In [174]:
import pandas as pd
from collections import OrderedDict

In [175]:
# 5.1 Identifying Trusted Authorities

In [176]:
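def get_cert_info(filename):
    """Print the unique issuing links, CA names and country codes in a chain file.

    Each line of ``filename`` is read as one certificate chain whose entries
    are separated by ``|``. The first entry is the end-entity subject and is
    skipped; every later pair of neighbouring entries is recorded as an
    ``(intermediate, issuer)`` link.

    Certificates are identified only by the text of these entries, not by a
    key or fingerprint, so different certificates that carry the same name
    (or names cut to the same prefix before they reached this file) are
    counted once.

    Args:
        filename: path of the ``|``-separated chain file.

    Output (stdout): the number of unique links, then the unique issuer names
    (last comma-separated field of each issuer entry), then the unique
    two-character leading fields, which are taken to be country codes.
    """
    # Links are kept as tuples so they never have to be re-split on '|'.
    unique_links = set()

    with open(filename) as f:
        for line in f:
            # A list (not a lazy map object) so the entries can be indexed on
            # Python 3 as well as Python 2.
            chain = [entry.strip() for entry in line.split('|')]

            # start at 1 to skip ultimate subject
            for i in range(1, len(chain) - 1):
                unique_links.add((chain[i], chain[i + 1]))

    print(str(len(unique_links)) + " certs")
    print("")

    unique_orgs = set()
    unique_countries = set()

    for _intermediate, issuer in unique_links:
        fields = issuer.split(',')

        # Strip the blank left behind by ", " so names print without a leading
        # space and cannot differ by whitespace alone.
        unique_orgs.add(fields[-1].strip())

        # some orgs don't specify country; any two-character leading field is
        # accepted here and is not checked against a list of real codes.
        leading = fields[0].strip()
        if len(leading) == 2:
            unique_countries.add(leading)

    print(str(len(unique_orgs)) + " orgs")
    # Sets have no stable order; sort so repeated runs give the same report.
    for org in sorted(unique_orgs):
        print(org)
    print("")

    print(str(len(unique_countries)) + " countries")
    for country in sorted(unique_countries):
        print(country)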

In [177]:
# Summarise the issuing links, CA names and country codes in the first-party chain file.
get_cert_info('output/first_party_certs.txt')

5 certs

4 orgs
 DigiCert Global Root CA
 USERTrust RSA Certification Authority
 AddTrust External CA Root
 DST Root CA X3

2 countries
SE
US


In [178]:
# Summarise the issuing links, CA names and country codes in the third-party chain file.
get_cert_info('output/third_party_certs.txt')

35 certs

22 orgs
 Baltimore CyberTrust Root
 DigiCert Global Root G2
 Go Daddy Root Certificate Authority - G2
 Starfield Class 2 Certification Au
 GlobalSign Domain Validation CA - SHA256 - G2
 Amazon Root CA 1
 GlobalSign Organization Validation CA - SHA256
 DigiCert High Assurance EV Root CA
 Starfield Root Certificate Authority - G2
 COMODO RSA Certification Authority
 SecureTrust CA
 COMODO ECC Certification Authority
 VeriSign Class 3 Public Primary Certification
 Go Daddy Secure Certificate Authority - G2
 Go Daddy Class 2 Certification Aut
 DST Root CA X3
 GlobalSign Root CA
 GlobalSign
 DigiCert Global Root CA
 GlobalSign CloudSSL CA - SHA256 - G3
 AddTrust External CA Root
 Starfield Services Root Certificate Authority

5 countries
BE
IE
SE
US
GB


In [179]:
# 5.2 Sources of Intermediates

In [180]:
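def check_result_dict(results):
    """Print one ``key: size`` line for every entry of ``results``.

    Args:
        results: mapping from a string key to a sized collection
            (``num_intermediates_per_root`` passes a dict of sets).
    """
    # Plain key iteration works on Python 2 and 3 alike (iteritems() is
    # Python 2 only); sorting keeps the report identical from run to run.
    for key in sorted(results):
        print(key + ": " + str(len(results[key])))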

In [181]:
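def num_intermediates_per_root(filename):
    """Print how many intermediates sit below each chain-terminating CA.

    Each line of ``filename`` is read as one ``|``-separated certificate
    chain. The last entry of a chain is treated as its root, and every entry
    after the first is treated as having been issued by the entry that
    follows it. For each root that issued at least one intermediate, the
    function collects every intermediate reachable through those issuing
    links, at any depth, and hands the result to ``check_result_dict``.

    The "root" is simply whatever entry ends the recorded chain; nothing here
    checks that it is an actual trust anchor. Entries are matched by their
    text alone, so certificates sharing a name are treated as one CA.

    Args:
        filename: path of the ``|``-separated chain file.
    """
    issued_by = dict()  # issuer entry -> set of entries it issued
    root_ca = set()

    with open(filename) as f:
        for line in f:
            # A blank line would otherwise register '' as a root.
            if not line.strip():
                continue

            chain = [entry.strip() for entry in line.split('|')]
            root_ca.add(chain[-1])

            # start at 1 to skip ultimate subject
            for i in range(1, len(chain) - 1):
                issued_by.setdefault(chain[i + 1], set()).add(chain[i])

    # aggregate total number approved by root
    aggregated = dict()
    for root in root_ca:
        if root not in issued_by:
            continue

        # Walk the issuing links to any depth. The `reached` set doubles as
        # the visited set, so mutually issuing entries cannot loop forever.
        reached = set()
        pending = list(issued_by[root])
        while pending:
            ca = pending.pop()
            if ca in reached:
                continue
            reached.add(ca)
            pending.extend(issued_by.get(ca, ()))

        aggregated[root] = reached

    check_result_dict(aggregated)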

In [182]:
# Count the intermediates found under each chain-terminating CA in the first-party chain file.
num_intermediates_per_root('output/first_party_certs.txt')

US, DigiCert Inc, www.digicert.com, DigiCert Global Root CA: 2
SE, AddTrust AB, AddTrust External TTP Network, AddTrust External CA Root: 2
Digital Signature Trust Co., DST Root CA X3: 1


In [183]:
# Count the intermediates found under each chain-terminating CA in the third-party chain file.
num_intermediates_per_root('output/third_party_certs.txt')

BE, GlobalSign nv-sa, GlobalSign CloudSSL CA - SHA256 - G3: 5
US, DigiCert Inc, www.digicert.com, DigiCert Global Root CA: 5
SE, AddTrust AB, AddTrust External TTP Network, AddTrust External CA Root: 5
IE, Baltimore, CyberTrust, Baltimore CyberTrust Root: 2
US, Starfield Technologies, Inc., Starfield Class 2 Certification Au: 2
BE, GlobalSign nv-sa, GlobalSign Organization Validation CA - SHA256: 5
Digital Signature Trust Co., DST Root CA X3: 1
GlobalSign Root CA - R2, GlobalSign, GlobalSign: 1
BE, GlobalSign nv-sa, Root CA, GlobalSign Root CA: 6
US, Arizona, Scottsdale, GoDaddy.com, Inc., http://certs.godaddy.com/repositor, Go Daddy Secure Certificate Authority - G2: 2
US, The Go Daddy Group, Inc., Go Daddy Class 2 Certification Aut: 2
US, SecureTrust Corporation, SecureTrust CA: 1
BE, GlobalSign nv-sa, GlobalSign Domain Validation CA - SHA256 - G2: 6
US, DigiCert Inc, www.digicert.com, DigiCert High Assurance EV Root CA: 2
US, Arizona, Scottsdale, Starfield Technologies, Inc., Starfi

In [184]:
# 5.3 Distribution of Trust

In [185]:
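def get_cert_counts(filename):
    """Print every ``intermediate | issuer`` link with its number of occurrences.

    Each line of ``filename`` is read as one ``|``-separated certificate
    chain. The first entry (the end-entity subject) is skipped and every
    later pair of neighbouring entries is counted once per chain line it
    appears in. Links are printed most frequent first.

    Links are keyed on the text of the two entries, so certificates that
    share a name are counted together.

    Args:
        filename: path of the ``|``-separated chain file.
    """
    link_counts = dict()

    with open(filename) as f:
        for line in f:
            # A list (not a lazy map object) so the entries can be indexed on
            # Python 3 as well as Python 2.
            chain = [entry.strip() for entry in line.split('|')]

            # start at 1 to skip ultimate subject
            for i in range(1, len(chain) - 1):
                link = chain[i] + " | " + chain[i + 1]
                link_counts[link] = link_counts.get(link, 0) + 1

    # Highest count first; equal counts fall back to the link text so the
    # listing does not depend on dict ordering.
    ranked = sorted(link_counts.items(), key=lambda item: (-item[1], item[0]))

    for link, count in ranked:
        print(link + ": " + str(count))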

In [186]:
# Rank the issuing links in the first-party chain file by how often they occur.
get_cert_counts('output/first_party_certs.txt')

US, New Jersey, Jersey City, The USERTRUST Network, USERTrust RSA Certification Authority | SE, AddTrust AB, AddTrust External TTP Network, AddTrust External CA Root: 257
US, MI, Ann Arbor, Internet2, InCommon, InCommon RSA Server CA | US, New Jersey, Jersey City, The USERTRUST Network, USERTrust RSA Certification Authority: 257
US, Let's Encrypt, Let's Encrypt Authority X3 | Digital Signature Trust Co., DST Root CA X3: 30
US, DigiCert Inc, www.digicert.com, GeoTrust RSA CA 2018 | US, DigiCert Inc, www.digicert.com, DigiCert Global Root CA: 1
US, DigiCert Inc, www.digicert.com, RapidSSL RSA CA 2018 | US, DigiCert Inc, www.digicert.com, DigiCert Global Root CA: 1


In [187]:
# Rank the issuing links in the third-party chain file by how often they occur.
get_cert_counts('output/third_party_certs.txt')

US, Google Trust Services, Google Internet Authority G3 | GlobalSign Root CA - R2, GlobalSign, GlobalSign: 578
US, DigiCert Inc, www.digicert.com, DigiCert SHA2 High Assurance Server CA | US, DigiCert Inc, www.digicert.com, DigiCert High Assurance EV Root CA: 376
US, DigiCert Inc, DigiCert SHA2 Secure Server CA | US, DigiCert Inc, www.digicert.com, DigiCert Global Root CA: 291
US, Let's Encrypt, Let's Encrypt Authority X3 | Digital Signature Trust Co., DST Root CA X3: 287
US, Arizona, Scottsdale, GoDaddy.com, Inc., http://certs.godaddy.com/repositor, Go Daddy Secure Certificate Authority - G2 | US, Arizona, Scottsdale, GoDaddy.com, Inc., Go Daddy Root Certificate Authority - G2: 157
US, Arizona, Scottsdale, GoDaddy.com, Inc., Go Daddy Root Certificate Authority - G2 | US, The Go Daddy Group, Inc., Go Daddy Class 2 Certification Aut: 157
BE, GlobalSign nv-sa, GlobalSign CloudSSL CA - SHA256 - G3 | BE, GlobalSign nv-sa, Root CA, GlobalSign Root CA: 156
BE, GlobalSign nv-sa, Root CA, Glob