TBSCertificate / Certificate Linting APIs

Skip to first unread message

Rob Stradling

Aug 18, 2017, 12:40:09 PM8/18/17
to mozilla-dev-s...@lists.mozilla.org
In response to the many BR compliance issues [1] that have been reported
here this month, there's been renewed interest in certificate linting.
Various CAs have said that they're considering plugging one or more
certificate linters into their certificate issuance processes.

Some CAs, such as those with high certificate issuance rates, will
probably prefer to run their own local installations of their chosen
linter(s). However, other CAs may prefer to use an external linting

One current problem is that neither certlint/cablint nor x509lint is
suitable for use prior to certificate issuance - that is, they're only
currently capable of operating on certificates, not TBSCertificates.

With all of the above in mind, I've created a new crt.sh API that can be
used to lint TBSCertificates. It uses crt.sh's existing linting
capabilities, which are provided by cablint and x509lint. To workaround
the limitation described in the previous paragraph, it wraps the
TBSCertificate into a certificate structure by appending a dummy signature.

I'm planning to integrate this crt.sh API into Comodo's issuance
processes ASAP. Other CAs are also welcome to use it (although please
chat to me first if you're a high-volume issuer!)

API URL: https://crt.sh/linttbscert

To use it, either (1) browse to that URL, paste a base64-encoded
TBSCertificate, then click "Lint TBSCertificate", or (2) simulate that
button click by POSTing a URL-encoded "b64tbscert" parameter to the same

The API response is tab-separated text, with one line per "issue". Each
line contains three items:
Linter Severity Description

P.S. I've also created an equivalent linting API for certificates:

[1] https://wiki.mozilla.org/CA/Incident_Dashboard#Open_CA_Compliance_Bugs

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Reply all
Reply to author
0 new messages