Definitive list of what is in OneCRL

Status: NEW
Priority: P2
Severity: enhancement
Reported: 2 years ago; last updated: 11 months ago
Reporter: kwilson
Assignee: mgoodwin (NeedInfo)
Keywords: stale-bug
Version: 51 Branch
Firefox Tracking Flags: Not tracked
Whiteboard: [psm-backlog]

Description (Reporter), 2 years ago
Please provide a way for everyone to easily see the definitive list of what is in OneCRL.

It would be most excellent if this can be viewed via an https URL that I can copy into my wiki pages, such as https://wiki.mozilla.org/CA:RevokedSubCAcerts
Updated (Reporter), 2 years ago
Assignee: nobody → mgoodwin

Comment 1 (Rob Stradling), 2 years ago
The OneCRL data is available here (it's an HTTPS URL, but it's not exactly easy to read!):
https://firefox.settings.services.mozilla.com/v1/buckets/blocklists/collections/certificates/records

Since crt.sh already fetches the OneCRL data from the above URL, I figured I may as well create this page (note: it's not quite finished)...

https://crt.sh/mozilla-onecrl

OneCRL doesn't contain the actual cert, but since that's kinda useful information for a "definitive list", this new crt.sh page links to the actual cert (if crt.sh has a copy of it).
Comment 2 (Reporter), 2 years ago
Thanks Rob! That is very helpful!

I added both of those links to https://wiki.mozilla.org/CA:RevokedSubCAcerts

I'm going to leave this bug open, because we still need a publicly-readable version-controlled repository that is the source of truth for what we consider to be in OneCRL.

Comment 3 (Rob Stradling), 2 years ago
(In reply to Kathleen Wilson from comment #2)
> Thanks Rob! That is very helpful!
> 
> I added both of those links to https://wiki.mozilla.org/CA:RevokedSubCAcerts

Thanks.  I've completed https://crt.sh/mozilla-onecrl now, but let me know if you'd like to see any further changes to it.

> I'm going to leave this bug open, because we still need a publicly-readable
> version-controlled repository that is the source of truth for what we
> consider to be in OneCRL.

Sure.

Comment 4 (Rob Stradling), 2 years ago
BTW, the 3 certs added to OneCRL in bug #1300747 were added again in bug #1312150.  Please would somebody remove the duplicates?
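The records endpoint named in comment 1 returns JSON in which the issuer name is base64-encoded DER and the serial is base64-encoded raw bytes, which is why it is hard to read and why a duplicate like the one in comment 4 is easy to miss. The following script is an added example written for this page; it is not crt.sh's code and not the verification scripts mentioned later in this bug. It assumes the record shape used by the Remote Settings "certificates" collection (either issuerName/serialNumber or subject/pubKeyHash, each base64, plus an optional details object, wrapped as {"data": [...]}), decodes the DER names with a small hand-written parser, and runs over constructed sample records so that it works offline. The helper names (load_records, summarize, find_duplicates) and the two DER names in the sample are this example's own.

```python
import base64
import hashlib
import json
from collections import defaultdict

# URL from comment 1; the example never contacts it, it only parses its record shape.
ONECRL_URL = ("https://firefox.settings.services.mozilla.com/v1/buckets/"
              "blocklists/collections/certificates/records")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    """Dotted-string form of a DER-encoded OBJECT IDENTIFIER body."""
    parts, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


_OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
              "2.5.4.10": "O", "2.5.4.11": "OU"}


def decode_der_name(der):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'O=...,CN=...'."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, apos = [], 0
        while apos < len(rdn):
            _, atv, apos = _read_tlv(rdn, apos)
            _, oid, vpos = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, vpos)
            text = val.decode("utf-16-be") if vtag == 0x1E else val.decode("utf-8", "replace")
            oid = _decode_oid(oid)
            atvs.append(f"{_OID_NAMES.get(oid, oid)}={text}")
        rdns.append("+".join(atvs))
    return ",".join(rdns)


def load_records(text):
    """Parse the JSON body served at ONECRL_URL (Kinto wraps the list in {"data": [...]})."""
    doc = json.loads(text)
    return doc["data"] if isinstance(doc, dict) else doc


def _entry_key(rec):
    """The identity a OneCRL entry matches on: issuer+serial, or subject+SPKI hash."""
    if "issuerName" in rec:
        return ("issuer/serial", rec["issuerName"], rec["serialNumber"])
    return ("subject/pubKeyHash", rec["subject"], rec["pubKeyHash"])


def summarize(records):
    """One human-readable row per record: decoded name, hex identifier, bug link."""
    rows = []
    for rec in records:
        kind, name_b64, ident_b64 = _entry_key(rec)
        rows.append({"kind": kind,
                     "name": decode_der_name(base64.b64decode(name_b64)),
                     "ident": base64.b64decode(ident_b64).hex().upper(),
                     "enabled": rec.get("enabled", True),
                     "bug": rec.get("details", {}).get("bug", "")})
    return rows


def find_duplicates(records):
    """Map identity -> record ids for every certificate blocked more than once."""
    seen = defaultdict(list)
    for rec in records:
        seen[_entry_key(rec)].append(rec.get("id", "?"))
    return {key: ids for key, ids in seen.items() if len(ids) > 1}


def _b64(hexstr):
    return base64.b64encode(bytes.fromhex(hexstr)).decode()


# Hand-assembled DER for this example (not real CA names):
# CN=Example Root CA, and O=Acme Inc,CN=Acme Intermediate.
ROOT_NAME_HEX = ("30 1a 31 18 30 16 06 03 55 04 03 13 0f "
                 "45 78 61 6d 70 6c 65 20 52 6f 6f 74 20 43 41")
SUB_NAME_HEX = ("30 2f 31 11 30 0f 06 03 55 04 0a 0c 08 41 63 6d 65 20 49 6e 63 "
                "31 1a 30 18 06 03 55 04 03 13 11 "
                "41 63 6d 65 20 49 6e 74 65 72 6d 65 64 69 61 74 65")

# Constructed sample records; rec-1 and rec-2 block the same issuer/serial from
# two different bugs, the situation described in comment 4.
SAMPLE_RECORDS = [
    {"id": "rec-1", "enabled": True, "issuerName": _b64(ROOT_NAME_HEX),
     "serialNumber": _b64("0a 1b 2c 3d"),
     "details": {"bug": "https://bugzilla.mozilla.org/show_bug.cgi?id=1300747"}},
    {"id": "rec-2", "enabled": True, "issuerName": _b64(ROOT_NAME_HEX),
     "serialNumber": _b64("0a 1b 2c 3d"),
     "details": {"bug": "https://bugzilla.mozilla.org/show_bug.cgi?id=1312150"}},
    {"id": "rec-3", "enabled": True, "subject": _b64(SUB_NAME_HEX),
     "pubKeyHash": base64.b64encode(hashlib.sha256(b"constructed spki").digest()).decode(),
     "details": {"bug": ""}},
]

if __name__ == "__main__":
    for r in summarize(load_records(json.dumps({"data": SAMPLE_RECORDS}))):
        print(f'{r["kind"]:20} {r["name"]:36} {r["ident"][:16]:16} {r["bug"]}')
    for key, ids in find_duplicates(SAMPLE_RECORDS).items():
        print("DUPLICATE", key[0], ids)
```

To run it against the live collection, fetch ONECRL_URL with any HTTPS client and pass the body to load_records; the parser handles the two-valued RDNs and BMPString values that occasionally appear in older CA names, but it does not validate DER strictly, so treat it as a reading aid rather than as the matching logic Firefox itself applies.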
Comment 5 (Assignee, mgoodwin), 2 years ago
(In reply to Rob Stradling from comment #4)
> BTW, the 3 certs added to OneCRL in bug #1300747 were added again in bug
> #1312150.  Please would somebody remove the duplicates?

Yes, I'll get that sorted.

Comment 6 (Gervase Markham [:gerv])
(In reply to Rob Stradling from comment #3)
> Thanks.  I've completed https://crt.sh/mozilla-onecrl now, but let me know
> if you'd like to see any further changes to it.

<cough>

> could not find function "x509_name_print" in file "/usr/lib64/postgresql-9.5/lib64/libx509pq.so"
> 
> PL/pgSQL function web_apis(text,text[],text[]) line 1754 at assignment

(As of just now.) But thanks for building this!

Gerv

Comment 7 (Rob Stradling), 2 years ago
(In reply to Gervase Markham [:gerv] from comment #6)
> (In reply to Rob Stradling from comment #3)
> > Thanks.  I've completed https://crt.sh/mozilla-onecrl now, but let me know
> > if you'd like to see any further changes to it.
> 
> <cough>
> 
> > could not find function "x509_name_print" in file "/usr/lib64/postgresql-9.5/lib64/libx509pq.so"
> > 
> > PL/pgSQL function web_apis(text,text[],text[]) line 1754 at assignment

Sorry about that.  I didn't expect crt.sh's front-end servers to be calling that code, because they should be serving a pre-generated version of the page.  I've just tweaked some settings to make it behave properly.

> (As of just now.) But thanks for building this!

You're welcome.  :-)
Updated
Priority: -- → P1
Whiteboard: [psm-assigned]

Comment 9 (Gervase Markham [:gerv])
(In reply to Kathleen Wilson from comment #2)
> I'm going to leave this bug open, because we still need a publicly-readable
> version-controlled repository that is the source of truth for what we
> consider to be in OneCRL.

Kathleen: can you elaborate on why we need this?

Presumably there's a data store somewhere backing oneCRL. Where is it, and is it publicly available? mgoodwin?

Gerv
Flags: needinfo?(mgoodwin)
Flags: needinfo?(kwilson)
Comment 10 (Reporter), a year ago
(In reply to Gervase Markham [:gerv] from comment #9)
> (In reply to Kathleen Wilson from comment #2) 
> > I'm going to leave this bug open, because we still need a publicly-readable
> > version-controlled repository that is the source of truth for what we
> > consider to be in OneCRL.
> 
> Kathleen: can you elaborate on why we need this?

I think it is good programming practice to have a version-controlled snapshot of each release of OneCRL. And it would be helpful (though not necessary) if it was human-readable. 

Today I use https://crt.sh/mozilla-onecrl and look at the listed Bugzilla bugs to see when an entry was added to OneCRL. This is extremely useful, but it's not really what we should be using as our version-controlled history.

> 
> Presumably there's a data store somewhere backing oneCRL. Where is it, and
> is it publicly available? mgoodwin?

A very small number of us have access to an admin interface where I think we can see the history of when entries were added to OneCRL, but the data is not human-readable, and I think you have to inspect each entry individually. JC has written some scripts that he uses to parse the data in order to verify OneCRL updates before approving them.
Flags: needinfo?(kwilson)
Priority: P1 → P2
Whiteboard: [psm-assigned] → [psm-backlog]