In version 2.5.0 of the ETSI European Norm 319 412-5 it was clarified that -- within the QcStatements extension -- the value of the QcType element cannot contain more than one OID (id-etsi-qct-esign | id-etsi-qct-eseal | id-etsi-qct-web). Strangely enough, the ASN.1 for the QcType value is a `SEQUENCE`, so it was theoretically allowed -- although nonsensical -- to issue a certificate having QcType = { id-etsi-qct-eseal | id-etsi-qct-web }. But after the release date of version 2.5.0 of the said norm, which is March 2025, doing this is expressly prohibited: the plain `SEQUENCE` was changed to `SEQUENCE SIZE (1)`.
However, I've noticed that ZLint doesn't detect this error (QcType with multiple values) in certificates issued after that date, so I believe it would be better to remediate.
Since a lint already exists that performs checks on the QcType value, the author of that lint (I believe @mtgag) might consider a revision. Otherwise, I remain available to produce a suitable lint myself.
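The check the issue asks for, as an added example written for this page (not ZLint's own lint code and not part of the issue): it parses a DER-encoded QCStatements extension value with Go's `encoding/asn1`, locates the QcType statement (OID 0.4.0.1862.1.6), and reports an error unless the statementInfo is a SEQUENCE of exactly one OID drawn from id-etsi-qct-esign / -eseal / -web (0.4.0.1862.1.6.1 / .2 / .3). The `Status` values and the `buildQcStatements` helper that fabricates test input are this example's own constructions, modelled loosely on ZLint's NA/Pass/Error outcomes; the OIDs are the ones defined in RFC 3739 and ETSI EN 319 412-5.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// OIDs from ETSI EN 319 412-5: the QcType statement identifier and the
// three certificate types it may carry.
var (
	oidQcType   = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6}
	oidQctEsign = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 1}
	oidQctEseal = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 2}
	oidQctWeb   = asn1.ObjectIdentifier{0, 4, 0, 1862, 1, 6, 3}
)

// qcStatement mirrors QCStatement from RFC 3739: statementId followed by an
// optional statementInfo whose type depends on statementId. RawValue keeps
// the statementInfo bytes untouched so they can be decoded per statement.
type qcStatement struct {
	StatementID   asn1.ObjectIdentifier
	StatementInfo asn1.RawValue `asn1:"optional"`
}

// Status is the lint outcome (an assumption of this example, loosely
// following ZLint's NA / Pass / Error results).
type Status int

const (
	NotApplicable Status = iota
	Pass
	Error
)

func (s Status) String() string { return [...]string{"NA", "Pass", "Error"}[s] }

// buildQcStatements fabricates a DER QCStatements value holding one QcType
// statement whose statementInfo is SEQUENCE OF the given OIDs. It exists only
// to construct sample input; a real lint receives the bytes from the cert.
func buildQcStatements(types []asn1.ObjectIdentifier) ([]byte, error) {
	info, err := asn1.Marshal(types) // QcType ::= SEQUENCE OF OBJECT IDENTIFIER
	if err != nil {
		return nil, err
	}
	stmt := qcStatement{StatementID: oidQcType, StatementInfo: asn1.RawValue{FullBytes: info}}
	return asn1.Marshal([]qcStatement{stmt})
}

func isKnownQcType(oid asn1.ObjectIdentifier) bool {
	return oid.Equal(oidQctEsign) || oid.Equal(oidQctEseal) || oid.Equal(oidQctWeb)
}

// lintQcType enforces the v2.5.0 SEQUENCE SIZE (1) constraint: the QcType
// statementInfo must decode as a SEQUENCE of exactly one OID, and that OID
// must be one of the three defined types. Certificates without a QcType
// statement are NotApplicable rather than errors.
func lintQcType(der []byte) (Status, string) {
	var stmts []qcStatement
	rest, err := asn1.Unmarshal(der, &stmts)
	if err != nil {
		return Error, "QCStatements is not valid DER: " + err.Error()
	}
	if len(rest) != 0 {
		return Error, "trailing bytes after QCStatements"
	}
	for _, s := range stmts {
		if !s.StatementID.Equal(oidQcType) {
			continue
		}
		var types []asn1.ObjectIdentifier
		rest, err := asn1.Unmarshal(s.StatementInfo.FullBytes, &types)
		if err != nil {
			return Error, "QcType statementInfo is not a SEQUENCE OF OID: " + err.Error()
		}
		if len(rest) != 0 {
			return Error, "trailing bytes after QcType"
		}
		if len(types) != 1 {
			return Error, fmt.Sprintf("QcType contains %d OIDs; EN 319 412-5 v2.5.0 requires exactly one", len(types))
		}
		if !isKnownQcType(types[0]) {
			return Error, "QcType OID " + types[0].String() + " is not id-etsi-qct-esign, -eseal or -web"
		}
		return Pass, "QcType carries exactly one OID: " + types[0].String()
	}
	return NotApplicable, "no QcType statement present"
}

func main() {
	// Constructed inputs: a compliant cert, the eseal+web case from the issue, and an empty SEQUENCE.
	cases := map[string][]asn1.ObjectIdentifier{
		"eseal only":    {oidQctEseal},
		"eseal and web": {oidQctEseal, oidQctWeb},
		"empty QcType":  {},
	}
	for name, types := range cases {
		der, err := buildQcStatements(types)
		if err != nil {
			panic(err)
		}
		status, msg := lintQcType(der)
		fmt.Printf("%-14s -> %v: %s\n", name, status, msg)
	}
}
```

Note that the check treats an empty QcType SEQUENCE as an error too, since `SIZE (1)` bounds the element count from below as well as above; a lint that only rejects "more than one" would let that through.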