Re: [cabfpub] CABLint

[Doug Beattie via Public]

Hi Paul (Mantilla),

I’m forwarding along the information from Paul Van Brouwershaven.

-------------------------------
From: Paul Van Brouwershaven
Sent: Thursday, May 31, 2018 7:30 AM
To: Doug Beattie <doug.beat...@globalsign.com>;
Subject: Re: [cabfpub] CABLint

You can clone the git repository and use grep like below, this should give you 
a good indication of the checks.

grep -r 'messages << ' *
certlint/extensions/keyusage.rb:        messages << 'E: Unable to parse public 
key'
certlint/extensions/keyusage.rb:          messages << "E: Unallowed key usage 
for RSA public key (#{(v-allowed).join(', ')})"
certlint/extensions/keyusage.rb:            messages << 'W: Encipherment usage 
should not be mixed with Certificate/CRL signing'
certlint/extensions/keyusage.rb:          messages << "E: Unallowed key usage 
for DSA public key (#{(v-allowed).join(', ')})"
certlint/extensions/keyusage.rb:          messages << "E: Unallowed key usage 
for EC public key (#{(v-allowed).join(', ')})"
certlint/extensions/keyusage.rb:            messages << 'E: Key agreement 
required with encipher only or decipher only'
certlint/extensions/keyusage.rb:          messages << 'E: Encipher Only and 
Decipher Only must not both be set'
certlint/extensions/keyusage.rb:            messages << 'W: Key agreement 
should not be included with Certificate/CRL Signing'
certlint/extensions/keyusage.rb:          messages << "E: Unallowed key usage 
for DH public key (#{(v-allowed).join(', ')})"
certlint/extensions/keyusage.rb:          messages << 'E: Key Agreement must be 
included for DH public keys'
certlint/extensions/keyusage.rb:          messages << 'E: Encipher Only and 
Decipher Only must not both be set'
certlint/extensions/keyusage.rb:        messages << "I: Key usages not checked 
for #{cert.public_key.class}"
certlint/extensions/subjectaltname.rb:          messages << 'E: subjectAltName 
must be critical if subject is empty'
certlint/extensions/subjectaltname.rb:          messages << 'W: subjectAltName 
should not be critical'
certlint/extensions/subjectaltname.rb:        messages << 'E: subjectAltName 
extension must include at least one name'
certlint/extensions/nameconstraints.rb:          messages << 'E: 
NameConstriants must contain at least one subtree'
certlint/extensions/nameconstraints.rb:        messages << 'E: NameConstraints 
must include either permitted or excluded Subtrees'
certlint/extensions/ctpoison.rb:      messages << 'I: Certificate Transparency 
Precertificate identified'
certlint/extensions/ctpoison.rb:        messages << 'E: CT Poison must be 
critical'
certlint/extensions/ctpoison.rb:        messages << 'E: CT Poison must contain 
a single null'
certlint/extensions/certificatepolicies.rb:          messages << "E: 
PolicyInformation is not a sequence"
certlint/extensions/certificatepolicies.rb:            messages << "E: 
PolicyQualifierInfo is not a sequence"
certlint/extensions/certificatepolicies.rb:              messages << 'W: 
Certificate Policies should not contain notice references'
certlint/extensions/certificatepolicies.rb:                messages << 'E: 
Certificate Policy explicit text must not be IA5String'
certlint/extensions/certificatepolicies.rb:              messages << 'W: 
Certificate policy explicit text should be in unicode normalization form C'
certlint/extensions/certificatepolicies.rb:              messages << 'W: 
Certificate policy explicit text should not contain control characters'
certlint/extensions/certificatepolicies.rb:            messages << 'E: Bad 
policy qualifier id'
certlint/extensions/extkeyusagesyntax.rb:          messages << 'W: 
extendedKeyUsage should not be critical if Any Extended Key Usage is present'
certlint/extensions/ocspnocheck.rb:        messages << 'E: OCSP NoCheck 
extension must be null'
certlint/extensions/ocspnocheck.rb:        messages << "W: Extension should not 
be critical for #{self}"
certlint/extensions/authoritykeyidentifier.rb:          messages << 'E: 
AuthorityKeyIdentifier must include serial number if issuer is present'
certlint/extensions/authoritykeyidentifier.rb:        messages << 'E: 
AuthorityKeyIdentifier must include issuer if serial number is present'
