On Saturday, 7 January 2017 23:22:08 UTC, Lewis Resmond wrote:
> May I ask a small offtopic question? How did you examine the certificates? Is
> there a mechanism where you can get all the *.pem files so you can check them
> with a self developed script?

Certificate Transparency logs keep copies of every certificate they issue an SCT for, hence the name "logs". You can request these copies (DER encoded, sorry, not PEM) from a CT log using the get-entries call described in RFC 6962.

Currently I have some very crude code that does this, primarily it is currently harvesting certificates from Google's "pilot" log, and then I am running a variety of experiments, some of which I would think of as "public interest" and others not so much. The 7.1.4.2.1 checks are in that "public interest" category. I was already pretty sure I wanted to build a CT log monitor, so this is just paddling in the shallow end before I dive in for real.

Depending on the volumes involved, public interest stuff will probably either appear here, or on a web page linked from here.

I commend the approach of examining a big pile of real world Web PKI certificates for yourself if you have an interest and the ability to write code. However, if you have statistical questions about the certificates rather than an interest in what's inside each individual certificate - I'd suggest looking at censys.io rather than building a CT log monitor.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
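An added example, not part of the original message and not the poster's code: decoding the JSON body of an RFC 6962 get-entries response (`GET <log>/ct/v1/get-entries?start=..&end=..`) and converting the DER of each x509_entry leaf to PEM. The function names are hypothetical, and the sample response is constructed inline with a placeholder DER blob so the code runs offline.

```python
import base64, json, struct, textwrap

X509_ENTRY, PRECERT_ENTRY = 0, 1  # LogEntryType values in RFC 6962

def parse_leaf_input(leaf_b64):
    """Decode a MerkleTreeLeaf; return (timestamp_ms, entry_type, der)."""
    leaf = base64.b64decode(leaf_b64)
    if len(leaf) < 12:
        raise ValueError("leaf too short")
    # version(1) leaf_type(1) timestamp(8) entry_type(2), all big-endian
    version, leaf_type, timestamp, entry_type = struct.unpack_from(">BBQH", leaf)
    if version != 0 or leaf_type != 0:
        raise ValueError("not a v1 timestamped_entry leaf")
    pos = 12
    if entry_type == PRECERT_ENTRY:
        pos += 32  # skip issuer_key_hash; a TBSCertificate follows, not a cert
    elif entry_type != X509_ENTRY:
        raise ValueError("unknown entry type")
    if len(leaf) < pos + 3:
        raise ValueError("missing length prefix")
    length = int.from_bytes(leaf[pos:pos + 3], "big")  # uint24 length prefix
    der = leaf[pos + 3:pos + 3 + length]
    if len(der) != length:
        raise ValueError("truncated entry")
    return timestamp, entry_type, der

def der_to_pem(der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def certificates_from_response(response_text):
    """Return [(timestamp_ms, pem)] for the x509_entry leaves of a get-entries body."""
    out = []
    for entry in json.loads(response_text)["entries"]:
        ts, etype, der = parse_leaf_input(entry["leaf_input"])
        if etype == X509_ENTRY:  # precert leaves hold only a TBSCertificate
            out.append((ts, der_to_pem(der)))
    return out

def build_sample_response():
    """Constructed sample: one x509_entry and one precert_entry, placeholder DER."""
    fake_der = bytes.fromhex("3003020101")  # tiny DER SEQUENCE, not a real cert
    tail = len(fake_der).to_bytes(3, "big") + fake_der + b"\x00\x00"  # + empty extensions
    x509 = struct.pack(">BBQH", 0, 0, 1483831328000, X509_ENTRY) + tail
    pre = struct.pack(">BBQH", 0, 0, 1483831329000, PRECERT_ENTRY) + b"\x11" * 32 + tail
    leaves = [base64.b64encode(l).decode() for l in (x509, pre)]
    return json.dumps({"entries": [{"leaf_input": l, "extra_data": ""} for l in leaves]})

if __name__ == "__main__":
    print(certificates_from_response(build_sample_response())[0][1])
```

For a precert_entry the leaf carries only the TBSCertificate; the submitted precertificate and the chain are in the entry's `extra_data` field, which this example does not decode.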

