BR Section | Scope | Lint Clause | In Scope | In ZLint | ZLint Name | Notes
---|---|---|---|---|---|---
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-1* | TRUE | TRUE | e_signature_algorithm_not_supported |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-256 | TRUE | TRUE | e_signature_algorithm_not_supported |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-384 | TRUE | TRUE | e_signature_algorithm_not_supported |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: SHA-512 | TRUE | TRUE | e_signature_algorithm_not_supported |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: 2048 minimum RSA modulus size | TRUE | TRUE | e_rsa_mod_less_than_2048_bits |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: ECC NIST P-256, P-384, or P-521 | TRUE | TRUE | e_ec_improper_curves |
6.1.5 | all | Certificates MUST meet the following requirements for algorithm type and key size: L=2048, N=224,256 minimum DSA | TRUE | TRUE | e_dsa_improper_modulus_or_divisor_size |
6.1.6 | all | RSA: Value of public exponent is an odd number equal to 3 or more. | TRUE | TRUE | e_rsa_public_exponent_not_odd, e_rsa_public_exponent_too_small |
6.1.6 | all | RSA: Public exponent SHOULD be in the range between 2^16 + 1 and 2^256 - 1 | TRUE | TRUE | w_rsa_public_exponent_not_in_range |
6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: an odd number | TRUE | TRUE | w_rsa_mod_not_odd |
6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: not power of a prime | TRUE | FALSE | |
6.1.6 | all | RSA: Modulus SHOULD also have the following characteristics: no factors smaller than 752 | TRUE | TRUE | w_rsa_mod_factors_smaller_than_752 |
6.1.6 | all | DSA: Certificates MUST include all domain parameters | TRUE | TRUE | e_dsa_params_missing |
6.1.6 | all | DSA: Public key value has the unique correct representation in the field, and the key has the correct order in the subgroup | TRUE | TRUE | lint_dsa_correct_order_in_subgroup |
6.3.2 | subscriber | CAs MUST NOT issue subscriber certificates with validity periods longer than 39 months regardless of circumstance. | TRUE | TRUE | e_sub_cert_valid_time_too_long |
7.1.1 | all | Certificates MUST be of type X.509 v3 | TRUE | TRUE | e_invalid_certificate_version |
7.1.2.1 | root | Root CA Certificate: basicConstraints MUST appear as a critical extension | TRUE | TRUE | e_basic_constraint_not_critical |
7.1.2.1 | root | Root CA Certificate: The cA field MUST be set to true. | TRUE | TRUE | e_ca_is_ca |
7.1.2.1 | root | Root CA Certificate: The pathLenConstraint field SHOULD NOT be present. | TRUE | TRUE | w_root_ca_basic_constraint_path_len_constraint_field_present |
7.1.2.1 | root | Root CA Certificate: keyUsage extension MUST be present and MUST be marked critical | TRUE | TRUE | e_ca_key_usage_missing |
7.1.2.1 | root | Root CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set. | TRUE | TRUE | e_ca_key_cert_sign_not_set, e_ca_crl_sign_not_yet |
7.1.2.1 | root | Root CA Certificate: certificatePolicies SHOULD NOT be present. | TRUE | TRUE | w_root_ca_contains_cert_policy |
7.1.2.1 | root | Root CA Certificate: extendedKeyUsage MUST NOT be present. | TRUE | TRUE | e_root_ca_extended_key_usage_present |
7.1.2.2 | subordinate | Subordinate CA Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical. | TRUE | TRUE | e_sub_ca_certificate_policies_missing, w_sub_ca_certificate_policies_marked_critical |
7.1.2.2 | subordinate | Subordinate CA Certificate: cRLDistributionPoints MUST be present and MUST NOT be marked critical. | TRUE | TRUE | e_sub_ca_crl_distribution_points_missing, e_sub_ca_crl_distribution_points_marked_critical |
7.1.2.2 | subordinate | Subordinate CA Certificate: cRLDistributionPoints MUST contain the HTTP URL of the CA's CRL service. | TRUE | TRUE | e_sub_ca_crl_distribution_points_does_not_contain_url |
7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST be present, with the exception of stapling. | TRUE | TRUE | e_sub_ca_aia_missing |
7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST NOT be marked critical | TRUE | TRUE | e_sub_ca_aia_marked_critical |
7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OCSP responder. | TRUE | TRUE | e_sub_ca_aia_does_not_contain_ocsp_url |
