kirei / catt Goto Github PK

Most likely when switching to Blink, Opera stopped maintaining their own trust store:
http://www.opera.com/docs/ca/

The README should be updated in that sense.

The script for fetching the Microsoft trust store takes all certificates including certs that do not have the server-auth EKU, ie. that are not meant to be used for issuing web server certs. This might be the intended behavior but I thought I'd let you know just in case.

Subject: parse-microsoft-authroot.pl

I am looking at the out put of fetch-microsoft-authroot.sh in authroot.json.
The CertFriendlyName looks like that:

"CertFriendlyName" : "C\u0000e\u0000r\u0000t\u0000p\u0000l\u0000u\u0000s\u0000 \u0000R\u0000o\u0000o\u0000t\u0000 \u0000C\u0000A\u0000 \u0000G\u00002\u0000\u0000"

Doing

grep CertFriendlyName authroot.json | sed 's/\\u0000//g'

produces something really "friendly" like:

"CertFriendlyName" : "Certplus Root CA G2"

I am sure that it's easy to get that into the perl script parse-microsoft-authroot.pl. Changing

-$CertFriendlyName =~ s/\x00$//g;
+$CertFriendlyName =~ s/\x00//g;

does the job for me. But it might break other things.

Hi @kirei, thanks a lot for this compilation of truststores! We use it in https://github.com/mozilla/tls-observatory to evaluate certificate trust.
One thing I've been wondering about is the freshness of the data in this repo. The Mozilla CA, for example, is updated monthly upstream but I don't believe this is reflected here. What would it take to have weekly or monthly updates of this repository? Could it be automated somehow?

We need a script that compares to directories (certs and EV info) and produces a report on what has changed between them, preferably as markdown.

Is it the same as the OS X trust store ? There's an unusable list of CA certs here: http://support.apple.com/kb/ht5012 but I couldn't find more info.
README should provide some details about this (if you can figure it out :p)

Thanks!

extract-mozilla-ev.py seems to be not functioning, could you please take a look?

Could you fix extract-mozilla-ev.py? It seems Mozilla has moved vital parts.

Would you be open to a PR adding Adobe's root stores from Acrobat/Reader? Granted, the certificates are used for document signing/revocation/timestamping, and not web browsing. If this is within the scope of your project, I'd be happy to write the script for it.

I have started work on the script, and I have a working proof of concept thus far. Adobe Reader X pulls the certificate list from http://trustlist.adobe.com/tl10.acrobatsecuritysettings automatically. This file is a special PDF file, which is signed by Adobe. (using PDF signing mechanisms) There is one attachment in the PDF file, which is an XML file containing base64-encoded certificates, trust options, and other metadata.