crt.sh and linting (was Re: Proposed new ballot on IP Addresses in SANs)

Rob Stradling rob.stradling at comodo.com
Tue Apr 26 09:20:28 UTC 2016

On 26/04/16 08:34, Kurt Roeckx wrote:
> On Mon, Apr 25, 2016 at 03:56:40PM -0700, Ryan Sleevi wrote:
>> The non-compliance of CAs to RFC5280 and related has caused significant
>> hurdles in improving Chrome's certificate validation code, as we're
>> constantly having to work through not only the spec, but examine other
>> implementations to see what sorts of voodoo and dark-magic have been imbued
>> to work around matters of non-compliance. I'm sure, from the CA side, this
>> can be appreciated in terms of not understanding how browsers build
>> certificate chains, so I would hope we can all agree that objective
>> standards - like 5280 is meant to be (and the underlying ASN.1
>> specifications like X.690) - help the industry move at a faster, better
>> pace.
> OpenSSL also wants to be more strict in what it accepts, which is
> one reason why I started with my x509lint, which results you can
> now also see on crt.sh.

Indeed you can.  :-)

https://crt.sh/?a=1 now lets you see linting results from cablint, 
x509lint, or both linters together.

Let the linter wars begin!  ;-)

