On Tue, Feb 19, 2019 at 9:56 PM Wayne Thayer <[email protected]> wrote:

> Ryan,
>
> On Mon, Feb 18, 2019 at 4:58 PM Ryan Sleevi via dev-security-policy <
> [email protected]> wrote:
>
>> On Mon, Feb 18, 2019 at 2:49 PM Jakob Bohm via dev-security-policy <
>> [email protected]> wrote:
>>
>> > On 15/02/2019 19:33, Ryan Sleevi wrote:
>> > > On Fri, Feb 15, 2019 at 12:01 PM Jakob Bohm via dev-security-policy <
>> > > [email protected]> wrote:
>>
>> > And by all means run multiple checkers that purport to check the same
>> > things.
>>
>>
>> While I realize there is a tendency to speak in the abstract here, I think
>> it’s both valuable and appropriate to highlight that there are no such
>> linters in the market, just as there is no “linter market” or “linter
>> vendors”. None of the open-source projects purport to cover the same set of
>> checks -
>
>
> certlint, x509lint, and zlint all detect the problem with the Izenpe
> certificate [1]. While I realize that none of these linters perform the
> exact same set of checks, there is significant overlap that is in no way
> abstract.
>
>> each represents a different and complementary effort to examine
>> different elements of the issuance pipeline.
>
> If you are referring to certlint, x509lint, and zlint, can you explain
> this statement?
>

Sure! certlint’s strength is that it checks ASN.1 by virtue of asn1c, and
while it has a number of secondary checks for BR compliance, they’re not as
aggressively present as with zlint. Zlint is extremely well documented in
both its checks of 5280, but particularly excels in its BR compliance
aspects - especially with compliance dates.

X509lint is the least mature of the three linters, but more broadly targeted
5280 compliance without necessarily emphasizing the BR aspect.

There is indeed overlap between the three, but particularly zlint and
cablint excel in ways that the other does not. You absolutely would not
want one pre and one post - you will miss things between them.


> [1] https://crt.sh/?id=1202714390&opt=cablint,x509lint,zlint
>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
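
The point about splitting linters between pre- and post-issuance, as an added example that is not part of the original message or of any linter's code: it normalizes findings from the three tools and reports which blocking findings a stage never sees when only some linters run there. It assumes the `E:`/`W:`/`I:` line format printed by cablint and x509lint and zlint's JSON map of lint name to `result`; all sample output is constructed.

```python
import json

# Constructed sample linter output for one certificate (messages and lint names
# are made up for illustration, not copied from the crt.sh report in the thread).
SAMPLE_OUTPUT = {
    "cablint": "E: constructed ASN.1 encoding problem\nI: TLS Server certificate identified\n",
    "x509lint": "W: constructed RFC 5280 warning\n",
    "zlint": json.dumps({
        "e_constructed_br_date_lint": {"result": "error"},
        "w_constructed_lint": {"result": "warn"},
        "e_constructed_other_lint": {"result": "pass"},
    }),
}

def parse_prefixed(text):
    """Assumed cablint/x509lint style: one finding per line, e.g. 'E: message'."""
    findings = []
    for line in text.splitlines():
        sev, sep, msg = line.partition(": ")
        if sep and sev in {"F", "E", "W", "I", "N", "B"}:
            findings.append((sev, msg.strip()))
    return findings

def parse_zlint(text):
    """Assumed zlint style: JSON object mapping lint name -> {'result': ...}."""
    sev_map = {"fatal": "F", "error": "E", "warn": "W", "info": "I"}
    return [(sev_map[r["result"]], name)
            for name, r in json.loads(text).items() if r["result"] in sev_map]

PARSERS = {"cablint": parse_prefixed, "x509lint": parse_prefixed, "zlint": parse_zlint}

def blocking(linters, outputs=SAMPLE_OUTPUT):
    """Fatal/error findings visible to the linters enabled at one stage."""
    return {(name, msg) for name in linters
            for sev, msg in PARSERS[name](outputs[name]) if sev in {"F", "E"}}

def missed_at_stage(stage_linters, outputs=SAMPLE_OUTPUT):
    """Blocking findings that some linter reports but this stage never sees."""
    return blocking(outputs.keys(), outputs) - blocking(stage_linters, outputs)

if __name__ == "__main__":
    print("pre-issuance, cablint only:", missed_at_stage(["cablint"]))
    print("post-issuance, zlint only: ", missed_at_stage(["zlint"]))
    print("all three at either stage: ", missed_at_stage(list(PARSERS)))
```

With the split configuration, the zlint-only error is first seen after the certificate already exists, and the cablint-only error is never re-checked afterwards; running every linter at both stages leaves nothing missed.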
