> On Aug 9, 2017, at 18:34, David E. Ross via dev-security-policy
> <email@example.com> wrote:
> On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote:
>>> On Aug 9, 2017, at 17:50, Peter Bowen <pzbo...@gmail.com> wrote:
>>> The point of certlint was to help identify issues. While I appreciate
>>> it getting broad usage, I don't think pushing for revocation of every
>>> certificate that trips any of the Error level checks is productive.
>> I agree, and I don’t really have a position on the revocation of
>> certificates with errors that do not appear to have any security impact like
> I strongly disagree. Errors like this make me question whether the
> certification authority is sufficiently competent to be trusted. Small
> errors can indicate an increased likelihood of serious errors.
I’m not saying the errors are okay. They aren’t. All I’m saying is that for
this batch I’m not requesting revocation directly from CAs using their problem
reporting contact details, as I’ve done with other more serious issues.
dev-security-policy mailing list