Hi list,
I am currently writing a script to submit certificate chains to the
logs, much like Graham Edgecombe's
(https://github.com/grahamedgecombe/ct-submit).
His script does the job but I wanted a tool with a few
additional checks, such as:
* whether the chain that is submitted is consistent;
* if the chain has a chance to be accepted by checking the get-roots API;
* if the SCT that is returned is valid and signed by the log.
The following quote from Ryan Sleevi, written in the context of the
"Google Aviator incident under investigation" on CT-Policy suggests that
the get-roots/get-anchors response might vary overtime and that some
trust anchors might be removed.
On Sat, Oct 22, 2016 at 12:13 AM, Ryan Sleevi wrote:
I suspect you're more specifically thinking of "What happens when a
single certificate is presented, and the option is either blow MMD or
blow 99% uptime", which is a possible situation, but one would have
hoped that the Log Operator took appropriate steps to avoid that
situation, since a variety of options exist - up to and including no
longer including CAs as accepted by the Log until the Log Operator is
able to scale.
The possible variation of this list is consistent with the mere
existence of this API endpoint. If this list was immutable, it would
make sense to add it to the log metadata that one can find in
log_list.json at the certificate-transparency.org website.
On the other hand, I haven't found any guidance or information regarding
the time to live of this endpoint answers. I definitely might have
missed it, though.
Caching the answer would help prevent my script and others' to harass
the log servers with get-roots/get-anchors calls, each time a new chain
is to be submitted.
Is there a de facto standard for the caching duration? Should I request
the list of acceptable roots each time I submit a new chain, or a batch
of new chains? Should we update the RFC6962-bis get-anchors endpoint
specification to add an output TTL attribute?
Thanks,
Cheers,
Florian Maury