[cabfpub] crt.sh and linting (was Re: Proposed new ballot on IP Addresses in SANs)
Rob Stradling
rob.stradling at comodo.com
Tue Apr 26 09:20:28 UTC 2016
On 26/04/16 08:34, Kurt Roeckx wrote:
> On Mon, Apr 25, 2016 at 03:56:40PM -0700, Ryan Sleevi wrote:
<snip>
>> The non-compliance of CAs to RFC5280 and related have caused significant
>> hurdles in improving Chrome's certificate validation code, as we're
>> constantly having to work through not only the spec, but examine other
>> implementations to see what sorts of voodoo and dark-magic have been imbued
>> to work around matters of non-compliance. I'm sure, from the CA side, this
>> can be appreciated in terms of not understanding how browsers build
>> certificate chains, so I would hope we can all agree that objective
>> standards - like 5280 is meant to be (and the underlying ASN.1
>> specifications like X.690) - help the industry move at a faster, better
>> pace.
>
> OpenSSL also wants to be more strict in what it accepts, which is
> one reason why I started with my x509lint, which results you can
> now also see on crt.sh.
Indeed you can. :-)
https://crt.sh/?a=1 now lets you see linting results from cablint,
x509lint, or both linters together.
Let the linter wars begin! ;-)
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list