[SSL Observatory] crlwatch

Jesse Burns jesse at isecpartners.com
Fri Mar 18 13:10:06 PDT 2011


Yeah - the observatory doesn't collect CRLs yet - I think archiving this would be good for a number of purposes. Not the least of which is judging how much of the X509 universe we can see in the observatory for each CA. If we see that X% of CRLs are for observable certs and 100%-X% are hidden from us, we can get an idea about how much hidden certificate "mass" - or "dark matter" there is.... Sorry to stretch the analogy so far, but I really do think there is a lot to learn here.

Jesse

-----Original Message-----
From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On Behalf Of Peter Eckersley
Sent: Friday, March 18, 2011 9:41 AM
To: Jacob Appelbaum
Cc: observatory at eff.org
Subject: Re: [SSL Observatory] crlwatch

This largely replicates the functionality of the questions/crl_blacklist/check_crls.py script in the Observatory source code.

That script only fetches CRLs that pertain to the weak debian keys, though removing the "natural join" clause from its MySQL query in main() will change that.  check_crls.py writes the results into a "revoked" table, which is pretty handy for writing investigative queries.

Note that check_crls.py is lazy about what it downloads: it won't re-fetch a CRL if there's already a copy of it in the current directory.

On Fri, Mar 18, 2011 at 01:04:38AM -0700, Jacob Appelbaum wrote:
> Hi,
> 
> I've started a new project that may be a useful observatory sub-project:
> https://github.com/ioerror/crlwatch
> 
> The goal of the crlwatch project is to track which CRLs are known and 
> accessible on the public internet, to download, cache, and to analyze 
> the CRL content on a regular basis.
> 
> All the best,
> Jacob

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
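The pieces the thread describes (fetch a CRL only if it is not already cached, pull the revoked serials out of it, and compare them against certificates the observatory has seen to estimate Jesse's "dark matter"), as an added example that is not code from the Observatory, check_crls.py or crlwatch. It uses a hand-written DER reader that is only sufficient for the CertificateList structure of RFC 5280, builds a constructed, unsigned sample CRL so it runs offline, uses a hypothetical CRL URL with an injected fetch function instead of a real download, and does not verify the CRL signature; a real tool must verify the signature against the issuer key and match serials per issuer, since serials are only unique within one CA.

```python
"""Added example (not Observatory or crlwatch code): cache a CRL on disk,
parse its revokedCertificates with a minimal DER reader, and measure how
many revoked serials match certificates we have observed."""
import os
import hashlib
import tempfile
from datetime import datetime, timezone

# --- minimal DER encode/decode (enough for CertificateList, RFC 5280 5.1) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(n):  # two's-complement, minimal length, as DER requires
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def der_read(buf, pos=0):
    """Read one TLV at pos -> (tag, content, next_pos). Long-form lengths are
    handled; real CRLs are often hundreds of KB."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_read(content, pos)
        out.append((tag, val))
    return out

def parse_time(tag, raw):  # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_crl_revoked(crl_der):
    """Return {serial: revocation_time} from a DER CertificateList. The CRL
    signature is NOT verified here; check it before trusting the list."""
    _, cert_list, _ = der_read(crl_der)
    fields = der_children(der_children(cert_list)[0][1])   # TBSCertList
    i = 1 if fields[0][0] == 0x02 else 0                    # optional version
    i += 3                                                  # signature, issuer, thisUpdate
    if i < len(fields) and fields[i][0] in (0x17, 0x18):
        i += 1                                              # optional nextUpdate
    revoked = {}
    if i < len(fields) and fields[i][0] == 0x30:            # revokedCertificates
        for _, entry in der_children(fields[i][1]):
            (_, serial), (ttag, when) = der_children(entry)[:2]
            revoked[int.from_bytes(serial, "big", signed=True)] = parse_time(ttag, when)
    return revoked

# --- constructed sample CRL (unsigned: signatureValue is an empty BIT STRING) ---
OID_CN = der(0x06, bytes([0x55, 0x04, 0x03]))                    # 2.5.4.3
OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11

def T(day, hour):  # constructed timestamps in March 2011
    return datetime(2011, 3, day, hour, 0, 0, tzinfo=timezone.utc)

SAMPLE_REVOKED = {0x1001: T(1, 9), 0x1002: T(5, 14), 0x7F00A3: T(17, 23)}

def build_sample_crl(revoked=SAMPLE_REVOKED):
    sig_alg = der(0x30, OID_SHA256_RSA + der(0x05, b""))
    issuer = der(0x30, der(0x31, der(0x30, OID_CN + der(0x13, b"Example CA"))))
    entries = b"".join(der(0x30, der_int(s) + der_utctime(t)) for s, t in revoked.items())
    tbs = der(0x30, der_int(1) + sig_alg + issuer + der_utctime(T(18, 0))
              + der_utctime(T(25, 0)) + der(0x30, entries))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00"))

# --- lazy fetch with an on-disk cache, like check_crls.py's current directory ---
def fetch_crl_cached(url, fetch, cache_dir):
    """Skip the download when a cached copy exists. fetch(url) -> bytes is
    injected so this runs offline (really urllib.request.urlopen(url).read()).
    Returns (der_bytes, from_cache)."""
    path = os.path.join(cache_dir, hashlib.sha256(url.encode()).hexdigest() + ".crl")
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read(), True
    data = fetch(url)
    with open(path, "wb") as f:
        f.write(data)
    return data, False

# --- "dark matter": revoked serials we never saw as certificates ---------------
def visibility(revoked_serials, observed_serials):
    """(fraction of CRL entries matching observed certs, set of unseen serials)."""
    revoked = set(revoked_serials)
    seen = revoked & set(observed_serials)
    return (len(seen) / len(revoked) if revoked else 0.0), revoked - seen

def demo(observed=(0x1001, 0x7F00A3, 0x9999)):
    url = "http://crl.example.test/ca.crl"   # hypothetical distribution point
    with tempfile.TemporaryDirectory() as cache_dir:
        der1, cached1 = fetch_crl_cached(url, lambda u: build_sample_crl(), cache_dir)
        der2, cached2 = fetch_crl_cached(url, lambda u: b"unused", cache_dir)
        assert der1 == der2 and not cached1 and cached2   # second call hit the cache
    revoked = parse_crl_revoked(der1)
    frac, dark = visibility(revoked, observed)
    return revoked, frac, dark

if __name__ == "__main__":
    revoked, frac, dark = demo()
    print({hex(s): t.isoformat() for s, t in revoked.items()})
    print("visible fraction %.2f, dark serials %s" % (frac, [hex(s) for s in dark]))
```

The sample CRL's TBSCertList is deliberately over 127 bytes so the long-form length encoding that every real CRL uses is exercised on both the encoding and the parsing side; the cache key is a hash of the URL rather than the URL itself so a hostile distribution-point URL cannot steer the file name.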
