Query Support for CT Logs


aa_kira

Jul 15, 2016, 5:02:04 AM
to certificate-transparency
Another "newbie" here with some off-the-wall questions.

Is there or will there be a capability to submit a query to one (or all existing) CT logs to find out if a rogue CA is mis-issuing certificates, claiming to be "my" CA?  If I'm running a small PKI enterprise with a few online Sub-CAs, I don't have enough resources to continuously check on all the other CT Logs that are out there in order to spot someone else's CA misbehaving. An automated capability would really be nice - run a daily script to go check the CT Logs to see if there's been a certificate issued in the name of my PKI/CA.

Will CT support anything like this?  Does it already?  Is this just a stupid idea and of course there's a better way to do this - ?

Thanks for the feedback.

Eran Messeri

Jul 15, 2016, 5:04:37 AM
to certificate-...@googlegroups.com
Hi,

There are some monitors that already support such things - see https://crt.sh.
Tom Fitzhenry operated a monitor that would provide what you're after, but that seems offline now.

Eran

--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rob Stradling

Jul 15, 2016, 5:31:13 AM
to certificate-...@googlegroups.com
On 15/07/16 10:04, 'Eran Messeri' via certificate-transparency wrote:
> Hi,
>
> There are some monitors that already support such things - see
> https://crt.sh.

At the moment, the best way to automatically run a crt.sh query
regularly is via Atom feed.

e.g. https://crt.sh/atom?q=%25.example.com

> Tom Fitzhenry <https://github.com/tomfitzhenry> operated a monitor that
> would provide what you're after, but that seems offline now.
>
> Eran

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

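To turn the Atom feed above into the daily check asked for in the first post, here is an added example (my code, not crt.sh's). It assumes the feed is standard Atom (namespace http://www.w3.org/2005/Atom) with `<id>`, `<title>` and `<updated>` in each `<entry>`; the state-file name and the sample feed embedded at the bottom are constructed for the example.

```python
"""Check a crt.sh Atom feed for certificates not seen on a previous run.

Added example, not crt.sh's own code. Assumptions (not stated in the thread):
the feed is standard Atom whose <entry> elements carry <id>, <title> and
<updated>; the state-file name and SAMPLE_FEED below are constructed.
"""
import json
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}


def feed_url(pattern):
    # crt.sh takes SQL LIKE syntax, so '%' is the wildcard; percent-encoding it
    # gives the '%25.example.com' form used in the link above.
    return "https://crt.sh/atom?q=" + urllib.parse.quote(pattern, safe="")


def parse_feed(xml_text):
    """Return one dict per <entry>: id, title (the matched name), updated."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("atom:entry", ATOM_NS):
        entries.append({
            "id": entry.findtext("atom:id", default="", namespaces=ATOM_NS),
            "title": entry.findtext("atom:title", default="", namespaces=ATOM_NS),
            "updated": entry.findtext("atom:updated", default="", namespaces=ATOM_NS),
        })
    return entries


def diff_feed(xml_text, seen_ids):
    """Return (entries not in seen_ids, updated seen set).

    Keying on <id> rather than <title> matters: two certificates for the same
    name are two separate events, and a renewal must still be reported.
    """
    entries = parse_feed(xml_text)
    new = [e for e in entries if e["id"] not in seen_ids]
    return new, set(seen_ids) | {e["id"] for e in entries}


def fetch_text(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def run_once(pattern, state_path="crtsh_seen.json"):
    """One scheduled run (e.g. daily from cron): fetch, diff, persist, report."""
    seen = set()
    if os.path.exists(state_path):
        with open(state_path) as f:
            seen = set(json.load(f))
    new, seen = diff_feed(fetch_text(feed_url(pattern)), seen)
    with open(state_path, "w") as f:
        json.dump(sorted(seen), f)
    for e in new:
        print("NEW %s %s %s" % (e["updated"], e["title"], e["id"]))
    return new


# Constructed sample feed in the assumed Atom shape, so the logic runs offline.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>%.example.com</title>
  <entry><id>https://crt.sh/?id=1001</id><title>www.example.com</title>
    <updated>2016-07-14T09:00:00Z</updated></entry>
  <entry><id>https://crt.sh/?id=1002</id><title>mail.example.com</title>
    <updated>2016-07-14T11:30:00Z</updated></entry>
  <entry><id>https://crt.sh/?id=1003</id><title>www.example.com</title>
    <updated>2016-07-15T08:15:00Z</updated></entry>
</feed>"""

if __name__ == "__main__":
    import sys
    run_once(sys.argv[1] if len(sys.argv) > 1 else "%.example.com")
```

Run it once a day from cron with the pattern for your namespace; the first run seeds the state file and later runs print only entries whose crt.sh id has not been recorded before. Keep the interval modest, as crt.sh is a shared service.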

Martin Rublik

Jul 15, 2016, 5:35:00 AM
to certificate-...@googlegroups.com
On Fri, Jul 15, 2016 at 11:04 AM, 'Eran Messeri' via certificate-transparency <certificate-...@googlegroups.com> wrote:
Hi,

There are some monitors that already support such things - see https://crt.sh.
Tom Fitzhenry operated a monitor that would provide what you're after, but that seems offline now.

Eran


Hi,

You might also be interested in the ct-observatory project https://www.ct-observatory.org/ by the University of Bonn.

Martin


 

aa_kira

Sep 7, 2016, 10:17:20 PM
to certificate-transparency
Is it necessary to have stood up a full CT framework (log, monitor, auditor servers) in order to go query or "monitor" other CT logs?  I would like to confirm this one way or another as one of the biggest reasons for employing CT in any manner is to be able to check all the other CT logs that are out there to see if some CA or other attacker is issuing certificates in the name of my PKI/CAs. 

As a corollary question:  if I have stood up a CT framework, does my Monitor only look at my Log or can it be configured to do what I'm talking about above and do a continual monitoring of all CT logs that exist? 

Does Google have a URL where all existing CT log servers (from all CAs that are participating like DigiCert, Symantec, etc.) are identified?

Thank you!

Matt Palmer

Sep 8, 2016, 2:19:45 AM
to certificate-...@googlegroups.com
On Wed, Sep 07, 2016 at 07:17:19PM -0700, aa_kira wrote:
> Is it necessary to have stood up a full CT framework (log, monitor, auditor
> servers) in order to go query or "monitor" other CT logs?

No. You only need the component(s) of the CT ecosystem that you actually
want to run.

> As a corollary question: if I have stood up a CT framework, does my
> Monitor only look at my Log or can it be configured to do what I'm talking
> about above and do a continual monitoring of all CT logs that exist?

A monitor (at a conceptual level) looks at whatever logs it is told to
monitor. What any specific implementation does is up to that
implementation.

> Does Google have a URL where all existing CT log servers (from all CAs that
> are participating like DigiCert, Symantec, etc.) are identified?

https://www.certificate-transparency.org/known-logs

Also, a CA doesn't need to run a log, and a log doesn't have to be run by a
CA. Frankly, I'm not entirely sure why most of them are running logs. It
doesn't seem like a valuable use of their time.

- Matt
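Matt's point that a monitor simply reads whatever logs it is pointed at, without any log of your own, is easy to see in code. The following is an added example (not code from the certificate-transparency project): it takes base URLs from a log list, walks each log's entries with the RFC 6962 `get-sth` and `get-entries` endpoints, and decodes the `MerkleTreeLeaf` in each `leaf_input`. Assumptions: the log list is JSON shaped like `{"logs": [{"description": ..., "url": ...}]}` (a simplified form of the known-logs list, and a URL may lack a scheme); the stand-in log at the bottom is constructed so the poller runs offline. Parsing the DER for names or issuer is left to an X.509 library.

```python
"""Poll CT logs from a log list and decode their entries (RFC 6962).

Added example, not the certificate-transparency project's code. Assumed log
list shape: {"logs": [{"description": ..., "url": ...}]}; the fake log below
is constructed for offline use and is not a real log.
"""
import base64
import hashlib
import json
import struct
import urllib.parse
import urllib.request

X509_ENTRY, PRECERT_ENTRY = 0, 1


def log_urls(log_list_json):
    """Base URLs from the assumed log-list shape; add https:// if absent."""
    urls = []
    for log in json.loads(log_list_json)["logs"]:
        url = log["url"]
        urls.append(url if "://" in url else "https://" + url)
    return urls


def endpoint(base_url, path):
    # RFC 6962 section 4: every endpoint hangs off <base>/ct/v1/
    return base_url.rstrip("/") + "/ct/v1/" + path


def get_json(url):
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def leaf_hash(leaf_input_b64):
    # RFC 6962 section 2.1: leaf = SHA-256(0x00 || leaf_input); this is the
    # value an auditor's inclusion-proof check is computed over.
    return hashlib.sha256(b"\x00" + base64.b64decode(leaf_input_b64)).hexdigest()


def decode_leaf(leaf_input_b64):
    """Decode a MerkleTreeLeaf (RFC 6962 section 3.4) from base64 leaf_input."""
    raw = base64.b64decode(leaf_input_b64)
    if raw[0] != 0 or raw[1] != 0:  # Version v1, MerkleLeafType timestamped_entry
        raise ValueError("unsupported version or leaf type")
    timestamp_ms, entry_type = struct.unpack(">QH", raw[2:12])
    body = raw[12:]
    if entry_type == X509_ENTRY:
        # ASN.1Cert is opaque<1..2^24-1>: 3-byte length, then the DER certificate
        n = int.from_bytes(body[:3], "big")
        der = body[3:3 + n]
        if len(der) != n:
            raise ValueError("truncated certificate")
        return {"timestamp_ms": timestamp_ms, "type": "x509_entry", "der": der}
    if entry_type == PRECERT_ENTRY:
        # PreCert: 32-byte issuer_key_hash, then opaque<1..2^24-1> TBSCertificate
        n = int.from_bytes(body[32:35], "big")
        tbs = body[35:35 + n]
        if len(tbs) != n:
            raise ValueError("truncated tbs")
        return {"timestamp_ms": timestamp_ms, "type": "precert_entry",
                "issuer_key_hash": body[:32].hex(), "der": tbs}
    raise ValueError("unknown entry type %d" % entry_type)


def poll_log(base_url, start, batch=256, get=get_json):
    """Fetch entries [start, tree_size) and return (next_start, decoded)."""
    tree_size = get(endpoint(base_url, "get-sth"))["tree_size"]
    decoded = []
    while start < tree_size:
        end = min(start + batch, tree_size) - 1
        got = get(endpoint(base_url, "get-entries?start=%d&end=%d" % (start, end)))["entries"]
        if not got:  # a log may return fewer than asked; never spin on an empty reply
            break
        decoded.extend(decode_leaf(e["leaf_input"]) for e in got)
        start += len(got)  # advance by what actually came back, not by batch
    return start, decoded


# --- constructed offline stand-in for a log (not a real log) -----------------
def encode_x509_leaf(timestamp_ms, der):
    leaf = bytes([0, 0]) + struct.pack(">QH", timestamp_ms, X509_ENTRY)
    leaf += len(der).to_bytes(3, "big") + der + b"\x00\x00"  # empty CtExtensions
    return base64.b64encode(leaf).decode()


FAKE_LOG = "https://log.example.invalid"
FAKE_LEAVES = [encode_x509_leaf(1468555200000 + i, b"\x30\x03\x02\x01" + bytes([i]))
               for i in range(5)]


def fake_get(url):
    if url.endswith("/ct/v1/get-sth"):
        return {"tree_size": len(FAKE_LEAVES)}
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    s, e = int(q["start"][0]), int(q["end"][0])
    return {"entries": [{"leaf_input": li, "extra_data": ""} for li in FAKE_LEAVES[s:e + 1]]}


if __name__ == "__main__":
    nxt, entries = poll_log(FAKE_LOG, 0, batch=2, get=fake_get)
    for ent in entries:
        print(ent["type"], ent["timestamp_ms"], len(ent["der"]), "bytes")
```

Persist `next_start` per log between runs so each run only reads new entries; to monitor every log in the list, call `poll_log` once per URL from `log_urls`. Feed each decoded `der` to your X.509 parser and match issuer and subject names against your own PKI's naming.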

Onno Zweers

Nov 2, 2016, 5:44:43 AM
to certificate-transparency
You could monitor a search result page like https://crt.sh/?q=%25example.com with www.followthatpage.com. It will send you an email when there are changes. Follow That Page can check pages up to every ten minutes, but I wouldn't do that for crt.sh because the crt.sh webmasters might block Follow That Page if there's too much traffic. But once a day will probably suffice for what you want.

Disclaimer: I'm admin of Follow That Page. But I do want the same thing: to be alerted when rogue certs are published for my domains.

Kind regards
Onno

On Friday, 15 July 2016 11:02:04 UTC+2, aa_kira wrote:

Santhan Raj

Nov 30, 2016, 2:28:57 AM
to certificate-transparency
 <snip> I would like to confirm this one way or another as one of the biggest reasons for employing CT in any manner is to be able to check all the other CT logs that are out there to see if some CA or other attacker is issuing certificates in the name of my PKI/CAs. <snip>

Is your question about monitoring the CT logs for certs issued for "your domain" or certs issued "in the name of your CA"? If it's the latter, it won't be possible for _some CA_ to pretend to be _your CA_, since CT log servers check the chain up to a valid root.