[SSL Observatory] Fresh observatory data ? Survey other ports/protocols ?

Andy Isaacson adi at hexapodia.org
Thu Apr 28 16:49:34 PDT 2011


On Thu, Apr 28, 2011 at 06:30:21PM -0400, George Macon wrote:
> On 4/28/11 6:01 PM, Andy Isaacson wrote:
> > Perhaps adding a CLI tool to the Mozilla tree so that we can check it
> > out and build it, or something like that?
> > 
> > If we were to just copy stuff out of Mozilla's tree, it'll diverge from
> > their code over time.  That would be sad, I think.
> 
> The script I wrote earlier to look at unqualified names already uses the
> Mozilla command line tools certutil and vfychain. The code parses the
> results, but isn't modular and only cert verification is currently
> implemented.
> 
> It might be a good idea to define an abstract interface to these tools
> so that openssl, NSS, pyasn1, and whatever someone comes up with next
> can be easily switched in and out. Do you already have such a thing in
> progress in relation to your work with pyasn1?

No, I haven't put any work into an abstract interface; I'm just going to
have my WSGI code use pyasn1 to parse the certificates extracted from
the Observatory output files and provide that in various formats (JSON
to start, others as needed).

I think the glue is simple enough that abstracting it would be more work
than benefit.  The biggest benefit to testing NSS's certificate parsing,
to me, is that we learn about corner cases where the different parsers
give different results, and abstract interfaces will tend to obscure
precisely those differences. :)

I'm looking forward to the first CA-signed certificate to exploit a
parser bug for NSS code execution. :)

-andy
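The parser-divergence point above, as an added example that is not part of the original thread: a small strict DER walker in plain Python (standard library only, no pyasn1 or NSS), emitting the JSON-style tree the mail mentions, plus constructed sample blobs where a lenient BER reader and a strict DER reader disagree. All names and samples are my own.

```python
import json

class DerError(ValueError):
    """Raised where a strict DER reader refuses input a lenient BER reader may accept."""

def _read_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    if i >= len(buf):
        raise DerError("missing length byte")
    first = buf[i]
    i += 1
    if first < 0x80:                       # short form: one byte
        return first, i
    n = first & 0x7F
    if n == 0:
        raise DerError("indefinite length is BER, not DER")
    if n > 4 or i + n > len(buf):
        raise DerError("length field too long or truncated")
    length = int.from_bytes(buf[i:i + n], "big")
    if buf[i] == 0 or length < 0x80:       # DER requires the minimal encoding
        raise DerError("non-minimal length encoding")
    return length, i + n

def parse_der(buf, i=0, end=None):
    """Strictly walk the TLVs in buf[i:end]; return a JSON-friendly list of nodes."""
    if end is None:
        end = len(buf)
    nodes = []
    while i < end:
        tag = buf[i]
        if tag & 0x1F == 0x1F:
            raise DerError("high tag numbers not supported by this toy walker")
        length, i = _read_length(buf, i + 1)
        if i + length > end:
            raise DerError("value runs past its enclosing element")
        node = {"tag": tag}
        if tag & 0x20:                      # constructed: recurse into the contents
            node["children"] = parse_der(buf, i, i + length)
        else:
            node["value"] = buf[i:i + length].hex()
        nodes.append(node)
        i += length
    return nodes

def to_json(buf):
    return json.dumps(parse_der(buf))

def strict_accepts(buf):
    """True if the blob is valid DER by this walker's rules, False on any DerError."""
    try:
        parse_der(buf)
        return True
    except DerError:
        return False

# Constructed samples: SEQUENCE { INTEGER 2, PrintableString "EFF" } in valid DER,
# then the same structure with a long-form length (valid BER, invalid DER),
# then with an indefinite length (BER only). Lenient parsers accept all three.
SAMPLE_DER = bytes.fromhex("30080201021303454646")
SAMPLE_BER_LONG_FORM = bytes.fromhex("3081080201021303454646")
SAMPLE_BER_INDEFINITE = bytes.fromhex("30800201021303454646" "0000")
```

Running the three samples through this walker and through a BER-tolerant parser side by side is the kind of differential check the mail describes: disagreement, not acceptance, is the finding.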


