[SSL Observatory] crlwatch

Seth David Schoen schoen at eff.org
Fri Mar 18 12:22:23 PDT 2011


Jacob Appelbaum writes:

> On 03/18/2011 09:41 AM, Peter Eckersley wrote:
> > This largely replicates the functionality of the
> > questions/crl_blacklist/check_crls.py script in the Observatory source code.
> > 
> 
> That seems true. Is there any way to get your code into git somewhere? :-)

We're working on a publicly-visible EFF git server and it should be
available soon.

> > That script only fetches CRLs that pertain to the weak debian keys, though
> > removing the "natural join" clause from its MySQL query in main() will change
> > that.  check_crls.py writes the results into a "revoked" table, which is
> > pretty handy for writing investigative queries.
> 
> Right - I think that in the long run, we should probably stuff all of
> this data into the database.

I agree that it should be pretty interesting to see what changes in
CAs' CRLs over time: for example, it will be useful for someone
investigating the kinds of reasons that CAs revoke (or don't revoke)
certificates, how responsive they are, and how this varies from CA to
CA.  Also, do CAs remove certs from their CRLs (say, when the
underlying cert would have expired normally)?  Looking at one of
Thawte's CRLs, for instance, I don't see very old revoked certs there;
the oldest revocation in the entire CRL has

        Revocation Date: Jan  4 18:25:10 2008 GMT

so it seems plausible that they only refer to certs that would
otherwise still be valid (which is another good reason to archive them
-- so that that history, which bears directly on how well the CA is
doing its job, won't be totally lost to the public!).

-- 
Seth Schoen
Senior Staff Technologist                         schoen at eff.org
Electronic Frontier Foundation                    https://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
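
As an added example (not code from this thread, and not the Observatory's
check_crls.py), here is the snapshot-archiving idea from the message above in
Python using only the standard library. It parses `openssl crl -text -noout`
output (the format the quoted "Revocation Date:" line comes from) into a
revoked-style SQLite table that records when each entry was first and last
seen, so that a later query can list entries a CA dropped between two snapshots
(what you would expect to see if it prunes revocations once the underlying
certificate has expired) and the oldest revocation still carried on the newest
CRL. The issuer, serials, dates, table name and function names are all my own
constructed assumptions, not Observatory schema or data.

```python
"""Archive CRL snapshots in SQLite and report entries a CA has dropped.

Added example. Input is `openssl crl -text -noout` output; the issuer,
serials and dates below are constructed, and the schema is hypothetical.
"""
import re
import sqlite3
from datetime import datetime

# `openssl crl -text` prints times like "Jan  4 18:25:10 2008 GMT".
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+)$", re.M)
LAST_UPDATE_RE = re.compile(r"^\s*Last Update:\s*(.+)$", re.M)
# One revokedCertificates entry: the serial line followed by its date line.
ENTRY_RE = re.compile(r"Serial Number:\s*([0-9A-Fa-f]+)\s+Revocation Date:\s*(.+)$", re.M)

SCHEMA = """
CREATE TABLE IF NOT EXISTS revoked (
    issuer          TEXT NOT NULL,
    serial          TEXT NOT NULL,  -- uppercase hex, as openssl prints it
    revocation_date TEXT NOT NULL,  -- ISO 8601, taken from the CRL entry
    first_seen      TEXT NOT NULL,  -- Last Update of the earliest snapshot listing it
    last_seen       TEXT NOT NULL,  -- Last Update of the latest snapshot listing it
    PRIMARY KEY (issuer, serial)
)"""


def parse_openssl_time(s):
    return datetime.strptime(s.strip(), OPENSSL_TIME).isoformat()


def parse_crl_text(text):
    """Return (issuer, last_update_iso, {serial: revocation_date_iso})."""
    issuer = ISSUER_RE.search(text).group(1).strip()
    last_update = parse_openssl_time(LAST_UPDATE_RE.search(text).group(1))
    entries = {serial.upper(): parse_openssl_time(date)
               for serial, date in ENTRY_RE.findall(text)}
    return issuer, last_update, entries


def archive_snapshot(conn, crl_text):
    """Merge one CRL snapshot into the table; MIN/MAX keep first_seen and
    last_seen correct even when snapshots are ingested out of order."""
    issuer, last_update, entries = parse_crl_text(crl_text)
    for serial, rdate in entries.items():
        conn.execute("INSERT OR IGNORE INTO revoked VALUES (?, ?, ?, ?, ?)",
                     (issuer, serial, rdate, last_update, last_update))
        conn.execute("""UPDATE revoked
                        SET first_seen = MIN(first_seen, ?), last_seen = MAX(last_seen, ?)
                        WHERE issuer = ? AND serial = ?""",
                     (last_update, last_update, issuer, serial))
    conn.commit()
    return issuer, last_update, len(entries)


def dropped_entries(conn, issuer):
    """Serials an earlier snapshot listed that the newest snapshot omits."""
    return conn.execute("""
        SELECT serial, revocation_date, last_seen FROM revoked
        WHERE issuer = ?
          AND last_seen < (SELECT MAX(last_seen) FROM revoked WHERE issuer = ?)
        ORDER BY revocation_date""", (issuer, issuer)).fetchall()


def oldest_current_revocation(conn, issuer):
    """Oldest revocation still carried on the issuer's newest snapshot."""
    return conn.execute("""
        SELECT serial, revocation_date FROM revoked
        WHERE issuer = ?
          AND last_seen = (SELECT MAX(last_seen) FROM revoked WHERE issuer = ?)
        ORDER BY revocation_date LIMIT 1""", (issuer, issuer)).fetchone()


# Constructed snapshots (hypothetical CA) in `openssl crl -text` layout.
SNAPSHOT_MAR01 = """\
Certificate Revocation List (CRL):
        Issuer: /C=XX/O=Example CA/CN=Example CA
        Last Update: Mar  1 12:00:00 2011 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D
        Revocation Date: Jan  4 18:25:10 2008 GMT
    Serial Number: 1122AABB
        Revocation Date: Jun 12 09:30:00 2009 GMT
    Serial Number: 5566CCDD
        Revocation Date: Feb  3 21:15:45 2011 GMT
"""
SNAPSHOT_MAR18 = """\
Certificate Revocation List (CRL):
        Issuer: /C=XX/O=Example CA/CN=Example CA
        Last Update: Mar 18 12:00:00 2011 GMT
Revoked Certificates:
    Serial Number: 1122AABB
        Revocation Date: Jun 12 09:30:00 2009 GMT
    Serial Number: 5566CCDD
        Revocation Date: Feb  3 21:15:45 2011 GMT
    Serial Number: 7788EEFF
        Revocation Date: Mar 15 08:00:00 2011 GMT
"""


def run_demo(snapshots=(SNAPSHOT_MAR01, SNAPSHOT_MAR18)):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for snap in snapshots:
        archive_snapshot(conn, snap)
    issuer = parse_crl_text(snapshots[0])[0]
    return {"dropped": dropped_entries(conn, issuer),
            "oldest_current": oldest_current_revocation(conn, issuer)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the constructed data the 2008 entry disappears from the March 18 snapshot,
so dropped_entries() reports it while oldest_current_revocation() moves up to
the 2009 entry; feeding the two snapshots in reverse order gives the same
answer because first_seen/last_seen are taken from each CRL's own Last Update
rather than from ingestion time.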