-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Indicate known certificates in sent mails feature #90
base: master
Are you sure you want to change the base?
Conversation
Why send a notification for a certificate with a known key? How would you respond to such a notification? |
By the mail subject I can filter them easily. And I'd rather get them to see system is still working. Others may see that different, so maybe you need some configuration options. For me that's the near-optimum solution:
Without these I'd typically get no mails (for years) and thus system breaking would likely go unnoticed. P.S. Test run works fine for a known cert. Not yet checked for an unknown one. |
Works as expected on my system properly marking the mails with the correct key-names. P.S. Maybe it would be a good note in the README, that this tools causes (currently) approx 130GB traffic per day. |
Anything wrong with this? |
|
No. #97 would be no alternative for me. I wonder about the rationale behind the question. My change is the minimal change necessary to get a desired result. certspotter currently sends a mail for all certificates, so that's nothing new, I only added a flagging with the additional information. Also the added code is nearly an 1:1 copy of watchlist with minor adaptions to the different purpose (most of it removal of code). That was especially done so reviewing is easy and straightforward. All the discussion here indicates that a more complex and error prone solution is preferred, which is strange to me.
You mean that I ignore the certspotter mail sending feature completely and send my own mail (because I see no way to influence the mail which is sent)? |
Could you explain why not?
Yes. Note |
My own issued certificates aren't superfluous. I want to know that information. It tell's me:
Yes sure I can create hooks, store that information there or mail it or whatever, but nowadays most of the monitoring feedback goes by email, so that's simply the most elegant way. |
Thanks for expanding on that. It sounds useful and I agree that #97 wouldn't solve it. Your PR includes the ability to name keys. What's the purpose of that? |
When tracking all certs for a domain (my default), the certspotter mail will inform you about a new certificate for e.g. my.tld. Now I may have multiple different certificates generated for my.tld (ATM my list contains 44). E.g. one for the www server, one for the mail server, one for the bugtracker and version control, one for monitoring system and so on. One generated certificate can contain one or multiple names, but usually it has only one key assigned to it. So the name provided in the keylist can be used to represent that key (for me it's usually the name of the key). I made no limitation to what the name can be, as others may have different opinions about what's useful there (i.e. there could be multiple keys for the same domain on different servers, then the name could be the issuing server). E.g. you get "Certificate Discovered for .myt.tld (known as mail.my.tld)" and thus know that the mail cert and not the www cert was renewed. |
P.S. My proposed approach is identical to "3 1 1" TLSA records. |
Fixes #88. I switched from direct parameters to sha256 of the pubkey.
Note that is the first time I do something in go, so it's probably not the best solution (i.e. see todo comment).
Short perl script to create the keylist from public keys and rsa/ec private keys.
Final test is still running. I'll update in case I find an error.