<div dir="ltr"><span id="gmail-docs-internal-guid-9901fdd8-7fff-e324-83ab-cdcfe641e138"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Like Martijn, we appreciate the spirit behind this recommendation.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Establishing clear expectations related to linting is something the Chrome Root Program considers important. We’ve </span><a href="https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">touched</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> [1] on this on the open SCWG </span><a href="https://github.com/cabforum/servercert/issues/443" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">GitHub issue</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> [2] related to linting, during our update at </span><a href="https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">F2F 60</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> [3], and in response to several incident reports disclosed to Bugzilla. We’re happy to see interest from others in this area, and the recent announcement of SC-73.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">That said, we also think it’s important to avoid creating external dependencies on third-party organizations, some of which are not directly involved in this specific Working Group or the broader Forum, when considering adding new requirements to the TLS BRs - or when those requirements become effective. This is especially true when considering requirements that have real-world security implications (e.g., cryptographic deprecations). Ultimately, it is each CA’s responsibility to adhere to the BRs - and it is not the responsibility of the SCWG, as I interpret the </span><a href="https://cabforum.org/working-groups/server/charter/" style="text-decoration-line:none"><span style="font-family:Arial,sans-serif;background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;text-decoration-line:underline;vertical-align:baseline">charter</span></a><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline"> [4], to prevent compliance issues.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">Further, CAs aren’t required to adopt any or all of the open-source tools described in Samantha and Aaron’s message. If these tools are adopted, there’s nothing that ensures CAs rely on the latest versions of these tools - or use them “correctly.” The combination of these two points is that it seems unlikely this effort, if pursued, will completely eliminate incidents related to mis-issuance. However, better (i.e., reduced incidents) should still be considered a good thing because it represents an opportunity for investment of time and resources elsewhere in an effort to more meaningfully improve web security.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">- Ryan (on behalf of the Chrome Root Program)</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[1] <a href="https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164">https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164</a></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[2] <a href="https://github.com/cabforum/servercert/issues/443">https://github.com/cabforum/servercert/issues/443</a></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[3] <a href="https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1">https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1</a></span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial,sans-serif;color:rgb(0,0,0);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;font-variant-alternates:normal;vertical-align:baseline">[4] <a href="https://cabforum.org/working-groups/server/charter/">https://cabforum.org/working-groups/server/charter/</a></span></p></span><br class="gmail-Apple-interchange-newline"></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 2, 2024 at 3:38 AM Martijn Katerbarg via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div class="msg-5097174354276871654"><div lang="en-SE" style="overflow-wrap: break-word;"><div class="m_-5097174354276871654WordSection1"><p class="MsoNormal"><span style="font-size:11pt">Hi Samantha, Aaron,<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt">I like this idea, quite a lot. Though I do want to share a few thoughts I’ve got on the subject:<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><ul style="margin-top:0cm" type="disc"><li class="m_-5097174354276871654MsoListParagraph" style="margin-left:0cm"><span style="font-size:11pt">While we could  (strongly) recommend that the ballot authors and/or endorsers try to incorporate this, we should make it an optional recommendation. Not everyone may have the skills, or not every CA may have the resources to allocate someone to write a lint at the same time as the ballot is in progress or being prepared. I wouldn’t want not being able to provide a lint stand in the way of passing an otherwise perfectly good ballot.<u></u><u></u></span></li><li class="m_-5097174354276871654MsoListParagraph" style="margin-left:0cm"><span style="font-size:11pt">We could likewise update the default ballot text template to incorporate a line such as: “The following lints are being prepared to accommodate these ballot requirements”, alternative “No lints are yet being prepared for these changes. The author and endorsers are looking for volunteers to help in this effort”.