[Servercert-wg] Ballot SC-75 - Pre-sign linting

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Jun 3 11:22:46 UTC 2024



On 3/6/2024 12:25 μ.μ., Rob Stradling wrote:
> > Do people have strong feelings against RECOMMENDing linting of 
> currently-valid certificates when linting software gets updated, with 
> a threshold of 90 days after the update of the linting software?
>
> ISTM that some people tend to read "SHOULD" or "RECOMMENDED" as "we 
> strongly urge you to do this thing, but don't worry if you don't 
> because it's 100% optional".  IMHO, this interpretation is nearer to 
> "MAY" than to the real definition of "SHOULD".
>
> "SHOULD" needs to be understood as "100% required, except for 'valid 
> reasons in particular circumstances'" (quoting RFC2119), and I think 
> I'm right in saying that in CABForum documents we often use "SHOULD" 
> to define requirements that we anticipate will become "MUST" 
> requirements in the future.
>
> With that in mind, I do not support RECOMMENDing something that is 
> known to be technologically infeasible for high-volume certificate 
> issuers.

Thanks for the feedback Rob. These "high-volume certificate issuers" ARE 
within the "particular circumstances" and IMHO within the spirit and 
letter of RFC 2119. When I first recommended a SHOULD, I interpreted 
this to be 100% required, except for valid reasons in particular 
circumstances. In any case, I will not insist on a SHOULD if ppl have 
strong objections.


>
> > CAs with such large volumes could perform sampling and pick a 
> smaller number of certificates for linting during the linter update
>
> Imposing a minimum percentage sample size (even as low as 1%) might be 
> challenging for some high-volume CAs.  Perhaps we could solve that by 
> letting CAs pick their own sample sizes, but TBH I'm not convinced 
> that sampling is the best or only approach.

This is a pretty standard audit practice when there are technical or 
other practical barriers in auditing large numbers of 
artifacts/populations. CAs (including high-volume CAs) are already 
required to perform a 3% sampling of issued certificates per quarter. 
The expectation of the requirement is to highlight that the CA should 
make sure they have not misissued certificates due to their at-the-time 
linter having bugs or not including specific lints that the update now 
supports. It could be left for the CA to decide whether to lint the 100% 
of valid certificates or a 3% (or zero, if they can justify the exceptions).

>
> ISTM that the goals here are (1) to avoid rolling out buggy linters to 
> production CA systems and (2) to assist linter developers with 
> discovering and fixing bugs in linters.  So why don't we encourage CAs 
> to look closely at the changelog of each new linter version and then 
> do targeted testing of the lints that have been added or changed?  
> i.e., white box testing instead of black box testing.  Perhaps we 
> could even encourage CAs to review the changes to the linter's source 
> code too.  I think these sorts of approaches are more likely to 
> uncover linter bugs, and more quickly.
>
> But...
> Whilst it's great to encourage the CA community to collectively engage 
> in helping to improve the quality of linters, I'm not convinced it's 
> appropriate to define any sort of "SHOULD" requirement in the BRs 
> relating to this.  Similarly, whilst it's great to encourage the CA 
> community to collectively engage in supporting the CT ecosystem, we 
> don't have a "The CA SHOULD operate a CT log" requirement specified 
> anywhere.

I also agree that the BRs are not the right place to enforce 
requirements/expectations for CAs to contribute collectively in linting 
or other tools.

Dimitris.

