[Servercert-wg] Fixing lag between requirements changes and linter updates
Ryan Dickson
ryandickson at google.com
Tue Apr 2 13:32:12 UTC 2024
Like Martijn, we appreciate the spirit behind this recommendation.
Establishing clear expectations related to linting is something the Chrome
Root Program considers important. We’ve touched
<https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164>
[1] on this on the open SCWG GitHub issue
<https://github.com/cabforum/servercert/issues/443> [2] related to linting,
during our update at F2F 60
<https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1>
[3], and in response to several incident reports disclosed to Bugzilla.
We’re happy to see interest from others in this area, and the recent
announcement of SC-73.
That said, we also think it’s important to avoid creating external
dependencies on third-party organizations, some of which are not directly
involved in this specific Working Group or the broader Forum, when
considering adding new requirements to the TLS BRs - or when those
requirements become effective. This is especially true when considering
requirements that have real-world security implications (e.g.,
cryptographic deprecations). Ultimately, it is each CA’s responsibility to
adhere to the BRs - and it is not the responsibility of the SCWG, as I
interpret the charter <https://cabforum.org/working-groups/server/charter/>
[4], to prevent compliance issues.
Further, CAs aren’t required to adopt any or all of the open-source tools
described in Samantha and Aaron’s message. If these tools are adopted,
there’s nothing that ensures CAs rely on the latest versions of these tools
- or use them “correctly.” The combination of these two points is that it
seems unlikely this effort, if pursued, will completely eliminate incidents
related to mis-issuance. However, better (i.e., reduced incidents) should
still be considered a good thing because it represents an opportunity for
investment of time and resources elsewhere in an effort to more
meaningfully improve web security.
- Ryan (on behalf of the Chrome Root Program)
[1]
https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164
[2] https://github.com/cabforum/servercert/issues/443
[3]
https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1
[4] https://cabforum.org/working-groups/server/charter/
On Tue, Apr 2, 2024 at 3:38 AM Martijn Katerbarg via Servercert-wg <
servercert-wg at cabforum.org> wrote:
> Hi Samantha, Aaron,
>
>
>
> I like this idea, quite a lot. Though I do want to share a few thoughts
> I’ve got on the subject:
>
>
>
> - While we could (strongly) recommend that the ballot authors and/or
> endorsers try to incorporate this, we should make it an optional
> recommendation. Not everyone may have the skills, or not every CA may have
> the resources to allocate someone to write a lint at the same time as the
> ballot is in progress or being prepared. I wouldn’t want not being able to
> provide a lint stand in the way of passing an otherwise perfectly good
> ballot.
> - We could likewise update the default ballot text template to
> incorporate a line such as: “The following lints are being prepared to
> accommodate these ballot requirements”, alternative “No lints are yet being
> prepared for these changes. The author and endorsers are looking for
> volunteers to help in this effort”.
> - We have representatives for pkilint and certlint
> <https://github.com/certlint/certlint> vailable at the forum, so it
> should be easily do-able to make sure that if a lint is added, they could
> also prepare a new release prior to the ballot’s effective date. I’m not
> sure the same applies for zlint (correct me if I’ve missed a link though).
> We should seek co-operation with the zlint maintainers to see if releases
> can be prepared prior to any such effective date.
>
>
>
> Regards,
>
> Martijn
>
>
>
> *From: *Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf of
> Aaron Gable via Servercert-wg <servercert-wg at cabforum.org>
> *Date: *Monday, 1 April 2024 at 22:18
> *To: *CA/B Forum Server Certificate WG Public Discussion List <
> servercert-wg at cabforum.org>
> *Subject: *[Servercert-wg] Fixing lag between requirements changes and
> linter updates
>
> CAUTION: This email originated from outside of the organization. Do not
> click links or open attachments unless you recognize the sender and know
> the content is safe.
>
>
>
> In the last six months, by our count there have been at least:
>
> - 7 bugzilla incident reports due to not marking the basicConstraints
> extension critical (1
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888060&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066048666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=j%2BSyuwebJvP76a1UWNicHl2rkfcOfszKeRHxFQNRLIk%3D&reserved=0>,
> 2
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887008&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066059012%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=0TJkn13OmUCsOylpMwLG%2B98MLVOJeR9X3d%2FOJgpd7Ns%3D&reserved=0>,
> 3
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883416&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066065512%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=GupXZoxXGytAjPfoy7%2FA%2FvGGW0cZlil3XQSeTp1CCx8%3D&reserved=0>,
> 4
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888104&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066071156%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=NkL222AznkNM4eRx6gMaU4xJpTtfxxjAbVwdF%2BQA93o%3D&reserved=0>,
> 5
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1885132&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066076535%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bu9g3XoY2olWyhcD9ccp3%2F77Vx1Y%2FltG9PH%2F%2BUjIkYU%3D&reserved=0>,
> 6
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886135&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066081844%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=krdet7BBUJtJrqh%2BT79IlkB0fl7cw%2BxG4QDalkOwpL0%3D&reserved=0>,
> 7
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875820&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066087108%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=yCpddEhi%2F8RJBNc1fyz2awwOWFS1CsXtc8bw632aWNU%3D&reserved=0>
> )
>
> - 5 bugzilla incident reports due to encoding Subject attributes in an
> incorrect order (1
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1864204&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066092452%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=VaMZUmDp5EqliS0F2L4%2BrGdNPvECxRY70d3JwvmVAKU%3D&reserved=0>,
> 2
