Search API query & Log Server being retired


Sohail Galaria

Nov 8, 2022, 7:41:33 AM
to certificate-transparency
I have recently started working with CT logs and after going through the RFC and quite a few posts on this group, I'm unable to find a Search API that can help me query the CT log server similar to how crt.sh does. I'm basically looking to have something that our users can use to query the CT log server anytime against any certificate field available. If there is something available like that someone can point me to, that would be really helpful.

Secondly, I noticed that the CT log servers are only valid for a year and are retired towards the end of the year. In that case, how does the certificate data transition over to the new log server, or do we only get results that were added to the new server and not the old one?

Thanks,
Sohail Galaria

Matt Palmer

Nov 8, 2022, 4:53:07 PM
to certificate-...@googlegroups.com
On Tue, Nov 08, 2022 at 04:34:15AM -0800, 'Sohail Galaria' via certificate-transparency wrote:
> I have recently started working with CT logs and after going through the
> RFC and quite a few posts on this group, I'm unable to find a Search API
> that can help me query the CT log server similar to how crt.sh does. I'm
> basically looking to have something that our users can use to query the CT
> log server anytime against any certificate field available. If there is
> something available like that someone can point me to, that would be really
> helpful.

There isn't one. Logs are, well, logs, not search appliances. If you want
to provide something equivalent to crt.sh, you'll need to ingest the
contents of all logs you're interested in and provide your own
indexing/search capabilities.

> Secondly, I noticed that the CT log servers are only valid for a year and
> are retired towards the end of the year. In that case, how does the
> certificate data transition over to the new log server, or do we only get
> results that were added to the new server and not the old one?

The certificate data does not transition, because a single log covers a
period of time for certificate expiries. Once that time period is past, the
certificates in that log are no longer relevant (because they are expired,
and hence unusable), and so there is no value in the log operators keeping
the logs running. Again, if you want historical certificate data, you'll
need to ingest the certificates from the log(s) of interest and store them
yourself.

- Matt
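
As an added illustration of the ingest-and-store approach described in the reply above (not code from this thread or from any CT project), the Python below decodes the `leaf_input` field of an RFC 6962 `get-entries` response and stores each entry in SQLite, keyed by log and index. The log URL, table layout, helper names and sample entries are assumptions constructed for the example; searching on certificate fields would additionally need an X.509 parser run over the stored DER.

```python
import base64, hashlib, json, sqlite3, struct
X509_ENTRY, PRECERT_ENTRY = 0, 1  # LogEntryType values from RFC 6962

def parse_leaf(leaf_input_b64):
    """Decode a v1 MerkleTreeLeaf into (timestamp_ms, entry_type, der_bytes)."""
    buf = base64.b64decode(leaf_input_b64)
    if len(buf) < 12:
        raise ValueError("leaf shorter than its fixed header")
    version, leaf_type, ts_ms, etype = struct.unpack(">BBQH", buf[:12])
    if (version, leaf_type) != (0, 0) or etype not in (X509_ENTRY, PRECERT_ENTRY):
        raise ValueError("unsupported leaf")
    # Precert entries carry a 32-byte issuer_key_hash; their DER is a TBSCertificate.
    pos = 12 + (32 if etype == PRECERT_ENTRY else 0)
    if len(buf) < pos + 3:
        raise ValueError("truncated leaf")
    n = int.from_bytes(buf[pos:pos + 3], "big")  # 24-bit length prefix
    der = buf[pos + 3:pos + 3 + n]
    if len(der) != n:
        raise ValueError("truncated certificate")
    return ts_ms, etype, der

def open_store(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS entries (log TEXT, idx INTEGER, ts_ms INTEGER,"
               " etype INTEGER, sha256 TEXT, der BLOB, PRIMARY KEY (log, idx))")
    return db

def ingest(db, log_url, start, response_json):
    """Store a get-entries reply fetched from index `start`; return the next index."""
    entries = json.loads(response_json)["entries"]
    for idx, entry in enumerate(entries, start):
        ts_ms, etype, der = parse_leaf(entry["leaf_input"])
        db.execute("INSERT OR IGNORE INTO entries VALUES (?,?,?,?,?,?)",
                   (log_url, idx, ts_ms, etype, hashlib.sha256(der).hexdigest(), der))
    db.commit()
    return start + len(entries)  # a log may return fewer entries than requested

def sample_leaf(ts_ms, etype, der):  # builds CONSTRUCTED leaves for the demo
    ikh = b"\x11" * 32 if etype == PRECERT_ENTRY else b""  # placeholder issuer_key_hash
    raw = struct.pack(">BBQH", 0, 0, ts_ms, etype) + ikh + len(der).to_bytes(3, "big") + der
    return {"leaf_input": base64.b64encode(raw).decode(), "extra_data": ""}

# Constructed stand-in for a get-entries reply; the "DER" bytes are placeholders.
SAMPLE = json.dumps({"entries": [sample_leaf(1667900000000, X509_ENTRY, b"cert-a"),
                                 sample_leaf(1667900001000, PRECERT_ENTRY, b"tbs-b")]})

def demo():
    db = open_store()
    nxt = ingest(db, "https://ct.example/2023/", 0, SAMPLE)  # hypothetical log URL
    return nxt, db.execute("SELECT idx, ts_ms, etype, sha256 FROM entries ORDER BY idx").fetchall()
```

Because rows are keyed on `(log, idx)`, re-running an ingest over an overlapping range is harmless, and the stored rows remain available after the log itself has been retired.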
