On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote:
> availability of certificate linting tools - such as ZLint, x509Lint,
> (AWS's) certlint, and (GlobalSign's) certlint - there's no dearth of
> availability of open tools and checks. Given the industry push towards
> integration of these automated tools, it's not entirely clear why LE would
> invent yet another, but it's also not reasonable to require that LE use
> something 'off the shelf'.

We are indeed planning to integrate GlobalSign's certlint and/or zlint into our 
existing cert-checker pipeline rather than build something new. We've already 
started submitting issues and PRs, in order to give back to the ecosystem:

https://github.com/zmap/zlint/issues/212
https://github.com/zmap/zlint/issues/211
https://github.com/zmap/zlint/issues/210
https://github.com/globalsign/certlint/pull/5

If your question is why we wrote cert-checker rather than use something 
off-the-shelf: cablint / x509lint weren't available at the time we wrote 
cert-checker. When they became available we evaluated them for production 
and/or CI use, but concluded that the complex dependencies and difficulty of 
productionizing them in our environment outweighed the extra confidence we 
expected to gain, especially given that our certificate profile at the time was 
very static. A system improvement we could have made here would have been to 
set "deploy cablint or its equivalent" as a blocker for future certificate 
profile changes. I'll add that to our list of items for remediation.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
