Reports for all TLS-trusted roots and intermediates


Aaron Gable

Nov 28, 2022, 1:48:27 PM
To: CCADB Public List
I'd like to request the creation of two new reports in CCADB:

1) A list of all (root) CA Certificates which are Included in any of the four tracked root programs (Apple, Google Chrome, Microsoft, Mozilla). Today I see reports for Microsoft, Mozilla, Microsoft && Mozilla, and Microsoft || Mozilla, but not reports which include the Apple and Chrome inclusion bits.

2) A list of all Subordinate CA Certificates which chain up to any CA Certificate returned by the first report. This may be identical to the existing "All Public Intermediate Certs" report, but it looks to me like that only filters on revocation status, not on whether the cert chains up to a publicly-trusted root, and thus I believe the existing report may include intermediates which chain up to no-longer-trusted roots.

I believe that these reports would be useful as a one-stop-shop for the overall state of the webpki. Additionally, I think they would be very useful to CT log operators as lists of all roots that the CT log should accept submissions for.

Do others think these reports would be useful? What all needs to happen in order for them to be created?

Thanks!
Aaron
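The two reports requested above can be derived from a CCADB-style certificate record export, and the added example below (not code from the thread or from CCADB) shows the logic: report 1 keeps roots with an "Included" status in any of the four programs, and report 2 walks each intermediate's parent chain so that an intermediate under a removed or unknown root is excluded even though it is unrevoked. The column names and the small CSV are constructed assumptions about the shape of such an export.

```python
import csv
import io

# Constructed sample in the shape of a CCADB certificate-records CSV export.
# Column names are assumptions about that export, not taken from the thread.
SAMPLE_CSV = """\
Certificate Record Type,SHA-256 Fingerprint,Parent SHA-256 Fingerprint,Apple Status,Chrome Status,Microsoft Status,Mozilla Status
Root Certificate,ROOT-A,,Included,Included,Included,Included
Root Certificate,ROOT-B,,Not Included,Not Included,Not Included,Removed
Root Certificate,ROOT-C,,Included,Not Included,Not Included,Not Included
Intermediate Certificate,INT-A1,ROOT-A,,,,
Intermediate Certificate,INT-A1-1,INT-A1,,,,
Intermediate Certificate,INT-B1,ROOT-B,,,,
Intermediate Certificate,INT-C1,ROOT-C,,,,
"""

PROGRAM_COLUMNS = ("Apple Status", "Chrome Status", "Microsoft Status", "Mozilla Status")


def load_records(text):
    return list(csv.DictReader(io.StringIO(text)))


def trusted_roots(records):
    """Report 1: root fingerprints that are Included in ANY of the four programs."""
    return {
        r["SHA-256 Fingerprint"]
        for r in records
        if r["Certificate Record Type"] == "Root Certificate"
        and any(r[c] == "Included" for c in PROGRAM_COLUMNS)
    }


def trusted_intermediates(records, roots):
    """Report 2: intermediates whose parent chain ends at a root from report 1.

    The chain is followed via Parent SHA-256 Fingerprint, with a guard against
    cycles. An intermediate whose chain ends at a non-included root, or at a
    parent missing from the dataset, is left out regardless of its revocation status.
    """
    by_fp = {r["SHA-256 Fingerprint"]: r for r in records}
    result = set()
    for r in records:
        if r["Certificate Record Type"] != "Intermediate Certificate":
            continue
        seen, cur = set(), r
        while cur is not None and cur["SHA-256 Fingerprint"] not in seen:
            seen.add(cur["SHA-256 Fingerprint"])
            parent = cur["Parent SHA-256 Fingerprint"]
            if parent in roots:
                result.add(r["SHA-256 Fingerprint"])
                break
            cur = by_fp.get(parent)  # None when the parent is not in the dataset
    return result
```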

Kurt Seifried

Nov 28, 2022, 2:40:08 PM
To: Aaron Gable, CCADB Public List
I've been wanting that report/list for 10+ years. See my complaints in the past (and still) about the UI for example that doesn't allow you to easily export the data or find the actual company behind various CA entities. Transparency and availability of good data should be a core mission of the CCADB, no? I also can't imagine any legitimate CA not wanting this to exist as a public resource either.


--
Kurt Seifried (He/Him)
ku...@seifried.org

Rob Stradling

Nov 28, 2022, 3:34:12 PM
To: CCADB Public List, Aaron Gable
> ...Included in any of the four tracked root programs (Apple, Google Chrome, Microsoft, Mozilla).
> ...
> A list of all Subordinate CA Certificates
> ...
> I believe that these reports would be useful as a one-stop-shop for the overall state of the webpki.

Hi Aaron.  It's certainly reasonable to treat CCADB's dataset as authoritative regarding which Root Certificates are in which Root Programs, because CCADB is increasingly tightly integrated with, and administered by representatives of, those Root Programs.  However, for Subordinate CA Certificates, sadly CCADB's dataset is currently incomplete...

There are currently 69 Subordinate CA Certificates known to crt.sh that are trusted for serverAuth on Apple's platforms but that have not yet been disclosed to CCADB (see https://crt.sh/apple-disclosures#undisclosed), which falls short of Apple's disclosure requirement.

There are currently 301 Subordinate CA Certificates known to crt.sh that are trusted for serverAuth on Microsoft's platforms but that have not yet been disclosed to CCADB (see https://crt.sh/microsoft-disclosures#undisclosed), which falls short of Microsoft's disclosure requirement.

IINM, Chrome's policy does not currently require Subordinate CA Certificates to be disclosed to CCADB.


From: 'Aaron Gable' via public <pub...@ccadb.org>
Sent: 28 November 2022 18:48
To: CCADB Public List <pub...@ccadb.org>
Subject: Reports for all TLS-trusted roots and intermediates
