<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;
panose-1:2 11 0 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:12.0pt;
font-family:"Aptos",sans-serif;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:496922492;
mso-list-type:hybrid;
mso-list-template-ids:-887329922 -435893168 134807555 134807557 134807553 134807555 134807557 134807553 134807555 134807557;}
@list l0:level1
{mso-level-start-at:5;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Aptos",sans-serif;
mso-fareast-font-family:Aptos;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style></head><body lang=en-SE link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Hi Samantha, Aaron,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>I like this idea, quite a lot. Though I do want to share a few thoughts I’ve got on the subject:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><ul style='margin-top:0cm' type=disc><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;mso-fareast-language:EN-US'>While we could (strongly) recommend that the ballot authors and/or endorsers try to incorporate this, we should make it an optional recommendation. Not everyone may have the skills, or not every CA may have the resources to allocate someone to write a lint at the same time as the ballot is in progress or being prepared. I wouldn’t want not being able to provide a lint stand in the way of passing an otherwise perfectly good ballot.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;mso-fareast-language:EN-US'>We could likewise update the default ballot text template to incorporate a line such as: “The following lints are being prepared to accommodate these ballot requirements”, alternative “No lints are yet being prepared for these changes. The author and endorsers are looking for volunteers to help in this effort”.<o:p></o:p></span></li><li class=MsoListParagraph style='margin-left:0cm;mso-list:l0 level1 lfo1'><span style='font-size:11.0pt;mso-fareast-language:EN-US'>We have representatives for pkilint and <a href="https://github.com/certlint/certlint">certlint</a> vailable at the forum, so it should be easily do-able to make sure that if a lint is added, they could also prepare a new release prior to the ballot’s effective date. I’m not sure the same applies for zlint (correct me if I’ve missed a link though). We should seek co-operation with the zlint maintainers to see if releases can be prepared prior to any such effective date. <o:p></o:p></span></li></ul><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='color:black'>From: </span></b><span style='color:black'>Servercert-wg <servercert-wg-bounces@cabforum.org> on behalf of Aaron Gable via Servercert-wg <servercert-wg@cabforum.org><br><b>Date: </b>Monday, 1 April 2024 at 22:18<br><b>To: </b>CA/B Forum Server Certificate WG Public Discussion List <servercert-wg@cabforum.org><br><b>Subject: </b>[Servercert-wg] Fixing lag between requirements changes and linter updates<o:p></o:p></span></p></div><div style='border:solid black 1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line-height:12.0pt;background:#FAFA03'><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:black'>CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>In the last six months, by our count there have been at least: <o:p></o:p></p><div><p class=MsoNormal>- 7 bugzilla incident reports due to not marking the basicConstraints extension critical (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888060&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066048666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=j%2BSyuwebJvP76a1UWNicHl2rkfcOfszKeRHxFQNRLIk%3D&reserved=0">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887008&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066059012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=0TJkn13OmUCsOylpMwLG%2B98MLVOJeR9X3d%2FOJgpd7Ns%3D&reserved=0">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883416&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066065512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=GupXZoxXGytAjPfoy7%2FA%2FvGGW0cZlil3XQSeTp1CCx8%3D&reserved=0">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888104&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066071156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=NkL222AznkNM4eRx6gMaU4xJpTtfxxjAbVwdF%2BQA93o%3D&reserved=0">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1885132&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066076535%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bu9g3XoY2olWyhcD9ccp3%2F77Vx1Y%2FltG9PH%2F%2BUjIkYU%3D&reserved=0">5</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886135&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066081844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=krdet7BBUJtJrqh%2BT79IlkB0fl7cw%2BxG4QDalkOwpL0%3D&reserved=0">6</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875820&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066087108%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=yCpddEhi%2F8RJBNc1fyz2awwOWFS1CsXtc8bw632aWNU%3D&reserved=0">7</a>)<o:p></o:p></p></div><div><p class=MsoNormal>- 5 bugzilla incident reports due to encoding Subject attributes in an incorrect order (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1864204&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066092452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VaMZUmDp5EqliS0F2L4%2BrGdNPvECxRY70d3JwvmVAKU%3D&reserved=0">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886624&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066097858%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2FrCMsgAzk7XFUSqEGTzLCE%2Ftj9bzYOGPIFdL4SQlIe8%3D&reserved=0">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883731&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066103104%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=z5yeMp53Ri7DnuAJ%2BrjqxwxowpBLlAjrDiTfw5g6rkY%3D&reserved=0">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883620&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066108333%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ppLiUOFv%2BbREQDokNcIxEpLO9XsNpyL%2F3gi6FaV1jzk%3D&reserved=0">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883779&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066113524%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=fVoIm%2FifZ8w6VhSQ8dsdEZjNvXl%2BiIerDwSiRMkxjFc%3D&reserved=0">5</a>)<o:p></o:p></p></div><div><p