Hi Ben. I forget exactly what prompt I gave the image generator, but it's supposed to be a cartoon lint roller pretending to be a brave knight, clad in armour (metal, obviously) to bravely fight the good fight of WebPKI policy compliance! Standing atop its vanquished foe (a pile of clothes, representing a marauding band of noncompliant TBSCertificates), it proudly displays the battle wounds (linter "findings") sustained during its noble quest. 😉
________________________________
From: Ben Laurie <[email protected]>
Sent: 30 July 2024 16:46
To: Rob Stradling <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: pkimetal - A PKI Meta-Linter

Awesome!

But I have to ask: what is going on here<https://pkimet.al/mascot.jpg>?

On Tue, 30 Jul 2024 at 16:23, 'Rob Stradling' via [email protected] <[email protected]> wrote:

Hi everyone. I've already posted a release announcement<https://groups.google.com/a/groups.cabforum.org/g/public/c/lM7XZxUYakc/m/3z9IIqq0AgAJ> for this project on the CABForum Public list, but I imagine there are some folks here who aren't following that list but who might be interested...

Amir wrote<https://www.mail-archive.com/[email protected]/msg01669.html>:
"You've had issues with, arguably one of the easiest parts of being a CA, linting. Your issues with linting go back at least six years. Seriously, how do you have so much difficulty with properly implementing pre, and post issuance linting?"

Mike Shaver wrote<https://www.mail-archive.com/[email protected]/msg01727.html>:
"Finally, conformance to the standards and correct issuance is just not that hard, as regards the things that have been argued to be "too minor to revoke in 5 days". They would virtually all have been caught by decent linting."

In my experience, effective integration of linters into a CA's pre-issuance pipeline isn't rocket science, but it's also far from trivial.

In recent months on Bugzilla we've seen a number of CAs struggle with, or take a long time to complete, linter integration projects; and now that CABForum has set deadlines in the TLS BRs for when CAs SHOULD<https://github.com/cabforum/servercert/pull/518/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR193> and MUST<https://github.com/cabforum/servercert/pull/518/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR194> implement a linting strategy, every TLS-capable CA needs to get on top of this.

pkimetal delivers: easier linter integration, a comprehensive linting strategy, and more performant and scalable linting.

Open-source project: https://github.com/pkimetal/pkimetal (code, documentation, prebuilt Docker containers)
Public instance: https://pkimet.al/ (not recommended for production CA environments)

I, for one, look forward to the day when misissuance incidents that could have been "caught by decent linting" are a thing of the past!

--
Rob Stradling
Distinguished Engineer
Sectigo Limited
