Re: Digest for certificate-transparency@googlegroups.com - 6 updates in 2 topics


Victor Valle

Jun 23, 2018, 1:00:14 AM6/23/18
to certificate-...@googlegroups.com


On Jun 13, 2018, at 9:19 PM, certificate-...@googlegroups.com wrote:

mikee...@gmail.com: Jun 13 07:34AM -0700

Is there a way for an application to check a public log programmatically
for one particular certificate? We have an application that talks to a
third party and we want to verify that the third party is using a valid
certificate when the application communicates with it. I want to be able to
query a public log without setting up my own server to download the public
logs to query.
Ben Laurie <be...@google.com>: Jun 13 05:38PM +0100

Not in the CT logs themselves (yet). Some of the monitoring tools offer
that API, though.
 
Rob Percival <robpe...@google.com>: Jun 13 09:48AM -0700

Have you looked at the user agent section of the Getting Started page on
certificate-transparency.org
<https://www.certificate-transparency.org/getting-started#TOC-User-Agent>?
That mentions a couple of things that an application can do to verify that
a certificate it receives has been logged.
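One way an application can act on Rob's pointer, added here as an example and not code from the thread or from certificate-transparency.org: parse the SignedCertificateTimestampList (RFC 6962 section 3.3) that a certificate carries in its embedded-SCT extension (OID 1.3.6.1.4.1.11129.2.4.2, whose OCTET STRING content is this structure) and keep only the SCTs from logs the application trusts. The log ids, timestamps and signatures in the sample are constructed, and TRUSTED_LOG_IDS is a hypothetical allow-list.

```python
import struct
from datetime import datetime, timezone

# Serializers used only to build the constructed sample below (v1 SCT,
# sha256/ecdsa, no extensions); a real application parses, it never builds.
def build_sct(log_id: bytes, ts_ms: int, sig: bytes) -> bytes:
    return (b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"
            + b"\x04\x03" + struct.pack(">H", len(sig)) + sig)

def build_sct_list(scts: list[bytes]) -> bytes:
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body

def parse_sct_list(blob: bytes) -> list[dict]:
    """Decode a TLS-encoded SignedCertificateTimestampList (RFC 6962 3.3): uint16
    total length, then per SCT: uint16 length, version, 32-byte log id, uint64 ms
    timestamp, uint16-prefixed extensions, hash alg, sig alg, uint16-prefixed sig."""
    (total,) = struct.unpack(">H", blob[:2])
    body = blob[2:]
    if len(body) != total:
        raise ValueError("SCT list length mismatch")
    out, pos = [], 0
    while pos < len(body):
        (n,) = struct.unpack(">H", body[pos:pos + 2])
        sct, pos = body[pos + 2:pos + 2 + n], pos + 2 + n
        if len(sct) != n or n < 47 or sct[0] != 0:  # 47 = minimum v1 SCT size
            raise ValueError("truncated SCT or unsupported version")
        (ts_ms,) = struct.unpack(">Q", sct[33:41])
        (ext_len,) = struct.unpack(">H", sct[41:43])
        off = 43 + ext_len  # start of the digitally-signed struct
        (sig_len,) = struct.unpack(">H", sct[off + 2:off + 4])
        if off + 4 + sig_len != len(sct):
            raise ValueError("malformed SCT signature length")
        out.append({"log_id": sct[1:33].hex(),
                    "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
                    "hash_alg": sct[off], "sig_alg": sct[off + 1],
                    "signature": sct[off + 4:]})
    return out

# Constructed sample: made-up log ids and placeholder (not valid) signatures.
SAMPLE_SCT_LIST = build_sct_list([
    build_sct(b"\xaa" * 32, 1528482440000, b"\x30\x06\x02\x01\x01\x02\x01\x02"),
    build_sct(b"\xbb" * 32, 1528482446000, b"\x30\x06\x02\x01\x03\x02\x01\x04"),
])
TRUSTED_LOG_IDS = {"aa" * 32}  # hypothetical allow-list of log ids the app accepts

def scts_from_trusted_logs(blob: bytes) -> list[dict]:
    """Keep SCTs from trusted logs only. Verifying each signature against the
    log's public key (and the certificate's TBS data) is the next step here."""
    return [s for s in parse_sct_list(blob) if s["log_id"] in TRUSTED_LOG_IDS]
```

An SCT from an unknown log proves nothing, so the allow-list check comes before any signature work; the same structure also arrives via the TLS extension or a stapled OCSP response.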
 
mikee...@gmail.com: Jun 13 12:18PM -0700

Thanks for the answer Ben! As of right now we are not interested in setting
up a monitoring server for just this one application that talks to a third
party. We were hoping that there would be a way to look up the certificate
in a public log for this third party domain before the communication takes
place by just adding some lines of code to the application. I will keep
an eye on this project for future developments.
 
On Wednesday, June 13, 2018 at 11:38:47 AM UTC-5, Ben Laurie wrote:
Adam Wasserman <ad...@adamwasserman.net>: Jun 13 07:36AM -0700

Hi all,
 
I am new to cert transparency, and I don't understand something I am seeing:
 
I am using Cali Dog's CertStream to monitor new cert issuance and I am
seeing multiple X509LogEntries for a single host (I filtered out PreCerts).
 
Below are few examples of what I mean, the layout is:
hostname
source log
update type
message type
authority
fingerprint
serial number, and
I added a timestamp of when it was read from the certstream
 
The host, source, and CA are the same, and the fingerprint and serial number
are different. At first I thought it might be some kind of propagation
between logs, but in the example below the polled log is the same in all
three cases...
 
I would really like to understand what I am looking at. I was hoping
someone could take the time to explain it :)
 
Thx in advance,
Adam
 
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP
- URI:http://ocsp.comodoca4.com CA Issuers -
URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
03:9D:02:34:E8:E7:DF:DC:10:19:24:8A:2C:A9:93:E9:20:71:95:93,
4514A395208FD36ADB8582D9394EE1CE, 2018-06-08 18-27-20
 
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP
- URI:http://ocsp.comodoca4.com CA Issuers -
URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
06:13:3E:FB:F5:01:5D:BD:02:E9:DC:E2:05:C3:D4:38:64:03:DD:68,
D2C3635EFF70175FC53A20F09724CA65, 2018-06-08 18-27-26
 
zz5b0zbooks.ml, Google 'Pilot' log, X509LogEntry, certificate_update, OCSP
- URI:http://ocsp.comodoca4.com CA Issuers -
URI:http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt,
87:67:E5:37:67:5E:57:1A:5F:B7:C7:C5:4F:92:6F:13:1D:9E:2B:98,
DE706E2A682BBB580B63725941E49195, 2018-06-08 18-27-20
Alex Cohn <al...@alexcohn.com>: Jun 13 11:41AM -0500

Those are three different certificates (https://crt.sh/?id=509845763,
https://crt.sh/?id=509911866, and https://crt.sh/?id=509867989,
respectively), issued by Comodo to CloudFlare. Each covers a slightly
different set of domains - look at the "X509v3 Subject Alternative Name"
extension; they're mostly, but not entirely identical.
 
CloudFlare acquires certificates covering their customers' domains as part
of their Free SSL offering. They combine batches of customer domains onto
one certificate; I'm guessing this is to reduce the number of keys they
have to distribute to their edge caches. You're seeing them add/remove
domains from this certificate; since certificates are immutable, Comodo
issues and logs an entirely new certificate every time.
 
HTH,
Alex
 
p.s. Depending on your use case, I'd recommend against excluding
pre-certificates from your search - not all CAs log the final certificate
(I believe DigiCert, GoDaddy, and Amazon don't), so you'll miss some final
certificates unless a third party finds and submits them.
 
On Wed, Jun 13, 2018 at 9:37 AM Adam Wasserman <ad...@adamwasserman.net>
wrote:
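A small filter over CertStream-style messages, added here as an example and not part of the thread or of CertStream itself: it assumes CertStream's JSON layout (message_type, data.update_type, data.source.name, data.leaf_cert.fingerprint / serial_number / all_domains) and uses constructed messages with placeholder serials and fingerprints. It keeps precertificate entries as Alex's p.s. suggests, pairs a precert with its final certificate by serial number, and reports the SAN changes between successive certificates covering the watched name, which is what the three entries above are.

```python
# Added example (not from the thread): collapse CertStream messages into
# distinct certificates for one watched name and report SAN changes.

def msg(update_type: str, serial: str, fingerprint: str, domains: list[str]) -> dict:
    """Build a message in CertStream's JSON layout (assumed field names)."""
    return {"message_type": "certificate_update",
            "data": {"update_type": update_type,
                     "source": {"name": "Google 'Pilot' log"},
                     "leaf_cert": {"serial_number": serial, "fingerprint": fingerprint,
                                   "all_domains": domains}}}

# Constructed sample: placeholder serials/fingerprints; one CA is assumed, so
# serial numbers are unique and pair a precert with its final certificate.
SAMPLE_MESSAGES = [
    msg("PrecertLogEntry", "SN-1", "FP-1-PRE", ["zz5b0zbooks.ml", "shared-edge.test", "alpha.test"]),
    msg("X509LogEntry", "SN-1", "FP-1-FINAL", ["zz5b0zbooks.ml", "shared-edge.test", "alpha.test"]),
    msg("X509LogEntry", "SN-2", "FP-2", ["zz5b0zbooks.ml", "shared-edge.test", "beta.test"]),
    msg("X509LogEntry", "SN-3", "FP-3", ["other-customer.test", "shared-edge.test"]),
    {"message_type": "heartbeat"},  # non-certificate traffic is skipped
]

def certs_for(messages: list[dict], watched: str) -> list[dict]:
    """One record per distinct certificate covering `watched`. Precert and
    final entries are both accepted (some CAs never log the final cert) and
    merged by serial number, so the first-seen entry for a serial wins."""
    seen, certs = set(), []
    for m in messages:
        if m.get("message_type") != "certificate_update":
            continue
        d, leaf = m["data"], m["data"]["leaf_cert"]
        serial = leaf["serial_number"]
        if serial in seen or watched not in leaf["all_domains"]:
            continue
        seen.add(serial)
        certs.append({"serial": serial, "fingerprint": leaf["fingerprint"],
                      "entry": d["update_type"], "log": d["source"]["name"],
                      "domains": frozenset(leaf["all_domains"])})
    return certs

def san_changes(certs: list[dict]) -> list[dict]:
    """Diff each certificate's SAN set against the previous one seen; a new
    serial with a changed set is a re-issuance, not a log duplicate."""
    changes = []
    for prev, cur in zip(certs, certs[1:]):
        changes.append({"serial": cur["serial"],
                        "added": sorted(cur["domains"] - prev["domains"]),
                        "removed": sorted(prev["domains"] - cur["domains"])})
    return changes
```

If the watched name is covered by more than one CA, key the merge on issuer plus serial, since serials are only unique within one issuer.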
 