Currently using the wrong CA DB

James-E-A / cerdicator

Enhanced TLS indicator with an emphasis on information about the Root Certificate Authority from which the connection's authenticity is derived

https://addons.mozilla.org/en-US/firefox/addon/cerdicator/

1 stars 3 forks source link

Currently using the wrong CA DB #21

Closed James-E-A closed 3 years ago

James-E-A commented 3 years ago

What the project is using now, IncludedCACertificateReport, is a list of all root certificate authorities recognized by Mozilla.
What we should be using is the list of those “…with the Websites (TLS/SSL) Trust Bit Enabled”.

However, the file they provide about the latter has some drawbacks:

It lacks crucial geopolitical exposure information
We can't use it without an ASN.1-parsing library, so will have to put in work to leverage it

James-E-A commented 3 years ago

We can't use it without an ASN.1-parsing library, so will have to put in work to leverage it

This is actually false: all we gotta do is de-base64 the blobs themselves and SHA-256 them wholesale to key the (geopolitically-informative) CCADB off. This will be super EZ

James-E-A commented 3 years ago

Resolved by 89e4f6f99e4587ee0db42386672b142c277a26c6