Add historical certificate lineage analysis

2026-05-14 20:37:52 +00:00 · 2026-03-29 13:32:23 +02:00 · 2026-03-29 13:32:23 +02:00 · 21e32dbd30
commit 21e32dbd30
parent ba0ef192a9
3 changed files with 1088 additions and 3 deletions
--- a/13
+++ b/13
@ -5,7 +5,7 @@ CACHE_TTL ?= 0
 DNS_CACHE_TTL ?= 86400
 MAX_CANDIDATES ?= 10000

-.PHONY: bootstrap install init-config inventory purpose consolidated monograph all
+.PHONY: bootstrap install init-config inventory purpose lineage consolidated monograph all

 bootstrap:
 	python3 -m venv .venv
@ -33,6 +33,15 @@ purpose:
 		--markdown-output output/corpus/certificate-purpose-assessment.md \
 		--json-output output/corpus/certificate-purpose-assessment.json

+lineage:
+	$(PYTHON) ct_lineage_report.py \
+		--domains-file $(DOMAINS) \
+		--cache-ttl-seconds $(CACHE_TTL) \
+		--max-candidates-per-domain $(MAX_CANDIDATES) \
+		--markdown-output output/corpus/certificate-lineage-report.md \
+		--latex-output output/corpus/certificate-lineage-report.tex \
+		--pdf-output output/corpus/certificate-lineage-report.pdf
+
 consolidated:
 	$(PYTHON) ct_master_report.py \
 		--domains-file $(DOMAINS) \
@ -56,4 +65,4 @@ monograph:
 		--appendix-latex-output output/corpus/appendix-inventory.tex \
 		--appendix-pdf-output output/corpus/appendix-inventory.pdf

-all: init-config purpose monograph
+all: init-config purpose lineage monograph
--- a/README.md
+++ b/README.md
@ -104,6 +104,26 @@ Outputs:
 - `output/corpus/certificate-purpose-assessment.md`
 - `output/corpus/certificate-purpose-assessment.json`

+### Historical lineage analysis
+
+This report extends the analysis across current and expired certificates to study:
+
+- repeated issuance under the same Subject CN
+- Subject CN with different Subject DN over time
+- Subject CN with different issuing CA or vendor over time
+- Subject CN with different SAN profiles over time
+- issuance bursts and step-change start dates
+
+```bash
+make lineage
+```
+
+Outputs:
+
+- `output/corpus/certificate-lineage-report.md`
+- `output/corpus/certificate-lineage-report.tex`
+- `output/corpus/certificate-lineage-report.pdf`
+
 ### Shorter executive report

 ```bash
@ -118,7 +138,7 @@ Outputs:

 ### Full operator run

-This creates the local config if missing, then runs the purpose assessment and the full monograph:
+This creates the local config if missing, then runs the purpose assessment, historical lineage analysis, and the full monograph:

 ```bash
 make all
@ -191,6 +211,18 @@ If you do not want to use `make`, the equivalent commands are:
  --pdf-output output/corpus/consolidated-corpus-report.pdf
 ```

+### Historical lineage report
+
+```bash
+.venv/bin/python ct_lineage_report.py \
+  --domains-file domains.local.txt \
+  --cache-ttl-seconds 0 \
+  --max-candidates-per-domain 10000 \
+  --markdown-output output/corpus/certificate-lineage-report.md \
+  --latex-output output/corpus/certificate-lineage-report.tex \
+  --pdf-output output/corpus/certificate-lineage-report.pdf
+```
+
 ### Full monograph

 ```bash
@ -211,6 +243,7 @@ If you do not want to use `make`, the equivalent commands are:

 - `ct_scan.py`: core CT scan, leaf verification, grouping, and detailed inventory report
 - `ct_usage_assessment.py`: EKU and KeyUsage assessment
+- `ct_lineage_report.py`: historical Subject CN, Subject DN, issuer, SAN, and issuance-burst analysis
 - `ct_dns_utils.py`: DNS scanning and provider-signature logic
 - `ct_master_report.py`: shorter consolidated report
 - `ct_monograph_report.py`: publication-grade monograph with appendices
--- a/ct_lineage_report.py
+++ b/ct_lineage_report.py