I'm a Go crypto/x509 maintainer. When we make changes to the parser/chain builder, we need to take into account parts of the ecosystem we're going to break by making a change.
Generally we do this by using one of the various different repositories of searchable CT data (crt.sh, etc) to look at what trusted leaves, intermediates, or roots violate the test case, and determine if it's safe to do so. One example here is e.g. the zero serial number, or serial number length checks, which seem entirely reasonable to implement, until you realize that like 75% of the ecosystem relies on a root that violates said assumptions.
Ideally, where possible, it'd be extremely valuable to provide links to these types of searches, either showing the leaves, intermediates, roots that are affected, or that there are none. This would make the process of determining what can reasonably be fixed and what can't significantly simpler.
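As an added illustration of the serial-number checks mentioned above (example code written for this page, not crypto/x509's own validation): the RFC 5280 rules are that the serial is positive and that its DER INTEGER content is at most 20 octets, where the count includes the 0x00 pad octet DER prepends when a positive value's top bit is set. The sample serials are constructed; the function names are my own.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"math/big"
)

// RFC 5280 section 4.1.2.2: at most 20 octets of DER INTEGER content.
const maxSerialOctets = 20

// serialDERLength returns the number of content octets in the DER
// INTEGER encoding of serial (pad octet included, tag and length excluded).
func serialDERLength(serial *big.Int) (int, error) {
	der, err := asn1.Marshal(serial)
	if err != nil {
		return 0, err
	}
	var raw asn1.RawValue
	if _, err := asn1.Unmarshal(der, &raw); err != nil {
		return 0, err
	}
	return len(raw.Bytes), nil
}

// serialNumberProblems lists the serial-number rules a value violates.
// An empty result means the serial would pass these checks.
func serialNumberProblems(serial *big.Int) []string {
	if serial == nil {
		return []string{"serial number missing"}
	}
	var problems []string
	switch serial.Sign() {
	case 0:
		problems = append(problems, "serial number is zero")
	case -1:
		problems = append(problems, "serial number is negative")
	}
	if n, err := serialDERLength(serial); err != nil {
		problems = append(problems, "serial number not encodable: "+err.Error())
	} else if n > maxSerialOctets {
		problems = append(problems, fmt.Sprintf("serial number is %d octets, limit is %d", n, maxSerialOctets))
	}
	return problems
}

func main() {
	// Constructed samples: 2^158 fits in 20 octets; 2^159 has its top bit
	// set, so DER adds a pad octet and it spills to 21.
	for _, s := range []*big.Int{big.NewInt(0), big.NewInt(-1),
		new(big.Int).Lsh(big.NewInt(1), 158), new(big.Int).Lsh(big.NewInt(1), 159)} {
		fmt.Printf("%x: %v\n", s, serialNumberProblems(s))
	}
}
```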