class=MsoNormal>- 3 bugzilla incident reports due to not including the CPS URI in an EV certificate (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883843&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066118767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=loadvCWZIQUhYIhb1XL9xGNPoqOh5lpijTFrvS%2Fp91E%3D&reserved=0">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886257&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066123968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=odM0dSQFzasI0dpIOJ%2F4kp3zNy9cgKBgHcx%2BxmHLQWI%3D&reserved=0">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888016&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066129186%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Gh%2FCXlzFLrYCmLC0Bys55C5XJNiEucjWe1ive00SDVE%3D&reserved=0">3</a>)<o:p></o:p></p></div><div><p class=MsoNormal>- and 7 other incidents due to missing various other requirements from the profiles ballot (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1861069&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066134397%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bXRY7Gc%2BQb%2BHLAnXvBj4aOpGb1gHwMp9Pq0HEDdySkk%3D&reserved=0">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1876565&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066139616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=uEG%2FvOWNaP8L77gLXkxGXR70eZVrzXVZFzy%2Fv%2BMp8qg%3D&reserved=0">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884532&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066149404%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Vma0C0IlQKwzpaSecRMFhSbQliXIQ46aMih%2B1IexXaA%3D&reserved=0">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884714&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066157423%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=P0cuTzMMPNufhL9QoYqMXykVG8V%2BsV9kqQYlffbRr%2BE%3D&reserved=0">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886406&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066165160%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F4F%2FsWvGbjmG8jZs0KoN%2BYKJe%2FuFacmik3jHuzgJ3IU%3D&reserved=0">5</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887096&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066173373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=y%2Bm3Zi4AYqi%2Fb%2B%2BwY4ISARBtEibScQMAYnqiJxkubW0%3D&reserved=0">6</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875942&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066181540%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=mF79x9SOmfepRp2mPw2BRG4RdtwetLFmk1hVtHwt8OQ%3D&reserved=0">7</a>).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Many of these incidents cite reliance on linting systems (such as <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fzmap%2Fzlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066189666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=gLZj4Dd%2FC8z3v4T23Vy7HGtbwyk0ko5ZqezhFR5OFFE%3D&reserved=0">zlint</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdigicert%2Fpkilint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066197657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=xHLjkG%2F7jcX1EK7Mx1x9nrMOiG6zesHF8cS5BV3X7cA%3D&reserved=0">pkilint</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Famazon-archives%2Fcertlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066205485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F1YMCmM1zMdDXDLypNwCusWvACaLvk2zRbtJ6ACydrQ%3D&reserved=0">cablint</a>, and <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkroeckx%2Fx509lint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066215084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Fv%2BbeJBwWzxQSKzq%2BQYMVQS%2B4gQ0WRL3byUMq8hSK%2Bk%3D&reserved=0">x509lint</a>) to report whether actual issuance practices are in line with the required profiles. And many of these incidents cite the fact that ballot SC-062 was not enforced by zlint immediately on 2023-09-15 as a reason that the non-compliance was not caught.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Obviously there are many potential improvements that can be made here, including both process and technical improvements within each CA, and we're sure that they will be. But the scale of these incidents suggests to me that there may be systemic changes <i>we</i> can make to enable easier compliance with certificate profile changes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We think that it would make sense for any proposed ballot which touches Section 7 of the BRs (or equivalent sections in the EVGs) to be accompanied by a PR against zlint which adds or modifies checks to enforce the proposed ballot text.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Such a ballot would not necessarily have to be written by the ballot author (this is what endorsers are for!), and zlint already has capabilities to not start enforcing a lint until a specified Effective Date in the future, so incorporating upcoming ballot requirements into zlint ahead of time should be fairly easy and straightforward.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>We know that we certainly plan to do this for any future ballots we propose. What we don't know is how we would go about actually encouraging this behavior. Just setting new community norms about asking for such PRs during the discussion period? Adding something to our bylaws to require such a PR in the official ballot proposal? Do others have ideas?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p></div><div><p class=MsoNormal>Samantha Frank & Aaron Gable<o:p></o:p></p></div></div></div></div></div></div></body></html>