[SSL Observatory] Adding CRLs to the Observatory?

Peter Eckersley pde at eff.org
Sun Mar 20 12:20:37 PDT 2011


On Sun, Mar 20, 2011 at 03:55:56PM +1300, Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
> 
> >In my quest to find CRLs, I've received a patch to add a number of previously
> >unknown CRLs:
> >
> >https://github.com/okoeroo/crlwatch/commit/59bcfeb42252563614572e5aa35bdca7751c212d#commitcomment-307742
> 
> Just out of interest, where are these coming from?  I imagine you can mine the
> cert database for CRLDPs, 

That's how the revocation-checking scripts in the Observatory work (just
check CRLDPs).  The scripts Jake published also look at some Netscape-defined
revocation fields.

> but if these are from another source should they be
> regarded as "visible" for observatory purposes?  If a CRL gets issued in a
> tall forest and no-one sees it, does it revoke a cert?

No.  If you want to approximate "real world" revocation, you need to join the
CRLDPs in the certs against the revocation table.  And of course, there are
plenty of devices (phones!) where revocation just doesn't happen.

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
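The join described in the reply above (CRLDPs in the certs against the revocation table), worked through as an added Go example; this is not code from the thread or from the crlwatch project. It uses only Go's standard crypto/x509 package (Go 1.19 or later, for ParseRevocationList and CheckSignatureFrom), and the CA, the three leaf certificates, the two CRLs and the crl.example.test URLs are all constructed in memory for the demonstration; the function and status names are my own. The scenario also covers the "tall forest" case: a CRL that no certificate's CRLDP names revokes nothing, and a certificate whose CRLDP was never fetched gets "no CRL observed" rather than "good".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is what a relying party that follows only the cert's own CRLDPs concludes.
type Status string
const (
	Revoked   Status = "revoked"         // serial listed in a CRL that one of the cert's CRLDPs names
	Good      Status = "good"            // a named CRL was observed and the serial is absent from it
	NoCRLSeen Status = "no CRL observed" // none of the cert's CRLDPs matched an observed CRL
	// Hypothetical CRL URLs for the constructed scenario (not real hosts).
	mainCRL   = "http://crl.example.test/ca.crl"     // named by leaf certs and observed
	otherCRL  = "http://crl.example.test/other.crl"  // named by a leaf but never fetched
	orphanCRL = "http://crl.example.test/orphan.crl" // observed, but no cert names it
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// cert signs tmpl under parent (self-signed when parent is nil) and parses it back so
// CRLDistributionPoints and the CA's SubjectKeyId (required to sign CRLs) are populated.
func cert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// crl signs a CRL listing the given serials and parses it back, as a CRLDP fetcher would.
func crl(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// EffectiveStatus joins one cert against the observed CRL table by the cert's own CRLDP URLs.
// A CRL at a URL the cert never names cannot revoke it; a CRL the issuer did not sign is ignored too.
func EffectiveStatus(c, issuer *x509.Certificate, crls map[string]*x509.RevocationList) Status {
	seen := false
	for _, dp := range c.CRLDistributionPoints {
		rl, ok := crls[dp]
		if !ok || rl.CheckSignatureFrom(issuer) != nil {
			continue
		}
		seen = true
		for _, rc := range rl.RevokedCertificates {
			if rc.SerialNumber.Cmp(c.SerialNumber) == 0 {
				return Revoked
			}
		}
	}
	if !seen {
		return NoCRLSeen
	}
	return Good
}

// RunScenario builds the constructed CA, leaves and CRLs and returns each leaf's status by CommonName.
func RunScenario() map[string]Status {
	ca, caKey := cert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf := func(serial int64, dp string) *x509.Certificate {
		c, _ := cert(&x509.Certificate{SerialNumber: big.NewInt(serial),
			Subject: pkix.Name{CommonName: fmt.Sprintf("leaf-%d", serial)}, CRLDistributionPoints: []string{dp}}, ca, caKey)
		return c
	}
	leaves := []*x509.Certificate{
		leaf(1001, mainCRL),  // listed in mainCRL: really revoked
		leaf(1002, mainCRL),  // listed only in the orphan CRL: still good
		leaf(1003, otherCRL), // its CRLDP was never fetched: status unknown
	}
	crls := map[string]*x509.RevocationList{
		mainCRL:   crl(ca, caKey, 1, 1001),
		orphanCRL: crl(ca, caKey, 2, 1002, 1003), // the CRL issued in a tall forest
	}
	out := map[string]Status{}
	for _, c := range leaves {
		out[c.Subject.CommonName] = EffectiveStatus(c, ca, crls)
	}
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Running it with `go run` prints the three statuses. The signature check against the issuer is deliberate: a revocation table built by fetching whatever sits at each CRLDP will contain whatever the server returned, so a CRL only counts against a certificate when its CRLDP names that URL and the certificate's own issuer signed it; the third status keeps "never observed" distinct from "checked and clean", which matters when the table is used to approximate what revocation-checking clients actually see.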