How do I know which CAs submit the certificates they issue?


Gabi Nakibly

Sep 13, 2016, 5:41:33 AM
to certificate-transparency
Hi,
I would like to know which public CAs are regularly submitting the certificates they issue to one or more logs (or at least have publicly announced they are doing so). Is there a list of such CAs that can be found on the web?

Thanks,
Gabi

Al Cutter

Sep 13, 2016, 6:09:26 AM
to certificate-...@googlegroups.com
Hi Gabi,

the ground-truth, as it were, is in the logs themselves. You might be able to [ab]use the advanced search functionality at https://crt.sh to get a list of all Organization identifiers from issuing certs, but for more detailed info you could use the Golang or Python log scanning code at github.com/google/certificate-transparency to build a tool which does exactly what you want.

Cheers,
Al.

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jacob Hoffman-Andrews

Sep 13, 2016, 12:00:07 PM
to certificate-...@googlegroups.com
On 09/13/2016 03:09 AM, 'Al Cutter' via certificate-transparency wrote:
> the ground-truth, as it were, is in the logs themselves.

I think this is not actually ground truth for the question of which CAs
submit their own certificates, since a third party can submit observed
certificates without involvement of the CAs.

Gabi, I'm not aware of such a list, but I think it would be valuable for
you to start one!

Thanks,
Jacob

Al Cutter

Sep 13, 2016, 12:15:23 PM
to certificate-...@googlegroups.com
On Tue, Sep 13, 2016 at 4:59 PM, Jacob Hoffman-Andrews <js...@eff.org> wrote:
> On 09/13/2016 03:09 AM, 'Al Cutter' via certificate-transparency wrote:
> > the ground-truth, as it were, is in the logs themselves.
>
> I think this is not actually ground truth for the question of which CAs
> submit their own certificates, since a third party can submit observed
> certificates without involvement of the CAs.

Yes, that's true, although pre-certificates pretty much have to come from the CAs themselves. I suppose that still doesn't help if there are CAs logging their certs post issuance, but at least you can tell which CAs are actively issuing with embedded SCTs by looking at those in the logs.

> Gabi, I'm not aware of such a list, but I think it would be valuable for
> you to start one!
>
> Thanks,
> Jacob

Andrew Ayer

Sep 13, 2016, 6:55:37 PM
to certificate-...@googlegroups.com
On Tue, 13 Sep 2016 17:15:21 +0100
"'Al Cutter' via certificate-transparency"
<certificate-...@googlegroups.com> wrote:

> On Tue, Sep 13, 2016 at 4:59 PM, Jacob Hoffman-Andrews <js...@eff.org>
> wrote:
>
> > On 09/13/2016 03:09 AM, 'Al Cutter' via certificate-transparency
> > wrote:
> > > the ground-truth, as it were, is in the logs themselves.
> >
> > I think this is not actually ground truth for the question of which
> > CAs submit their own certificates, since a third party can submit
> > observed certificates without involvement of the CAs.
> >
>
> Yes that's true, although pre-certificates pretty much have to come
> from the CAs themselves. I suppose that still doesn't help if there
> are CAs logging their certs post issuance, but at least you can tell
> which CAs are actively issuing with embedded SCTs by looking at those
> in the logs.

Just because a CA logs some pre-certs doesn't mean they log everything:
all CAs log EV certs but few log DV and OV certs.

I think the only way to know is to pay attention to announcements by
CAs. I'm maintaining a list (albeit as part of a larger README) of
the CAs which have announced a policy of 100% logging:

https://github.com/SSLMate/certspotter/blob/master/README#L94-L99

Regards,
Andrew
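The distinction Al and Andrew draw above (precert entries necessarily originate from the issuing CA, while plain x509 entries may have been submitted by anyone) is visible directly in the log's MerkleTreeLeaf structure. The following is an added example, not code from the thread or from the google/certificate-transparency scanners it mentions: it decodes the `leaf_input` field of a `get-entries` response as laid out in RFC 6962 and tallies precert entries per issuer key hash. The leaves and CA key hashes are constructed sample data, not taken from any real log.

```python
import base64
import hashlib
import struct
from collections import Counter

X509_ENTRY, PRECERT_ENTRY = 0, 1  # LogEntryType values from RFC 6962

def parse_leaf(leaf_input_b64):
    """Decode a MerkleTreeLeaf from a get-entries 'leaf_input'; precert entries carry issuer_key_hash."""
    buf = base64.b64decode(leaf_input_b64)
    version, leaf_type, timestamp_ms, entry_type = struct.unpack(">BBQH", buf[:12])
    if version != 0 or leaf_type != 0:  # only v1 timestamped_entry leaves are handled
        raise ValueError("unsupported MerkleTreeLeaf")
    pos, issuer_key_hash = 12, None
    if entry_type == PRECERT_ENTRY:
        issuer_key_hash = buf[pos:pos + 32]  # SHA-256 over the issuing CA's SPKI
        pos += 32
    elif entry_type != X509_ENTRY:
        raise ValueError("unknown entry_type %d" % entry_type)
    length = int.from_bytes(buf[pos:pos + 3], "big")  # opaque<1..2^24-1> length prefix
    body = buf[pos + 3:pos + 3 + length]  # DER cert, or TBSCertificate for precerts
    return {"entry_type": entry_type, "timestamp_ms": timestamp_ms,
            "issuer_key_hash": issuer_key_hash, "body": body}

def tally_precert_issuers(entries):
    """Count precert entries per issuer_key_hash; x509 entries may be third-party submissions."""
    per_issuer, x509_count = Counter(), 0
    for e in entries:
        leaf = parse_leaf(e["leaf_input"])
        if leaf["entry_type"] == PRECERT_ENTRY:
            per_issuer[leaf["issuer_key_hash"].hex()] += 1
        else:
            x509_count += 1
    return per_issuer, x509_count

def make_leaf(entry_type, body, issuer_key_hash=b""):
    """Build a constructed sample leaf (hypothetical bodies, not from any real log)."""
    head = struct.pack(">BBQH", 0, 0, 1473752493000, entry_type)
    leaf = head + issuer_key_hash + len(body).to_bytes(3, "big") + body + b"\x00\x00"
    return base64.b64encode(leaf).decode()

# Constructed sample: two precerts from "CA A", one from "CA B", one plain x509 entry.
CA_A = hashlib.sha256(b"constructed SPKI of CA A").digest()
CA_B = hashlib.sha256(b"constructed SPKI of CA B").digest()
SAMPLE_ENTRIES = [
    {"leaf_input": make_leaf(PRECERT_ENTRY, b"\x30\x03\x02\x01\x01", CA_A)},
    {"leaf_input": make_leaf(PRECERT_ENTRY, b"\x30\x03\x02\x01\x02", CA_A)},
    {"leaf_input": make_leaf(PRECERT_ENTRY, b"\x30\x03\x02\x01\x03", CA_B)},
    {"leaf_input": make_leaf(X509_ENTRY, b"\x30\x03\x02\x01\x04")},
]
```

Running `tally_precert_issuers` over real `get-entries` pages shows which CAs are logging precerts, but, as Andrew notes, a CA appearing here says nothing about whether it logs every certificate it issues.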

Ben Laurie

Sep 14, 2016, 9:26:23 AM
to certificate-...@googlegroups.com
Ultimately the only way to know is when browsers start requiring SCTs...