[cabf_validation] Fwd: [zlint] ZLint v2.1.0 Release Candidate

Ryan Sleevi sleevi at google.com
Wed May 13 09:37:27 MST 2020

I'm not sure how closely CAs here are following new ZLint versions, but
given how many CAs have incorporated some form of pre- or post-issuance
linting based on ZLint and cablint, I thought it useful to pass this along.

1) There's a new version of ZLint being RC'd that incorporates lint for
root programs (see announcement below)
2) There's now a mailing list that CAs can subscribe to that will only be
used for announcements related to new versions of zlint - the
zlint-announcements at googlegroups.com mailing list

Considering several CAs have had incidents where they deployed linters, but
didn't keep them up to date to reflect changing requirements and/or
improved checks, this seemed useful to forward along and hopefully to be
added the same as CAs do for other software they depend on.

ZLint also adopted a cadence of Release-Candidate before releases, to allow
CAs a chance to raise concerns if they believe a Lint is incorrect/buggy,
which seems useful when looking at some of the lints in discussion around
some of the more complex cases.

---------- Forwarded message ---------
From: ZLint Announcements <zlint-announcements at googlegroups.com>
Date: Tue, May 12, 2020 at 2:08 PM
Subject: [zlint] ZLint v2.1.0 Release Candidate
To: ZLint Announcements <zlint-announcements at googlegroups.com>

We've cut a new release candidate, v2.1.0-rc1
<https://github.com/zmap/zlint/releases/tag/v2.1.0-rc1> (
https://github.com/zmap/zlint/releases/tag/v2.1.0-rc1). This is a minor
release that primarily includes bug fixes and new lints. Testing would be

If you find any problems feel free to report them on Github Issue #430
<https://github.com/zmap/zlint/issues/430>. We plan to cut a final v2.1.0
release next week if no problems are identified, per the "Versioning and
Releases" <https://github.com/zmap/zlint#versioning-and-releases> guidance
in the README.

*New Lints*

   - New CABF Baseline Requirements Lint
      - e_ext_nc_intersects_reserved_ip
   - New Mozilla PKI Policy Lints
      - e_mp_rsassa-pss_in_spki
      - e_mp_rsassa-pss_parameters_encoding_in_signature_algorithm_correct
      - e_mp_ecdsa_pub_key_encoding_correct
      - e_mp_ecdsa_signature_encoding_correct
   - New Apple PKI Policy Lints
      - e_tls_server_cert_valid_time_longer_than_398_days

Bug Fixes

   - The 2001:5::/32 network was removed from reserved networks list since
   it is no longer IANA reserved.


   - Updated TLD data (Current to 2020-04-02).
   - README updates.
   - CI test for ensuring OpenSSL text prepend of test cert data.

You received this message because you are subscribed to the Google Groups
"ZLint Announcements" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to zlint-announcements+unsubscribe at googlegroups.com.
To view this discussion on the web visit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/validation/attachments/20200513/f258147d/attachment.html>

More information about the Validation mailing list