Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for STIR/SHAKEN Compliance Tests? #793

Open
rmhrisk opened this issue Feb 5, 2024 · 3 comments
Open

Support for STIR/SHAKEN Compliance Tests? #793

rmhrisk opened this issue Feb 5, 2024 · 3 comments

Comments

@rmhrisk
Copy link

rmhrisk commented Feb 5, 2024

@martinisec has a version of Zlint that includes tests for spotting visible issuance-related compliance problems in the STIR/SHAKEN ecosystem. For those who might not know, STIR/SHAKEN is a system based on X.509 PKI that uses ACME to give out certificates that look similar to OV certificates to telecom companies in the WebPKI.

We combine this version of Zlint with real certificates to identify when certificates are issued incorrectly by different CAs, similar to how Certificate Transparency works in the WebPKI. You can check out the reports we make with these tests here:
https://ecosystemcompliance.martinisecurity.com/

Here's a quick preview:
image

So far, the main administrators of this ecosystem haven't addressed the issue of CA misissuance, which is why we continue to see widespread problems with how approved CAs issue certificates, even though they know about the tests and the report.

We think one way to possibly get more CAs to follow better practices is if the Zlint project would be open to adding these tests. Each test specifies the exact rule it's based on, and except for Notices, uses clear normative style language. We've used these findings to highlight what we think are generally agreed-upon best practices in PKI.

Would there be interest in adding these tests to Zlint?

@zakird
Copy link
Member

zakird commented Feb 7, 2024

I'm supportive if there's someone who can help to maintain and approve lints related to STIR/SHAKEN. I don't know if anyone right now has the domain expertise, but I'm open to the idea, in part because we can limit the scope to only STIR/SHAKEN certs, so there's not much potential for harm.

@aaomidi
Copy link
Contributor

aaomidi commented Feb 7, 2024

+1 to supporting STIR/SHAKEN given what @zakird said. It's part of Public PKI after all :)

@rmhrisk
Copy link
Author

rmhrisk commented Feb 8, 2024

Sounds good, we can sign up to support the help on maintenance and approval. We will work on getting a PR over for review, we recently re-based so it shouldn't be too much work to get an initial PR for review in.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants