| BR Section | Scope | Lint Clause | In Scope | In ZLint | ZLint Name | Notes |
|---|---|---|---|---|---|---|
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-1* | TRUE | TRUE | e_signature_algorithm_not_supported | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-256 | TRUE | TRUE | e_signature_algorithm_not_supported | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-384 | TRUE | TRUE | e_signature_algorithm_not_supported | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-512 | TRUE | TRUE | e_signature_algorithm_not_supported | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: 2048-bit minimum RSA modulus size | TRUE | TRUE | e_rsa_mod_less_than_2048_bits | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: ECC NIST P-256, P-384, or P-521 | TRUE | TRUE | e_ec_improper_curves | |
| 6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: L=2048, N=224 or 256 minimum for DSA | TRUE | TRUE | e_dsa_improper_modulus_or_divisor_size | |
| 6.1.6 | all | RSA: Value of public exponent is an odd number equal to 3 or more. | TRUE | TRUE | e_rsa_public_exponent_not_odd, e_rsa_public_exponent_too_small | |
| 6.1.6 | all | RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1 | TRUE | TRUE | w_rsa_public_exponent_not_in_range | |
| 6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: an odd number | TRUE | TRUE | w_rsa_mod_not_odd | |
| 6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: not the power of a prime | TRUE | FALSE | | |
| 6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752 | TRUE | TRUE | w_rsa_mod_factors_smaller_than_752 | |
| 6.1.6 | all | DSA: Certificates MUST include all domain parameters | TRUE | TRUE | e_dsa_params_missing | |
| 6.1.6 | all | DSA: Public key value has the unique correct representation in the field, and the key has the correct order in the subgroup | TRUE | TRUE | lint_dsa_correct_order_in_subgroup | |
| 6.3.2 | subscriber | CAs MUST NOT issue subscriber certificates with validity periods longer than 39 months regardless of circumstance. | TRUE | TRUE | e_sub_cert_valid_time_too_long | |
| 7.1.1 | all | Certificates MUST be of type X.509 v3 | TRUE | TRUE | e_invalid_certificate_version | |
| 7.1.2.1 | root | Root CA Certificate: basicConstraints MUST appear as a critical extension | TRUE | TRUE | e_basic_constraint_not_critical | |
| 7.1.2.1 | root | Root CA Certificate: The cA field MUST be set to true. | TRUE | TRUE | e_ca_is_ca | |
| 7.1.2.1 | root | Root CA Certificate: The pathLenConstraint field SHOULD NOT be present. | TRUE | TRUE | w_root_ca_basic_constraint_path_len_constraint_field_present | |
| 7.1.2.1 | root | Root CA Certificate: keyUsage extension MUST be present and MUST be marked critical | TRUE | TRUE | e_ca_key_usage_missing | |
| 7.1.2.1 | root | Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set. | TRUE | TRUE | e_ca_key_cert_sign_not_set, e_ca_crl_sign_not_yet | |
| 7.1.2.1 | root | Root CA Certificate: certificatePolicies SHOULD NOT be present. | TRUE | TRUE | w_root_ca_contains_cert_policy | |
| 7.1.2.1 | root | Root CA Certificate: extendedKeyUsage MUST NOT be present. | TRUE | TRUE | e_root_ca_extended_key_usage_present | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical. | TRUE | TRUE | e_sub_ca_certificate_policies_missing, w_sub_ca_certificate_policies_marked_critical | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical. | TRUE | TRUE | e_sub_ca_crl_distribution_points_missing, e_sub_ca_crl_distribution_points_marked_critical | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service. | TRUE | TRUE | e_sub_ca_crl_distribution_points_does_not_contain_url | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling. | TRUE | TRUE | e_sub_ca_aia_missing | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical | TRUE | TRUE | e_sub_ca_aia_marked_critical | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OCSP responder. | TRUE | TRUE | e_sub_ca_aia_does_not_contain_ocsp_url | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate. | TRUE | TRUE | w_sub_ca_aia_does_not_contain_issuing_ca_url | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: basicConstraints MUST be present and MUST be marked critical. | TRUE | TRUE | e_basic_constaints_must_be_critical | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: cA field MUST be set to true. | TRUE | TRUE | e_ca_is_ca | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: pathLenConstraint field MAY be present. | FALSE | FALSE | | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: keyUsage extension MUST be present and MUST be marked critical. | TRUE | TRUE | e_ca_key_usage_missing | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set. | TRUE | TRUE | e_ca_key_cert_sign_not_set, e_ca_crl_sign_not_yet | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: nameConstraints, if present, SHOULD be marked critical. | TRUE | TRUE | w_sub_ca_name_constraints_not_critical | |