7.1.2.2 | subordinate | Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate. | TRUE | TRUE | w_sub_ca_aia_does_not_contain_issuing_ca_url |
7.1.2.2 | subordinate | Subordinate CA Certificate: basicConstraints MUST be present and MUST be marked critical. | TRUE | TRUE | e_basic_constaints_must_be_critical |
7.1.2.2 | subordinate | Subordinate CA Certificate: cA field MUST be set to true. | TRUE | TRUE | e_ca_is_ca |
7.1.2.2 | subordinate | Subordinate CA Certificate: pathLenConstraint field MAY be present. | FALSE | FALSE | |
7.1.2.2 | subordinate | Subordinate CA Certificate: keyUsage extension MUST be present and MUST be marked critical. | TRUE | TRUE | e_ca_key_usage_missing |
7.1.2.2 | subordinate | Subordinate CA Certificate: Bit positions for keyCertSign and cRLSign MUST be set. | TRUE | TRUE | e_ca_key_cert_sign_not_set, e_ca_crl_sign_not_yet |
7.1.2.2 | subordinate | Subordinate CA Certificate: nameConstraints, if present, SHOULD be marked critical. | TRUE | TRUE | w_sub_ca_name_constraints_not_critical |
7.1.2.2 | subordinate | Subordinate CA Certificate: extKeyUsage, either id-kp-serverAuth or id-kp-clientAuth or both values MUST be present. | TRUE | TRUE | n_sub_ca_eku_not_technically_constrained |
7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies MUST be present and SHOULD NOT be marked critical. | TRUE | TRUE | e_sub_cert_certificate_policies_missing, w_sub_cert_certificate_policies_marked_critical |
7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies:policyQualifier:policyQualifierId MAY be present. | FALSE | FALSE | |
7.1.2.3 | subscriber | Subscriber Certificate: certificatePolicies:policyQualifier:qualifier:cPSuri MAY be present. | FALSE | FALSE | |
7.1.2.3 | subscriber | Subscriber Certificate: cRLDistributionPoints MAY be present. | FALSE | FALSE | |
7.1.2.3 | subscriber | Subscriber Certificate: cRLDistributionPoints MUST NOT be marked critical, and MUST contain the HTTP URL of the CA's CRL service. | TRUE | TRUE | e_sub_cert_crl_distribution_points_marked_critical |
7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST be present, with the exception of stapling. | TRUE | TRUE | e_sub_cert_aia_missing |
7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST NOT be marked critical | TRUE | TRUE | e_sub_cert_aia_marked_critical |
7.1.2.3 | subscriber | Subscriber Certificate: authorityInformationAccess MUST contain the HTTP URL of the Issuing CA's OCSP responder. | TRUE | TRUE | e_sub_cert_aia_does_not_contain_ocsp_url |
7.1.2.3 | subscriber | Subscriber Certificate: basicConstraints cA field MUST NOT be true. | TRUE | TRUE | e_sub_cert_not_is_ca |
7.1.2.3 | subscriber | Subscriber Certificate: keyUsage, if present, bit positions for keyCertSign and cRLSign MUST NOT be set. | TRUE | TRUE | e_sub_cert_key_usage_cert_sign_bit_set, e_sub_cert_key_usage_crl_sign_bit_set |
7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage, either the value id-kp-serverAuth or id-kp-clientAuth or both values MUST be present. | TRUE | TRUE | w_sub_cert_eku_extra_values |
7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage id-kp-emailProtection MAY be present. Other values SHOULD NOT be present. | TRUE | TRUE | w_sub_cert_eku_extra_values |
7.1.2.3 | subscriber | Subscriber Certificate: extKeyUsage: Any other values SHOULD NOT be present. | TRUE | TRUE | w_sub_cert_eku_extra_values |
7.1.3 | subscriber | CAs MUST NOT issue any new Subscriber certificates or Subordinate CA certificates using SHA-1 after 1 January 2016 | TRUE | TRUE | e_sub_cert_or_sub_ca_using_sha1 |
7.1.4 | all | Certificate Issuer Distinguished Name MUST match the Subject DN of the Issuing CA | FALSE | FALSE | |
7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName MUST appear. | TRUE | TRUE | e_ext_san_missing |
7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName MUST contain at least one entry. | TRUE | TRUE | e_ext_san_no_entries |
7.1.4.2.1 | subscriber | Subscriber Certificate: subjAltName: each entry MUST be either a dNSName containing an FQDN or an IP Address. Wildcard FQDNs are permitted. | TRUE | TRUE | dnsname_*, e_ext_san_host_not_fqdn_or_ip |
7.1.4.2.2 | subscriber | Subscriber Certificate: commonName is deprecated. | TRUE | TRUE | n_subject_common_name_included |
