lints: remove w_serial_number_low_entropy lint. #292
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Per zlint zmap#270: > I believe this check does more harm than good. > > > A fully compliant CA which generates a random serial number from > exactly 64 bits of entropy will produce a serial number less than > 8 bytes long 1 in 256 times. That means that for every million certs > issued, this check will cause about 4,000 false positives. > > ... > > The only sensible way to detect low entropy is to run an analysis > across a large corpus of certificates. If you try to detect it on > a cert-by-cert basis you should at least have a much smaller minimum > length than 8 so there's a lower false positive rate than 1/256. This commit removes the `w_serial_number_low_entropy` lint and associated tests/testdata.
zakird
approved these changes
Jul 20, 2019
aaomidi
pushed a commit
to aaomidi/zlint
that referenced
this pull request
Nov 29, 2022
…ng (zmap#298) * backporting asn1, pkix to allow permissive parsing (zmap#284) * forking from golang.org/x/crypto/cryptobyte to allow permissive parsing * Allow permissive asn1 parsing on UTF8, integer and NameConstraints (zmap#287) * Allow permissive asn1 parsing on UTF8, integer and NameConstraints * Allow permissive asn1 parsing on UTF8, integer and NameConstraints, NumericString * Allow permissive parsing: IA5, integer min len (zmap#289) * Fix Name.String() to legacy behavior, permissive parsing asn1.IA5String (zmap#292) * deps: update publicsuffix-go for 2021-05-11T10:35:34 UTC * deps: update publicsuffix-go for 2021-05-13T08:40:11 UTC * deps: update publicsuffix-go for 2021-05-21T08:41:21 UTC * deps: update publicsuffix-go for 2021-05-27T09:03:28 UTC * Allow permissive parsing: IA5, integer min len * Fix Name.String() to legacy behavior Co-authored-by: GitHub <noreply@github.com> * Fix RDNSequence.String() to print user friendly names (zmap#294) * Merge branch master into feature/parse_certs (zmap#296) * deps: update publicsuffix-go for 2021-05-11T10:35:34 UTC * deps: update publicsuffix-go for 2021-05-13T08:40:11 UTC * deps: update publicsuffix-go for 2021-05-21T08:41:21 UTC * deps: update publicsuffix-go for 2021-05-27T09:03:28 UTC * deps: update publicsuffix-go for 2021-06-01T15:03:13 UTC * Fix RDNSequence.String() to print user friendly names * Porting ocsp package from the latest standard lib (zmap#279) Co-authored-by: Zakir Durumeric <zakird@gmail.com> * deps: update publicsuffix-go for 2021-06-07T12:03:41 UTC Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Daniel McCarney <daniel@binaryparadox.net> Co-authored-by: Zakir Durumeric <zakird@gmail.com> Co-authored-by: Benjamin Wireman <ben@censys.io> Co-authored-by: GitHub <noreply@github.com> Co-authored-by: Daniel McCarney <daniel@binaryparadox.net> Co-authored-by: Zakir Durumeric <zakird@gmail.com> Co-authored-by: Jeff Cody <jeff@codyprime.org>
aaomidi
added a commit
to aaomidi/zlint
that referenced
this pull request
Jun 17, 2024
This reverts commit a0632ad.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Quoting @agwa:
I agree with the assessment the current
w_serial_number_low_entropylint does more harm than good. This commit removes it and the associated tests/testdata. The current design ofzlintdoesn't support the large corpus analysis that would be required for a proper replacement.Resolves #270