<u></u><u></u></span></li><li class="m_-5097174354276871654MsoListParagraph" style="margin-left:0cm"><span style="font-size:11pt">We have representatives for pkilint and <a href="https://github.com/certlint/certlint" target="_blank">certlint</a> vailable at the forum, so it should be easily do-able to make sure that if a lint is added, they could also prepare a new release prior to the ballot’s effective date. I’m not sure the same applies for zlint (correct me if I’ve missed a link though). We should seek co-operation with the zlint maintainers to see if releases can be prepared prior to any such effective date. <u></u><u></u></span></li></ul><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11pt">Regards,<br><br>Martijn<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11pt"><u></u> <u></u></span></p><div id="m_-5097174354276871654mail-editor-reference-message-container"><div><div style="border-right:none;border-bottom:none;border-left:none;border-top:1pt solid rgb(181,196,223);padding:3pt 0cm 0cm"><p class="MsoNormal" style="margin-bottom:12pt"><b><span style="color:black">From: </span></b><span style="color:black">Servercert-wg <<a href="mailto:servercert-wg-bounces@cabforum.org" target="_blank">servercert-wg-bounces@cabforum.org</a>> on behalf of Aaron Gable via Servercert-wg <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Date: </b>Monday, 1 April 2024 at 22:18<br><b>To: </b>CA/B Forum Server Certificate WG Public Discussion List <<a href="mailto:servercert-wg@cabforum.org" target="_blank">servercert-wg@cabforum.org</a>><br><b>Subject: </b>[Servercert-wg] Fixing lag between requirements changes and linter updates<u></u><u></u></span></p></div><div style="border:1pt solid black;padding:2pt"><p class="MsoNormal" style="line-height:12pt;background:rgb(250,250,3)"><span style="font-size:10pt;font-family:Calibri,sans-serif;color:black">CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.<u></u><u></u></span></p></div><p class="MsoNormal"><u></u> <u></u></p><div><div><p class="MsoNormal">In the last six months, by our count there have been at least: <u></u><u></u></p><div><p class="MsoNormal">- 7 bugzilla incident reports due to not marking the basicConstraints extension critical (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888060&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066048666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=j%2BSyuwebJvP76a1UWNicHl2rkfcOfszKeRHxFQNRLIk%3D&reserved=0" target="_blank">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887008&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066059012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=0TJkn13OmUCsOylpMwLG%2B98MLVOJeR9X3d%2FOJgpd7Ns%3D&reserved=0" target="_blank">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883416&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066065512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=GupXZoxXGytAjPfoy7%2FA%2FvGGW0cZlil3XQSeTp1CCx8%3D&reserved=0" target="_blank">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888104&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066071156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=NkL222AznkNM4eRx6gMaU4xJpTtfxxjAbVwdF%2BQA93o%3D&reserved=0" target="_blank">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1885132&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066076535%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bu9g3XoY2olWyhcD9ccp3%2F77Vx1Y%2FltG9PH%2F%2BUjIkYU%3D&reserved=0" target="_blank">5</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886135&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066081844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=krdet7BBUJtJrqh%2BT79IlkB0fl7cw%2BxG4QDalkOwpL0%3D&reserved=0" target="_blank">6</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875820&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066087108%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=yCpddEhi%2F8RJBNc1fyz2awwOWFS1CsXtc8bw632aWNU%3D&reserved=0" target="_blank">7</a>)<u></u><u></u></p></div><div><p class="MsoNormal">- 5 bugzilla incident reports due to encoding Subject attributes in an incorrect order (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1864204&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066092452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VaMZUmDp5EqliS0F2L4%2BrGdNPvECxRY70d3JwvmVAKU%3D&reserved=0" target="_blank">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886624&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066097858%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2FrCMsgAzk7XFUSqEGTzLCE%2Ftj9bzYOGPIFdL4SQlIe8%3D&reserved=0" target="_blank">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883731&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066103104%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=z5yeMp53Ri7DnuAJ%2BrjqxwxowpBLlAjrDiTfw5g6rkY%3D&reserved=0" target="_blank">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883620&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066108333%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ppLiUOFv%2BbREQDokNcIxEpLO9XsNpyL%2F3gi6FaV1jzk%3D&reserved=0" target="_blank">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883779&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066113524%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=fVoIm%2FifZ8w6VhSQ8dsdEZjNvXl%2BiIerDwSiRMkxjFc%3D&reserved=0" target="_blank">5</a>)<u></u><u></u></p></div><div><p class="MsoNormal">- 3 bugzilla incident reports due to not including the CPS URI in an EV certificate (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883843&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066118767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=loadvCWZIQUhYIhb1XL9xGNPoqOh5lpijTFrvS%2Fp91E%3D&reserved=0" target="_blank">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886257&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066123968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=odM0dSQFzasI0dpIOJ%2F4kp3zNy9cgKBgHcx%2BxmHLQWI%3D&reserved=0" target="_blank">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888016&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066129186%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Gh%2FCXlzFLrYCmLC0Bys55C5XJNiEucjWe1ive00SDVE%3D&reserved=0" target="_blank">3</a>)<u></u><u></u></p></div><div><p