pkimetal - A PKI Meta-Linter


Rob Stradling

Jul 30, 2024, 11:23:28 AM
to dev-secur...@mozilla.org
Hi everyone.  I've already posted a release announcement for this project on the CABForum Public list, but I imagine there are some folks here who aren't following that list but who might be interested...

Amir wrote:
"You've had issues with, arguably one of the easiest parts of being a CA, linting. Your issues with linting go back at least six years. Seriously, how do you have so much difficulty with properly implementing pre, and post issuance linting?"

Mike Shaver wrote:
"Finally, conformance to the standards and correct issuance is just not that hard, as regards the things that have been argued to be "too minor to revoke in 5 days". They would virtually all have been caught by decent linting."

In my experience, effective integration of linters into a CA's pre-issuance pipeline isn't rocket science, but it's also far from trivial.  In recent months on Bugzilla we've seen a number of CAs struggle with, or take a long time to complete, linter integration projects; and now that CABForum has set deadlines in the TLS BRs for when CAs SHOULD and MUST implement a linting strategy, every TLS-capable CA needs to get on top of this.

pkimetal delivers: easier linter integration, a comprehensive linting strategy, and more performant and scalable linting.

Open-source project: https://github.com/pkimetal/pkimetal (code, documentation, prebuilt Docker containers)

Public instance: https://pkimet.al/ (not recommended for production CA environments)

I, for one, look forward to the day when misissuance incidents that could have been "caught by decent linting" are a thing of the past!

--
Rob Stradling
Distinguished Engineer
Sectigo Limited

Ryan Hurst

Jul 30, 2024, 11:42:27 AM
to Rob Stradling, dev-secur...@mozilla.org
Rob,

Thanks for this excellent project.

Ryan


Ben Laurie

Jul 30, 2024, 11:46:31 AM
to Rob Stradling, dev-secur...@mozilla.org
Awesome!

But I have to ask: what is going on here?

Mike Shaver

Jul 30, 2024, 12:57:08 PM
to Rob Stradling, dev-secur...@mozilla.org
This is fabulous, thank you! Look forward to poking at it.

Mike

Rob Stradling

Jul 30, 2024, 4:38:11 PM
to Ben Laurie, dev-secur...@mozilla.org
Hi Ben.  I forget exactly what prompt I gave the image generator, but it's supposed to be a cartoon lint roller pretending to be a brave knight, clad in armour (metal, obviously) to bravely fight the good fight of WebPKI policy compliance!  Standing atop its vanquished foe (a pile of clothes, representing a marauding band of noncompliant TBSCertificates), it proudly displays the battle wounds (linter "findings") sustained during its noble quest.  😉