7.1.4.2.2 | subscriber | Subscriber Certificate: commonName, if present, the field MUST contain a single IP address or FQDN that is one of the values contained in the subjAltName extension. | TRUE | TRUE | e_subject_common_name_not_from_san |
7.1.4.2.2 | subscriber | Subscriber Certificate: A certificate containing a subject:givenName field or subject:surname field MUST contain the (2.23.140.1.2.3) certPolicy OID. | TRUE | TRUE | e_subject_given_name_surname_contains_correct_policy |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:streetAddress MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_street_address_should_not_exist |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:localityName MUST appear if subject:organizationName, subject:givenName, or subject:surname fields are present but the subject:stateOrProvinceName field is absent. | TRUE | TRUE | e_sub_cert_locality_name_must_appear |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:localityName MUST NOT appear if subject:organizationName, subject:givenName, and subject:surname fields are present. | TRUE | TRUE | e_sub_cert_locality_name_must_not_appear |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:stateOrProvinceName MUST appear if the subject:organizationName, subject:givenName, or subject:surname fields are present and subject:localityName is absent. | TRUE | TRUE | e_sub_cert_province_must_appear |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:stateOrProvinceName MUST NOT appear if the subject:organizationName, subject:givenName, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_province_must_not_appear |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:postalCode MUST NOT appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_postal_code_prohibited |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:countryName MUST appear if the subject:organizationName field, subject:givenName field, or subject:surname fields are present. | TRUE | TRUE | e_sub_cert_country_name_must_appear |
7.1.4.2.2 | subscriber | Subscriber Certificate: subject:countryName MUST NOT appear if the subject:organizationName field, subject:givenName field, and subject:surname fields are absent. | TRUE | TRUE | e_sub_cert_country_name_must_not_appear |
7.1.4.3.1 | ca | CA Certificates: subject:commonName MUST appear. | TRUE | TRUE | e_ca_common_name_missing |
7.1.4.3.1 | ca | CA Certificates: subject:organizationName MUST appear. | TRUE | TRUE | e_ca_organization_name_missing |
7.1.4.3.1 | ca | CA Certificates: subject:countryName MUST appear. | TRUE | TRUE | e_ca_country_name_missing |
7.1.5 | subordinate | Subordinate CA: MUST include an EKU extension. | TRUE | TRUE | e_sub_ca_eku_missing |
7.1.5 | subordinate | Subordinate CA: If it includes the id-kp-serverAuth EKU, then it MUST include Name Constraints with constraints on dNSName, iPAddress, and directoryName | TRUE | TRUE | e_sub_ca_eku_name_constraints |
7.1.6.1 | all | If the certificate asserts policy identifier 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the subject. | TRUE | TRUE | lint_cab_dv_conflicts_with* |
7.1.6.1 | all | If the certificate asserts policy identifier 2.23.140.1.2.2, then it MUST include organizationName, localityName, stateOrProvinceName, and countryName in the subject. | TRUE | TRUE | cert_policy_ov_requires_*, cert_policy_requires_org |
7.1.6.1 | all | If the certificate asserts policy identifier 2.23.140.1.2.3, then it MUST include (1) either organizationName, givenName, or surname, (2) localityName, (3) stateOrProvinceName, and (4) countryName in the subject. | TRUE | TRUE | cert_policy_iv_requires_* |
7.1.6.2 | root | Root CA: SHOULD NOT contain the certificatePolicies extension. | TRUE | TRUE | w_root_ca_contains_cert_policy |
7.1.6.2 | subordinate | Subordinate CA: MUST include one or more explicit policy identifiers that indicate the Subordinate CA's adherence to and compliance with these requirements | TRUE | TRUE | e_sub_ca_certificate_policies_missing |
7.1.6.2 | subordinate | Subordinate CA: MUST NOT contain the anyPolicy identifier (2.5.29.32.0) | TRUE | TRUE | lint_sub_ca_must_not_contain_anypolicy |
7.1.6.4 | subordinate | Subscriber Certificates: MUST contain one or more policy identifiers. | TRUE | TRUE | e_sub_cert_cert_policy_empty |
