On Sat, Jul 9, 2022 at 6:49 AM Graham Leggett <minf...@sharp.fm> wrote:

> Please don’t invent another format, or try and truncate the data. This is a
> huge headache when troubleshooting.

I hear you, and I agree that correlating these things across machines is something we should be making easier. I'm just not convinced that the particular format you've proposed, with a new set of rules for quoting and escaping, needs to be part of this patch. (And I think there are good reasons to truncate unverified cert data, so there'd have to be clear benefits to offset the risk of opening it up.)

Searching Google for "issuer rdnSequence" comes up with mostly false positives related to LDAP filtering and certificate dumps, and the true positives seem to be mail threads that you've participated in. Do many LDAP servers log certificate failures in this format by default? (For that matter, does httpd?) The discussion at the time you added this to httpd [1] seemed to be making the point that this was a niche format, suited mostly for interaction with LDAP filters -- and Kaspar additionally pointed out that it's not a canonical format, so all of our implementations would have to have an ad hoc agreement to choose exactly one encoding.

If you're using randomized serial numbers, you should be able to grep for those by themselves and successfully match many different formats, no? To me, that seems good enough for a first patch, considering we don't currently log any of this information.

--Jacob

[1] https://lists.apache.org/thread/1665qc4mod7ppp58qk3bqc2l3wtl3lkn