<div dir="ltr"><div dir="ltr">On Wed, May 29, 2024 at 10:57 PM Dimitris Zacharopoulos (HARICA) via Servercert-wg &lt;<a href="mailto:servercert-wg@cabforum.org">servercert-wg@cabforum.org</a>&gt; wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>While we're in this vein, it would also be useful to add a
recommendation for CAs to lint all non-expired, non-revoked
certificates whenever they install an update of their linting
software.<br>
<ul>
<li>"The CA SHOULD perform Linting on the corpus of its
non-expired, non-revoked Subscriber Certificates whenever it
updates the Linting software".<br>
</li>
</ul>
What do people think about these proposals?<br></div></blockquote><div><br></div><div>Just chiming in to say that I don't love this proposal, for a few reasons.</div><div><br></div><div>1. Linting software has not always had a great track record of applying new lints (based on new requirements) only to certificates issued after a certain date. Running a new linting tool over old certificates frequently raises warnings or errors which were not actually errors at the time of issuance. Zlint has support for this behavior, but it is not used consistently across all lints in their corpus. A quick glance at pkilint's source does not seem to show any support for this behavior, but I easily could be wrong.</div><div><br></div><div>2. Some CAs have very large certificate corpuses, e.g. Let's Encrypt has 400 million currently-valid certificates. Some linting tools are very slow, e.g. pkilint's `lint_pkix_cert` takes 300ms per run. At that rate, re-linting LE's whole corpus would take <i>four years</i>. I'm sure there are speedups to be had, but they'd have to be several orders of magnitude to make that feasible.</div><div><br></div><div>3. Any large systems engineer knows that streaming processing and batch processing infrastructure are very different, with wholly different software and hardware setups to make each efficient. I think it is much more important to incentivize stream-linting (i.e. as issuance happens), and that it would be counterproductive to require CAs to invest in both at the same time.</div><div><br></div><div>Thanks,</div><div>Aaron</div></div></div>
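<div>The effective-date gating discussed in point 1 of the reply, as an added example that is not part of the original message and is not zlint's or pkilint's code. The <code>Lint</code> type, the lint name and the three sample certificates are constructed for illustration, and validity is compared as a plain duration; re-linting the same corpus with and without the gate shows the pre-rule certificate flagged only when the gate is off.</div>

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// Lint is a hypothetical lint definition (not zlint's or pkilint's API).
type Lint struct {
	Name          string
	EffectiveDate time.Time // rule binds certificates issued on or after this
	Violates      func(*x509.Certificate) bool
}

// Run reports "NE" (not effective) when gate is set and c predates the rule.
func (l Lint) Run(c *x509.Certificate, gate bool) string {
	if gate && c.NotBefore.Before(l.EffectiveDate) {
		return "NE"
	}
	if l.Violates(c) {
		return "error"
	}
	return "pass"
}

// Relint tallies results over a corpus, as a batch re-lint would.
func Relint(corpus []*x509.Certificate, l Lint, gate bool) map[string]int {
	tally := map[string]int{}
	for _, c := range corpus {
		tally[l.Run(c, gate)]++
	}
	return tally
}

// cert builds a constructed sample certificate; only validity fields are set.
func cert(issued string, days int) *x509.Certificate {
	nb, _ := time.Parse("2006-01-02", issued)
	return &x509.Certificate{NotBefore: nb, NotAfter: nb.AddDate(0, 0, days)}
}

// MaxValidity: the 398-day limit for certificates issued from 2020-09-01.
var MaxValidity = Lint{"e_validity_over_398_days", time.Date(2020, 9, 1, 0, 0, 0, 0, time.UTC),
	func(c *x509.Certificate) bool { return c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour }}

// Corpus is constructed: a pre-rule 825-day cert, a 90-day cert, a 500-day cert.
var Corpus = []*x509.Certificate{cert("2019-06-01", 825), cert("2024-01-01", 90), cert("2021-01-01", 500)}

func main() {
	fmt.Println("ungated:", Relint(Corpus, MaxValidity, false), "gated:", Relint(Corpus, MaxValidity, true))
}
```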