Can you provide an example of what you believe is a bigger issue that has
been masked? Otherwise, it sounds like you're saying "Ignore the obvious
errors, because maybe someone will find something non-obvious, and we don't
want to miss out" - but that's a deeply flawed argument, and I would hope
isn't the substance of what you're saying.

Note: I still disagree with you about the artificial ontology; all of these
errors equally speak to the CA's ability to execute on Best Practices, such
as using available tools that have been evangelized for over a year as
something that can (and arguably should) be integrated into issuance
pipelines. Discussions at this point are extremely relevant, as they speak
to how well the CA is staying abreast of changes, as well as how
effectively they're managing their subsidiaries - both issues that are key
to public trust.

On Thu, Aug 10, 2017 at 2:17 PM, Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I strongly disagree. The discussion around errors like these masks the
> bigger issues in the noise.  If there are bigger issues, let's find those.
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org]
> On Behalf Of David E. Ross via dev-security-policy
> Sent: Wednesday, August 9, 2017 4:35 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Certificates with metadata-only subject fields
>
> On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote:
> >
> >> On Aug 9, 2017, at 17:50, Peter Bowen <pzbo...@gmail.com> wrote:
> >>
> >> The point of certlint was to help identify issues.  While I
> >> appreciate it getting broad usage, I don't think pushing for
> >> revocation of every certificate that trips any of the Error level checks
> >> is productive.
> >
> > I agree, and I don't really have a position on the revocation of
> > certificates with errors that do not appear to have any security impact
> > like these.
> >
> > Jonathan
> >
> >
>
> I strongly disagree.  Errors like this make me question whether the
> certification authority is sufficiently competent to be trusted.  Small
> errors can indicate an increased likelihood of serious errors.
>
> --
> David E. Ross
> <http://www.rossde.com/>
>
> President Trump demands loyalty to himself from Republican members of
> Congress.  I always thought that members of Congress -- House and Senate --
> were required to be loyal to the people of the United States.  In any case,
> they all swore an oath of office to be loyal to the Constitution.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy