Announcing CRL Watch to Monitor CRL Problems

Andrew Ayer

Feb 20, 2023, 8:48:31 AM
to pub...@ccadb.org
Now that several root programs require disclosure of CRLs in the CCADB,
I've begun regularly crawling disclosed CRLs to look for problems.

The list of identified problems can be found here:
https://sslmate.com/labs/crl_watch/

CRL Watch is currently tracking problems with 29 distinct issuers.
The most common problem is CAs disclosing the wrong URL in the CCADB.
Remember, the disclosed CRL should be for certificates issued by
the CA, not the CRL that covers the CA certificate.

CAs should examine https://sslmate.com/labs/crl_watch/ and address
any problems.

Regards,
Andrew

Ben Wilson

Feb 20, 2023, 1:44:27 PM
to Andrew Ayer, pub...@ccadb.org
Thanks for doing this, Andrew.  It is very helpful.
Sincerely yours,
Ben


Ryan Dickson

Feb 22, 2023, 8:51:15 AM
to Ben Wilson, Andrew Ayer, pub...@ccadb.org
+1.

Thank you for making both OCSP Watch and now CRL Watch available to the community, Andrew!

Gordon Bock

Feb 22, 2023, 12:45:27 PM
to Ryan Dickson, Ben Wilson, Andrew Ayer, pub...@ccadb.org

Thanks Andrew! Looks like MS has some offending certificates in there. I reached out to our internal teams to investigate.

 

Cheers,

-Gordon
