Add another field to AllCertificateRecordsCSVFormat

[Rob Stradling]

Kathleen, Ben,

I would like to enhance https://crt.sh/mozilla-disclosures to monitor compliance to Mozilla's new CRL URL disclosure requirement that comes into force in about a week and a half from now (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements).  crt.sh already has access to the "Full CRL Issued By This CA" field, but cannot yet access the "JSON Array of Partitioned CRLs" field.

Please could I ask you to append the "JSON Array of Partitioned CRLs" field to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat?

--

Rob Stradling

Senior Research & Development Scientist

Sectigo Limited

[Rob Stradling]

Hi all.  Kathleen dealt with my request off-list.  The "JSON Array of Partitioned CRLs" field has now been appended to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.

---

From: 'Rob Stradling' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: 21 September 2022 16:52
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Add another field to AllCertificateRecordsCSVFormat

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47293DF31FB62C442C97503FAA4F9%40MW4PR17MB4729.namprd17.prod.outlook.com.

[Andrew Ayer]

Thanks Kathleen for adding the field to the report.

I'm trying to process this field, and so far the only well-formed JSON
I've found is the empty array (i.e. "[]"). Numerous CAs have failed to
put double quotes around the URLs, e.g.:

[http://example.com/crl1, http://example.com/crl2]

Another mistake is just making it a comma-separated list, without any
JSON syntax, e.g.:

http://example.com/crl1, http://example.com/crl2

CAs should make sure that they put well-formed JSON in this field, e.g.:

["http://example.com/crl1", "http://example.com/crl2"]

Also, if there is some way to have Salesforce enforce that well-formed
JSON is provided, that would sure be helpful.

Regards,
Andrew

On Fri, 23 Sep 2022 09:54:24 +0000
"'Rob Stradling' via dev-secur...@mozilla.org"

<dev-secur...@mozilla.org> wrote:

> Hi all. Kathleen dealt with my request off-list. The "JSON Array of
> Partitioned CRLs" field has now been appended to
> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.
>
> ________________________________
> From: 'Rob Stradling' via dev-secur...@mozilla.org
> <dev-secur...@mozilla.org> Sent: 21 September 2022 16:52
> To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
> Subject: Add another field to AllCertificateRecordsCSVFormat
>
>
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
>
> Kathleen, Ben,
>
> I would like to enhance

> https://crt.sh/mozilla-disclosures<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2Fmozilla-disclosures&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yCQJSenYyJ3o2U%2FCae1vQ1GPo6EqKJHq0Mn%2F8wd4eDQ%3D&reserved=0>

> to monitor compliance to Mozilla's new CRL URL disclosure requirement
> that comes into force in about a week and a half from now

> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mozilla.org%2Fen-US%2Fabout%2Fgovernance%2Fpolicies%2Fsecurity-group%2Fcerts%2Fpolicy%2F%2341-additional-requirements&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mIi0cZUf9sp4Myr8c%2BUKw8c7nLEv1HiUHpNzl3Q7ycw%3D&reserved=0>).

> crt.sh already has access to the "Full CRL Issued By This CA" field,
> but cannot yet access the "JSON Array of Partitioned CRLs" field.
>
> Please could I ask you to append the "JSON Array of Partitioned CRLs"
> field to

> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fccadb-public.secure.force.com%2Fccadb%2FAllCertificateRecordsCSVFormat&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5l0bsEYP1qTo%2FQJi5WEpT5ftEh%2BzQFf1uAPnA1rBMUw%3D&reserved=0>?

>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to

> dev-security-po...@mozilla.org<mailto:dev-security-po...@mozilla.org>.

> To view this discussion on the web visit

> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47293DF31FB62C442C97503FAA4F9%40MW4PR17MB4729.namprd17.prod.outlook.com<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FMW4PR17MB47293DF31FB62C442C97503FAA4F9%2540MW4PR17MB4729.namprd17.prod.outlook.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NBh1BGZD920%2F6EJDKFM5sCf4aOM4Kt5SzJfz2BINwjw%3D&reserved=0>.

>
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> dev-security-po...@mozilla.org. To view this discussion
> on the web visit

> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729A09C3DCF46B5BD3592DDAA519%40MW4PR17MB4729.namprd17.prod.outlook.com.

[Ryan Hurst]

Kathleen,

I believe at least part of the problem Andrew mentions is because of Salesforce or some intermediary processing within CCADB tooling.

I had pinged Andrew offline and he mentioned what he was seeing from our JSON was no "" around the URL, we have confirmed what we publish does have these URLs so it appears something is stripping the quotes.

Ryan Hurst

Google Trust Services 

[Kathleen Wilson]

I believe at least part of the problem Andrew mentions is because of Salesforce or some intermediary processing within CCADB tooling.

I had pinged Andrew offline and he mentioned what he was seeing from our JSON was no "" around the URL, we have confirmed what we publish does have these URLs so it appears something is stripping the quotes.

Thanks for bringing this to my attention.

The https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat report has been updated, so the URLs in the JSON have the quotes now.

Thanks,

Kathleen