certlint/extensions/basicconstraints.rb:          messages << 'E: 
basicConstraints must be critical in CA certificates'
certlint/extensions/basicconstraints.rb:          messages << 'E: Must not 
include pathLenConstraint on certificates that are not CA:TRUE'
certlint/extensions/signedcertificatetimestamplist.rb:        messages << 'E: 
SignedCertificateTimestampList must not be critical'
certlint/extensions/asn1ext.rb:      messages << 'E: No PDU defined'
certlint/extensions/asn1ext.rb:        messages << "E: Extension criticality 
not allowed for #{self.to_s.split(':').last}"
certlint/extensions/asn1ext.rb:        messages << "W: Extension 
should#{@critical_should ? '' : ' not'} be critical for 
#{self.to_s.split(':').last}"
certlint/certextlint.rb:        messages << "E: Opaque or unknown extension 
(#{oid}) marked as critical"
certlint/certextlint.rb:        messages << "W: Extension #{oid} is treated as 
opaque extension"
certlint/certextlint.rb:        messages << "W: Deprecated Netscape extension 
#{oid} treated as opaque extension"
certlint/certextlint.rb:        messages << "W: Microsoft extension #{oid} 
treated as opaque extension"
certlint/certextlint.rb:      messages << "W: Unknown Extension: #{oid}"
certlint/iananames.rb:        messages << 'E: Unqualified domain name'
certlint/iananames.rb:        messages << 'E: Unknown TLD'
certlint/iananames.rb:          messages << 'I: Tor Service Descriptor in SAN'
certlint/iananames.rb:          messages << 'W: Special name'
certlint/iananames.rb:        messages << 'E: Unknown type of TLD'
certlint/iananames.rb:        messages << 'E: FQDN under reserved or special 
domain'
certlint/iananames.rb:          messages << 'W: Bad IDN A-label in DNS Name'
certlint/iananames.rb:          messages << 'E: Wildcard to immediate left of 
public suffix'
certlint/iananames.rb:        messages << 'W: Domain is bare public suffix'
certlint/iananames.rb:          messages << 'E: Wildcard to immediate left of 
public suffix'
certlint/iananames.rb:          messages << 'W: Underscore in base domain'
certlint/pemlint.rb:              messages << 'W: PEM boundaries should not 
have whitespace or characters before the boundary start'
certlint/pemlint.rb:              messages << "W: PEM boundaries should start 
with five '-' characters"
certlint/pemlint.rb:              messages << 'E: PEM boundary must have same 
number of - at start and end'
certlint/pemlint.rb:              messages << 'W: PEM boundary should be in all 
caps'
certlint/pemlint.rb:              messages << 'E: PEM boundary should be alone 
on line'
certlint/pemlint.rb:            messages << 'W: Only the last PEM encoded line 
may be less than 64 characters'
certlint/pemlint.rb:            messages << 'W: PEM encoded lines must be 64 
characters or less'
certlint/pemlint.rb:            messages << 'E: PEM encoded lines may only 
contain base64 characters'
certlint/pemlint.rb:            messages << 'W: PEM boundaries should not have 
whitespace or characters before the boundary start'
certlint/pemlint.rb:            messages << "W: PEM boundaries should start 
with five '-' characters"
certlint/pemlint.rb:            messages << 'E: PEM boundary must have same 
number of - at start and end'
certlint/pemlint.rb:            messages << 'W: PEM boundary should be in all 
caps'
certlint/pemlint.rb:            messages << 'E: PEM boundary should be alone on 
line'
certlint/pemlint.rb:        messages << 'E: Incorrect base64 encoding'
certlint/namelint.rb:          messages << 'W: Multiple attributes in a single 
RDN in the subject Name'
certlint/namelint.rb:            attr_messages << "W: Name has unknown 
attribute #{attrname}"
certlint/namelint.rb:            attr_messages << "W: Name has deprecated 
attribute #{attrname}"
certlint/namelint.rb:            attr_messages << "W: #{attrname} is using 
deprecated TeletexString"
certlint/namelint.rb:            attr_messages << "W: #{attrname} is using 
deprecated VideoexString"
certlint/namelint.rb:            attr_messages << "W: #{attrname} is using 
deprecated GraphicString"
certlint/namelint.rb:            attr_messages << "W: #{attrname} is using 
deprecated GeneralString"
