<div dir="ltr"><div><div><div>Quick note: This doesn't operate on anything but end-entities, which Ryan pointed out is not a complete picture itself, either.<br><br></div>It should be straightforward to modify for that, and PRs are welcome if anyone wants to make those changes before I get a chance.<br><br></div>Thanks,<br></div>J.C.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 12:10 PM, J.C. Jones <span dir="ltr"><<a href="mailto:jc@mozilla.com" target="_blank">jc@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>I'm afraid that hasn't been considered, as release of any of the data set would require legal review.<br><br></div>Something I could audit and then run locally would be ideal. I've started such a tool at <a href="https://github.com/jcjones/aia-chaser" target="_blank">https://github.com/jcjones/<wbr>aia-chaser</a> (and just made it mostly work, I think), but it will take a little more time before I can process the data with it.<br><br></div>Review is welcome.<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 10:12 AM, Ryan Sleevi <span dir="ltr"><<a href="mailto:sleevi@google.com" target="_blank">sleevi@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Considering that SSLLabs offers such a tool, has Mozilla considered reaching out to them to exercise a scan of the subset of hosts you're interested in, and sharing that data?</div><div class="m_-2542505525148959829HOEnZb"><div class="m_-2542505525148959829h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 1:08 PM, J.C. 
Jones <span dir="ltr"><<a href="mailto:jc@mozilla.com" target="_blank">jc@mozilla.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Ryan,<br><br></div>As mentioned in the bug discussion, it's not to be taken that 5.88% is gospel, rather that it's 1) a very noisy indication of the effect fetching would have on total errors, and 2) a call for interested community members to help us do more with the data.<br><br></div><div>More sophisticated analysis is absolutely welcome; we have both the certificate dataset and the hostname dataset which we can operate on. If someone were interested in writing a tool that, given a host, would determine whether AIA fetching would avoid a connection error, I'd be happy to run it and provide the results to the community. <br><br>(Note to implementers, we'd need to probably provide Moz's trusted roots as a configuration item, too)<br><br></div><div>Cheers,<br><br></div><div>J.C.<br></div><div>Crypto Engineering<br></div><div><br><br><br></div><div><br></div><br></div><div class="m_-2542505525148959829m_2021797635280625722HOEnZb"><div class="m_-2542505525148959829m_2021797635280625722h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 9:08 AM, Ryan Sleevi via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">That is most unfortunate.<div><br></div><div>It doesn't look like the code in <a href="https://gist.github.com/mozkeeler/29754494dcdb3b169483595283f29923" target="_blank">https://gist.github.com/moz<wbr>keeler/29754494dcdb3b169483595<wbr>283f29923</a> fully accounts for the value of AIA with respect to finding alternative paths on such connections. 
That is, it seems like it undercounts for situations such as:</div><div><br></div><div>Leaf -> Intermediate 1 -> Intermediate 2 -> Old CA</div><div> -> Intermediate 1 -> Intermediate 2' -> New CA<br></div><div><div> -> Intermediate 1' -> New CA</div></div><div><br></div><div><br></div><div>The analysis Mozilla performed only appeared to examine the end-entity certificate, as noted in <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c80" target="_blank">https://bugzilla.mozilla.or<wbr>g/show_bug.cgi?id=399324#c80</a> . However, Chrome's experience with AIA is that it is most useful for covering the root key rollover and intermediate rollover scenarios. I can think of a number of CA members who have exercised this code path, but such data was excluded from your analysis.</div><div><br></div><div>I appreciate you looking into this matter, though, and for ensuring the data and tools were publicly available in order to perform such an analysis.</div><div><br></div><div>An alternative methodology to examine would be to examine the supplied chains from the subset of servers (or user error reports) in which you're interested, and determine whether there exists a path to a known Mozilla trust anchor. For example, you could use the CCADB disclosures, crt.sh dataset (which handily already groups by ca_id), or directly from Certificate Transparency log servers. 
For such situations where the server did not supply a path that immediately resolved, but one or more paths was known to Mozilla, you could examine whether or not the AIA identity provided by the common elements in that path (even if the only common element was the leaf) would have provided one or more intermediates known to be valid.</div><div><br></div><div>I do hope you reconsider, because it does appear that the testing methodology was flawed.</div></div><div class="m_-2542505525148959829m_2021797635280625722m_3379486060552724944HOEnZb"><div class="m_-2542505525148959829m_2021797635280625722m_3379486060552724944h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 3, 2017 at 10:51 AM, Gervase Markham via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Participants may be interested in some recent research we did on AIA<br>
chasing:<br>
<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c80" rel="noreferrer" target="_blank">https://bugzilla.mozilla.org/s<wbr>how_bug.cgi?id=399324#c80</a><br>
<br>
The upshot is that Firefox has no plans to implement this feature.<br>
<br>
Gerv<br>
______________________________<wbr>_________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org" target="_blank">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" rel="noreferrer" target="_blank">https://cabforum.org/mailman/l<wbr>istinfo/public</a><br>
</blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><br></div>
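<p>A sketch, added here and not part of the thread or of the jcjones/aia-chaser tool, of the check J.C. asks for and Ryan describes: given the chain a server sent, does a path to a Mozilla trust anchor exist, and if not, would following the caIssuers URLs (AIA) turn up a cross-signed intermediate that completes one? The certificates, the AIA URL and the trusted root names are constructed toy data (names stand in for key identifiers), and the trusted set is a parameter, as J.C.'s note to implementers suggests; a real tool would parse X.509 and fetch the URLs over HTTP.</p>

```python
from collections import namedtuple

# Toy certificate: subject name, issuer name, caIssuers URL from its AIA
# extension (None if absent). Constructed data, not real certificates.
Cert = namedtuple("Cert", "subject issuer aia")

# Offline stand-in for an AIA fetch: URL -> certificate the CA serves there.
# Constructed for this example; a real tool would HTTP GET the caIssuers URL.
AIA_STORE = {"http://example.test/int2-cross.crt": Cert("Intermediate 2", "New CA", None)}

def find_path(cert, pool, anchors, depth=6):
    """DFS from cert to any trust anchor using only certificates in pool.
    Returns the subject names along the path, or None; depth stops cross-signed loops."""
    if cert.issuer in anchors:
        return [cert.subject, cert.issuer]
    if depth == 0:
        return None
    for cand in pool:
        if cand.subject == cert.issuer and cand is not cert:
            rest = find_path(cand, pool, anchors, depth - 1)
            if rest:
                return [cert.subject] + rest
    return None

def would_aia_help(leaf, supplied, anchors, fetch=AIA_STORE.get, max_rounds=5):
    """Return (path_without_aia, path_with_aia): first using only the server-supplied
    chain, then after chasing every unseen caIssuers URL for at most max_rounds rounds."""
    pool = [leaf] + list(supplied)
    before = find_path(leaf, pool, anchors)
    seen = set()
    for _ in range(max_rounds):
        urls = [c.aia for c in pool if c.aia and c.aia not in seen]
        if not urls:
            break
        for url in urls:
            seen.add(url)
            fetched = fetch(url)
            if fetched and fetched not in pool:
                pool.append(fetched)
    return before, find_path(leaf, pool, anchors)

def demo():
    """Ryan's rollover case: server sends Leaf -> Int 1 -> Int 2 -> Old CA (untrusted),
    but Int 1's AIA points at Int 2 cross-signed by the trusted New CA."""
    anchors = {"New CA"}  # Mozilla's roots, modelled as trusted subject names
    leaf = Cert("Leaf", "Intermediate 1", None)
    supplied = [Cert("Intermediate 1", "Intermediate 2", "http://example.test/int2-cross.crt"),
                Cert("Intermediate 2", "Old CA", None)]
    return would_aia_help(leaf, supplied, anchors)
```

Run over a host list, the first element being None while the second is a path is exactly the "AIA fetching would have avoided the error" case the thread wants counted.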