Not really – and I don’t object to the certificate problem reports. I greatly 
appreciate the work Alex and Jonathan are doing.


I disagree that finding small issues indicates larger issues as a whole. 
There's no support for that claim.  It's just as likely that larger issues are 
going ignored because of noise as the smaller issues are indicators of 
something like domain validation going wrong. I doubt they speak equally to a 
CA's ability to execute on best practices as well.  Seems like a failure to do 
validation would be way more severe than ensuring the OU field doesn't have 
From: Ryan Sleevi
Sent: Thursday, August 10, 2017 12:24 PM
To: Jeremy Rowley
Subject: Re: Certificates with metadata-only subject fields


Can you provide an example of what you believe is a bigger issue that has been 
masked? Otherwise, it sounds like you're saying "Ignore the obvious errors, 
because maybe someone will find something non-obvious, and we don't want to 
miss out" - but that's a deeply flawed argument, and I would hope isn't the 
substance of what you're saying.


Note: I still disagree with you about the artificial ontology; all of these 
errors equally speak to the CA's ability to execute on Best Practices, such as 
using available tools that have been evangelized for over a year as something 
that can (and arguably should) be integrated into issuance pipelines. 
Discussions at this point are extremely relevant, as they speak to how well the 
CA is staying abreast of changes, as well as how effectively they're managing 
their subsidiaries - both issues that are key to public trust.


On Thu, Aug 10, 2017 at 2:17 PM, Jeremy Rowley via dev-security-policy wrote:

I strongly disagree. The discussion around errors like these masks the
bigger issues in the noise.  If there are bigger issues, let's find those.

-----Original Message-----
From: dev-security-policy On Behalf Of David E. Ross via dev-security-policy
Sent: Wednesday, August 9, 2017 4:35 PM
Subject: Re: Certificates with metadata-only subject fields

On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote:
>> On Aug 9, 2017, at 17:50, Peter Bowen wrote:
>> The point of certlint was to help identify issues.  While I
>> appreciate it getting broad usage, I don't think pushing for
>> revocation of every certificate that trips any of the Error level checks
>> is productive.
> I agree, and I don't really have a position on the revocation of
> certificates with errors that do not appear to have any security impact like
> Jonathan

I strongly disagree.  Errors like this make me question whether the
certification authority is sufficiently competent to be trusted.  Small
errors can indicate an increased likelihood of serious errors.

David E. Ross

President Trump demands loyalty to himself from Republican members of
Congress.  I always thought that members of Congress -- House and Senate --
were required to be loyal to the people of the United States.  In any case,
they all swore an oath of office to be loyal to the Constitution.
dev-security-policy mailing list 