[Smcwg-public] DigiCert releases next generation certificate linter “pkilint” as OSS

Corey Bonnell Corey.Bonnell at digicert.com
Tue May 9 21:30:45 UTC 2023


Hello,

I had some spare cycles yesterday and fleshed out the list of validations
that the S/MIME linter performs:
https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter.
Each validation now has a reference and comments (as needed).

 

Since the GitHub Wiki display leaves something to be desired, I attached the
list of validations to this email as well for easier viewing.

 

Thanks,

Corey

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Corey
Bonnell via Smcwg-public
Sent: Wednesday, May 3, 2023 1:05 PM
To: Paul van Brouwershaven <Paul.vanBrouwershaven at entrust.com>; SMIME
Certificate Working Group <smcwg-public at cabforum.org>; Stephen Davidson
<Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] DigiCert releases next generation certificate
linter "pkilint" as OSS

 

Hi Paul,

The project has a Wiki page that lists the validations performed by the
S/MIME linter:
https://github.com/digicert/pkilint/wiki/Validations-performed-by-SMIME-end-entity-certificate-linter.
You can also get the list of validations performed by each linter bundled
with pkilint using the "validations" sub-command.

 

I plan to flesh out that page to add references to the relevant standard for
each validation (similar to the ZLint Google sheet) very soon.

 

Thanks,

Corey

 

From: Smcwg-public <smcwg-public-bounces at cabforum.org> On Behalf Of Paul van
Brouwershaven via Smcwg-public
Sent: Wednesday, May 3, 2023 10:19 AM
To: smcwg-public at cabforum.org; Stephen Davidson
<Stephen.Davidson at digicert.com>
Subject: Re: [Smcwg-public] DigiCert releases next generation certificate
linter "pkilint" as OSS

 

Thanks for sharing!

 

Do you also have a list of checks that are implemented by the linter?

 

It would be great to have a document like zlint: ZLint Validation - Google
Sheets
<https://docs.google.com/spreadsheets/d/1ywp0op9mkTaggigpdF2YMTubepowJ50KQBhc_b00e-Y/edit>

 

Thanks,

 

Paul

 

  _____  

From: Smcwg-public <smcwg-public-bounces at cabforum.org> on behalf of Stephen
Davidson via Smcwg-public <smcwg-public at cabforum.org>
Sent: Wednesday, May 3, 2023 16:11
To: smcwg-public at cabforum.org <smcwg-public at cabforum.org>
Subject: [EXTERNAL] [Smcwg-public] DigiCert releases next generation
certificate linter "pkilint" as OSS 

 


DigiCert is pleased to announce the release of a new certificate linter,
known as pkilint, which builds on industry experience automating compliance
checks for digital certificates. 

 

This first release of pkilint implements compliance testing for the recently
released CA/Browser Forum S/MIME Baseline Requirements. Corey Bonnell will
introduce pkilint's S/MIME linting on the next SMCWG teleconference.

 

The pkilint linter is being provided to the community by DigiCert as Open
Source Software (OSS) under the MIT License which provides wide freedom to
use, distribute, and modify the software. 

 

Read more at the pkilint repository on GitHub:
https://github.com/digicert/pkilint

 

Why pkilint?

The pkilint framework can be adapted to any certificate type. It initially
includes more than 145 separate tests against different specifications of
the S/MIME Baseline Requirements and other important standards that apply to
digital certificate formats.

 

pkilint was developed based upon DigiCert's experience using certificate
linters in high volume environments. The pkilint framework provides several
advantages over existing approaches:

 

* Built on top of a proven ASN.1 parser allowing very detailed checks that
  detect ASN.1 encoding errors;

* Architected from the ground up to support linting of many different types
  of PKI structures (including certificates, CRLs, OCSP responses, etc.)
  against different standards and trust frameworks; and

* Rich validation logic analyzes every field of an ASN.1 document and
  determines which sets of tests to execute. This results in faster and more
  thorough testing, with less development time.

 

In addition to pkilint, DigiCert recently provided an OSS tool called
SMBR-Cert-Factory <https://github.com/digicert/smbr-cert-factory> that allows
users to generate test certificates that are compliant with the different
certificate profiles defined in S/MIME Baseline Requirements.

 

Community development

The pkilint framework is easily expandable to analyze other digital
certificate types and aspects of PKI, such as CRL and OCSP implementations.
Additionally, DigiCert is planning to use the framework to add lints to
encompass the changes introduced by the CA/Browser Forum Ballot SC-62
<https://cabforum.org/2023/03/17/ballot-sc62v2-certificate-profiles-update/>
for TLS certificate profiles. Developers who are interested in contributing
to pkilint can do so on the project's GitHub page
<https://github.com/digicert/pkilint>.

 

 

 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: validations.csv
Type: application/vnd.ms-excel
Size: 26670 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/smcwg-public/attachments/20230509/f9d3da54/attachment-0001.xlb>