[Servercert-wg] Ballot SC-75 - Pre-sign linting

Aaron Gable aaron at letsencrypt.org
Fri May 31 21:20:02 UTC 2024 

On Wed, May 29, 2024 at 10:57 PM Dimitris Zacharopoulos (HARICA) via
Servercert-wg <servercert-wg at cabforum.org> wrote:

> While we're in this vein, it would also be useful to add a recommendation
> for CAs to lint all non-expired, non-revoked certificates whenever they
> install an update of their linting software.
>
>    - "The CA SHOULD perform Linting on the corpus of its non-expired,
>    non-revoked Subscriber Certificates whenever it updates the Linting
>    software".
>
> What do people think about these proposals?
>

Just chiming in to say that I don't love this proposal, for a few reasons.

1. Linting software has not always had a great track record of applying new
lints (based on new requirements) only to certificates issued after a
certain date. Running a new linting tool over old certificates frequently
raises warnings or errors which were not actually errors at the time of
issuance. Zlint has support for this behavior, but it is not used
consistently across all lints in their corpus. A quick glance at pkilint's
source does not seem to show any support for this behavior, but I easily
could be wrong.

2. Some CAs have very large certificate corpuses, e.g. Let's Encrypt has
400 million currently-valid certificates. Some linting tools are very slow,
e.g. pkilint's `lint_pkix_cert` takes 300ms per run. At that rate,
re-linting LE's whole corpus would take *four years*. I'm sure there are
speedups to be had, but they'd have to be several orders of magnitude to
make that feasible.

3. Any large systems engineer knows that streaming processing and batch
processing infrastructure are very different, with wholly different
software and hardware setups to make each efficient. I think it is much
more important to incentivize stream-linting (i.e. as issuance happens),
and that it would be counterproductive to require CAs to invest in both at
the same time.

Thanks,
Aaron
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240531/fce3334e/attachment.html>

More information about the Servercert-wg mailing list