certlint/namelint.rb:            attr_messages << "W: Unicode #{attrname} is 
using deprecated UniversalString"
certlint/namelint.rb:            attr_messages << "W: Unicode #{attrname} is 
using deprecated BMPString"
certlint/namelint.rb:              attr_messages << "W: Leading whitepsace in 
#{attrname}"
certlint/namelint.rb:              attr_messages << "W: Trailing whitespace in 
#{attrname}"
certlint/namelint.rb:              attr_messages << "E: #{attrname} is too long"
certlint/namelint.rb:              attr_messages << "E: Invalid country in 
#{attrname}"
certlint/namelint.rb:              attr_messages << "E: Invalid label in 
#{attrname}"
certlint/namelint.rb:                messages << 'W: Bad IDN A-label in DNS 
Name'
certlint/namelint.rb:                messages << 'E: Internationalized domain 
names must be in unicode normalization form C'
certlint/namelint.rb:              attr_messages << "E: #{attrname} is too long"
certlint/namelint.rb:                attr_messages << "W: #{attrname} should be 
encoded as IA5String"
certlint/namelint.rb:                attr_messages << "W: #{attrname} should be 
encoded as UF8String"
certlint/namelint.rb:        messages << "W: Name has multiple #{attrname} 
attributes"
certlint/namelint.rb:          messages << "E: Unparsable name: #{e.message}"
certlint/certlint.rb:      messages << "F: ASN.1 Error in #{pdu}: #{ex.message}"
certlint/certlint.rb:      messages << "E: Constraint failure in #{pdu}: 
#{ex.message}"
certlint/certlint.rb:        messages << "W: #{pdu} is not encoded using DER"
certlint/certlint.rb:      messages << "E: BadDER in #{pdu}"
certlint/certlint.rb:      messages << "F: Encoding error: #{e.message} in 
#{pdu}"
certlint/certlint.rb:        messages << "F: Bad GeneralizedTime in #{pdu}"
certlint/certlint.rb:        messages << "F: Bad UTCTime in #{pdu}"
certlint/certlint.rb:        messages << "F: Type mismatch during decode in 
#{pdu}"
certlint/certlint.rb:        messages << "F: Bad encoding in #{pdu}"
certlint/certlint.rb:        messages << "F: Decode error in #{pdu}: 
#{e.message}"
certlint/certlint.rb:            messages << "F: Incorrectly encoded UTF8String 
in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:            messages << "E: Null byte found in UTF8String 
in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:            messages << "E: Control character found in 
String in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:            messages << "E: Null byte found in String in 
#{pdu}"# at offset #{offset}"
certlint/certlint.rb:            messages << "B: Unhandled escape found in 
String in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:              messages << "E: Incorrectly encoded 
TeletexString in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:            messages << "B: No checks for String type 
#{tag} in #{pdu}"# at offset #{offset}"
certlint/certlint.rb:      messages << "F: Type error during traverse in 
#{pdu}: #{e.message}"
certlint/certlint.rb:        messages << 'E: RSA keys must have a parameter 
specified'
certlint/certlint.rb:        messages << 'E: RSA keys must have a null 
parameter'
certlint/certlint.rb:        messages << 'E: RSA public key modulus must be 
positive'
certlint/certlint.rb:        messages << 'E: RSA public key exponent must be 
positive'
certlint/certlint.rb:          messages << 'E: RSA public key exponent must be 
between 3 and n - 1'
certlint/certlint.rb:        messages << 'E: DH keys must have parameters'
certlint/certlint.rb:        messages << 'E: EC keys must have parameters'
certlint/certlint.rb:        messages << "E: EC public key #{e.message}"
certlint/certlint.rb:        messages << 'E: EC Public key is infinity'
certlint/certlint.rb:        messages << 'E: EC Public key is not on curve'
certlint/certlint.rb:      messages << 'W: Unknown public key type'
certlint/certlint.rb:          messages << 'E: Time not in Zulu/GMT'
certlint/certlint.rb:          messages << 'N: Ruby may incorrectly interpret 
UTCTimes between 1950 and 1969'
certlint/certlint.rb:          messages << 'E: UTCTime without seconds'
certlint/certlint.rb:          messages << 'E: Time not in Zulu/GMT'
certlint/certlint.rb:          messages << 'E: Generalized Time before 2050'
