Skip to content

add component to fetch all URLs from CCADB #88

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

add component to fetch all URLs from CCADB #88

wants to merge 10 commits into from

Conversation

jsha
Copy link
Contributor

@jsha jsha commented Mar 4, 2025
edited
Loading

It checks that all CRLs:

  • Are not too old
  • Have an issuingDistributionPoint that matches the URL from which they
    were fetched
  • Have a valid signature based on their issuer SKID from CCADB
    (full issuer certificates for ISRG are embedded in this binary)
  • Don't have duplicate serial numbers across different CRLs

@jsha jsha marked this pull request as ready for review March 7, 2025 23:31
@jsha
Copy link
Contributor Author

jsha commented Mar 7, 2025

For convenient comparison, here's what we check in boulder-observer, which is just "does it fetch and parse":

https://github.com/letsencrypt/boulder/blob/2ac1ac0f39f3b30f7cf90e151be10f8c69d1c86d/observer/probers/crl/crl.go#L31-L57

inahga
inahga reviewed Jun 26, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inahga inahga inahga left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jsha @inahga