class="MsoNormal">- and 7 other incidents due to missing various other requirements from the profiles ballot (<a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1861069&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066134397%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bXRY7Gc%2BQb%2BHLAnXvBj4aOpGb1gHwMp9Pq0HEDdySkk%3D&reserved=0" target="_blank">1</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1876565&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066139616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=uEG%2FvOWNaP8L77gLXkxGXR70eZVrzXVZFzy%2Fv%2BMp8qg%3D&reserved=0" target="_blank">2</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884532&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066149404%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Vma0C0IlQKwzpaSecRMFhSbQliXIQ46aMih%2B1IexXaA%3D&reserved=0" target="_blank">3</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884714&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066157423%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=P0cuTzMMPNufhL9QoYqMXykVG8V%2BsV9kqQYlffbRr%2BE%3D&reserved=0" target="_blank">4</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886406&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066165160%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F4F%2FsWvGbjmG8jZs0KoN%2BYKJe%2FuFacmik3jHuzgJ3IU%3D&reserved=0" target="_blank">5</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887096&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066173373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=y%2Bm3Zi4AYqi%2Fb%2B%2BwY4ISARBtEibScQMAYnqiJxkubW0%3D&reserved=0" target="_blank">6</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875942&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066181540%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=mF79x9SOmfepRp2mPw2BRG4RdtwetLFmk1hVtHwt8OQ%3D&reserved=0" target="_blank">7</a>).<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Many of these incidents cite reliance on linting systems (such as <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fzmap%2Fzlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066189666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=gLZj4Dd%2FC8z3v4T23Vy7HGtbwyk0ko5ZqezhFR5OFFE%3D&reserved=0" target="_blank">zlint</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdigicert%2Fpkilint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066197657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=xHLjkG%2F7jcX1EK7Mx1x9nrMOiG6zesHF8cS5BV3X7cA%3D&reserved=0" target="_blank">pkilint</a>, <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Famazon-archives%2Fcertlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066205485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F1YMCmM1zMdDXDLypNwCusWvACaLvk2zRbtJ6ACydrQ%3D&reserved=0" target="_blank">cablint</a>, and <a href="https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkroeckx%2Fx509lint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066215084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Fv%2BbeJBwWzxQSKzq%2BQYMVQS%2B4gQ0WRL3byUMq8hSK%2Bk%3D&reserved=0" target="_blank">x509lint</a>) to report whether actual issuance practices are in line with the required profiles. And many of these incidents cite the fact that ballot SC-062 was not enforced by zlint immediately on 2023-09-15 as a reason that the non-compliance was not caught.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Obviously there are many potential improvements that can be made here, including both process and technical improvements within each CA, and we're sure that they will be. But the scale of these incidents suggests to me that there may be systemic changes <i>we</i> can make to enable easier compliance with certificate profile changes.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">We think that it would make sense for any proposed ballot which touches Section 7 of the BRs (or equivalent sections in the EVGs) to be accompanied by a PR against zlint which adds or modifies checks to enforce the proposed ballot text.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Such a ballot would not necessarily have to be written by the ballot author (this is what endorsers are for!), and zlint already has capabilities to not start enforcing a lint until a specified Effective Date in the future, so incorporating upcoming ballot requirements into zlint ahead of time should be fairly easy and straightforward.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">We know that we certainly plan to do this for any future ballots we propose. What we don't know is how we would go about actually encouraging this behavior. Just setting new community norms about asking for such PRs during the discussion period? Adding something to our bylaws to require such a PR in the official ballot proposal? Do others have ideas?<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Thanks,<u></u><u></u></p></div><div><p class="MsoNormal">Samantha Frank & Aaron Gable<u></u><u></u></p></div></div></div></div></div></div></div>_______________________________________________<br>
Servercert-wg mailing list<br>
<a href="mailto:Servercert-wg@cabforum.org" target="_blank">Servercert-wg@cabforum.org</a><br>
<a href="https://lists.cabforum.org/mailman/listinfo/servercert-wg" rel="noreferrer" target="_blank">https://lists.cabforum.org/mailman/listinfo/servercert-wg</a><br>
</div></blockquote></div>