- Wed 31 July 2024
- misc
A week ago I wrote an article about LetsEncrypt ending OCSP service.
After reflecting on my surprise at the CRL for LetsEncrypt being so small, several people asked me about the CRLs for other CAs. After all, CRLs are stereotypically big and clunky and OCSP was developed to address this problem (transmitting the same information but only in small chunks on demand), so they must be huge, right?
It turns out that the CRLs we're interested in don't go with the root CA (the one that's in your browser trust store); they go with the subordinate (or "intermediate") CA that directly signs certificates for end users (or web servers if you like). This poses a problem because it means that you can't just dump out your browser trust store and go looking for CRL distribution endpoints. A cursory check of the CA/Browser Forum's Baseline Requirements didn't find a requirement for using subordinate CAs in order to be in a browser trust store, but as a matter of risk management and good hygiene everyone seems to do this. Indeed, I've seen auditors ding an enterprise CA for not having an intermediate, so it must be hardcoded as a best practice requirement somewhere, by someone, I just don't know who or where offhand.
My friend Jose Nazario was able to come up with a list of CRL endpoints for the top 50 most popular intermediate CAs seen recently in the wild, and we report on them here as a snapshot in time as of today, 2024-07-31.
Note that we are currently experiencing an anomaly in the DigiCert ecosystem which will result in unusually high numbers for DigiCert CRLs until certs fall off the CRL via the natural expiration process. Note too that the vast majority of the CRLs go back slightly longer than 13 months, which comports with the maximum browser cert lifetime currently offered. As I pointed out a week ago, there is little point in including revoked certificates that would appear invalid even without a CRL as their lifetime has expired.
The interesting number here when countering the "CRLs are clunky" argument is the "Download Size" field (measured in bytes). The largest download we found was 15.6 megabytes, but that was quite an outlier; the next runner up was 12.3 megabytes, the median was 89.7 kilobytes, and the smallest was 337 bytes - four of the 50 most popular CAs had no revoked certs in their CRLs.
In 2024 even the largest CRLs are smaller than many ad impressions. Between shorter maximum certificate validity time and the proliferation of much faster bandwidth than when PKI was designed, CRLs do not represent a scale problem anymore. Since they are cryptographically signed by their issuer, they may be distributed (even unencrypted - it seems that distribution of the CRLs themselves has escaped the "we must encrypt all the things" zeitgeist, no doubt in order to avoid circular dependencies) via a CDN with no erosion of trust if scaling on the distribution side is a concern.
URL | Common Name | Count | Download Size | Revoked Count | Oldest Date | Newest Date |
---|---|---|---|---|---|---|
http://crl.r2m02.amazontrust.com/r2m02.crl | Amazon RSA 2048 M02 | 16472403 | 577376 | 16481 | 2023-06-25T00:16:24Z | 2024-07-31T07:57:24Z |
http://crl.r2m03.amazontrust.com/r2m03.crl | Amazon RSA 2048 M03 | 16471425 | 514747 | 14692 | 2023-08-03T18:16:28Z | 2024-07-31T08:17:12Z |
http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl | DigiCert SHA2 Secure Server CA | 6956117 | 9321814 | 266239 | 2023-06-23T13:01:07Z | 2024-07-30T20:40:32Z |
http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl | DigiCert SHA2 Secure Server CA | 6956117 | 9321814 | 266239 | 2023-06-23T13:01:07Z | 2024-07-30T20:40:32Z |
http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2004.crl | Microsoft Azure RSA TLS Issuing CA 04 | 6202342 | 11341 | 203 | 2023-12-14T20:29:13Z | 2024-07-31T17:33:59Z |
http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2003.crl | Microsoft Azure RSA TLS Issuing CA 03 | 6196136 | 10925 | 195 | 2023-12-14T20:29:13Z | 2024-07-31T17:34:00Z |
http://crl.comodoca.com/cPanelIncCertificationAuthority.crl | cPanel, Inc. Certification Authority | 5524876 | 66722 | 1863 | 2023-07-28T19:53:02Z | 2024-07-31T01:14:07Z |
http://crl3.digicert.com/CloudflareIncECCCA-3.crl | Cloudflare Inc ECC CA-3 | 4404958 | 337 | 2 | 2024-05-27T15:35:40Z | 2024-05-27T15:37:09Z |
http://crl4.digicert.com/CloudflareIncECCCA-3.crl | Cloudflare Inc ECC CA-3 | 4404958 | 337 | 2 | 2024-05-27T15:35:40Z | 2024-05-27T15:37:09Z |
http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2007.crl | Microsoft Azure RSA TLS Issuing CA 07 | 4056465 | 13577 | 246 | 2023-12-14T22:59:12Z | 2024-07-31T17:35:56Z |
http://www.microsoft.com/pkiops/crl/Microsoft%20Azure%20RSA%20TLS%20Issuing%20CA%2008.crl | Microsoft Azure RSA TLS Issuing CA 08 | 3988623 | 9105 | 160 | 2023-12-14T22:59:29Z | 2024-07-29T18:25:21Z |
http://crl3.digicert.com/CloudflareIncRSACA-2.crl | Cloudflare Inc RSA CA-2 | 2206586 | 457 | 0 | ||
http://crl4.digicert.com/CloudflareIncRSACA-2.crl | Cloudflare Inc RSA CA-2 | 2206586 | 457 | 0 | ||
http://validation.identrust.com/crl/hydrantidcao1.crl | HydrantID Server CA O1 | 2065390 | 293420 | 6185 | 2023-07-10T15:57:21Z | 2024-07-31T20:46:44Z |
http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | 1706768 | 25299 | 653 | 2023-07-03T16:33:18Z | 2024-07-30T03:06:08Z |
http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl | GeoTrust Global TLS RSA4096 SHA256 2022 CA1 | 1706768 | 25299 | 653 | 2023-07-03T16:33:18Z | 2024-07-30T03:06:08Z |
http://igcgfti-ca1.francetelecom.com/crl/orangedevices_stellar_auth3_ca.crl | Orange Devices Auth Stellar 3 CA | 1664067 | 1763 | 14 | 2017-09-06T09:10:07Z | 2017-09-15T08:28:19Z |
http://crl3.digicert.com/CiscoMerakiCA.crl | Cisco Meraki CA | 1201214 | 452 | 0 | ||
http://crl4.digicert.com/CiscoMerakiCA.crl | Cisco Meraki CA | 1201214 | 452 | 0 | ||
http://crl3.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1179284 | 12345792 | 341353 | 2023-06-24T16:41:40Z | 2024-07-31T20:36:52Z |
http://crl4.digicert.com/DigiCertGlobalG2TLSRSASHA2562020CA1-1.crl | DigiCert Global G2 TLS RSA SHA256 2020 CA1 | 1179283 | 12230166 | 338797 | 2023-06-23T07:50:27Z | 2024-07-30T20:36:17Z |
http://crl.digicert.cn/DigiCertBasicRSACNCAG2.crl | DigiCert Basic RSA CN CA G2 | 1110268 | 2702 | 60 | 2023-07-12T01:49:17Z | 2024-07-16T02:36:03Z |
http://crl.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crl | Sectigo RSA Organization Validation Secure Server CA | 1045321 | 2925385 | 80227 | 2022-07-19T12:42:03Z | 2024-07-31T01:33:29Z |
http://crl.microsoft.com/pkiinfra/CRL/AME%20Infra%20CA%2006.crl | AME Infra CA 06 | 715739 | 105127 | 2006 | 2023-08-11T21:17:00Z | 2024-07-26T00:42:51Z |
http://crl.microsoft.com/pkiinfra/CRL/AME%20Infra%20CA%2002(4).crl | AME Infra CA 02 | 715162 | 103116 | 1967 | 2023-09-01T02:28:38Z | 2024-07-29T02:16:52Z |
http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | DigiCert TLS RSA SHA256 2020 CA1 | 590903 | 2099582 | 59211 | 2023-06-26T15:53:05Z | 2024-07-30T22:18:37Z |
http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl | DigiCert TLS RSA SHA256 2020 CA1 | 590903 | 2099582 | 59211 | 2023-06-26T15:53:05Z | 2024-07-30T22:18:37Z |
http://crl.microsoft.com/pkiinfra/CRL/AME%20Infra%20CA%2005.crl | AME Infra CA 05 | 538817 | 89579 | 1707 | 2023-08-25T20:55:00Z | 2024-07-26T00:42:58Z |
http://crl.microsoft.com/pkiinfra/CRL/AME%20INFRA%20CA%2001(4).crl | AME INFRA CA 01 | 526542 | 89700 | 1709 | 2023-09-01T02:36:23Z | 2024-07-26T00:43:04Z |
http://crl06.actalis.it/Repository/AUTHDV-G3/getLastCRL | Actalis Domain Validation Server CA G3 | 422592 | 447772 | 10794 | 2023-07-04T06:41:09Z | 2024-07-31T20:36:04Z |
http://cdp.rapidssl.com/RapidSSLTLSRSACAG1.crl | RapidSSL TLS RSA CA G1 | 330495 | 393649 | 10794 | 2023-06-27T17:01:43Z | 2024-07-31T03:31:39Z |
http://crl.comodoca.com/COMODORSAOrganizationValidationSecureServerCA.crl | COMODO RSA Organization Validation Secure Server CA | 325173 | 15606255 | 439248 | 2022-07-18T17:33:37Z | 2024-07-31T01:18:28Z |
http://crl.entrust.net/level1k.crl | Entrust Certification Authority - L1K | 281758 | 3260187 | 77857 | 2023-06-30T17:27:14Z | 2024-07-31T22:57:41Z |
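To show where the "Download Size", "Revoked Count", "Oldest Date" and "Newest Date" columns come from, here is a stdlib-only Python walker over the DER structure of a CRL (RFC 5280 section 5.1). This is an added example, not the tooling used to produce the table above. It builds its own constructed sample CRL (issuer name, serials and dates are made up, and the signature field is zero-filled, so no real CA is involved) so that it runs offline; given a file path on the command line it reports the same fields for a real CRL downloaded from one of the URLs above. The file name `r2m02.crl` in the usage note is an assumption.

```python
"""Minimal DER walker that reports the table's fields for an X.509 CRL (stdlib only)."""
import datetime
import sys

UTC = datetime.timezone.utc

# ---- DER decoding (just enough for a CRL) ----------------------------------

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the body of a SEQUENCE/SET into its [(tag, value), ...] members."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _parse_time(tag, value):
    """RFC 5280 Time: UTCTime (YYMMDDHHMMSSZ, tag 0x17) or GeneralizedTime (tag 0x18)."""
    s = value.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy    # RFC 5280 two-digit year rule
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def _issuer_cn(name):
    """Pull the commonName (OID 2.5.4.3) out of a DER Name, or None if absent."""
    for _, rdn in _children(name):          # Name is a SEQUENCE OF RelativeDistinguishedName (SET)
        for _, atv in _children(rdn):       # each SET holds AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, val) = _children(atv)
            if oid == b"\x55\x04\x03":
                return val.decode("utf-8")
    return None

def crl_stats(der):
    """Return the table's fields: download size, revoked count, oldest/newest revocation date."""
    tag, crl, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs = _children(crl)[0]              # tbsCertList; [1] and [2] are sigAlg and signature
    fields = _children(tbs)
    i = 1 if fields[0][0] == 0x02 else 0    # optional version INTEGER (present for v2 CRLs)
    issuer = _issuer_cn(fields[i + 1][1])   # fields[i] is the signature AlgorithmIdentifier
    this_update = _parse_time(*fields[i + 2])
    i += 3
    if i < len(fields) and fields[i][0] in (0x17, 0x18):   # optional nextUpdate
        i += 1
    dates = []
    if i < len(fields) and fields[i][0] == 0x30:           # optional revokedCertificates
        for _, entry in _children(fields[i][1]):
            parts = _children(entry)        # serialNumber, revocationDate[, crlEntryExtensions]
            dates.append(_parse_time(*parts[1]))
    return {
        "issuer_cn": issuer,
        "this_update": this_update,
        "download_size": len(der),
        "revoked_count": len(dates),
        "oldest": min(dates) if dates else None,
        "newest": max(dates) if dates else None,
    }

# ---- DER encoding (only used to build the constructed sample below) --------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def _seq(*parts):
    return _tlv(0x30, b"".join(parts))

def _int(i):
    return _tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))   # keeps a leading 0x00 if needed

def _utc(dt):
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def build_sample_crl(entries, this_update=datetime.datetime(2024, 7, 31, tzinfo=UTC)):
    """Constructed v2 CRL with a zero-filled signature field; NOT a real CA's CRL."""
    alg = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), _tlv(0x05, b""))  # sha256WithRSA
    cn = _seq(_tlv(0x06, b"\x55\x04\x03"), _tlv(0x0c, b"Example Issuing CA (constructed)"))
    parts = [_int(1), alg, _seq(_tlv(0x31, cn)), _utc(this_update),
             _utc(this_update + datetime.timedelta(days=7))]
    if entries:   # RFC 5280: revokedCertificates is omitted entirely when there are none
        parts.append(_seq(*[_seq(_int(serial), _utc(when)) for serial, when in entries]))
    return _seq(_seq(*parts), alg, _tlv(0x03, b"\x00" * 33))

# Constructed sample: two revocations a couple of minutes apart, like the Cloudflare ECC CA-3 row.
SAMPLE_ENTRIES = [
    (0x0A1B2C3D, datetime.datetime(2024, 5, 27, 15, 35, 40, tzinfo=UTC)),
    (0x0A1B2C3E, datetime.datetime(2024, 5, 27, 15, 37, 9, tzinfo=UTC)),
]

if __name__ == "__main__":
    # Pass a downloaded CRL (e.g. from one of the URLs above) to inspect it; else use the sample.
    der = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_crl(SAMPLE_ENTRIES)
    for k, v in crl_stats(der).items():
        print(f"{k:>14}: {v}")
```

Run it as `python3 crl_stats.py r2m02.crl` after fetching the file with curl. The walker only reads the structure; it does not check the signature, and since (as noted above) the transport is plain HTTP, the signature is the only thing that makes the counts trustworthy. Check it first with the issuer's certificate, e.g. `openssl crl -inform DER -in r2m02.crl -CAfile issuer.pem -noout`, which prints `verify OK` on success. The script also shows why the smallest entries in the table are only a few hundred bytes: with no revocations the revokedCertificates SEQUENCE is absent altogether, leaving just the issuer name, two timestamps and the signature.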
We found several CRL endpoints which were not resolvable - in each case because they had a TLD that was nonexistent.
The most popular was http://pki-crl.itn.ftgroup/crl/orangedevices_stellar_auth3_ca.crl with a count of 1664067 found in the wild.
Then there were several of the form crl[N].ame.gbl:
- http://crl1.ame.gbl/crl/AME%20Infra%20CA%2006.crl, http://crl2.ame.gbl/crl/AME%20Infra%20CA%2006.crl, http://crl3.ame.gbl/crl/AME%20Infra%20CA%2006.crl and http://crl4.ame.gbl/crl/AME%20Infra%20CA%2006.crl, all four with a count of 715739.
- http://crl1.ame.gbl/crl/AME%20Infra%20CA%2002(4).crl, http://crl2.ame.gbl/crl/AME%20Infra%20CA%2002(4).crl, http://crl3.ame.gbl/crl/AME%20Infra%20CA%2002(4).crl and http://crl4.ame.gbl/crl/AME%20Infra%20CA%2002(4).crl, all with a count of 715162.
- http://crl1.ame.gbl/crl/AME%20Infra%20CA%2005.crl, http://crl2.ame.gbl/crl/AME%20Infra%20CA%2005.crl, http://crl3.ame.gbl/crl/AME%20Infra%20CA%2005.crl and http://crl4.ame.gbl/crl/AME%20Infra%20CA%2005.crl, all with a count of 538817.
- http://crl1.ame.gbl/crl/AME%20INFRA%20CA%2001(4).crl, http://crl2.ame.gbl/crl/AME%20INFRA%20CA%2001(4).crl, http://crl3.ame.gbl/crl/AME%20INFRA%20CA%2001(4).crl and http://crl4.ame.gbl/crl/AME%20INFRA%20CA%2001(4).crl, all with a count of 526542.
It's a fairly bad sign of sloppiness when the hostnames for the CRLs for 17 out of the top 50 subordinate CAs don't resolve - 16 of them by the same company! We suspect that these passed QA (if any) because of support for partial domain names in resolvers (the "search" directive in resolv.conf) and wonder if any of the usual suspects have anything to say about CRL publishing endpoints that can't be resolved.