
Policy Mappings extension should be blocked on end-entity certificates per RFC #923

Open
yosleg opened this issue Mar 7, 2025 · 2 comments

Comments

yosleg commented Mar 7, 2025

This extension is used in CA certificates.

https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.5

christopher-henderson (Member) commented

Would you be amenable to warn rather than error?

The reason is that ZLint, generally, attempts to take the typical RFC language of...

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].

And map it accordingly....

"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT" --> error
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" --> warn

When no such language exists it then becomes a bit tricky. In some cases it is common industry knowledge that you really cannot do a certain thing without causing problems, so it becomes an error despite the lack of an explicit MUST/MUST NOT.

For this one, I would need help finding cases where it could, or has, caused serious issues. Otherwise, I would prefer warning. It certainly is something you SHOULD NOT do, but it is otherwise not explicitly forbidden.

yosleg (Author) commented Mar 10, 2025

Warn is probably a safer change. I don't know of historical cases of this having caused issues; I can only make up hypothetical ones.
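The lint the thread converges on, as an added example that is not ZLint's own code and not part of this issue: it applies only to end-entity certificates (anything without basicConstraints cA=TRUE), returns NA for CA certificates, and returns Warn rather than Error when id-ce-policyMappings (2.5.29.33) is present, matching the warn-vs-error mapping described above. It uses only Go's standard library instead of ZLint's zcrypto-based lint interface (`CheckApplies`/`Execute`), so the `Result` type, `LintEndEntityPolicyMappings`, `BuildCert`, the self-signed sample certificates and the example policy OIDs inside the mapping are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// id-ce-policyMappings, RFC 5280 section 4.2.1.5.
var oidPolicyMappings = asn1.ObjectIdentifier{2, 5, 29, 33}

// policyMapping is one entry of the PolicyMappings SEQUENCE OF from RFC 5280.
type policyMapping struct {
	IssuerDomainPolicy  asn1.ObjectIdentifier
	SubjectDomainPolicy asn1.ObjectIdentifier
}

// Result is a simplified stand-in for ZLint's lint status (assumption: not ZLint's real type).
type Result string

const (
	Pass Result = "pass"
	NA   Result = "NA"   // the lint does not apply to this certificate
	Warn Result = "warn" // SHOULD NOT-level finding, per the RFC 2119 mapping in the thread
)

// LintEndEntityPolicyMappings applies only to end-entity certificates (anything without
// basicConstraints cA=TRUE) and warns if the policy mappings extension is present,
// since RFC 5280 says the extension is used in CA certificates.
func LintEndEntityPolicyMappings(c *x509.Certificate) Result {
	if c.BasicConstraintsValid && c.IsCA {
		return NA
	}
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidPolicyMappings) {
			return Warn
		}
	}
	return Pass
}

// BuildCert creates a self-signed test certificate (constructed sample input, not a real
// certificate). withMappings adds a policy mappings extension with example OIDs.
func BuildCert(isCA, withMappings bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lint.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if withMappings {
		// Illustrative mapping between two policy OIDs; the values are example data only.
		raw, err := asn1.Marshal([]policyMapping{{
			IssuerDomainPolicy:  asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2},
			SubjectDomainPolicy: asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1},
		}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{
			Id: oidPolicyMappings, Critical: true, Value: raw,
		})
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Round-trip through the parser so the lint runs on the encoded extension list.
	return x509.ParseCertificate(der)
}

func main() {
	for _, tc := range []struct {
		name           string
		isCA, withMaps bool
	}{
		{"end-entity with policy mappings", false, true},
		{"end-entity without policy mappings", false, false},
		{"CA with policy mappings", true, true},
	} {
		cert, err := BuildCert(tc.isCA, tc.withMaps)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-36s -> %s\n", tc.name, LintEndEntityPolicyMappings(cert))
	}
}
```

The applicability check deliberately treats a certificate with no basicConstraints extension at all as end-entity, which is how a leaf that omits the extension would be classified; promoting Warn to Error later would only require changing the returned status once a concrete interoperability failure is documented.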