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886624&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066097858%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=%2FrCMsgAzk7XFUSqEGTzLCE%2Ftj9bzYOGPIFdL4SQlIe8%3D&reserved=0>,
> 3
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883731&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066103104%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=z5yeMp53Ri7DnuAJ%2BrjqxwxowpBLlAjrDiTfw5g6rkY%3D&reserved=0>,
> 4
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883620&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066108333%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=ppLiUOFv%2BbREQDokNcIxEpLO9XsNpyL%2F3gi6FaV1jzk%3D&reserved=0>,
> 5
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883779&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066113524%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=fVoIm%2FifZ8w6VhSQ8dsdEZjNvXl%2BiIerDwSiRMkxjFc%3D&reserved=0>
> )
>
> - 3 bugzilla incident reports due to not including the CPS URI in an EV
> certificate (1
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1883843&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066118767%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=loadvCWZIQUhYIhb1XL9xGNPoqOh5lpijTFrvS%2Fp91E%3D&reserved=0>,
> 2
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886257&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066123968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=odM0dSQFzasI0dpIOJ%2F4kp3zNy9cgKBgHcx%2BxmHLQWI%3D&reserved=0>,
> 3
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1888016&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066129186%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Gh%2FCXlzFLrYCmLC0Bys55C5XJNiEucjWe1ive00SDVE%3D&reserved=0>
> )
>
> - and 7 other incidents due to missing various other requirements from the
> profiles ballot (1
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1861069&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066134397%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=bXRY7Gc%2BQb%2BHLAnXvBj4aOpGb1gHwMp9Pq0HEDdySkk%3D&reserved=0>,
> 2
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1876565&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066139616%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=uEG%2FvOWNaP8L77gLXkxGXR70eZVrzXVZFzy%2Fv%2BMp8qg%3D&reserved=0>,
> 3
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884532&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066149404%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Vma0C0IlQKwzpaSecRMFhSbQliXIQ46aMih%2B1IexXaA%3D&reserved=0>,
> 4
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1884714&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066157423%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=P0cuTzMMPNufhL9QoYqMXykVG8V%2BsV9kqQYlffbRr%2BE%3D&reserved=0>,
> 5
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1886406&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066165160%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F4F%2FsWvGbjmG8jZs0KoN%2BYKJe%2FuFacmik3jHuzgJ3IU%3D&reserved=0>,
> 6
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1887096&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066173373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=y%2Bm3Zi4AYqi%2Fb%2B%2BwY4ISARBtEibScQMAYnqiJxkubW0%3D&reserved=0>,
> 7
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbugzilla.mozilla.org%2Fshow_bug.cgi%3Fid%3D1875942&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066181540%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=mF79x9SOmfepRp2mPw2BRG4RdtwetLFmk1hVtHwt8OQ%3D&reserved=0>
> ).
>
>
>
> Many of these incidents cite reliance on linting systems (such as zlint
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fzmap%2Fzlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066189666%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=gLZj4Dd%2FC8z3v4T23Vy7HGtbwyk0ko5ZqezhFR5OFFE%3D&reserved=0>,
> pkilint
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdigicert%2Fpkilint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066197657%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=xHLjkG%2F7jcX1EK7Mx1x9nrMOiG6zesHF8cS5BV3X7cA%3D&reserved=0>,
> cablint
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Famazon-archives%2Fcertlint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066205485%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F1YMCmM1zMdDXDLypNwCusWvACaLvk2zRbtJ6ACydrQ%3D&reserved=0>,
> and x509lint
> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fkroeckx%2Fx509lint&data=05%7C02%7Cmartijn.katerbarg%40sectigo.com%7Cdba727efbd444f0a3b8708dc5288e0c0%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C638475995066215084%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=Fv%2BbeJBwWzxQSKzq%2BQYMVQS%2B4gQ0WRL3byUMq8hSK%2Bk%3D&reserved=0>)
> to report whether actual issuance practices are in line with the required
> profiles. And many of these incidents cite the fact that ballot SC-062 was
> not enforced by zlint immediately on 2023-09-15 as a reason that the
> non-compliance was not caught.
>
>
>
> Obviously there are many potential improvements that can be made here,
> including both process and technical improvements within each CA, and we're
> sure that they will be. But the scale of these incidents suggests to me
> that there may be systemic changes *we* can make to enable easier
> compliance with certificate profile changes.
>
>
>
> We think that it would make sense for any proposed ballot which touches
> Section 7 of the BRs (or equivalent sections in the EVGs) to be accompanied
> by a PR against zlint which adds or modifies checks to enforce the proposed
> ballot text.
>
>
>
> Such a ballot would not necessarily have to be written by the ballot
> author (this is what endorsers are for!), and zlint already has
> capabilities to not start enforcing a lint until a specified Effective Date
> in the future, so incorporating upcoming ballot requirements into zlint
> ahead of time should be fairly easy and straightforward.
>
>
>
> We know that we certainly plan to do this for any future ballots we
> propose. What we don't know is how we would go about actually encouraging
> this behavior. Just setting new community norms about asking for such PRs
> during the discussion period? Adding something to our bylaws to require
> such a PR in the official ballot proposal? Do others have ideas?
>
>
>
> Thanks,
>
> Samantha Frank & Aaron Gable
> _______________________________________________
> Servercert-wg mailing list
> Servercert-wg at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240402/61d8ce07/attachment-0001.html>
More information about the Servercert-wg
mailing list