>
> ------------------------------------------------------------------------
> *From:* Servercert-wg <servercert-wg-bounces at cabforum.org> on behalf 
> of Dimitris Zacharopoulos (HARICA) via Servercert-wg 
> <servercert-wg at cabforum.org>
> *Sent:* 03 June 2024 06:13
> *To:* Aaron Gable <aaron at letsencrypt.org>; CA/B Forum Server 
> Certificate WG Public Discussion List <servercert-wg at cabforum.org>
> *Subject:* Re: [Servercert-wg] Ballot SC-75 - Pre-sign linting
> CAUTION: This email originated from outside of the organization. Do 
> not click links or open attachments unless you recognize the sender 
> and know the content is safe.
>
>
>
> On 1/6/2024 12:20 π.μ., Aaron Gable wrote:
>
>     On Wed, May 29, 2024 at 10:57 PM Dimitris Zacharopoulos (HARICA)
>     via Servercert-wg <servercert-wg at cabforum.org
>     <mailto:servercert-wg at cabforum.org>> wrote:
>
>         While we're in this vein, it would also be useful to add a
>         recommendation for CAs to lint all non-expired, non-revoked
>         certificates whenever they install an update of their linting
>         software.
>
>           * "The CA SHOULD perform Linting on the corpus of its
>             non-expired, non-revoked Subscriber Certificates whenever
>             it updates the Linting software".
>
>         What do people think about these proposals?
>
>
>     Just chiming in to say that I don't love this proposal, for a few
>     reasons.
>
>     1. Linting software has not always had a great track record of
>     applying new lints (based on new requirements) only to
>     certificates issued after a certain date. Running a new linting
>     tool over old certificates frequently raises warnings or errors
>     which were not actually errors at the time of issuance. Zlint has
>     support for this behavior, but it is not used consistently across
>     all lints in their corpus. A quick glance at pkilint's source does
>     not seem to show any support for this behavior, but I easily could
>     be wrong.
>
>
> Linters can be expected to throw false positives and it's the CA's 
> responsibility to interpret those results properly. Linting the 
> non-expired, non-revoked certificates is usually a "one-off" task 
> (linting software is usually not updated so frequently) and if the CA 
> decides that a certain lint is a false positive, it could be excluded 
> for that run. In most cases though, updated linters may catch past 
> compliance matters and mis-issuances that are correctly detected and 
> reported. It's always best to risk some false positives (which you can 
> document and move on) than to risk missing real misissuances which 
> will ultimately be revealed by third parties scanning the CT logs.
>
>
>     2. Some CAs have very large certificate corpuses, e.g. Let's
>     Encrypt has 400 million currently-valid certificates. Some linting
>     tools are very slow, e.g. pkilint's `lint_pkix_cert` takes 300ms
>     per run. At that rate, re-linting LE's whole corpus would take
>     /four years/. I'm sure there are speedups to be had, but they'd
>     have to be several orders of magnitude to make that feasible.
>
>
> I believe this is a valid case for CAs that have large certificate 
> volumes and linting every single currently-valid certificate is not a 
> viable option, which is why this is a SHOULD requirement. Even so, 
> based on audit methodologies, LE and other CAs with such large volumes 
> could perform sampling and pick a smaller number of certificates for 
> linting during the linter update.
>
>
>     3. Any large systems engineer knows that streaming processing and
>     batch processing infrastructure are very different, with wholly
>     different software and hardware setups to make each efficient. I
>     think it is much more important to incentivize stream-linting
>     (i.e. as issuance happens), and that it would be counterproductive
>     to require CAs to invest in both at the same time.
>
>
> I'm probably thinking about this a bit differently because linting can 
> be executed in multiple ways. It's the same software that can be 
> executed in the issuance pipeline (pre-sign linting) and after the 
> issuance pipeline (post-sign linting). In the latter case, it can be 
> executed in batch mode that checks multiple certificates. The ballot 
> certainly puts more weight on the stream-linting process but also 
> recommends post-sign linting, at least when the linting software gets 
> updated. I believe this is a good balance that puts all the 
> expectations of using linting tools in the BRs.
>
> Do people have strong feelings against RECOMMENDing linting of 
> currently-valid certificates when linting software gets updated, with 
> a threshold of 90 days after the update of the linting software?
>
>
> Dimitris.
>
>
>
>     Thanks,
>     Aaron
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20240603/2cd973c4/attachment.html>


More information about the Servercert-wg mailing list