certlint/certlint.rb:          messages << 'E: Generalized Time without seconds 
or with fractional seconds'
certlint/certlint.rb:      messages << 'E: Certificate signature algorithm does 
not match TBS signature algorithm'
certlint/certlint.rb:      messages << "W: Certificate signature algorithm type 
is unknown: #{sig_oid}"
certlint/certlint.rb:      messages << 'I: No checks for PSS yet'
certlint/certlint.rb:        messages << 'E: RSA signatures must have a 
parameter specified'
certlint/certlint.rb:        messages << 'E: RSA signatures must have a null 
parameter'
certlint/certlint.rb:        messages << 'E: DSA signatures must not have a 
parameter specified'
certlint/certlint.rb:        messages << 'E: ECDSA signatures must not have a 
parameter specified'
certlint/certlint.rb:      messages << 'F: Unable to parse Certificate'
certlint/certlint.rb:      messages << 'E: Invalid certificate version'
certlint/certlint.rb:      messages << 'E: Old certificate version (not 
X.509v3)'
certlint/certlint.rb:      messages << 'E: Negative serial number'
certlint/certlint.rb:      messages << 'E: Serial number must be positive'
certlint/certlint.rb:      messages << 'E: Serial numbers must be 20 octets or 
less'
certlint/certlint.rb:      messages << 'E: Certificate has negative validity 
length'
certlint/certlint.rb:      messages << 'E: issuerUniqueID is included'
certlint/certlint.rb:      messages << 'E: subjectUniqueID is included'
certlint/certlint.rb:          messages << 'N: Some python versions will not 
see SAN extension if it is the first extension'
certlint/certlint.rb:        messages << "E: Duplicate extension #{oid}"
certlint/certlint.rb:        messages << 'E: keyCertSign without CA:TRUE'
certlint/certlint.rb:        messages << 'E: CA:TRUE without keyCertSign'
certlint/cablint.rb:        messages << 'W: Cowardly refusing to run CAB check 
due to previous errors'
certlint/cablint.rb:        messages << 'E: Skipping CAB checks due to previous 
errors'
certlint/cablint.rb:        messages << "E: #{c.signature_algorithm} is not 
allowed for signing certificates"
certlint/cablint.rb:          messages << 'E: SHA-1 not allowed for signing 
certificates'
certlint/cablint.rb:          messages << 'W: Serial numbers for certificates 
using weaker hashes should have at least 64 bits of entropy'
certlint/cablint.rb:          messages << 'W: PSS is not supported by most 
browsers'
certlint/cablint.rb:        messages << 'W: Serial numbers should have at least 
20 bits of entropy'
certlint/cablint.rb:        messages << 'E: Invalid subject public key'
certlint/cablint.rb:        messages << 'E: Invalid subject public key'
certlint/cablint.rb:          messages << 'E: RSA subject key modulus must be 
at least 2048 bits'
certlint/cablint.rb:          messages << 'E: RSA subject key exponent must be 
odd'
certlint/cablint.rb:          messages << 'E: DSA subject key p must be at 
least 2048 bits'
certlint/cablint.rb:          messages << 'E: DSA subject key must have FIPS 
186-4 compliant parameters'
certlint/cablint.rb:          messages << 'E: EC subject key is not on allowed 
curve'
certlint/cablint.rb:        messages << 'E: Subject key must be RSA, DSA, or EC'
certlint/cablint.rb:            messages << "E: #{d[0]} appears to only include 
metadata"
certlint/cablint.rb:          messages << "E: #{d[0]} appears to only include 
metadata"
certlint/cablint.rb:        messages << 'I: CA certificate identified'
certlint/cablint.rb:          messages << 'E: CA certificates must include 
countryName in subject'
certlint/cablint.rb:          messages << 'E: CA certificates must include 
organizationName in subject'
certlint/cablint.rb:          messages << 'N: Some applications require CA 
certificates to include commonName in subject'
certlint/cablint.rb:          messages << 'W: CA certificates should not have a 
validity period greater than 25 years'
certlint/cablint.rb:            messages << 'W: CA certificates should not have 
a validity period greater than 25 years'
certlint/cablint.rb:              messages << 'W: CA certificates should not 
have a validity period greater than 25 years'
certlint/cablint.rb:          messages << 'E: CA certificates must include 
