On Tuesday, March 13, 2018 at 2:02:45 PM UTC-7, Ryan Sleevi wrote:
> availability of certificate linting tools - such as ZLint, x509Lint,
> (AWS's) certlint, and (GlobalSign's) certlint - there's no dearth of
> availability of open tools and checks. Given the industry push towards
> integration of these automated tools, it's not entirely clear why LE would
> invent yet another, but it's also not reasonable to require that LE use
> something 'off the shelf'.
We are indeed planning to integrate GlobalSign's certlint and/or zlint into our existing cert-checker pipeline rather than build something new. We've already started submitting issues and PRs, in order to give back to the ecosystem:

https://github.com/zmap/zlint/issues/212
https://github.com/zmap/zlint/issues/211
https://github.com/zmap/zlint/issues/210
https://github.com/globalsign/certlint/pull/5

If your question is why we wrote cert-checker rather than use something off-the-shelf: cablint / x509lint weren't available at the time we wrote cert-checker. When they became available we evaluated them for production and/or CI use, but concluded that the complex dependencies and difficulty of productionizing them in our environment outweighed the extra confidence we expected to gain, especially given that our certificate profile at the time was very static.

A system improvement we could have made here would have been to set "deploy cablint or its equivalent" as a blocker for future certificate profile changes. I'll add that to our list of items for remediation.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
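The reply above describes a cert-checker pipeline that parses issued certificates, runs profile lints over them, and would gate profile changes on a linter being deployed. The following is an added example of that shape, not Let's Encrypt's cert-checker, Boulder, zlint or certlint code: a stdlib-only Python sketch that parses the parts of a DER TBSCertificate the lints need (version, serialNumber, validity), runs three lints modelled on RFC 5280 / Baseline Requirements rules (v3 only, positive serial of at most 20 octets, validity no longer than 825 days), and exposes a pass/fail gate. The lint names (`e_version_must_be_v3` and so on) are hypothetical and are not zlint's identifiers; the certificates are constructed in memory with a tiny DER encoder, with issuer, subject and SPKI left as empty SEQUENCEs, so they are not real certificates.

```python
import datetime as dt

# ---- tiny DER encoder, used only to construct the sample certificates ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v: int) -> bytes:
    n = max(1, (v.bit_length() + 8) // 8)      # one spare bit keeps the sign bit clear
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def utc_time(t: dt.datetime) -> bytes:
    return tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode("ascii"))   # UTCTime

def build_tbs(version: int, serial: int, not_before: dt.datetime, days: int) -> bytes:
    """Constructed TBSCertificate: only the fields the lints inspect are populated."""
    body = b""
    if version != 1:                           # v1 certificates omit the [0] version field
        body += tlv(0xA0, der_int(version - 1))
    body += der_int(serial)
    body += tlv(0x30, b"")                     # signature AlgorithmIdentifier (empty here)
    body += tlv(0x30, b"")                     # issuer Name (empty here)
    body += tlv(0x30, utc_time(not_before) +
                utc_time(not_before + dt.timedelta(days=days)))
    body += tlv(0x30, b"")                     # subject Name (empty here)
    body += tlv(0x30, b"")                     # subjectPublicKeyInfo (empty here)
    return tlv(0x30, body)

# ---- DER parser and lints: the cert-checker side ----
def read_tlv(buf: bytes, off: int):
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def children(body: bytes):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out

def parse_time(tag: int, val: bytes) -> dt.datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(val.decode("ascii"), fmt)

def parse_tbs(tbs: bytes) -> dict:
    _, body, _ = read_tlv(tbs, 0)
    fields = children(body)
    version = 1
    if fields[0][0] == 0xA0:                   # [0] EXPLICIT Version ::= INTEGER (v1=0, v3=2)
        version = int.from_bytes(children(fields.pop(0)[1])[0][1], "big", signed=True) + 1
    _, serial_raw = fields[0]
    validity = children(fields[3][1])          # fields: serial, sigalg, issuer, validity, ...
    return {
        "version": version,
        "serial_raw": serial_raw,
        "serial": int.from_bytes(serial_raw, "big", signed=True),
        "not_before": parse_time(*validity[0]),
        "not_after": parse_time(*validity[1]),
    }

MAX_VALIDITY_DAYS = 825   # BR 6.3.2 cap for subscriber certificates issued from 2018-03-01

def lint_version_v3(c):
    return c["version"] == 3, f"version is v{c['version']}, must be v3"

def lint_serial(c):      # RFC 5280 4.1.2.2: positive, at most 20 octets as encoded
    ok = c["serial"] > 0 and len(c["serial_raw"]) <= 20
    return ok, f"serial {c['serial']} must be positive and at most 20 octets"

def lint_validity(c):
    days = (c["not_after"] - c["not_before"]).days
    return days <= MAX_VALIDITY_DAYS, f"validity {days} days exceeds {MAX_VALIDITY_DAYS}"

LINTS = [("e_version_must_be_v3", lint_version_v3),     # hypothetical lint names
         ("e_serial_number_profile", lint_serial),
         ("e_validity_too_long", lint_validity)]

def lint_certificate(tbs_der: bytes):
    """Run every lint; returns (name, passed, detail) per lint."""
    cert = parse_tbs(tbs_der)
    return [(name, *fn(cert)) for name, fn in LINTS]

def errors(results):
    return [r for r in results if not r[1]]

def passes_profile(tbs_der: bytes) -> bool:
    """The pipeline gate: any failing lint blocks the certificate (or the build)."""
    return not errors(lint_certificate(tbs_der))

def sample_certs() -> dict:
    """Constructed inputs: one conforming, one breaking all three lints."""
    nb = dt.datetime(2018, 3, 13, 21, 2, 45)
    return {"good": build_tbs(3, 0x1234ABCD, nb, 90),
            "bad": build_tbs(1, 0, nb, 1095)}

if __name__ == "__main__":
    for label, der in sample_certs().items():
        for name, ok, detail in lint_certificate(der):
            print(f"{label}: {name}: {'pass' if ok else 'ERROR ' + detail}")
        print(f"{label}: gate -> {'allow' if passes_profile(der) else 'block'}")
```

The point of the structure is the last function: whether the lints come from zlint, certlint or an in-house checker, the pipeline consumes a single allow/block result, so swapping in an external linter later only changes what fills `LINTS`, not what gates issuance or CI.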