On Sat, Jul 7, 2018 at 4:43 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Sat, Jul 07, 2018 at 01:23:24AM +0000, Peter Gutmann via
> dev-security-policy wrote:
> >
> > So for certlint I'd always warn for T61String with anything other than ASCII
> > (which century are they living in? Point them at UTF8 and tell them to come
> > back when they've implemented it), treat it as a probably 8859-1 string when
> > checking for validity, and report an error if they try anything like character
> > set switching and fancy escape sequences, which are pretty much guaranteed not
> > to work (i.e. display) properly.
>
> I think it should generate an error on any character not defined
> in 102 and the space character. So any time you try to use anything
> in C0, C1 and G1, and those 6 in 102 that are not defined.
>

Is that because you believe it forbidden by spec, or simply unwise?

The value of a linter is fairly proportional to its value in spec
adherence. I'm all for warnings for things that are unwise, but otherwise
permitted, but making them errors puts burden on CAs and the community to
evaluate whether or not it's an "actual violation" or just something
"monumentally stupid". The former is far more important to the relying
party community, and thus if it's not a spec violation that can be
demonstrated as such, making it an error is just a good way to get linters
ignored :/

Perhaps I misunderstood the proposal, though? Is this considering the
escape sequences or not?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
