[SSL Observatory] Adding CRLs to the Observatory?

Jacob Appelbaum jacob at appelbaum.net
Sat Mar 19 23:30:02 PDT 2011


On 03/19/2011 07:55 PM, Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
> 
>> In my quest to find CRLs, I've received a patch to add a number of previously
>> unknown CRLs:
>>
>> https://github.com/okoeroo/crlwatch/commit/59bcfeb42252563614572e5aa35bdca7751c212d#commitcomment-307742
> 
> Just out of interest, where are these coming from?  I imagine you can mine the
> cert database for CRLDPs, but if these are from another source should they be
> regarded as "visible" for observatory purposes?  

Those came from some large grid computing cluster. I suppose that the
leaf certificate for many .edu domains internally refers to those CRLs.

> If a CRL gets issued in a
> tall forest and no-one sees it, does it revoke a cert?
> 

I think we shouldn't mark it as seen until we've seen it in the wild.
Doesn't it make sense to try to find and archive them anyway?

We can still detect revocation events, even if we don't see the leaf
certs, I think.

All the best,
Jake


