Like Martijn, we appreciate the spirit behind this recommendation. Establishing clear expectations related to linting is something the Chrome Root Program considers important. We’ve touched [1] on this on the open SCWG GitHub issue [2] related to linting, during our update at F2F 60 [3], and in response to several incident reports disclosed to Bugzilla. We’re happy to see interest from others in this area, and the recent announcement of SC-73.

That said, we also think it’s important to avoid creating external dependencies on third-party organizations, some of which are not directly involved in this specific Working Group or the broader Forum, when considering adding new requirements to the TLS BRs - or when those requirements become effective. This is especially true when considering requirements that have real-world security implications (e.g., cryptographic deprecations).

Ultimately, it is each CA’s responsibility to adhere to the BRs - and it is not the responsibility of the SCWG, as I interpret the charter [4], to prevent compliance issues.

Further, CAs aren’t required to adopt any or all of the open-source tools described in Samantha and Aaron’s message. If these tools are adopted, there’s nothing that ensures CAs rely on the latest versions of these tools - or use them “correctly.” The combination of these two points is that it seems unlikely this effort, if pursued, will completely eliminate incidents related to mis-issuance.

However, better (i.e., reduced incidents) should still be considered a good thing because it represents an opportunity for investment of time and resources elsewhere in an effort to more meaningfully improve web security.

- Ryan (on behalf of the Chrome Root Program)

[1] https://github.com/cabforum/servercert/issues/443#issuecomment-1642438164
[2] https://github.com/cabforum/servercert/issues/443
[3] https://cabforum.org/2023/10/04/minutes-of-the-f2f-60-meeting-in-portsmouth-nh-october-3-4-2023/#discussion-outside-the-presentation-1
[4] https://cabforum.org/working-groups/server/charter/

On Tue, Apr 2, 2024 at 3:38 AM Martijn Katerbarg via Servercert-wg <[email protected]> wrote:

> Hi Samantha, Aaron,
>
> I like this idea, quite a lot. Though I do want to share a few thoughts I’ve got on the subject:
>
> - While we could (strongly) recommend that the ballot authors and/or endorsers try to incorporate this, we should make it an optional recommendation. Not everyone may have the skills, or not every CA may have the resources to allocate someone to write a lint at the same time as the ballot is in progress or being prepared. I wouldn’t want not being able to provide a lint stand in the way of passing an otherwise perfectly good ballot.
> - We could likewise update the default ballot text template to incorporate a line such as: “The following lints are being prepared to accommodate these ballot requirements”, alternative “No lints are yet being prepared for these changes. The author and endorsers are looking for volunteers to help in this effort”.
> - We have representatives for pkilint and certlint <https://github.com/certlint/certlint> available at the forum, so it should be easily do-able to make sure that if a lint is added, they could also prepare a new release prior to the ballot’s effective date. I’m not sure the same applies for zlint (correct me if I’ve missed a link though). We should seek co-operation with the zlint maintainers to see if releases can be prepared prior to any such effective date.
>
> Regards,
>
> Martijn
>
> *From: *Servercert-wg <[email protected]> on behalf of Aaron Gable via Servercert-wg <[email protected]>
> *Date: *Monday, 1 April 2024 at 22:18
> *To: *CA/B Forum Server Certificate WG Public Discussion List <[email protected]>
> *Subject: *[Servercert-wg] Fixing lag between requirements changes and linter updates
>
> In the last six months, by our count there have been at least:
>
> - 7 bugzilla incident reports due to not marking the basicConstraints extension critical (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888060>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887008>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883416>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888104>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1885132>, 6 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886135>, 7 <https://bugzilla.mozilla.org/show_bug.cgi?id=1875820>)
> - 5 bugzilla incident reports due to encoding Subject attributes in an incorrect order (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1864204>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886624>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883731>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883620>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883779>)
> - 3 bugzilla incident reports due to not including the CPS URI in an EV certificate (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1883843>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886257>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1888016>)
> - and 7 other incidents due to missing various other requirements from the profiles ballot (1 <https://bugzilla.mozilla.org/show_bug.cgi?id=1861069>, 2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1876565>, 3 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884532>, 4 <https://bugzilla.mozilla.org/show_bug.cgi?id=1884714>, 5 <https://bugzilla.mozilla.org/show_bug.cgi?id=1886406>, 6 <https://bugzilla.mozilla.org/show_bug.cgi?id=1887096>, 7 <https://bugzilla.mozilla.org/show_bug.cgi?id=1875942>).
>
> Many of these incidents cite reliance on linting systems (such as zlint <https://github.com/zmap/zlint>, pkilint <https://github.com/digicert/pkilint>, cablint <https://github.com/amazon-archives/certlint>, and x509lint <https://github.com/kroeckx/x509lint>) to report whether actual issuance practices are in line with the required profiles. And many of these incidents cite the fact that ballot SC-062 was not enforced by zlint immediately on 2023-09-15 as a reason that the non-compliance was not caught.
>
> Obviously there are many potential improvements that can be made here, including both process and technical improvements within each CA, and we're sure that they will be. But the scale of these incidents suggests to me that there may be systemic changes *we* can make to enable easier compliance with certificate profile changes.
>
> We think that it would make sense for any proposed ballot which touches Section 7 of the BRs (or equivalent sections in the EVGs) to be accompanied by a PR against zlint which adds or modifies checks to enforce the proposed ballot text.
>
> Such a ballot would not necessarily have to be written by the ballot author (this is what endorsers are for!), and zlint already has capabilities to not start enforcing a lint until a specified Effective Date in the future, so incorporating upcoming ballot requirements into zlint ahead of time should be fairly easy and straightforward.
>
> We know that we certainly plan to do this for any future ballots we propose. What we don't know is how we would go about actually encouraging this behavior. Just setting new community norms about asking for such PRs during the discussion period? Adding something to our bylaws to require such a PR in the official ballot proposal? Do others have ideas?
>
> Thanks,
>
> Samantha Frank & Aaron Gable
> _______________________________________________
> Servercert-wg mailing list
> [email protected]
> https://lists.cabforum.org/mailman/listinfo/servercert-wg
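
The effective-date gating that the quoted message attributes to zlint, sketched with only the Go standard library for the basicConstraints criticality check; this is an added example, not code from the thread or from zlint. The function names, the status strings, the comparison against notBefore and the "if present, must be critical" rule are assumptions of the sketch, and the certificates are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var sc062Effective = time.Date(2023, 9, 15, 0, 0, 0, 0, time.UTC) // date given in the thread
var oidBasicConstraints = asn1.ObjectIdentifier{2, 5, 29, 19}

// lintBCCritical (hypothetical name) returns "NE" before the effective date,
// "NA" if basicConstraints is absent, else "pass" or "error" by criticality.
func lintBCCritical(c *x509.Certificate, effective time.Time) string {
	if c.NotBefore.Before(effective) {
		return "NE" // requirement not yet in force for this certificate
	}
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidBasicConstraints) {
			return map[bool]string{true: "pass", false: "error"}[ext.Critical]
		}
	}
	return "NA"
}

// sampleCert builds a constructed self-signed cert with basicConstraints cA=FALSE.
func sampleCert(notBefore time.Time, critical bool) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	bc := pkix.Extension{Id: oidBasicConstraints, Critical: critical, Value: []byte{0x30, 0x00}}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore,
		NotAfter: notBefore.AddDate(0, 3, 0), ExtraExtensions: []pkix.Extension{bc}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, d := range []time.Time{sc062Effective.AddDate(0, 0, -1), sc062Effective} {
		c, err := sampleCert(d, false)
		if err != nil {
			panic(err)
		}
		fmt.Println(d.Format("2006-01-02"), lintBCCritical(c, sc062Effective))
	}
}
```

Because the check is inert until the effective date, it can ship in a linter release before the requirement applies and begins flagging certificates only once their notBefore reaches that date.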
