
mark cab_dv_conflicts_with* lints superseded #1023

Merged
christopher-henderson merged 1 commit into zmap:master from mhyder13:dv-conflicts-lints on Mar 1, 2026

Conversation

@mhyder13

Contributor

Summary

Continuing on with my attempt to baseline all the TLS BR lints against the current version of the BRs, this PR:

  • updates the cab_dv_conflicts_with* lints with the most recent version of their associated language
  • fixes the out-of-date citation string in e_cab_dv_conflicts_with_locality
  • adds a citation history to the lints
  • marks e_cab_dv_conflicts_with_locality, e_cab_dv_conflicts_with_org, e_cab_dv_conflicts_with_province, e_cab_dv_conflicts_with_street, and e_cab_dv_conflicts_with_postal as ineffective on the CABFBRs_2_0_0_Date
  • adds unit testing for the validity period changes

Why?

All of these lints are enforcing checks that trigger only in cases where certs violate the BRs. The reason I'm recommending deprecating them is that they no longer have any real basis in the text of the BRs and have been effectively superseded by a new, broader requirement.

These lints are very old, all dating from the original implementation of zlint. At the time, the BRs were still much closer to their original, minimal form, and they used language that restricted what subject elements DV certificates could include by prohibiting specific OIDs. The language looked like this:

If the Certificate asserts the policy identifier of 2.23.140.1.2.1, then it MUST NOT include organizationName, givenName, surname, streetAddress, localityName, stateOrProvinceName, or postalCode in the Subject field.

In that context, these lints that each check one prohibited attribute made sense and directly followed the structure of the BRs. This section was completely rewritten in major certificate profile reworks included in v2.0.0, and is now a table. The table shows that countryName and commonName are permitted, but that the use of any other subject element is prohibited. This was added to zlint as e_cab_dv_subject_invalid_values, which now covers all the cases that were included in these lints. It follows the structure of the new requirement by checking for the specifically allowed elements and setting an error if it finds anything else.

Because the language these lints implement has been removed from the BRs, and because the cases that these lints cover are now all covered by e_cab_dv_subject_invalid_values, I think it's time to sunset them. They no longer have a real basis in the requirements document, and they are just generating duplicate errors for any cert misissued after the CABFBRs_2_0_0_Date.

Additional Notes

Starting in v1.4.1, the BRs also prohibited givenName and surname from DV certs. Somehow, these didn't make it into zlint with the others (or at least I couldn't find them here now). I didn't add them to cover the period before v2.0.0. If someone has a use for those, they should be pretty easy to add.

Doc References

  • §9.3.1 from v1.2.5 (page break edited out of image for brevity)
  • §7.1.6.1 from v1.3.0 (the next version after v1.2.5)
  • §7.1.2.7.2 from v2.0.0 (next version after 1.8.7, shows replacement language, page break edited out of image for brevity)
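The allow-list check described in the PR, as an added example that is not part of this PR or of zlint's own e_cab_dv_subject_invalid_values: it uses the standard-library x509/pkix types rather than zlint's, and DVSubjectViolations, SampleDVCert and the sample subject are constructed for this page. Unlike the per-attribute cab_dv_conflicts_with* lints, one walk over the subject RDNs flags any attribute type the v2.0.0 table does not permit, including givenName and surname.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

var dvPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}          // DV policy OID from the PR text
var dvAllowed = []asn1.ObjectIdentifier{{2, 5, 4, 6}, {2, 5, 4, 3}} // C, CN: all the v2.0.0 table permits

func oidIn(oid asn1.ObjectIdentifier, set []asn1.ObjectIdentifier) bool {
	for _, o := range set {
		if o.Equal(oid) {
			return true
		}
	}
	return false
}

// DVSubjectViolations applies the allow-list rule the PR credits to
// e_cab_dv_subject_invalid_values: a cert asserting the DV policy gets every
// subject attribute type other than C or CN reported. Walking the RDN sequence
// catches givenName, surname or any other OID; non-DV certs yield nil.
func DVSubjectViolations(c *x509.Certificate) []string {
	if !oidIn(dvPolicyOID, c.PolicyIdentifiers) {
		return nil
	}
	var bad []string
	for _, rdn := range c.Subject.ToRDNSequence() {
		for _, atv := range rdn {
			if !oidIn(atv.Type, dvAllowed) {
				bad = append(bad, atv.Type.String())
			}
		}
	}
	return bad
}

// SampleDVCert is a constructed, unsigned DV certificate whose subject holds an
// organization, a locality and a givenName (2.5.4.42), all prohibited by the table.
func SampleDVCert() *x509.Certificate {
	return &x509.Certificate{
		PolicyIdentifiers: []asn1.ObjectIdentifier{dvPolicyOID},
		Subject: pkix.Name{CommonName: "example.test", Country: []string{"US"},
			Organization: []string{"Example Org"}, Locality: []string{"Anytown"},
			ExtraNames: []pkix.AttributeTypeAndValue{{Type: asn1.ObjectIdentifier{2, 5, 4, 42}, Value: "Alice"}},
		},
	}
}
```

For the sample certificate the check reports the organization (2.5.4.10), locality (2.5.4.7) and givenName (2.5.4.42) OIDs; a DV subject holding only C and CN reports nothing.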

@christopher-henderson christopher-henderson left a comment

Member


You put so much work into your PRs that I feel bad just leaving a lgtm, but...it looks good to me! Thank you!

@christopher-henderson christopher-henderson merged commit 145bd26 into zmap:master Mar 1, 2026
4 checks passed
@mhyder13 mhyder13 deleted the dv-conflicts-lints branch March 2, 2026 03:20