bornheim
Level 7

Can I use the list "Known CAs" for other purposes?

Hi,

there is this McAfee-maintained list of known CAs. I would like to use this list in a way which is possibly not intended.

I have a rule which decides if some requests can pass without authentication. This is mostly for Firefox's checks for updates, i.e.

     regex(^(http|https)://[^/]*(addons|download)\.mozilla\.org($|/.*))

Sometimes there are clients which insist on checking CRLs for themselves, namely the Cisco WebEx Client. Dogmatically it hard-failed when the certificate changed and the CRL URI was not on my whitelist.

On the other hand: exactly this CRL URI is in "Known CAs". What I do not know: can I use this list like in

     URL is in list "Known CAs"

to shorten my manually maintained whitelist?

Kind regards,

Robert

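To make the difference between the two rule shapes in the question concrete, here is an added example (not code from the thread and not McAfee Web Gateway's own rule engine): the posted regex applied to the raw URL string, a variant that parses the URL and compares only the host, and a normalised "URL is in list" check against a CRL/OCSP URL list. The hostnames, the `evil.example` URL and the CRL list are constructed for illustration; the real "Known CAs" list is not reproduced. Note that the posted regex, taken as a plain regex, can be satisfied by a URL whose query string contains the Mozilla host name, because `[^/]*` does not stop at `?`; whether the proxy normalises the URL before the rule sees it is not something the thread establishes, so the example only shows the behaviour of the pattern itself.

```python
"""Added example: URL allowlist checks in the two shapes discussed in the thread.

Not from the original post and not McAfee Web Gateway code. All hosts, URLs
and list entries below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# The regex exactly as posted in the question, applied to the raw URL string.
POSTED_REGEX = re.compile(
    r"^(http|https)://[^/]*(addons|download)\.mozilla\.org($|/.*)"
)

# Assumption: the rule is meant to cover these hosts and any subdomain of them.
ALLOWED_HOSTS = {"addons.mozilla.org", "download.mozilla.org"}

# Constructed stand-in for an exported list of CRL/OCSP URLs (the thread
# mentions such an export but does not reproduce its contents).
CRL_URLS = [
    "http://crl.example-ca.test/root.crl",
    "http://ocsp.example-ca.test/",
]


def regex_allows(url: str) -> bool:
    """Rule as posted: the regex is matched against the whole URL string."""
    return POSTED_REGEX.match(url) is not None


def _host_matches(host: str, allowed) -> bool:
    """Exact host or a subdomain of an allowed host."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def host_allows(url: str) -> bool:
    """Hardened variant: parse first, then compare only the host component.

    A Mozilla host name appearing in the query string or elsewhere in the
    URL no longer counts; only the real authority does.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return _host_matches(parts.hostname.lower(), ALLOWED_HOSTS)


def _normalise(url: str):
    """Canonical (scheme, host, port, path) tuple for list comparison.

    Scheme and host are compared case-insensitively, the default port is
    filled in, and an empty path is treated as '/'.
    """
    p = urlsplit(url)
    scheme = p.scheme.lower()
    try:
        port = p.port
    except ValueError:  # malformed port such as 'host:abc'
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")


def in_crl_list(url: str, crl_urls=CRL_URLS) -> bool:
    """'URL is in list' with normalisation.

    A CRL or OCSP GET carrying a query string or fragment is not one of the
    listed fetch URLs, so those are rejected rather than loosely matched.
    """
    p = urlsplit(url)
    if p.query or p.fragment:
        return False
    wanted = _normalise(url)
    return wanted is not None and any(_normalise(c) == wanted for c in crl_urls)


if __name__ == "__main__":
    for u in (
        "https://addons.mozilla.org/firefox/",
        "https://services.addons.mozilla.org/api",
        "http://addons.mozilla.org.evil.example/",
        "http://evil.example?x=addons.mozilla.org/",  # host is evil.example
    ):
        print(f"{u:50} regex={regex_allows(u)!s:5} host={host_allows(u)}")
    for u in (
        "HTTP://CRL.example-ca.test:80/root.crl",
        "http://ocsp.example-ca.test",
        "http://crl.example-ca.test/root.crl?x=1",
    ):
        print(f"{u:50} in_list={in_crl_list(u)}")
```

The last URL in the first group is the one to look at: the posted pattern accepts it because `[^/]*` happily consumes `evil.example?x=`, while the host-based check does not. Whichever variant is used, an exported CRL/OCSP list should be compared after normalisation of case, default port and empty path, otherwise a client that fetches `http://CRL.example-ca.test:80/root.crl` will miss a list entry written as `http://crl.example-ca.test/root.crl`.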
4 Replies
McAfee Employee

Re: Can I use the list "Known CAs" for other purposes?

Hi Robert,

That's not possible because the list of "Known CAs" is a list of certificates, not a list of URLs.

What seems more feasible is that a subscribed list of URLs be created based upon the known CRL/OCSP URLs from our "Known CAs".

, may have thoughts on that.

Best Regards,

Jon

asabban
Level 17

Re: Can I use the list "Known CAs" for other purposes?

Hello,

we do have the CRL URLs in the database, so it should not be a big deal to make a list of CRL URLs. Anyway, this will only help with bypassing the CRL URLs for CAs we have in the trusted list; it will not help getting access to CRLs apart from that. Maintaining a list with any CRL URL that may exist won't be possible, I think.

Best,

Andre

bornheim
Level 7

Re: Can I use the list "Known CAs" for other purposes?

Hi Andre,

it would be of much help to have only the CRL URLs of the CAs which are in the trusted list.

Actually I do not even want my users to grab CRLs from CAs not in the trusted list without me explicitly whitelisting these. :-)

Kind regards,

Robert

asabban
Level 17

Re: Can I use the list "Known CAs" for other purposes?

Hi Robert,

creating the automatically maintained list may take some time, so in the meantime I made an export of all CRL URLs into a static list you can import into MWG. Maybe this helps for now.

Best,

Andre