| 7.1.2.2 | subordinate | Subordinate CA Certificate: extKeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present. | TRUE | TRUE | n_sub_ca_eku_not_technically_constrained | |
| 7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical. | TRUE | TRUE | e_sub_cert_certificate_policies_missing, w_sub_cert_certificate_policies_marked_critical | |
| 7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies:policyQualifier:policyQualifierId MAY be present. | FALSE | FALSE | | |
| 7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies:policyQualifier:qualifier:cPSuri MAY be present. | FALSE | FALSE | | |
| 7.1.2.3 | subscriber | Subscriber Certificate: cRLDistributionPoints MAY be present. | FALSE | FALSE | | |
| 7.1.2.3 | subscriber | Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service. | TRUE | TRUE | e_sub_cert_crl_distribution_points_marked_critical | |
| 7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST be present, with the exception of stapling. | TRUE | TRUE | e_sub_cert_aia_missing | |
| 7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical | TRUE | TRUE | e_sub_cert_aia_marked_critical | |
| 7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OCSP responder. | TRUE | TRUE | e_sub_cert_aia_does_not_contain_ocsp_url | |
| 7.1.2.3 | subscriber | Subscriber Certificate: basicConstraints cA field MUST NOT be true. | TRUE | TRUE | e_sub_cert_not_is_ca | |
| 7.1.2.3 | subscriber | Subscriber Certificate: keyUsage, if present, bit positions for keyCertSign and cRLSign MUST NOT be set. | TRUE | TRUE | e_sub_cert_key_usage_cert_sign_bit_set, e_sub_cert_key_usage_crl_sign_bit_set | |
| 7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage, either the value id-kp-serverAuth or id-kp-clientAuth or both values MUST be present. | TRUE | TRUE | w_sub_cert_eku_extra_values | |
| 7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage id-kp-emailProtection MAY be present. Other values SHOULD NOT be present. | TRUE | TRUE | w_sub_cert_eku_extra_values | |
| 7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage: Any other values SHOULD NOT be present. | TRUE | TRUE | w_sub_cert_eku_extra_values | |
| 7.1.3 | subscriber | CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016 | TRUE | TRUE | e_sub_cert_or_sub_ca_using_sha1 | |
| 7.1.4 | all | Certificate Issuer Distinguished Name MUST match the Subject DN of the Issuing CA | FALSE | FALSE | | |
| 7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName MUST appear. | TRUE | TRUE | e_ext_san_missing | |
| 7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName MUST contain at least one entry. | TRUE | TRUE | e_ext_san_no_entries | |
| 7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName: each entry MUST be either a dNSName containing an FQDN or an IP Address. Wildcard FQDNs are permitted. | TRUE | TRUE | dnsname_*, e_ext_san_host_not_fqdn_or_ip | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: commonName is deprecated. | TRUE | TRUE | n_subject_common_name_included | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: commonName, if present, MUST contain a single IP address or FQDN that is one of the values contained in the subjAltName extension. | TRUE | TRUE | e_subject_common_name_not_from_san | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID. | TRUE | TRUE | e_subject_given_name_surname_contains_correct_policy | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_street_address_should_not_exist | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent. | TRUE | TRUE | e_sub_cert_locality_name_must_appear | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_locality_name_must_not_appear | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent. | TRUE | TRUE | e_sub_cert_province_must_appear | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_province_must_not_appear | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_postal_code_prohibited | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present. | TRUE | TRUE | e_sub_cert_country_name_must_appear | |
| 7.1.4.2.2 | subscriber | Subscriber Certificate: subject:countryName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_country_name_must_not_appear | |
| 7.1.4.3.1 | ca | CA Certificates: subject:commonName MUST appear. | TRUE | TRUE | e_ca_common_name_missing | |
| 7.1.4.3.1 | ca | CA Certificates: subject:organizationName MUST appear. | TRUE | TRUE | e_ca_organization_name_missing | |
| 7.1.4.3.1 | ca | CA Certificates: subject:countryName MUST appear. | TRUE | TRUE | e_ca_country_name_missing | |
| 7.1.5 | subordinate | Subordinate CA: MUST include an EKU extension. | TRUE | TRUE | e_sub_ca_eku_missing | |
| 7.1.5 | subordinate | Subordinate CA: If it includes the id-kp-serverAuth EKU, then it MUST include a nameConstraints extension with constraints on dNSName, iPAddress, and directoryName | TRUE | TRUE | e_sub_ca_eku_name_constraints | |
