info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
TBSCertificate / Certificate Linting APIs
384 views
Skip to first unread message
Rob Stradling
Aug 18, 2017, 12:40:09 PM8/18/17
to mozilla-dev-s...@lists.mozilla.org
In response to the many BR compliance issues [1] that have been reported
here this month, there's been renewed interest in certificate linting.
Various CAs have said that they're considering plugging one or more
certificate linters into their certificate issuance processes.
Some CAs, such as those with high certificate issuance rates, will
probably prefer to run their own local installations of their chosen
linter(s). However, other CAs may prefer to use an external linting
service.
One current problem is that neither certlint/cablint nor x509lint is
suitable for use prior to certificate issuance - that is, they're only
currently capable of operating on certificates, not TBSCertificates.
With all of the above in mind, I've created a new crt.sh API that can be
used to lint TBSCertificates. It uses crt.sh's existing linting
capabilities, which are provided by cablint and x509lint. To workaround
the limitation described in the previous paragraph, it wraps the
TBSCertificate into a certificate structure by appending a dummy signature.
I'm planning to integrate this crt.sh API into Comodo's issuance
processes ASAP. Other CAs are also welcome to use it (although please
chat to me first if you're a high-volume issuer!)
API URL: https://crt.sh/linttbscert
To use it, either (1) browse to that URL, paste a base64-encoded
TBSCertificate, then click "Lint TBSCertificate", or (2) simulate that
button click by POSTing a URL-encoded "b64tbscert" parameter to the same
URL.
The API response is tab-separated text, with one line per "issue". Each
line contains three items:
Linter Severity Description
P.S. I've also created an equivalent linting API for certificates:
https://crt.sh/lintcert
[1] https://wiki.mozilla.org/CA/Incident_Dashboard#Open_CA_Compliance_Bugs
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
here this month, there's been renewed interest in certificate linting.
Various CAs have said that they're considering plugging one or more
certificate linters into their certificate issuance processes.
Some CAs, such as those with high certificate issuance rates, will
probably prefer to run their own local installations of their chosen
linter(s). However, other CAs may prefer to use an external linting
service.
One current problem is that neither certlint/cablint nor x509lint is
suitable for use prior to certificate issuance - that is, they're only
currently capable of operating on certificates, not TBSCertificates.
With all of the above in mind, I've created a new crt.sh API that can be
used to lint TBSCertificates. It uses crt.sh's existing linting
capabilities, which are provided by cablint and x509lint. To workaround
the limitation described in the previous paragraph, it wraps the
TBSCertificate into a certificate structure by appending a dummy signature.
I'm planning to integrate this crt.sh API into Comodo's issuance
processes ASAP. Other CAs are also welcome to use it (although please
chat to me first if you're a high-volume issuer!)
API URL: https://crt.sh/linttbscert
To use it, either (1) browse to that URL, paste a base64-encoded
TBSCertificate, then click "Lint TBSCertificate", or (2) simulate that
button click by POSTing a URL-encoded "b64tbscert" parameter to the same
URL.
The API response is tab-separated text, with one line per "issue". Each
line contains three items:
Linter Severity Description
P.S. I've also created an equivalent linting API for certificates:
https://crt.sh/lintcert
[1] https://wiki.mozilla.org/CA/Incident_Dashboard#Open_CA_Compliance_Bugs
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
0 new messages