Anyone who's using or planning to use these crt.sh APIs might like to know that I've enhanced them to also run the ZLint certificate linter (from https://github.com/zmap/zlint).

On 18/08/17 17:39, Rob Stradling via dev-security-policy wrote:
In response to the many BR compliance issues [1] that have been reported here this month, there's been renewed interest in certificate linting. Various CAs have said that they're considering plugging one or more certificate linters into their certificate issuance processes.

Some CAs, such as those with high certificate issuance rates, will probably prefer to run their own local installations of their chosen linter(s). However, other CAs may prefer to use an external linting service.

One current problem is that neither certlint/cablint nor x509lint is suitable for use prior to certificate issuance - that is, they're only currently capable of operating on certificates, not TBSCertificates.

With all of the above in mind, I've created a new crt.sh API that can be used to lint TBSCertificates. It uses crt.sh's existing linting capabilities, which are provided by cablint and x509lint. To work around the limitation described in the previous paragraph, it wraps the TBSCertificate into a certificate structure by appending a dummy signature.

I'm planning to integrate this crt.sh API into Comodo's issuance processes ASAP. Other CAs are also welcome to use it (although please chat to me first if you're a high-volume issuer!).

API URL: https://crt.sh/linttbscert

To use it, either (1) browse to that URL, paste a base64-encoded TBSCertificate, then click "Lint TBSCertificate", or (2) simulate that button click by POSTing a URL-encoded "b64tbscert" parameter to the same URL.

The API response is tab-separated text, with one line per "issue". Each line contains three items:
   Linter    Severity    Description


P.S. I've also created an equivalent linting API for certificates: https://crt.sh/lintcert


[1] https://wiki.mozilla.org/CA/Incident_Dashboard#Open_CA_Compliance_Bugs

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
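An added client-side illustration of the API described in the message above (my own example code, not crt.sh's implementation): it wraps a DER TBSCertificate into a Certificate structure by appending a dummy signature, as the message says the service does, builds the URL-encoded `b64tbscert` POST body, and parses the tab-separated Linter/Severity/Description response. The minimal DER helpers, the all-zero 32-byte signature length and the function names are assumptions of this example; nothing here contacts the network.

```python
import base64
from urllib.parse import urlencode

def der_len(n: int) -> bytes:
    # DER length field: short form below 0x80, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def read_len(buf: bytes, i: int) -> tuple:
    # decode a DER length at offset i -> (length, offset of the content)
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def der_children(seq: bytes) -> list:
    # split a DER SEQUENCE into (tag, raw TLV bytes) per element
    if seq[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, i = read_len(seq, 1)
    end, out = i + length, []
    while i < end:
        clen, j = read_len(seq, i + 1)
        out.append((seq[i], seq[i:j + clen]))
        i = j + clen
    return out

def wrap_tbs_with_dummy_signature(tbs: bytes) -> bytes:
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    # signatureAlgorithm is copied from the TBS 'signature' field (RFC 5280 requires a match); signatureValue is an all-zero BIT STRING so the result parses as a certificate
    kids = der_children(tbs)
    idx = 1 if kids[0][0] == 0xA0 else 0  # skip the optional [0] EXPLICIT version
    if len(kids) < idx + 2 or kids[idx][0] != 0x02 or kids[idx + 1][0] != 0x30:
        raise ValueError("expected serialNumber INTEGER followed by AlgorithmIdentifier")
    dummy_sig = der(0x03, b"\x00" * 33)  # 0 unused bits + 32 zero bytes (length is arbitrary; assumption)
    return der(0x30, tbs + kids[idx + 1][1] + dummy_sig)

def build_post_body(tbs: bytes) -> str:
    # URL-encoded form body for POST https://crt.sh/linttbscert
    return urlencode({"b64tbscert": base64.b64encode(tbs).decode()})

def parse_lint_response(text: str) -> list:
    # one issue per non-empty line: Linter <tab> Severity <tab> Description
    return [dict(zip(("linter", "severity", "description"), line.split("\t", 2)))
            for line in text.splitlines() if line.strip()]
```

The wrapped certificate can never verify (the signature is zeros), which is exactly why it is only useful for feeding structural linters before the real signature exists.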

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
