-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using CCADB as the source of truth #37
Comments
I think this will help with situations like #39 where we had stale unused name constraint constants, and a manually encoded constraint that was incorrect. I think it would be better to have code generate the name constraint DER from the CCADB report (though there is some work to do verifying the upstream format matches my expectations, particularly for how multiple permitted subtrees would be expressed). Similarly we won't need to maintain the excluded CA list by hand. The CCADB report includes current trust status and distrust dates. |
+1 from me
I think having It makes sense for me that the -utils crate could live in the rustls org and be published on crates.io in the usual way? |
Switching to CCADB seems like a good idea. Personally I appreciate the sort of more compact approach of having a fairly self-contained BTW, do the CCADB records somehow carry the imposed name constraints, or do we still have to bring those in manually? |
That's reasonable. I think it would be better from a code review perspective to build a purpose built generator in this repo vs trying to post-hoc review the more substantial amount of code that's spread across the ccadb-utils crates.
The IncludedCACertificateReportPEMCSV report that I propose we use as our data source for the webpki roots does include a "Mozilla Applied Constraints" column. Presently the only record that has a value in that column is the Government of Turkey, Kamu Sertifikasyon Merkezi (Kamu SM) root from #39. It's listed with the "Mozilla Applied Constraints" value of Mechanically I've worked out how to convert that value to a DER encoded name constraint with a permitted subtree base dNSName of ".tr" but I have two open questions that should be brought to the CCADB operators before we rely on that process:
|
https://groups.google.com/a/ccadb.org/g/public/c/TlDivISPVT4/m/jbWGuM4YAgAJ |
PTAL: #41
I went ahead and added the code I've written to use yasna to build the DER encoding of the name constraints from the stringified Mozilla Imposed Name Constraints field. I think it's safe to use in the current state, the If there are changes in the upstream CSV to add/update additional Mozilla Imposed Name Constraints the codegen integration test will begin to fail based on the produced diff and we can investigate whether the DER generation code needs to be adjusted. We'll always have a human in the loop for updates to the authoritative data. |
I think it makes sense to transition the webpki-roots generation process to use ccadb as its source of truth. There are a few advantages in my mind:
mkcert.org
service called out as potentially problematic as a dependency in Question: what assurance do you offer the Root CA store is 'trustworthy' #25.With this goal in mind I've been (slowly, on the side) creating a set of CCADB related tools over in cpu/ccadb-utils:
ccadb-csv
crate is a very thin abstraction around raw CSV reports available on CCADB. It does no parsing above destructuring CSV records and presents the content "as-is", in string form.ccadb-csv-fetch
crate is a small binary for fetching the CSV reports to disk. It bakes in exactly one trust anchor, trying to minimize the trust surface required for acquiring metadata from CCADB.ccadb-webpki-roots
crate converts the CCADB Mozilla included roots report into a.rs
for use insidewebpki-roots
.ccadb-crl-fetch
crate for downloading disclosed CRLs, mostly as a test corpus.Some open questions I'd like to discuss:
ccadb-utils
as part of a build process in this repo.ccadb-utils
repo into the Rustls organization and use it as part of the build process in this repo.ccadb-utils
repo into this repo.I think I lightly prefer keeping the tooling in a separate repository (and have no strong feelings about whether it lives in the rustls org or not) and using it as a dev-dependency in this repo. If we go this route I would love reviews on the code in
ccadb-utils
- it was written solo and could probably use polish/love from more experienced rustaceans.My thinking is that there's likely to be continued value in having a richer way to work with the CCADB and we can consolidate that work in a separate repo as opposed to having to maintain the webpki-roots specific parts here, and the rest elsewhere. As one example of a future use-case there's in-progress work in the TLS working group to use CCADB data to execute certificate compression (draft-jackson-tls-cert-abridge).
The text was updated successfully, but these errors were encountered: