On Tue, Oct 04, 2016 at 11:13:21AM +0100, Rob Stradling wrote:
> On 04/10/16 07:10, Gervase Markham wrote:
> <snip>
> >> [4] https://crt.sh/?cablint=1+week
> >
> > This URL is a 404.
>
> Sorry, crt.sh is a bit under the weather right now. Someone submitted a
> batch of several million certs to the Google CT logs, and this has
> rather overwhelmed the replication between crt.sh's master DB and slave
> DBs. The slaves are still catching up at the moment.
>
> crt.sh queries are occasionally killed off due to some DB replication
> issues that I don't yet fully understand. Unfortunately, the current
> backlog has exacerbated this problem, hence the high number of 404s.
>
> crt.sh should be fighting fit again soon though. :-)
>
> > Are you simply saying that cablint alerted you to the error?
>
> Yes.
>
> > Does Comodo run cablint over all certificates post-issuance (or
> > pre-issuance)?
>
> Neither. I'd like to run cablint over all certs pre-issuance, but
> unfortunately it's not practical to do this yet because 1) cablint is
> too slow and 2) there are some differences of opinion that have been
> discussed at CABForum but not yet resolved.

I guess you don't have the same slowness with x509lint, but that:
- It doesn't cover all the same things
- It might also still give errors about things that CABForum needs to
  resolve.

But I guess it should be easy enough for you to ignore some of the
errors (or warnings).

I do intend to make it check more things, but activity really comes in
bursts.

Kurt

