On Wed, October 17, 2012 11:07 am, Carl Wallace wrote:

<snip>

> I don't doubt any of this, but still think a crawler tool would be
> sufficient in many (if not most) cases. It'd probably be instructive to
> run for the site operators in the worst case. Note, I did not suggest
> that a user report feature was not a good or necessary thing, only that a
> builder tool for the site operator to run without bothering any users
> would be nice to have in the toolbox too. Thinking about it, they may
> well be the same tool if the user reporting tool is aggressive enough.
Ah, I misunderstood your point to be suggesting that a crawler would be
sufficient, and reporting would be unnecessary.

I'm a big fan of the crawler - both for purposes of pinning and for purposes
of generally understanding the nature of the web PKI. Public datasets such as
the EFF SSL Observatory data [1], along with private datasets such as those
that inform tools such as Qualys' SSL Labs [2] or Google's Certificate
Catalog [3], would go a good deal to establish what the known-possible
certificate hierarchies are. I just think there will be a tail of oddities
and legacy that are only picked up by reporting.

[1] https://www.eff.org/observatory
[2] https://www.ssllabs.com/
[3] http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
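As an added illustration of the "builder tool" and the "reporting" roles the thread contrasts (example code written for this page, not from the websec list or any of the tools cited above): a site operator aggregates every certificate chain a crawler observed for a host, keeps only the SPKI hashes present in all of them as safe pin candidates, and then triages chains that arrive via user reports to find the "tail of oddities" that a crawl alone would miss. The SPKI values, host names and function names are constructed placeholders; real pins are computed over the DER-encoded SubjectPublicKeyInfo.

```python
"""Pin-candidate builder plus report triage (added example, not from the thread).

A pin is only safe for a host if it appears in every chain that host is
actually served with; otherwise some users would be locked out. So the
builder intersects the SPKI hashes across all crawled chains. Anything a
user reports that matches none of the resulting pins is a legacy or
misconfigured chain the operator needs to look at before deploying pins.
"""
import base64
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed placeholder SPKIs (real code hashes DER SubjectPublicKeyInfo).
LEAF_A = b"spki:leaf-2012-q1"          # current leaf key
LEAF_B = b"spki:leaf-2012-q3"          # rotated leaf key
INT_X = b"spki:intermediate-x"         # intermediate used by every modern chain
ROOT_R = b"spki:root-r"                # primary root
ROOT_S = b"spki:root-s"                # cross-signing root seen by some clients
LEGACY_INT_Y = b"spki:intermediate-y"  # old intermediate on a forgotten host
LEGACY_LEAF = b"spki:leaf-2010"
BACKUP_KEY = b"spki:offline-backup"    # not in any chain; held offline

# Constructed crawl results: host -> list of chains (leaf first, root last).
CRAWLED: Dict[str, List[List[bytes]]] = {
    "www.example.test": [
        [LEAF_A, INT_X, ROOT_R],
        [LEAF_B, INT_X, ROOT_R],
        [LEAF_B, INT_X, ROOT_S],
    ],
}

# Constructed chains that only a user report surfaced (e.g. an old mirror
# behind a regional load balancer the crawler never hit).
REPORTED: Dict[str, List[List[bytes]]] = {
    "www.example.test": [
        [LEAF_B, INT_X, ROOT_R],            # ordinary, matches the pins
        [LEGACY_LEAF, LEGACY_INT_Y, ROOT_R],  # the oddity
    ],
}


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin value: base64(sha256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def build_pin_candidates(chains: Iterable[List[bytes]]) -> Set[str]:
    """Return the pins that would validate every observed chain.

    Intersecting across chains is what makes the result safe to deploy:
    a key that is missing from even one served chain must not be the only pin.
    """
    candidates: Set[str] = set()
    for i, chain in enumerate(chains):
        pins = {spki_pin(spki) for spki in chain}
        candidates = pins if i == 0 else candidates & pins
    return candidates


def chain_matches_pins(chain: List[bytes], pins: Set[str]) -> bool:
    """A chain is acceptable if at least one of its SPKIs is pinned."""
    return any(spki_pin(spki) in pins for spki in chain)


def triage_reports(host: str) -> List[List[bytes]]:
    """Reported chains for `host` that the crawl-derived pins would reject."""
    pins = build_pin_candidates(CRAWLED.get(host, []))
    return [c for c in REPORTED.get(host, []) if not chain_matches_pins(c, pins)]


def deployable_pin_set(host: str) -> Set[str]:
    """Crawl-derived pins plus an offline backup key (HPKP requires a backup)."""
    return build_pin_candidates(CRAWLED[host]) | {spki_pin(BACKUP_KEY)}


if __name__ == "__main__":
    host = "www.example.test"
    print("candidate pins:", sorted(build_pin_candidates(CRAWLED[host])))
    for chain in triage_reports(host):
        print("needs review before pinning:", [s.decode() for s in chain])
```

Running it shows that only the intermediate survives the intersection (the leaf rotated and two roots were seen), and that the legacy chain from the user report shares no key with that pin set, which is exactly the case the crawler would have missed.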