keyUsage extension'
certlint/cablint.rb:            messages << 'E: CA certificates must set 
keyUsage extension as critical'
certlint/cablint.rb:            messages << 'E: CA certificates must include 
CRL Signing'
certlint/cablint.rb:            messages << 'N: CA certificates without Digital 
Signature do not allow direct signing of OCSP responses'
certlint/cablint.rb:          messages << 'W: CA certificates should not 
include subject alternative names'
certlint/cablint.rb:        messages << 'I: EV certificate identified'
certlint/cablint.rb:          messages << 'E: EV certificates must include 
organizationName in subject'
certlint/cablint.rb:          messages << 'E: EV certificates must include 
businessCategory in subject'
certlint/cablint.rb:          messages << 'E: EV certificates must include 
serialNumber in subject'
certlint/cablint.rb:          messages << 'E: EV certificates must include 
localityName in subject'
certlint/cablint.rb:          messages << 'E: EV certificates must include 
countryName in subject'
certlint/cablint.rb:        messages << 'I: TLS Server certificate identified'
certlint/cablint.rb:          messages << "W: TLS Server certificates must 
include serverAuth key purpose in extended key usage"
certlint/cablint.rb:          messages << 'I: Intel AMT/vPro certificate 
identified'
certlint/cablint.rb:          messages << "W: TLS Server auth certificates 
should not contain #{e} usage"
certlint/cablint.rb:              messages << 'E: EV certificates must be 825 
days in validity or less'
certlint/cablint.rb:            messages << 'E: EV certificates must be 27 
months in validity or less'
certlint/cablint.rb:            messages << 'E: BR certificates must be 825 
days in validity or less'
certlint/cablint.rb:            messages << 'W: Pre-BR certificates should not 
be more than 120 months in validity'
certlint/cablint.rb:            messages << 'E: BR certificates must be 39 
months in validity or less'
certlint/cablint.rb:            messages << 'E: BR certificates must be 60 
months in validity or less'
certlint/cablint.rb:            messages << 'E: BR certificates without 
organizationName must not include localityName'
certlint/cablint.rb:            messages << 'E: BR certificates without 
organizationName must not include stateOrProvinceName'
certlint/cablint.rb:            messages << 'E: BR certificates without 
organizationName must not include streetAddress'
certlint/cablint.rb:            messages << 'E: BR certificates without 
organizationName must not include postalCode'
certlint/cablint.rb:            messages << 'E: BR certificates with 
organizationName must include either localityName or stateOrProvinceName'
certlint/cablint.rb:            messages << 'E: BR certificates with 
organizationName must include countryName'
certlint/cablint.rb:          messages << 'W: Certificate does not include 
authorityInformationAccess. BRs require OCSP stapling for this certificate.'
certlint/cablint.rb:            messages << 'E: BR certificates must include an 
HTTP URL of the OCSP responder'
certlint/cablint.rb:            messages << 'W: BR certificates should include 
an HTTP URL of the issuing CA\'s certificate'
certlint/cablint.rb:          messages << 'E: BR certificates must include 
certificatePolicies'
certlint/cablint.rb:            messages << 'E: BR certificates must contain at 
least one policy'
certlint/cablint.rb:            messages << 'E: BR certificates with CRL 
Distribution Point must include HTTP URL'
certlint/cablint.rb:            messages << 'E: BR certificates must not 
include CRL Signing'
certlint/cablint.rb:            messages << 'E: BR certificates must not 
include Certificate Signing'
certlint/cablint.rb:          messages << 'E: BR certificates must have subject 
alternative names extension'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain otherName type alternative name'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain rfc822Name type alternative name'
certlint/cablint.rb:                  messages << 'E: Wildcard not in first 
label of FQDN'
certlint/cablint.rb:                  messages << 'E: Bare wildcard'
certlint/cablint.rb:                  messages << 'W: Wildcard other than 
