Not really – and I don’t object to the certificate problem reports. I greatly appreciate the work Alex and Jonathan are doing.
I disagree that finding small issues indicates larger issues as a whole. There's no support for that claim. It's just as likely that larger issues are going ignored because of noise as it is that the smaller issues are indicators of something like domain validation going wrong. I doubt they speak equally to a CA's ability to execute on best practices as well. It seems like a failure to do validation would be way more severe than ensuring the OU field doesn't have metadata.

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, August 10, 2017 12:24 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with metadata-only subject fields

> Can you provide an example of what you believe is a bigger issue that has been masked? Otherwise, it sounds like you're saying "Ignore the obvious errors, because maybe someone will find something non-obvious, and we don't want to miss out" - but that's a deeply flawed argument, and I would hope isn't the substance of what you're saying.
>
> Note: I still disagree with you about the artificial ontology; all of these errors equally speak to the CA's ability to execute on Best Practices, such as using available tools that have been evangelized for over a year as something that can (and arguably should) be integrated into issuance pipelines. Discussions at this point are extremely relevant, as they speak to how well the CA is staying abreast of changes, as well as how effectively they're managing their subsidiaries - both issues that are key to public trust.
>
> On Thu, Aug 10, 2017 at 2:17 PM, Jeremy Rowley via dev-security-policy <email@example.com> wrote:
>
>> I strongly disagree. The discussion around errors like these masks the bigger issues in the noise. If there are bigger issues, let's find those.
>>
>> -----Original Message-----
>> From: dev-security-policy On Behalf Of David E. Ross via dev-security-policy
>> Sent: Wednesday, August 9, 2017 4:35 PM
>> To: mozilla-dev-security-pol...@lists.mozilla.org
>> Subject: Re: Certificates with metadata-only subject fields
>>
>>> On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote:
>>>
>>>> On Aug 9, 2017, at 17:50, Peter Bowen <pzbo...@gmail.com> wrote:
>>>>
>>>>> The point of certlint was to help identify issues. While I appreciate it getting broad usage, I don't think pushing for revocation of every certificate that trips any of the Error level checks is productive.
>>>>
>>>> I agree, and I don't really have a position on the revocation of certificates with errors that do not appear to have any security impact like these.
>>>>
>>>> Jonathan
>>>
>>> I strongly disagree. Errors like this make me question whether the certification authority is sufficiently competent to be trusted. Small errors can indicate an increased likelihood of serious errors.
>>>
>>> --
>>> David E. Ross <http://www.rossde.com/>
_______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy
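As an added illustration (not code from the thread, from certlint, or from any CA), a Python check in the spirit of the one being debated: it parses a string-form subject DN and flags attributes whose value consists only of metadata, such as an OU of "-". The placeholder token list and the sample subjects are assumptions constructed for this example.

```python
# The Baseline Requirements name '.', '-' and space as metadata characters;
# the placeholder tokens below are an assumption made for this example.
METADATA_CHARS = set(".- ")
PLACEHOLDER_TOKENS = {"n/a", "na", "none", "null", "not applicable", "unknown"}


def is_metadata_only(value: str) -> bool:
    """True when a subject attribute value conveys no real information."""
    stripped = value.strip()
    if not stripped or all(ch in METADATA_CHARS for ch in stripped):
        return True
    return stripped.lower() in PLACEHOLDER_TOKENS


def parse_dn(dn: str):
    """Parse an RFC 4514 string DN into [(ATTR, value), ...].
    Backslash-escaped commas are handled; hex escapes and '+' multi-valued
    RDNs are out of scope for this example."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:            # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":        # unescaped comma separates RDNs
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [(a.strip().upper(), v) for a, _, v in (p.partition("=") for p in parts)]


def metadata_only_fields(dn: str):
    """Return the (attr, value) pairs of `dn` whose value is metadata-only."""
    return [(a, v) for a, v in parse_dn(dn) if is_metadata_only(v)]


# Constructed sample subjects, not taken from real certificates.
SAMPLES = {
    "clean":   "CN=www.example.com,O=Example Corp,ST=Utah,C=US",
    "ou_dash": "CN=www.example.com,OU=-,O=Example Corp,C=US",
    "several": "CN=www.example.com,O=.,L=N/A,ST= ,C=US",
    "escaped": "CN=www.example.com,O=Example\\, Inc.,C=US",
}


def lint_samples(samples=SAMPLES):
    """Map each sample name to its list of offending attributes (empty = OK)."""
    return {name: metadata_only_fields(dn) for name, dn in samples.items()}
```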