Add another field to AllCertificateRecordsCSVFormat


Rob Stradling

Sep 21, 2022, 11:52:04 AM
to dev-secur...@mozilla.org
Kathleen, Ben,

I would like to enhance https://crt.sh/mozilla-disclosures to monitor compliance to Mozilla's new CRL URL disclosure requirement that comes into force in about a week and a half from now (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements).  crt.sh already has access to the "Full CRL Issued By This CA" field, but cannot yet access the "JSON Array of Partitioned CRLs" field.

Please could I ask you to append the "JSON Array of Partitioned CRLs" field to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat?

--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

Rob Stradling

Sep 23, 2022, 5:54:30 AM
to dev-secur...@mozilla.org
Hi all.  Kathleen dealt with my request off-list.  The "JSON Array of Partitioned CRLs" field has now been appended to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.



Andrew Ayer

Sep 26, 2022, 1:21:52 PM
to dev-secur...@mozilla.org
Thanks Kathleen for adding the field to the report.

I'm trying to process this field, and so far the only well-formed JSON
I've found is the empty array (i.e. "[]"). Numerous CAs have failed to
put double quotes around the URLs, e.g.:

[http://example.com/crl1, http://example.com/crl2]

Another mistake is just making it a comma-separated list, without any
JSON syntax, e.g.:

http://example.com/crl1, http://example.com/crl2

CAs should make sure that they put well-formed JSON in this field, e.g.:

["http://example.com/crl1", "http://example.com/crl2"]

Also, if there is some way to have Salesforce enforce that well-formed
JSON is provided, that would sure be helpful.

Regards,
Andrew

On Fri, 23 Sep 2022 09:54:24 +0000
"'Rob Stradling' via dev-secur...@mozilla.org"
<dev-secur...@mozilla.org> wrote:

> Hi all. Kathleen dealt with my request off-list. The "JSON Array of
> Partitioned CRLs" field has now been appended to
> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.
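The three shapes described in the message above (well-formed JSON, a bracketed list with unquoted URLs, and a bare comma-separated list) can be told apart mechanically when auditing the report. The following is an added example, not part of the thread and not crt.sh or CCADB code; the CSV column names and sample rows are constructed, and the lenient split assumes CRL URLs contain no commas.

```python
import csv
import io
import json
from urllib.parse import urlsplit

FIELD = "JSON Array of Partitioned CRLs"  # assumed: CSV header equals the field name

# Constructed sample rows (not real CCADB data); JSON quotes are doubled per CSV rules.
SAMPLE_CSV = '''CA Owner,JSON Array of Partitioned CRLs
Example CA 1,"[""http://example.com/crl1"", ""http://example.com/crl2""]"
Example CA 2,"[http://example.com/crl1, http://example.com/crl2]"
Example CA 3,"http://example.com/crl1, http://example.com/crl2"
Example CA 4,[]
Example CA 5,"[""not a url""]"
'''

def is_http_url(value):
    """True only for strings that parse as absolute http(s) URLs."""
    if not isinstance(value, str):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def classify(raw):
    """Return (status, urls) for one field value."""
    text = raw.strip()
    if not text:
        return "empty", []
    try:
        value = json.loads(text)
    except json.JSONDecodeError:
        pass
    else:
        if isinstance(value, list) and all(is_http_url(u) for u in value):
            return "well-formed", value
        return "json-but-not-url-array", []
    # Not JSON: recover URLs leniently so the mistake can be reported precisely.
    bracketed = text.startswith("[") and text.endswith("]")
    inner = text[1:-1] if bracketed else text
    urls = [part.strip() for part in inner.split(",")]
    if not all(is_http_url(u) for u in urls):
        return "unparseable", []
    return ("unquoted-array" if bracketed else "bare-list"), urls

def audit(csv_text):
    """Map each CA Owner in the CSV to the status of its field value."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["CA Owner"]: classify(row[FIELD])[0] for row in rows}
```

Only the `well-formed` status should be treated as a valid disclosure; the recovered URLs for the other statuses are useful for reporting the mistake back to the CA, not for silently accepting it.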

Ryan Hurst

Sep 26, 2022, 3:13:21 PM
to dev-secur...@mozilla.org, Andrew Ayer
Kathleen,

I believe at least part of the problem Andrew mentions is because of Salesforce or some intermediary processing within CCADB tooling.

I had pinged Andrew offline, and he mentioned that what he was seeing from our JSON was no "" around the URL. We have confirmed that what we publish does have these URLs, so it appears something is stripping the quotes.

Ryan Hurst
Google Trust Services 
