Add another field to AllCertificateRecordsCSVFormat
230 views
Skip to first unread message
Rob Stradling
Sep 21, 2022, 11:52:04 AM9/21/22
to dev-secur...@mozilla.org
Kathleen, Ben,
I would like to enhance https://crt.sh/mozilla-disclosures to
monitor compliance to Mozilla's new CRL URL disclosure requirement that comes into force in about a week and a half from now (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements).
crt.sh already has access to the "Full CRL Issued By This CA" field, but cannot yet access the "JSON Array of Partitioned CRLs" field.
Please could I ask you to append the "JSON Array of Partitioned CRLs" field to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat?
--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
Rob Stradling
Sep 23, 2022, 5:54:30 AM9/23/22
to dev-secur...@mozilla.org
Hi all. Kathleen dealt with my request off-list. The "JSON Array of Partitioned CRLs" field has now been appended to https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.
From: 'Rob Stradling' via dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Sent: 21 September 2022 16:52
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Add another field to AllCertificateRecordsCSVFormat
Sent: 21 September 2022 16:52
To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
Subject: Add another field to AllCertificateRecordsCSVFormat
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47293DF31FB62C442C97503FAA4F9%40MW4PR17MB4729.namprd17.prod.outlook.com.
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47293DF31FB62C442C97503FAA4F9%40MW4PR17MB4729.namprd17.prod.outlook.com.
Andrew Ayer
Sep 26, 2022, 1:21:52 PM9/26/22
to dev-secur...@mozilla.org
Thanks Kathleen for adding the field to the report.
I'm trying to process this field, and so far the only well-formed JSON
I've found is the empty array (i.e. "[]"). Numerous CAs have failed to
put double quotes around the URLs, e.g.:
[http://example.com/crl1, http://example.com/crl2]
Another mistake is just making it a comma-separated list, without any
JSON syntax, e.g.:
http://example.com/crl1, http://example.com/crl2
CAs should make sure that they put well-formed JSON in this field, e.g.:
["http://example.com/crl1", "http://example.com/crl2"]
Also, if there is some way to have Salesforce enforce that well-formed
JSON is provided, that would sure be helpful.
Regards,
Andrew
On Fri, 23 Sep 2022 09:54:24 +0000
"'Rob Stradling' via dev-secur...@mozilla.org"
I'm trying to process this field, and so far the only well-formed JSON
I've found is the empty array (i.e. "[]"). Numerous CAs have failed to
put double quotes around the URLs, e.g.:
[http://example.com/crl1, http://example.com/crl2]
Another mistake is just making it a comma-separated list, without any
JSON syntax, e.g.:
http://example.com/crl1, http://example.com/crl2
CAs should make sure that they put well-formed JSON in this field, e.g.:
["http://example.com/crl1", "http://example.com/crl2"]
Also, if there is some way to have Salesforce enforce that well-formed
JSON is provided, that would sure be helpful.
Regards,
Andrew
On Fri, 23 Sep 2022 09:54:24 +0000
"'Rob Stradling' via dev-secur...@mozilla.org"
<dev-secur...@mozilla.org> wrote:
> Hi all. Kathleen dealt with my request off-list. The "JSON Array of
> Partitioned CRLs" field has now been appended to
> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.
>
> ________________________________
> From: 'Rob Stradling' via dev-secur...@mozilla.org
> <dev-secur...@mozilla.org> Sent: 21 September 2022 16:52
> To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
> Subject: Add another field to AllCertificateRecordsCSVFormat
>
>
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
>
> Kathleen, Ben,
>
> I would like to enhance
> https://crt.sh/mozilla-disclosures<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcrt.sh%2Fmozilla-disclosures&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yCQJSenYyJ3o2U%2FCae1vQ1GPo6EqKJHq0Mn%2F8wd4eDQ%3D&reserved=0>
> Hi all. Kathleen dealt with my request off-list. The "JSON Array of
> Partitioned CRLs" field has now been appended to
> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat.
