Hi everyone. I've already posted a release announcement<https://groups.google.com/a/groups.cabforum.org/g/public/c/lM7XZxUYakc/m/3z9IIqq0AgAJ> for this project on the CABForum Public list, but I imagine there are some folks here who aren't following that list but who might be interested...

Amir wrote<https://www.mail-archive.com/[email protected]/msg01669.html>: "You've had issues with, arguably one of the easiest parts of being a CA, linting. Your issues with linting go back at least six years. Seriously, how do you have so much difficulty with properly implementing pre, and post issuance linting?"

Mike Shaver wrote<https://www.mail-archive.com/[email protected]/msg01727.html>: "Finally, conformance to the standards and correct issuance is just not that hard, as regards the things that have been argued to be "too minor to revoke in 5 days". They would virtually all have been caught by decent linting."

In my experience, effective integration of linters into a CA's pre-issuance pipeline isn't rocket science, but it's also far from trivial. In recent months on Bugzilla we've seen a number of CAs struggle with, or take a long time to complete, linter integration projects; and now that CABForum has set deadlines in the TLS BRs for when CAs SHOULD<https://github.com/cabforum/servercert/pull/518/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR193> and MUST<https://github.com/cabforum/servercert/pull/518/files#diff-e0ac1bd190515a4f2ec09139d395ef6a8c7e9e5b612957c1f5a2dea80c6a6cfeR194> implement a linting strategy, every TLS-capable CA needs to get on top of this.

pkimetal delivers: easier linter integration, a comprehensive linting strategy, and more performant and scalable linting.

Open-source project: https://github.com/pkimetal/pkimetal (code, documentation, prebuilt Docker containers)
Public instance: https://pkimet.al/ (not recommended for production CA environments)

I, for one, look forward to the day when misissuance incidents that could have been "caught by decent linting" are a thing of the past!

--
Rob Stradling
Distinguished Engineer
Sectigo Limited