*.<fqdn> in SAN'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain x400Address type alternative name'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain directoryName type alternative name'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain ediPartyName type alternative name'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain uniformResourceIdentifier type alternative name'
certlint/cablint.rb:              messages << 'E: BR certificates must not 
contain registeredID type alternative name'
certlint/cablint.rb:              messages << 'W: Duplicate SAN entry'
certlint/cablint.rb:              messages << 'W: commonNames in BR certificate 
contains U-labels'
certlint/cablint.rb:              messages << 'E: commonNames in BR 
certificates must be from SAN entries'
certlint/cablint.rb:        messages << 'I: No certificate type identified'
certlint/generalnames.rb:          messages << "I: No checks for OtherName type 
#{oid}"
certlint/generalnames.rb:          messages << "I: Missing check for OtherName 
#{checker}"
certlint/generalnames.rb:        messages << "I: No checks for unknown 
OtherName type #{oid}"
certlint/generalnames.rb:        messages << 'E: RFC822Name has empty value'
certlint/generalnames.rb:        messages << 'E: RFC822Name includes null'
certlint/generalnames.rb:        messages << 'E: Invalid padding in RFC822Name'
certlint/generalnames.rb:          messages << 'E: RFC822Name without @'
certlint/generalnames.rb:          messages << 'E: RFC822Name domain must not 
start with .'
certlint/generalnames.rb:        messages << 'E: RFC822Name without domain'
certlint/generalnames.rb:        messages << 'E: RFC822Name with invalid domain'
certlint/generalnames.rb:          messages << 'W: Bad IDN A-label in Email 
Address'
certlint/generalnames.rb:          messages << 'E: Internationalized domain 
names must be in unicode normalization form C'
certlint/generalnames.rb:        messages << 'E: RFC822Name without local part'
certlint/generalnames.rb:        messages << 'W: RFC822Name with quoted local 
part'
certlint/generalnames.rb:        messages << 'E: RFC822Name with invalid local 
part'
certlint/generalnames.rb:        messages << 'E: DNSName is empty'
certlint/generalnames.rb:        messages << 'F: DNSName is not a string'
certlint/generalnames.rb:        messages << 'E: DNSName includes null'
certlint/generalnames.rb:        messages << 'E: DNSName is not in preferred 
syntax'
certlint/generalnames.rb:        messages << 'E: DNSName must not start with .'
certlint/generalnames.rb:        messages << 'E: DNSName is not FQDN'
certlint/generalnames.rb:        messages << 'E: FQDN in DNSName is too long'
certlint/generalnames.rb:          messages << 'E: Wildcard in FQDN'
certlint/generalnames.rb:        messages << 'W: Underscore should not appear 
in DNS names'
certlint/generalnames.rb:          messages << 'W: Bad IDN A-label in DNS Name'
certlint/generalnames.rb:          messages << 'E: Internationalized domain 
names must be in unicode normalization form C'
certlint/generalnames.rb:          messages << 'F: RFC822Name is not a String'
certlint/generalnames.rb:          messages << 'F: DNS Name is not a String'
certlint/generalnames.rb:          messages << "E: X400Address is empty"
certlint/generalnames.rb:        messages << "I: No checks for X400Address"
certlint/generalnames.rb:          messages << "E: DirectoryName is empty"
certlint/generalnames.rb:        messages << "I: No checks for DirectoryName"
certlint/generalnames.rb:          messages << "E: EDIPartyName is empty"
certlint/generalnames.rb:        messages << "I: No checks for EDIPartyName"
certlint/generalnames.rb:          messages << "E: URI is empty"
certlint/generalnames.rb:        messages << "I: No checks for URI"
certlint/generalnames.rb:            messages << 'E: Invalid IP address in SAN'
certlint/generalnames.rb:            messages << 'E: Invalid IP address in 
constraint'
certlint/generalnames.rb:          messages << 'E: RegisteredId is empty'
certlint/generalnames.rb:        messages << "I: No checks for RegisteredId"
certlint/generalnames.rb:        messages << 'E: Unknown type of name in 
subjectAltName'



