; Stephen
Davidson <Stephen.Davidson at digicert.com
<mailto:Stephen.Davidson at digicert.com> >
Subject: Re: [Smcwg-public] DigiCert releases next generation certificate
linter "pkilint" as OSS


Thanks for sharing!


Do you also have a list of checks that are implemented by the linter?


It would be great to have a document like zlint: ZLint Validation - Google







From: Smcwg-public <smcwg-public-bounces at cabforum.org
<mailto:smcwg-public-bounces at cabforum.org> > on behalf of Stephen Davidson
via Smcwg-public <smcwg-public at cabforum.org>
Sent: Wednesday, May 3, 2023 16:11
To: smcwg-public at cabforum.org <mailto:smcwg-public at cabforum.org>
<smcwg-public at cabforum.org <mailto:smcwg-public at cabforum.org> >
Subject: [EXTERNAL] [Smcwg-public] DigiCert releases next generation
certificate linter "pkilint" as OSS 


WARNING: This email originated outside of Entrust.
DO NOT CLICK links or attachments unless you trust the sender and know the
content is safe.


DigiCert is pleased to announce the release of a new certificate linter,
known as pkilint, which builds on industry experience automating compliance
checks for digital certificates. 


This first release of pkilint implements compliance testing for the recently
released CA/Browser Forum S/MIME Baseline Requirements. Corey Bonnell will
introduce pkilint's S/MIME linting on the next SMCWG teleconference.


The pkilint linter is being provided to the community by DigiCert as Open
Source Software (OSS) under the MIT License which provides wide freedom to
use, distribute, and modify the software. 


Read more at the pkilint repository on GitHub:


Why pkilint?

The pkilint framework can be adapted to any certificate type. It initially
includes more than 145 separate tests against different specifications of
the S/MIME Baseline Requirements and other important standards that apply to
digital certificate formats.


pkilint was developed based upon DigiCert's experience using certificate
linters in high volume environments. The pkilint framework provides several
advantages over existing approaches:


.                     Built on top of a proven ASN.1 parser allowing very
detailed checks that detect ASN.1 encoding errors;

.                     Architected from the ground up to support linting of
many different types of PKI structures (including certificates, CRLs, OCSP
responses, etc.) against different standards and trust frameworks; and

.                     Rich validation logic analyzes every field of an ASN.1
document and determines which sets of tests to execute. This results in
faster and more thorough testing, with less development time.


In addition to pkilint, DigiCert recently provided an OSS tool called
zMjNkZTpoOkY>  that allows users to generate test certificates that are
compliant with the different certificate profiles defined in S/MIME Baseline


Community development

The pkilint framework is easily expandable to analyze other digital
certificate types and aspects of PKI, such as CRL and OCSP implementations.
Additionally, DigiCert is planning to use the framework to add lints to
encompass the changes introduced by the CA/Browser Forum Ballot SC-62
QxZDk5YmU1NjA0ZTZiNDlmMjFlMzZiNDE1ZDpoOkY>  for TLS certificate profiles.
Developers who are interested in contributing to pkilint can do so on the
project's GitHub page
kY> .




Any email and files/attachments transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. If this message has been sent to you in error, you must not copy,
distribute or disclose of the information it contains. Please notify Entrust
immediately and delete the message from your system. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230509/f9d3da54/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: validations.csv
Type: application/vnd.ms-excel
Size: 26670 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230509/f9d3da54/attachment-0001.xlb>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4990 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230509/f9d3da54/attachment-0001.p7s>

More information about the Smcwg-public mailing list