| | servercert | x509-limbo |
|---|---|---|
| | 11 | 4 |
| Stars | 171 | 45 |
| Growth | 4.7% | - |
| Activity | 6.3 | 9.1 |
| Last commit | 17 days ago | 6 days ago |
| Language | CSS | C++ |
| License | - | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
servercert
- Web page annoyances that I don't inflict on you here
- SSL certificate lifetimes are going down. Dates proposed. 45 days by 2027
- CA/Browser Forum SC-081: Introduce Schedule of Reducing Validity Periods
- WebPKI – Introduce Schedule of Reducing Validity (Of TLS Server Certificates)
-
We Spent $20 to Achieve RCE and Accidentally Became the Admins of .MOBI
The current CAB Forum Baseline Requirements call for "Multi-Perspective Issuance Corroboration" [1] i.e. make sure the DNS or HTTP challenge looks the same from several different data centres in different countries.
[1] https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
-
DigiCert Revocation Incident (Cname Domain Validation)
There's no prohibition against issuing certificates for names on the Public Suffix List.
BR 3.2.2.6 prohibits issuing a wildcard certificate for an entire public suffix unless the "Applicant proves its rightful control of the entire Domain Namespace" (without specifying how this should be done - arguably, publishing a DNS record would qualify) but also says that CAs should use the "ICANN DOMAINS" section of the PSL only, not the "PRIVATE DOMAINS" section, so domains for dynamic DNS providers and the like wouldn't be included in any case. [https://github.com/cabforum/servercert/blob/main/docs/BR.md#...]
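The rule quoted above can be checked mechanically before a wildcard SAN reaches issuance: reject `*.suffix` when `suffix` is an entire public suffix in the ICANN section of the PSL, and ignore the PRIVATE section so dynamic-DNS style entries do not trigger the check. The following is an added example, not code from cabforum/servercert or from any existing linter; the PSL excerpt is a constructed snippet in the real list's file format (including a `*.` rule and a `!` exception), and the function names are assumptions of this example.

```python
"""Wildcard SAN check against the Public Suffix List, ICANN section only.

Added example. PSL_SAMPLE is a constructed excerpt in the real list's
format, not the real list; the real list is fetched separately.
"""

PSL_SAMPLE = """\
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
ck
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// Dynamic-DNS style entries live here and are deliberately ignored below.
github.io
dyndns.org
// ===END PRIVATE DOMAINS===
"""


def parse_icann_rules(text):
    """Return (exact, wildcard, exception) rule sets from the ICANN section only."""
    exact, wildcard, exception = set(), set(), set()
    in_icann = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "// ===BEGIN ICANN DOMAINS===":
            in_icann = True
            continue
        if line == "// ===END ICANN DOMAINS===":
            in_icann = False
            continue
        # Skip everything outside the ICANN section, blanks and comments.
        if not in_icann or not line or line.startswith("//"):
            continue
        rule = line.lower()
        if rule.startswith("!"):
            exception.add(rule[1:])      # "!www.ck": www.ck is NOT a public suffix
        elif rule.startswith("*."):
            wildcard.add(rule[2:])       # "*.ck": every direct child of ck is one
        else:
            exact.add(rule)
    return exact, wildcard, exception


def is_icann_public_suffix(name, rules):
    """True if `name` is itself a public suffix under the ICANN rules."""
    exact, wildcard, exception = rules
    name = name.lower().rstrip(".")
    if name in exception:
        return False
    if name in exact:
        return True
    labels = name.split(".")
    # A "*.parent" rule makes every direct child of parent a public suffix.
    return len(labels) >= 2 and ".".join(labels[1:]) in wildcard


def wildcard_san_covers_public_suffix(san, rules):
    """True if a wildcard SAN such as '*.co.uk' spans an entire ICANN public suffix."""
    if not san.startswith("*."):
        return False
    return is_icann_public_suffix(san[2:], rules)


def check_san(san, rules):
    """Issuance-side gate: 'ok' or a 'reject: ...' reason string."""
    if wildcard_san_covers_public_suffix(san, rules):
        return "reject: wildcard spans an ICANN public suffix (proof of namespace control required)"
    return "ok"


if __name__ == "__main__":
    rules = parse_icann_rules(PSL_SAMPLE)
    for san in ["*.co.uk", "*.example.co.uk", "*.github.io",
                "*.foo.ck", "*.www.ck", "www.example.com"]:
        print(f"{san:20} {check_san(san, rules)}")
```

With the sample rules, `*.co.uk` and `*.foo.ck` are rejected, while `*.example.co.uk`, `*.www.ck` (exception rule) and `*.github.io` (PRIVATE section, ignored) pass, which matches the distinction the BR text draws.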
-
All I Know About Certificates – Certificate Authority
That's because some people came along and produced a parallel standard [1] adding loads more rules, clarifications and constraints to convert X509 into something approximately fit for purpose.
[1] https://github.com/cabforum/servercert
-
Does my site need HTTPS?
This is permitted: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
But it hasn't really caught on; a lot of registrars don't seem to want the complexity of being (or integrating with) a CA, and vice versa.
-
Let's Encrypt: Issue with TLS-ALPN-01 Validation Method
It is unfortunate. It's required: https://github.com/cabforum/servercert/blob/main/docs/BR.md#...
-
MarkMonitor left 60k domains for the taking
No, they don't have to MitM the CA's domain validation request. While they have brief control over the website, they use domain validation method 3.2.2.4.18 (Agreed-Upon Change to Website v2)[1] or 3.2.2.4.19 (Agreed-Upon Change to Website - ACME)[2] to legitimately complete domain validation by making a change to the website.
[1] https://github.com/cabforum/servercert/blob/cda0f92ee70121fd...
x509-limbo
-
All I Know About Certificates – Certificate Authority
> One thing I would be interested in is if there were any differences between rust-webpki and BoringSSL itself.
Adding BoringSSL as a harness would probably be pretty easy! We have an existing OpenSSL harness[1] that would probably be straightforward to adapt.
We could also probably improve the visualization of differences between implementations: right now you can find them either by looking at individual testcases[2] or on each harness's "anomalies" page[3], but it'd be cool to have a more unified UI.
[1]: https://github.com/C2SP/x509-limbo/blob/main/harness/openssl...
[2]: https://x509-limbo.com/testcases/rfc5280/#rfc5280akileaf-mis...
[3]: https://x509-limbo.com/anomalous-results/rust-webpki/
-
Differ: Tool for testing and validating transformed programs
Differential fuzzing is woefully underutilized -- our experience is that it consistently[1] finds[2] bugs that "traditional" fuzzing techniques struggle to discover, and that the primary obstacles to its adoption are harness and orchestration complexity. DIFFER goes a long way towards overcoming those obstacles!
(FD: My company.)
[1]: https://github.com/trailofbits/mishegos
[2]: https://x509-limbo.com/
-
We build X.509 chains so you don't have to
Thank you! I'll add that to https://github.com/C2SP/x509-limbo/issues/174.
What are some alternatives?
devcert-cli - A CLI wrapper for devcert, to manage development SSL/TLS certificates and domains
osv - Open source vulnerability DB and triage service. [Moved to: https://github.com/google/osv.dev]
cert-gen - Generate CA and self-signed SSL certificates usable in your browser for local development.
frankencert - Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations
pykka - 🌀 Pykka makes it easier to build concurrent Python applications.
pkilint - A framework for verifying PKI structures
devcert - Local HTTPS development made easy
syzkaller - syzkaller is an unsupervised coverage-guided kernel fuzzer
acme-dns - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely.
Regshot - Regshot is a small, free and open-source registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product
duckduckgo-locales - Translation files for https://duckduckgo.com
cryptography - cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.