From: Paul Mantilla [mailto:paulmanti...@hotmail.com]
Sent: Wednesday, May 30, 2018 5:50 PM
To: Doug Beattie <doug.beat...@globalsign.com>; CA/Browser Forum Public 
Discussion List <public@cabforum.org>
Subject: Re: [cabfpub] CABLint

Hello guys, as a side question, is it possible to have a list of all the test 
run by certlint/cablint? Since If I run the tool in the command line, if all 
the tests passed I get nothing, no message, so I am never sure of what really 
happened.

I’ve searched a lot, even in the GitHub repo, but I couldn’t find the list of 
tests these lints contain
Please advice
Thanks



On Apr 16, 2018, at 4:00 PM, Doug Beattie via Public 
<public@cabforum.org<mailto:public@cabforum.org>> wrote:
Hi Dave,

I was looking just at the very top level and see there are more Commits, Closed 
Issues, and contributors for zlint, but if cablint has a new maintainer to keep 
it up to date, then having 2 independent checkers will help find bugs or 
inconsistencies in the other lint.

Doug

From: Blunt, Dave [mailto:dbl...@amazon.com]
Sent: Friday, April 13, 2018 5:29 PM
To: Doug Beattie 
<doug.beat...@globalsign.com<mailto:doug.beat...@globalsign.com>>; CA/Browser 
Forum Public Discussion List <public@cabforum.org<mailto:public@cabforum.org>>; 
Ryan Sleevi <sle...@google.com<mailto:sle...@google.com>>; Tim Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>
Subject: RE: [cabfpub] CABLint


Tim – I’m transitioning into Peter’s role as maintainer of the cablint 
maintained under awslabs. Do you have concerns or suggestions for changes?

Doug, if you aren’t sure how zlint and cablint stack up, what is the 
recommendation to use zlint based on?

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Doug Beattie via 
Public
Sent: Friday, April 13, 2018 1:28 PM
To: Ryan Sleevi <sle...@google.com<mailto:sle...@google.com>>; CA/Browser Forum 
Public Discussion List <public@cabforum.org<mailto:public@cabforum.org>>; Tim 
Hollebeek <tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>
Subject: Re: [cabfpub] CABLint

We’ve shifted our efforts towards zlint and away from the GlobalSign certlint 
as our future validation tool.  I’m not sure how zlint and cablint stack up 
with each other but having 2 open source projects is going to be extra work to 
maintain and keep current.  I’d recommend zlint for those that can use it.

Dug

From: Public [mailto:public-boun...@cabforum.org] On Behalf Of Ryan Sleevi via 
Public
Sent: Friday, April 13, 2018 3:57 PM
To: Tim Hollebeek 
<tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>>; CA/Browser 
Forum Public Discussion List <public@cabforum.org<mailto:public@cabforum.org>>
Subject: Re: [cabfpub] CABLint

There's been several duplicate names

Are you talking about the 'cablint' portion of the AWSLabs certlint - 
https://github.com/awslabs/certlint ? That is what is referred to as 'cablint' 
on crt.sh

Not to be confused with the GlobalSign certlint ( 
https://github.com/globalsign/certlint )

On Fri, Apr 13, 2018 at 3:38 PM, Tim Hollebeek via Public 
<public@cabforum.org<mailto:public@cabforum.org>> wrote:

Who is maintaining CABLint these days?  And where?

-Tim


_______________________________________________
Public mailing list
Public@cabforum.org<mailto:Public@cabforum.org>
https://cabforum.org/mailman/listinfo/public

_______________________________________________
Public mailing list
Public@cabforum.org<mailto:Public@cabforum.org>
https://cabforum.org/mailman/listinfo/public

_______________________________________________
Public mailing list
Public@cabforum.org
https://cabforum.org/mailman/listinfo/public