Suggestion: mirroring revocation lists, too

[stapelberg]

Different countries have different revocation lists, too, which are becoming more important as more and more security breaches result in certificates that should not be considered valid.

For example, in Switzerland, the admin.ch /trust/v2/revocationList API end point yields a list with 50.000 certificates.

[jnischler]

good point

is there already a list of known revocation lists out there ?

will have a look at the swiss list asap

thanks

[stapelberg]

is there already a list of known revocation lists out there ?

Unfortunately, I’m not aware of a list. Perhaps if searching/asking around, we could gather a few revocation lists?

will have a look at the swiss list asap

Thanks! Let me know if you get stuck or have something to review :)

[kaihendry]

Was curious how this hCert trustlist revokes / blacklists abusive authorities.

Just remove from trust list?

I can't see any revocation lists...

[stapelberg]

That’s what this issue is about. While some governments publish their trust lists, the revocation lists are either not public or hard to find.

This repository is just a mirror of public trust lists, there is no editorial control, i.e. no revocation process.

[kaihendry]

I noticed via eu-digital-green-certificates/dgc-participating-countries#10 (comment)

curl -s "https://www.npkd.nl/files/nl-health-csca-certificates/C=NL,O=Kingdom%20of%20the%20Netherlands,OU=Ministry%20of%20Health%20Welfare%20and%20Sport,SERIALNUMBER=1,CN=CSCA%20Health%20NL.cer" | openssl x509 -noout -text -inform DER | grep crl
                  URI:http://crl.npkd.nl/CRLs/NL-Health.crl

That certs can have the Certificate Revocation List (crl) URL embedded into it. Could that be perhaps scripted to pull out the crls and dump it in this repo too?

Sorry, just thinking how to solve this problem aloud.

[stapelberg]

Thanks for the pointer. Maybe @jnischler can comment on the best way to script this?