Thinking about it more, this particular issue is the most annoying one because:
1. There’s not a limited defined set of items that encompass what the OU may include,
2. The OU is generally the dumping ground for information, and
3. There’s no requirement this information is verified other than ensuring it doesn’t have org/address info.

Building a rule set to shore up this particular issue is difficult as the parameters are not well defined like they are with domain and identity validation.

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, August 10, 2017 12:24 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with metadata-only subject fields

Can you provide an example of what you believe is a bigger issue that has been masked?

Otherwise, it sounds like you're saying "Ignore the obvious errors, because maybe someone will find something non-obvious, and we don't want to miss out" - but that's a deeply flawed argument, and I would hope isn't the substance of what you're saying.

Note: I still disagree with you about the artificial ontology; all of these errors equally speak to the CA's ability to execute on Best Practices, such as using available tools that have been evangelized for over a year as something that can (and arguably should) be integrated into issuance pipelines. Discussions at this point are extremely relevant, as they speak to how well the CA is staying abreast of changes, as well as how effectively they're managing their subsidiaries - both issues that are key to public trust.

On Thu, Aug 10, 2017 at 2:17 PM, Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

I strongly disagree. The discussion around errors like these masks the bigger issues in the noise. If there are bigger issues, let's find those.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of David E. Ross via dev-security-policy
Sent: Wednesday, August 9, 2017 4:35 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Certificates with metadata-only subject fields

On 8/9/2017 2:54 PM, Jonathan Rudenberg wrote:
>
>> On Aug 9, 2017, at 17:50, Peter Bowen <pzbo...@gmail.com> wrote:
>>
>> The point of certlint was to help identify issues. While I
>> appreciate it getting broad usage, I don't think pushing for
>> revocation of every certificate that trips any of the Error level
>> checks is productive.
>
> I agree, and I don't really have a position on the revocation of
> certificates with errors that do not appear to have any security
> impact like these.
>
> Jonathan
>

I strongly disagree. Errors like this make me question whether the certification authority is sufficiently competent to be trusted. Small errors can indicate an increased likelihood of serious errors.

--
David E. Ross
<http://www.rossde.com/>

President Trump demands loyalty to himself from Republican members of Congress. I always thought that members of Congress -- House and Senate -- were required to be loyal to the people of the United States. In any case, they all swore an oath of office to be loyal to the Constitution.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
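As an added illustration (not part of the thread above, and not certlint's or any CA's code): a minimal pre-issuance check of the kind Ryan refers to, applied to the pattern the thread is about, subject attributes filled with placeholder values instead of being omitted. The metadata-character rule follows the Baseline Requirements' prohibition (section 7.1.4.2.2) on subject values consisting only of '.', '-' or spaces or otherwise indicating the value is absent or not applicable; the length bounds are RFC 5280's ub-* upper bounds. The placeholder word list, the attribute short names and both sample subjects are constructed assumptions for this example, which is also why, as Jeremy notes, a list like this can only catch the obvious cases and never fully "validates" an OU.

```python
import re
from typing import Iterable, List, Tuple

# RFC 5280 Appendix A upper bounds (in characters) for the subject attributes
# most often seen carrying placeholder values.
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128}

# A value made only of '.', '-' and whitespace (or empty) is "metadata" in the
# Baseline Requirements' sense: it signals absence rather than stating a value.
_METADATA_ONLY = re.compile(r"^[.\-\s]*$")

# Constructed list of placeholder words (an assumption for this example, not a
# list taken from the BRs or from certlint). Matched after lower-casing and
# stripping punctuation, so "N/A.", "(none)" and "Not Applicable" all hit.
PLACEHOLDER_WORDS = {"n/a", "none", "null", "nil", "not applicable",
                     "unknown", "tbd"}


def is_metadata_only(value: str) -> bool:
    """True when a subject attribute value conveys no information."""
    if _METADATA_ONLY.match(value):
        return True
    normalized = re.sub(r"[^a-z/ ]", "", value.lower()).strip()
    return normalized in PLACEHOLDER_WORDS


def lint_subject(subject: Iterable[Tuple[str, str]]) -> List[str]:
    """Return one finding per subject attribute that should block issuance.

    `subject` is a sequence of (attribute short name, value) pairs in DN
    order, e.g. [("C", "US"), ("O", "Example Corp"), ("CN", "www.example.com")].
    """
    findings = []
    for attr, value in subject:
        if is_metadata_only(value):
            findings.append(f"{attr}={value!r}: metadata-only or placeholder value")
            continue
        bound = UPPER_BOUNDS.get(attr)
        if bound is not None and len(value) > bound:
            findings.append(f"{attr}: {len(value)} characters exceeds ub of {bound}")
    return findings


def should_issue(subject: Iterable[Tuple[str, str]]) -> bool:
    """Pre-issuance gate: refuse any subject with findings (fail closed)."""
    return not lint_subject(subject)


# Constructed sample subjects. The bad one mirrors the pattern under
# discussion: optional fields filled with placeholders instead of omitted.
BAD_SUBJECT = [("C", "US"), ("O", "Example Corp"), ("OU", "N/A"),
               ("L", "."), ("ST", "-"), ("CN", "www.example.com")]
GOOD_SUBJECT = [("C", "US"), ("O", "Example Corp"), ("OU", "Web Operations"),
                ("L", "Lehi"), ("ST", "Utah"), ("CN", "www.example.com")]

if __name__ == "__main__":
    for name, subj in (("bad", BAD_SUBJECT), ("good", GOOD_SUBJECT)):
        print(name, "issue" if should_issue(subj) else "refuse")
        for finding in lint_subject(subj):
            print("  ", finding)
```

The gate fails closed: any finding refuses issuance rather than logging and continuing, which is the property that makes a linter useful in a pipeline rather than only in a post-issuance audit. Running the block prints three findings for the constructed bad subject (OU, L and ST) and none for the good one.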