[Servercert-wg] Fixing lag between requirements changes and linter updates

Martijn Katerbarg martijn.katerbarg at sectigo.com
Tue Apr 2 07:37:58 UTC 2024


Hi Samantha, Aaron, 

I like this idea, quite a lot. Though I do want to share a few thoughts I’ve got on the subject: 


* While we could (strongly) recommend that the ballot authors and/or endorsers try to incorporate this, we should make it an optional recommendation. Not everyone may have the skills, or not every CA may have the resources to allocate someone to write a lint at the same time as the ballot is in progress or being prepared. I wouldn’t want not being able to provide a lint to stand in the way of passing an otherwise perfectly good ballot.
* We could likewise update the default ballot text template to incorporate a line such as: “The following lints are being prepared to accommodate these ballot requirements”, alternatively “No lints are yet being prepared for these changes. The author and endorsers are looking for volunteers to help in this effort”.
* We have representatives for pkilint and certlint <https://github.com/certlint/certlint> available at the forum, so it should be easily doable to make sure that if a lint is added, they could also prepare a new release prior to the ballot’s effective date. I’m not sure the same applies for zlint (correct me if I’ve missed a link though). We should seek co-operation with the zlint maintainers to see if releases can be prepared prior to any such effective date.

Regards,

Martijn 

From: Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of Aaron Gable via Servercert-wg <servercert-wg at cabforum.org>
Date: Monday, 1 April 2024 at 22:18
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Fixing lag between requirements changes and linter updates 

In the last six months, by our count there have been at least: 
- 7 bugzilla incident reports due to not marking the basicConstraints extension critical (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888060>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887008>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883416>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888104>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1885132>, 6 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886135>, 7 <https://bugzilla.mozilla.org/show_bug.cgi?id=1875820>)

- 5 bugzilla incident reports due to encoding Subject attributes in an incorrect order (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1864204>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886624>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883731>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883620>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883779>)

- 3 bugzilla incident reports due to not including the CPS URI in an EV certificate (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883843>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886257>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888016>)

- and 7 other incidents due to missing various other requirements from the profiles ballot (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861069>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1876565>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884532>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884714>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886406>, 6 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887096>, 7 <https://bugzilla.mozilla.org/show_bug.cgi?id=1875942>).



Many of these incidents cite reliance on linting systems (such as zlint <https://github.com/zmap/zlint>, pkilint <https://github.com/digicert/pkilint>, cablint <https://github.com/amazon-archives/certlint>, and x509lint <https://github.com/kroeckx/x509lint>) to report whether actual issuance practices are in line with the required profiles.
And many of these incidents cite the fact that ballot SC-062 was not enforced by zlint immediately on 2023-09-15 as a reason that the non-compliance was not caught. 



Obviously there are many potential improvements that can be made here, including both process and technical improvements within each CA, and we're sure that they will be. But the scale of these incidents suggests to me that there may be systemic changes we can make to enable easier compliance with certificate profile changes. 



We think that it would make sense for any proposed ballot which touches Section 7 of the BRs (or equivalent sections in the EVGs) to be accompanied by a PR against zlint which adds or modifies checks to enforce the proposed ballot text. 



Such a ballot would not necessarily have to be written by the ballot author (this is what endorsers are for!), and zlint already has capabilities to not start enforcing a lint until a specified Effective Date in the future, so incorporating upcoming ballot requirements into zlint ahead of time should be fairly easy and straightforward. 



We know that we certainly plan to do this for any future ballots we propose. What we don't know is how we would go about actually encouraging this behavior. Just setting new community norms about asking for such PRs during the discussion period? Adding something to our bylaws to require such a PR in the official ballot proposal? Do others have ideas? 



Thanks, 

Samantha Frank & Aaron Gable 
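
The effective-date gating mentioned in the thread, as an added example (not part of either message, and not zlint's code or API): a stand-alone Go check for the basicConstraints criticality issue that stays dormant for certificates issued before 2023-09-15. The function names, the "NE" result label, the constructed test certificate and the simplified rule (basicConstraints, if present, must be critical) are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// SC-062 effective date as cited in the thread; 2.5.29.19 is basicConstraints.
var sc62Effective = time.Date(2023, 9, 15, 0, 0, 0, 0, time.UTC)
var oidBC = asn1.ObjectIdentifier{2, 5, 29, 19}

// lintBCCritical returns "NE" (not effective) for certificates issued before the
// effective date, "error" for a non-critical basicConstraints, else "pass".
func lintBCCritical(c *x509.Certificate) string {
	if c.NotBefore.Before(sc62Effective) {
		return "NE"
	}
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidBC) && !ext.Critical {
			return "error"
		}
	}
	return "pass"
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sampleCert builds a constructed self-signed certificate; the raw extension
// value 30 00 is an empty SEQUENCE, i.e. basicConstraints with cA=FALSE.
func sampleCert(notBefore time.Time, critical bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore,
		NotAfter: notBefore.AddDate(0, 3, 0), Subject: pkix.Name{CommonName: "example.test"},
		ExtraExtensions: []pkix.Extension{{Id: oidBC, Critical: critical, Value: []byte{0x30, 0x00}}}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	fmt.Println(lintBCCritical(sampleCert(sc62Effective.AddDate(0, 1, 0), false)))
}
```

Because the gate keys on the certificate's notBefore, a check like this can ship in a linter release before the ballot takes effect without flagging certificates issued under the old profile.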