| 7.1.6.1 | all | If the certificate asserts the policy identifier 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the subject. | TRUE | TRUE | lint_cab_dv_conflicts_with* | |
| 7.1.6.1 | all | If the certificate asserts the policy identifier 2.23.140.1.2.2, then it MUST include organizationName, localityName, stateOrProvinceName, and countryName in the subject. | TRUE | TRUE | cert_policy_ov_requires_*, cert_policy_requires_org | |
| 7.1.6.1 | all | If the certificate asserts the policy identifier 2.23.140.1.2.3, then it MUST include (1) either organizationName, givenName, or surname, (2) localityName, (3) stateOrProvinceName, and (4) countryName in the subject. | TRUE | TRUE | cert_policy_iv_requires_* | |
| 7.1.6.2 | root | Root CA: SHOULD NOT contain the certificatePolicies extension. | TRUE | TRUE | w_root_ca_contains_cert_policy | |
| 7.1.6.2 | subordinate | Subordinate CA: MUST include one or more explicit policy identifiers that indicate the Subordinate CA's adherence to and compliance with these requirements | TRUE | TRUE | e_sub_ca_certificate_policies_missing | |
| 7.1.6.2 | subordinate | Subordinate CA: MUST NOT contain the anyPolicy identifier (2.5.29.32.0) | TRUE | TRUE | lint_sub_ca_must_not_contain_anypolicy | |
| 7.1.6.4 | subordinate | Subscriber Certificates: MUST contain one or more policy identifiers. | TRUE | TRUE | e_sub_cert_cert_policy_empty | |
| 7.1 | subscriber | Effective September 30, 2016, CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG. | TRUE | TRUE | lint_serial_number_low_entropy | |
| 1.3.2 | | The CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2. | FALSE | FALSE | | |
| 1.3.2 | | The CA SHALL contractually require the Delegated Third Party to meet the qualification requirements of Section 5.3.1 (personnel controls), when applicable. | FALSE | FALSE | | |
| 1.3.2 | | The CA SHALL contractually require the Delegated Third Party to retain documentation in accordance with Section 5.5.2 | FALSE | FALSE | | |
| 1.3.2 | | The CA SHALL contractually require the Delegated Third Party to comply with the CA's CPS. | FALSE | FALSE | | |
| 1.3.2 | | The CA MAY designate an Enterprise RA to verify certificate requests from the Enterprise RA's own organization | FALSE | FALSE | | |
| 1.5.2 | | The CA SHALL provide a link to a web page or an email address for contacting the person or persons responsible for operation of the CA | FALSE | FALSE | | |
| 1.6.1 | | The Request Token SHALL incorporate the key used in the certificate request. | FALSE | FALSE | | |
| 1.6.1 | | A Request Token that includes a timestamp SHALL remain valid for no more than 30 days from the time of creation. | FALSE | FALSE | | |
| 1.6.1 | | A Request Token that includes a timestamp SHALL be treated as invalid if its timestamp is in the future. | FALSE | FALSE | | |
| 1.6.1 | | A Request Token that does not include a timestamp is valid for a single use, and the CA SHALL NOT re-use it for a subsequent validation. | FALSE | FALSE | | |
| 1.6.1 | | The binding SHALL use a digital signature algorithm or a cryptographic hash algorithm at least as strong as that to be used in signing the certificate request. | FALSE | FALSE | | |
| 2 | | The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. | FALSE | FALSE | | |
| 2.1 | | The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy. | FALSE | FALSE | | |
| 2.2 | | The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. | FALSE | FALSE | | |
| 2.2 | | Effective 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names | FALSE | FALSE | | |
| 2.2 | | At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired. | FALSE | FALSE | | |
| 3.2.2 | | If a Certificate will contain Subject Information comprised only of the countryName field, then the CA SHALL verify the country associated with the Subject using the verification process of Section 3.2.2.3 | FALSE | FALSE | | |
| 3.2.2.1 | | If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant's address of existence or operation | FALSE | FALSE | | |
| 3.2.2.1 | | The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 1. A government agency in the jurisdiction of the Applicant's legal creation, existence, or recognition; 2. A third party database that is periodically updated and considered a Reliable Data Source; 3. A site visit by the CA or a third party who is acting as an agent for the CA; or 4. An Attestation Letter. | FALSE | FALSE | | |
| 3.2.2.2 | | If the Subject Identity Information is to include a DBA or tradename, the CA SHALL verify the Applicant's right to use the DBA/tradename using at least one of the following: 1. Documentation provided by, or communication with, a government agency in the jurisdiction of the Applicant's legal creation, existence, or recognition; 2. A Reliable Data Source; 3. Communication with a government agency responsible for the management of such DBAs or tradenames; 4. An Attestation Letter accompanied by documentary support; or 5. A utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable | FALSE | FALSE | | |