-rw-r--r-- Makefile 11
-rw-r--r-- README.md 33
-rw-r--r-- index.md 108
-rw-r--r-- scanning.md 17
4 files changed, 169 insertions, 0 deletions
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..218a7df
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,11 @@
+HTML = index.html README.html scanning.html
+
+all: html
+
+html: $(HTML)
+
+publish: $(HTML) index.org doc/tnc15talk.pdf
+ scp $^ devp.ct.nordu.net:/var/www/
+
+%.html: %.md
+ markdown $< > $@
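Review bot: the `publish` rule lists `index.org` and `doc/tnc15talk.pdf` as prerequisites, but neither is added by this commit (the diffstat shows only Makefile, README.md, index.md and scanning.md) and no rule builds them, so `make publish` stops with a missing-target error unless both already exist in the tree. Either add them in the same commit or drop them from the rule. `all`, `html` and `publish` should also be declared in `.PHONY`, and a `clean` target removing `$(HTML)` would help, since the generated files sit next to their sources.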
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..800e038
--- /dev/null
+++ b/README.md
@@ -0,0 +1,33 @@
+# Download
+
+ git clone https://git.nordu.net/plop.git
+ git clone https://git.nordu.net/catlfish.git
+
+## Docker
+
+To run catlfish in an LXC container on Debian or Ubuntu, you need
+lxc-docker 1.4.1 or newer:
+
+ sudo cat > /etc/apt/sources.list.d/docker.list <<EOF
+ deb https://get.docker.com/ubuntu docker main
+ EOF
+ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9
+ sudo apt-get update
+ sudo apt-get install lxc-docker
+
+Build a catlfish development docker image based on Debian jessie:
+
+ git clone https://git.nordu.net/catlfish-dockerfiles.git
+ cd catlfish-dockerfiles
+ make catlfish-dev
+
+There is currently no good description of how to configure a
+docker-based system. The best way forward is probably to look at
+[the Makefile](https://git.nordu.net/?p=catlfish.git;a=blob_plain;f=Makefile;hb=HEAD)
+and
+[doc/minimalsystem.txt](https://git.nordu.net/?p=catlfish.git;a=blob_plain;f=doc/minimalsystem.txt;hb=HEAD).
+
+## Bare
+
+See [catlfish/doc/minimalsystem.txt](https://git.nordu.net/?p=catlfish.git;a=blob_plain;f=doc/minimalsystem.txt;hb=HEAD).
+
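Review bot: in `sudo cat > /etc/apt/sources.list.d/docker.list <<EOF` the redirection is opened by the calling shell before sudo runs, so for a non-root user the write into /etc/apt/sources.list.d/ fails with permission denied. Use `sudo tee /etc/apt/sources.list.d/docker.list <<EOF` (with `> /dev/null` if the echo is unwanted) instead. The `apt-key adv` line fetches the key over hkp on port 80, so the full fingerprint given to `--recv-keys` is what protects that step; keep it in its full form if the line is edited later.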
diff --git a/index.md b/index.md
new file mode 100644
index 0000000..f0d61ac
--- /dev/null
+++ b/index.md
@@ -0,0 +1,108 @@
+What is catlfish?
+=================
+
+Catlfish is an implementation of a
+[Certificate Transparency](https://www.certificate-transparency.org/)
+log.
+
+The code
+========
+
+Current status
+--------------
+
+- There is no release for production use yet.
+- Most current BETA release is catlfish-0.8.0.
+- It's functional, RFC6962 compliant, distributable, Docker enabled.
+
+Running it
+----------
+
+If you want to run your own log, you will need
+[plop](https://git.nordu.net/?p%3Dplop.git%3Ba%3Dsummary) and
+[catlfish](https://git.nordu.net/?p%3Dcatlfish.git%3Ba%3Dsummary)
+from NORDUnet.
+
+ git clone https://git.nordu.net/plop.git
+ git clone https://git.nordu.net/catlfish.git
+
+For build instructions, see [README](https://www.ct.nordu.net/README.html).
+
+Understanding it
+----------------
+
+- [caltfish design doc](https://git.nordu.net/?p%3Dcatlfish.git%3Ba%3Dblob_plain%3Bf%3Ddoc/design.txt%3Bhb%3DHEAD)
+- [plop database design](https://git.nordu.net/?p%3Dplop.git%3Ba%3Dblob_plain%3Bf%3Ddoc/db.md%3Bhb%3DHEAD)
+
+Public test logs
+================
+
+- https://plausible.ct.nordu.net/
+ - onion service: http://plausibe7ba4mlsu.onion/
+ - log key: [pemfile](https://www.ct.nordu.net/plausible-logkey.pem)
+ - started: 2015-04-17
+ - note: should produce a new STH about once per hour
+ - note: running the latest release of catlfish (or newer)
+- NOTE: flimsy.ct.nordu.net:8080 is not around anymore
+
+Roadmap
+=======
+
+Please see
+[catlfish Road Map](https://project.nordu.net/browse/CATLFISH#selectedTab%3Dcom.atlassian.jira.plugin.system.project%253Aroadmap-panel)
+in the bug tracker.
+
+Points of contact
+=================
+
+Mailing list
+------------
+
+- [catlfish](https://segate.sunet.se/cgi-bin/wa?A0%3Dcatlfish)
+
+You have to be subscribed to the list in order to send email to the
+list. Use the address catlfish -at- nordu.net to post to the list.
+
+If you prefer email over the
+[web interface](https://segate.sunet.se/cgi-bin/wa?A0%3Dcatlfish) for
+joining the list, send an email to
+[listserv@segate.sunet.se](mailto:listserv@segate.sunet.se) with
+"subscribe catlfish" in the email body.
+
+Bug tracker
+-----------
+
+We're using Jira, see
+[project catlfish](https://project.nordu.net/browse/catlfish).
+
+You can open a ticket by sending email to catlfish-bugs -at-
+nordu.net.
+
+In order to add more info to tickets you need to be logged in and use
+the web interface. The following federations are accepted: Kalmar,
+Google+, Facebook. A number of nordic universities are accepted in
+addition to these federations, see the
+[login page](https://crowd.nordu.net/Shibboleth.sso/DS/nordu.net?target%3Dhttps%253A%252F%252Fcrowd.nordu.net%252Fcrowd%252Fplugins%252Fservlet%252Fssocookie%253FredirectTo%253Dhttps%253A%252F%252Fproject.nordu.net%252Fsecure%252FDashboard.jspa)
+for the complete list.
+
+Chat
+----
+
+IRC: #ct @ OFTC.net
+
+Other resources
+===============
+
+External
+--------
+
+- The IETF ['trans' working group](https://datatracker.ietf.org/wg/trans/charter/)
+- Googles [Certificate Transparency](https://www.certificate-transparency.org/) web page
+
+Presentations and abstracts
+---------------------------
+
+- [Catlfish -- An Implementation of Certificate Transparency in GN3+ (PDF)](https://www.ct.nordu.net/tnc15talk.pdf), abstract submitted to [TNC15](https://tnc15.terena.org/)
+- [Public append-only logs (PDF)](https://www.ct.nordu.net/publogs-finse15.pdf), a presentation (May 2015) at [FRISC Finse Winter School](https://www.frisc.no/arrangementer/finse-winter-school-2015/)
+- [Certificate Transparency (PDF)](https://www.ct.nordu.net/init15.pdf), a presentation (Nov 2015) at [Tech Day by Init](https://www.init.se/events/129-events/309-tech-day-by-init-2015)
+- [Append-only verifiable logs for transparency and distributed trust (PDF)](https://www.ct.nordu.net/logs-tnc16-abstract.pdf), abstract submitted to [TNC16](https://tnc16.geant.org/)
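Review bot: the git.nordu.net, segate.sunet.se, project.nordu.net and crowd.nordu.net links in this file have their query strings percent-encoded (for example `?p%3Dplop.git%3Ba%3Dsummary`), while README.md in the same commit writes the same kind of URL literally (`?p=catlfish.git;a=blob_plain;f=Makefile;hb=HEAD`). With `=` and `;` encoded, the server receives one opaque key rather than separate parameters, so these links are unlikely to resolve; decode them one level to match README.md. Two spelling nits in link text: "caltfish design doc" should read "catlfish", and "Googles" should read "Google's".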
diff --git a/scanning.md b/scanning.md
new file mode 100644
index 0000000..b5733e1
--- /dev/null
+++ b/scanning.md
@@ -0,0 +1,17 @@
+# We're scanning the internet (IPv4) for X.509 certificate chains
+
+As part of project [catlfish](https://www.ct.nordu.net), we are
+scanning the internet for X.509 certificate chains. We will put them
+all into our
+[Certificate Transparency](http://www.certificate-transparency.org/)
+log.
+
+If you look closely at your network and find TCP connection attempts
+to port 443 from 130.229.192.10, that's us. For hosts allowing TCP to
+port 443, we will try to establish a TLS session. If that succeeds we
+will gather the X.509 certificate data sent to us as part of the TLS
+handshake, send a "HEAD /index.html" and then disconnect.
+
+If you have questions or comments, or if you want your netblock(s) to
+be exempted from scanning, please contact linus at nordu.net (8C4C
+D511 095E 982E B0EF BFA2 1E8B F349 2329 1265).
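Review bot: the Certificate Transparency link in the first paragraph uses `http://www.certificate-transparency.org/`, while index.md links the same site over https; use https here as well. index.md also carries no link to this page, although the Makefile builds scanning.html, so an operator who sees connections from 130.229.192.10 and lands on the project home page will not find this explanation or the exemption contact; add a link from one of the index.md sections.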