Thanks Andrew! Looks like MS has some offending certificates in there. I reached out to our internal teams to investigate.
Cheers, -Gordon From: 'Ryan Dickson' via CCADB Public <[email protected]> Sent: Wednesday, February 22, 2023 5:51 AM To: Ben Wilson <[email protected]> Cc: Andrew Ayer <[email protected]>; [email protected] Subject: [EXTERNAL] Re: Announcing CRL Watch to Monitor CRL Problems +1. Thank you for making both OCSP Watch<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsslmate.com%2Flabs%2Focsp_watch%2F&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=RyHHYyaY6wjQo%2FKoe6Ec64U2ekQ3SoCSzvrF5QaiQiY%3D&reserved=0> and now CRL Watch <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsslmate.com%2Flabs%2Fcrl_watch%2F&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3Ni9EMpTF7MGGTjh9AjSXQBlmL9Z2zxpWmWR61hW4vo%3D&reserved=0> available to the community, Andrew! On Mon, Feb 20, 2023 at 1:44 PM Ben Wilson <[email protected]<mailto:[email protected]>> wrote: Thanks for doing this, Andrew. It is very helpful. Sincerely yours, Ben On Mon, Feb 20, 2023 at 6:48 AM Andrew Ayer <[email protected]<mailto:[email protected]>> wrote: Now that several root programs require disclosure of CRLs in the CCADB, I've begun regularly crawling disclosed CRLs to look for problems. The list of identified problems can be found here: https://sslmate.com/labs/crl_watch/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsslmate.com%2Flabs%2Fcrl_watch%2F&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3Ni9EMpTF7MGGTjh9AjSXQBlmL9Z2zxpWmWR61hW4vo%3D&reserved=0> CRL Watch is currently tracking problems with 29 distinct issuers. The most common problem is CAs disclosing the wrong URL in the CCADB. Remember, the disclosed CRL should be for certificates issued by the CA, not the CRL that covers the CA certificate. CAs should examine https://sslmate.com/labs/crl_watch/<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsslmate.com%2Flabs%2Fcrl_watch%2F&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3Ni9EMpTF7MGGTjh9AjSXQBlmL9Z2zxpWmWR61hW4vo%3D&reserved=0> and address any problems. Regards, Andrew -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:public%[email protected]>. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/20230220084828.a2f70e6fa617a4551451f6b5%40andrewayer.name<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fccadb.org%2Fd%2Fmsgid%2Fpublic%2F20230220084828.a2f70e6fa617a4551451f6b5%2540andrewayer.name&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=nDNki0XQrjW6yd%2BxgMm9QRhVGAr7utATbNnKNe9KtoI%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CA%2B1gtaYKg_R_Dv6NXpu%2Bd%2BPLCOtLpvrofg6npy-je4Xvo6JHxw%40mail.gmail.com<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fccadb.org%2Fd%2Fmsgid%2Fpublic%2FCA%252B1gtaYKg_R_Dv6NXpu%252Bd%252BPLCOtLpvrofg6npy-je4Xvo6JHxw%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=sAx60lCKsxl9Gj7Q9D1kzZh%2Bq3QJ1pmYYjNuO6%2F4aCw%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CADEW5O_DCBpx3EoTtKrDsFOP51F6WN5b8TAuKQMXkJUnh%2B8WcA%40mail.gmail.com<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fccadb.org%2Fd%2Fmsgid%2Fpublic%2FCADEW5O_DCBpx3EoTtKrDsFOP51F6WN5b8TAuKQMXkJUnh%252B8WcA%2540mail.gmail.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Cgbock%40microsoft.com%7C41b4c95ce96f4a8c24cc08db14dbdeda%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638126706808264495%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=txvLOpT%2BPh4cQue6IQLCk2kj8BZTcHEu2S66%2B2OCvgw%3D&reserved=0>. -- You received this message because you are subscribed to the Google Groups "CCADB Public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/DM6PR00MB078403C591F063A2B828BBFAA3AA9%40DM6PR00MB0784.namprd00.prod.outlook.com.