>
> ________________________________
> From: 'Rob Stradling' via dev-secur...@mozilla.org
> <dev-secur...@mozilla.org> Sent: 21 September 2022 16:52
> To: dev-secur...@mozilla.org <dev-secur...@mozilla.org>
> Subject: Add another field to AllCertificateRecordsCSVFormat
>
>
> CAUTION: This email originated from outside of the organization. Do
> not click links or open attachments unless you recognize the sender
> and know the content is safe.
>
>
> Kathleen, Ben,
>
> I would like to enhance
> to monitor compliance to Mozilla's new CRL URL disclosure requirement
> that comes into force in about a week and a half from now
> (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#41-additional-requirements<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.mozilla.org%2Fen-US%2Fabout%2Fgovernance%2Fpolicies%2Fsecurity-group%2Fcerts%2Fpolicy%2F%2341-additional-requirements&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=mIi0cZUf9sp4Myr8c%2BUKw8c7nLEv1HiUHpNzl3Q7ycw%3D&reserved=0>).
> that comes into force in about a week and a half from now
> crt.sh already has access to the "Full CRL Issued By This CA" field,
> but cannot yet access the "JSON Array of Partitioned CRLs" field.
>
> Please could I ask you to append the "JSON Array of Partitioned CRLs"
> field to
> https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fccadb-public.secure.force.com%2Fccadb%2FAllCertificateRecordsCSVFormat&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=5l0bsEYP1qTo%2FQJi5WEpT5ftEh%2BzQFf1uAPnA1rBMUw%3D&reserved=0>?
> but cannot yet access the "JSON Array of Partitioned CRLs" field.
>
> Please could I ask you to append the "JSON Array of Partitioned CRLs"
> field to
>
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> dev-security-po...@mozilla.org<mailto:dev-security-po...@mozilla.org>.
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Sectigo Limited
>
>
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB47293DF31FB62C442C97503FAA4F9%40MW4PR17MB4729.namprd17.prod.outlook.com<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgroups.google.com%2Fa%2Fmozilla.org%2Fd%2Fmsgid%2Fdev-security-policy%2FMW4PR17MB47293DF31FB62C442C97503FAA4F9%2540MW4PR17MB4729.namprd17.prod.outlook.com%3Futm_medium%3Demail%26utm_source%3Dfooter&data=05%7C01%7Crob%40sectigo.com%7C844a95351942442323f708da9be93b2b%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637993723270265361%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=NBh1BGZD920%2F6EJDKFM5sCf4aOM4Kt5SzJfz2BINwjw%3D&reserved=0>.
>
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> dev-security-po...@mozilla.org. To view this discussion
> on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/MW4PR17MB4729A09C3DCF46B5BD3592DDAA519%40MW4PR17MB4729.namprd17.prod.outlook.com.
> --
> You received this message because you are subscribed to the Google
> Groups "dev-secur...@mozilla.org" group. To unsubscribe from
> this group and stop receiving emails from it, send an email to
> dev-security-po...@mozilla.org. To view this discussion
> on the web visit
Ryan Hurst
Sep 26, 2022, 3:13:21 PM9/26/22
to dev-secur...@mozilla.org, Andrew Ayer
Kathleen,
I believe at least part of the problem Andrew mentions is because of Salesforce or some intermediary processing within CCADB tooling.
I had pinged Andrew offline and he mentioned what he was seeing from our JSON was no "" around the URL, we have confirmed what we publish does have these URLs so it appears something is stripping the quotes.
Ryan Hurst
Google Trust Services
Kathleen Wilson
Oct 12, 2022, 4:53:22 PM10/12/22
to dev-secur...@mozilla.org, ryan....@gmail.com, Andrew Ayer
I believe at least part of the problem Andrew mentions is because of Salesforce or some intermediary processing within CCADB tooling.I had pinged Andrew offline and he mentioned what he was seeing from our JSON was no "" around the URL, we have confirmed what we publish does have these URLs so it appears something is stripping the quotes.
Thanks for bringing this to my attention.
The
https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat
report has been updated, so the URLs in the JSON have the quotes now.
Thanks,
Kathleen
Reply all
Reply to author
Forward
0 new messages