7.1 | subscriber | Effective September 30, 2016, CAs SHALL generate non-sequential Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG. | TRUE | TRUE | lint_serial_number_low_entropy |
1.3.2 | | The CA MAY delegate the performance of all, or any part, of Section 3.2 requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2. | FALSE | FALSE | |
1.3.2 | | The CA SHALL contractually require the delegated third party to meet the qualification requirements of 5.3.1 (personnel controls), when applicable. | FALSE | FALSE | |
1.3.2 | | The CA SHALL contractually require the delegated third party to retain documentation in accordance with 5.5.2 | FALSE | FALSE | |
1.3.2 | | The CA SHALL contractually require the delegated third party to comply with the CA's CPS. | FALSE | FALSE | |
1.3.2 | | The CA MAY designate an Enterprise RA to verify certificate requests from the Enterprise RA's own organization | FALSE | FALSE | |
1.5.2 | | The CA SHALL provide a link to a web page or an email address for contacting the person or persons responsible for operation of the CA | FALSE | FALSE | |
1.6.1 | | The Request Token SHALL incorporate the key used in the certificate request. | FALSE | FALSE | |
1.6.1 | | A Request Token that includes a timestamp SHALL remain valid for no more than 30 days from the time of creation. | FALSE | FALSE | |
1.6.1 | | A Request Token that includes a timestamp SHALL be treated as invalid if its timestamp is in the future. | FALSE | FALSE | |
1.6.1 | | A Request Token that does not include a timestamp is valid for a single use and the CA SHALL NOT re-use it for a subsequent validation. | FALSE | FALSE | |
1.6.1 | | The binding SHALL use a digital signature algorithm or a cryptographic hash algorithm at least as strong as that to be used in signing the certificate request. | FALSE | FALSE | |
2 | | The CA SHALL develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. | FALSE | FALSE | |
2.1 | | The CA SHALL make revocation information for Subordinate Certificates and Subscriber Certificates available in accordance with this Policy. | FALSE | FALSE | |
2.2 | | The disclosures MUST include all the material required by RFC 2527 or RFC 3647, and MUST be structured in accordance with either RFC 2527 or RFC 3647. | FALSE | FALSE | |
2.2 | | Effective 8 September 2017, section 4.2 of a CA's Certificate Policy and/or Certification Practice Statement SHALL state the CA's policy or practice on processing CAA Records for Fully Qualified Domain Names | FALSE | FALSE | |
2.2 | | At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired. | FALSE | FALSE | |
3.2.2 | | If a Certificate will contain Subject Information comprised only of the countryName field, then the CA SHALL verify the country associated with the Subject using a verification process from Section 3.2.2.3 | FALSE | FALSE | |
3.2.2.1 | | If the Subject Identity Information is to include the name or address of an organization, the CA SHALL verify the identity and address of the organization and that the address is the Applicant's address of existence or operation | FALSE | FALSE | |
3.2.2.1 | | The CA SHALL verify the identity and address of the Applicant using documentation provided by, or through communication with, at least one of the following: 1. A government agency in the jurisdiction of the Applicant's legal creation, existence, or recognition; 2. A third party database that is periodically updated and considered a Reliable Data Source; 3. A site visit by the CA or a third party who is acting as an agent for the CA; or 4. An Attestation Letter. | FALSE | FALSE | |
3.2.2.2 | | If the Subject Identity Information is to include a DBA or tradename, the CA SHALL verify the Applicant's right to use the DBA/tradename using at least one of the following: 1. Documentation provided by, or communication with, a government agency in the jurisdiction of the Applicant's legal creation, existence, or recognition; 2. A Reliable Data Source; 3. Communication with a government agency responsible for the management of such DBAs or tradenames; 4. An Attestation Letter accompanied by documentary support; or 5. A utility bill, bank statement, credit card statement, government-issued tax document, or other form of identification that the CA determines to be reliable | FALSE | FALSE | |