On Sun, Aug 13, 2017 at 10:38:13PM -0700, Morgan Taylor wrote:
> This might seem like a terribly trivial question, but it's not clear at all
> to me how to query logs by "subject" (i.e. hostname). As far as I can tell
> from the RFC <https://tools.ietf.org/html/rfc6962>, it's necessary to get
> every single entry and then look through them locally, which sounds
> extremely inefficient. I've also attempted to use the associated GitHub repo
> <https://tools.ietf.org/html/rfc6962#section-4.6>, only to encounter baffling
> errors
> <https://security.stackexchange.com/questions/167429/how-to-use-certificate-tranparency-library>.
> Can anyone offer any guidance on this?
Sure.

In short, logs aren't *supposed* to be queried. They're an append-only data
structure built for verifiability. Running a log, as specified, is a large
enough undertaking; requiring comprehensive querying capability would make
it even harder to run a log.

The component of the CT ecosystem you're looking for is called a "monitor".
That downloads certificates from logs, optionally verifies that the log is,
indeed, behaving itself, and then indexes the certificates in whatever way
is appropriate for whatever sort of querying is desired (which can be a lot
more than just by subject, *or* hostname).

As you say, it's a significant effort to run a monitor. You've got to
download a *lot* of data. In general, you probably want to use an existing,
publicly-available monitor such as https://crt.sh to do all the heavy
lifting for you, and then you can just run your queries. It's only if
you're particularly keen (or have some pretty large-scale or niche
requirements) that you'd look at running your own monitor.

- Matt
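As an added illustration of the "monitor" step Matt describes (this is example code written for this page, not code from either poster nor from any CT project), the following Python sketch takes the JSON body a log returns from the RFC 6962 §4.6 `get-entries` call, decodes each `leaf_input` as a `MerkleTreeLeaf` (RFC 6962 §3.4), pulls the dNSName entries out of the certificate's subjectAltName extension with a small stdlib-only DER walker, and builds the hostname index that a log itself never provides. The sample response is constructed inline: the "certificates" are stripped-down DER structures that carry only a serial number and a SAN extension, so a real monitor would fetch `GET /ct/v1/get-entries?start=..&end=..` over HTTPS and hand the bytes to a full X.509 parser; the index layout and the function names are this example's own choices.

```python
import base64
import json
from typing import Dict, List, Tuple

SAN_OID = "2.5.29.17"  # id-ce-subjectAltName


# ---- minimal DER decoding (stdlib only; single-byte tags) ----
def der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def parse_san_extension(ext: bytes) -> List[str]:
    """ext is the body of Extension ::= SEQUENCE { extnID, critical?, extnValue }."""
    names, pos = [], 0
    while pos < len(ext):
        tag, value, pos = der_tlv(ext, pos)
        if tag == 0x04:  # extnValue OCTET STRING wraps GeneralNames SEQUENCE
            _, general_names, _ = der_tlv(value, 0)
            p = 0
            while p < len(general_names):
                t, v, p = der_tlv(general_names, p)
                if t == 0x82:  # dNSName [2] IA5String
                    names.append(v.decode("ascii"))
    return names


def san_dns_names(der: bytes) -> List[str]:
    """Walk a DER Certificate (or TBSCertificate for precerts) and collect SAN dNSNames."""
    names: List[str] = []

    def walk(buf: bytes) -> None:
        pos = 0
        while pos < len(buf):
            tag, value, pos = der_tlv(buf, pos)
            if tag == 0x30 and value and value[0] == 0x06:  # SEQUENCE starting with an OID
                _, oid, _ = der_tlv(value, 0)
                if decode_oid(oid) == SAN_OID:
                    names.extend(parse_san_extension(value))
                    continue
            if tag & 0x20:  # constructed type: descend
                walk(value)

    walk(der)
    return names


# ---- RFC 6962 section 3.4 MerkleTreeLeaf / TimestampedEntry ----
def parse_merkle_tree_leaf(leaf: bytes) -> dict:
    if leaf[0] != 0 or leaf[1] != 0:  # Version v1, MerkleLeafType timestamped_entry
        raise ValueError("unsupported MerkleTreeLeaf version/type")
    timestamp = int.from_bytes(leaf[2:10], "big")
    entry_type = int.from_bytes(leaf[10:12], "big")  # 0 = x509_entry, 1 = precert_entry
    if entry_type not in (0, 1):
        raise ValueError("unknown LogEntryType %d" % entry_type)
    pos = 12 + (32 if entry_type == 1 else 0)  # skip PreCert.issuer_key_hash for precerts
    n = int.from_bytes(leaf[pos:pos + 3], "big")  # opaque <1..2^24-1>: 3-byte length prefix
    cert = leaf[pos + 3:pos + 3 + n]  # ASN.1Cert, or TBSCertificate for a precert
    return {"timestamp": timestamp, "entry_type": ("x509", "precert")[entry_type], "cert": cert}


# ---- the monitor's indexing step ----
def leaf_summary(get_entries_json: str) -> List[tuple]:
    out = []
    for e in json.loads(get_entries_json)["entries"]:
        leaf = parse_merkle_tree_leaf(base64.b64decode(e["leaf_input"]))
        out.append((leaf["entry_type"], leaf["timestamp"], san_dns_names(leaf["cert"])))
    return out


def index_entries(get_entries_json: str, first_index: int) -> Dict[str, List[int]]:
    """Map lower-cased hostname -> log entry indices (first_index is the 'start' you requested)."""
    index: Dict[str, List[int]] = {}
    for offset, (_, _, names) in enumerate(leaf_summary(get_entries_json)):
        for name in names:
            index.setdefault(name.lower(), []).append(first_index + offset)
    return index


def lookup(index: Dict[str, List[int]], hostname: str) -> List[int]:
    return index.get(hostname.lower(), [])


# ---- constructed sample input: NOT real certificates or a real log response ----
def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content  # short-form lengths suffice here


def _fake_cert(dns_names: List[str]) -> bytes:
    gns = b"".join(_der(0x82, n.encode("ascii")) for n in dns_names)
    san = _der(0x30, _der(0x06, bytes([0x55, 0x1D, 0x11])) + _der(0x04, _der(0x30, gns)))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0xA3, _der(0x30, san)))  # serial + extensions [3]
    return _der(0x30, tbs)


def _leaf(cert: bytes, timestamp: int, precert: bool) -> bytes:
    head = b"\x00\x00" + timestamp.to_bytes(8, "big")
    head += b"\x00\x01" + b"\x00" * 32 if precert else b"\x00\x00"  # entry_type (+ zeroed issuer_key_hash)
    return head + len(cert).to_bytes(3, "big") + cert + b"\x00\x00"  # empty CtExtensions


SAMPLE_RESPONSE = json.dumps({"entries": [
    {"leaf_input": base64.b64encode(_leaf(_fake_cert(["example.com", "www.example.com"]), 1502700000000, False)).decode(), "extra_data": ""},
    {"leaf_input": base64.b64encode(_leaf(_fake_cert(["mail.example.com", "example.com"]), 1502700001000, True)).decode(), "extra_data": ""},
]})

if __name__ == "__main__":
    idx = index_entries(SAMPLE_RESPONSE, 1000)
    print(idx)  # {'example.com': [1000, 1001], 'www.example.com': [1000], 'mail.example.com': [1001]}
    print(lookup(idx, "WWW.EXAMPLE.COM"))  # [1000]
```

The point the code makes is the one Matt makes in prose: the log hands back opaque leaves in tree order, and everything that looks like a "query by hostname" is built on the monitor's side from the SAN names it extracts. Precert entries carry a TBSCertificate rather than a full certificate, which is why the walker is written to work on either; a monitor that also wants to verify the log should additionally check each leaf against the signed tree head with the inclusion proof, which this sketch leaves out.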