David Adrian

`feature/TLSv1.3` probably needs to be redone from scratch, I don't believe it merges cleanly.

Requirements that predate the BRs or were included in the first version of the BRs use util.ZeroDate so that they are ran against all certificates.

Unfortunately, the best way to find a protocol/subprotocol combination is to look in the code at https://github.com/zmap/ztag/blob/master/ztag/transforms. Find the file corresponding to the protocol you're interested in, and then see...

I don't think we should do this until we can guarantee that this will be "stomped" by vendor-specific tags.

It seems like `Source` shouldn't define Scope. Might this make more sense as either as new subdirectory for OCSP lints, or a new property on the lint struct used for...

Just so I can document this on tldr.fail---where is the socket read buffer configured in this context? Is that an Envoy, TLS Inspector, or kernel setting (or somewhere else)? I...

I don't know if this is still the case, but at the time: - SystemCertPool required cgo and caused a bunch of compile errors on platforms we didn't have CI...

I think there's a lot of open questions and things to work out / change, however: 1. The idea of out-of-process and optionally hardware backed keys _that are origin bound...

> origin binding in the protocol similar WebAuthn (meaning this isn't just a plain sign/encrypt-arbitrary-data kind of API anymore) I don't see why origin binding would affect the functionality of...