[certid] some info from SSL labs cert survey data
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 15 October 2010 21:00 UTC
Message-ID: <4CB8C142.4030003@KingsMountain.com>
Date: Fri, 15 Oct 2010 14:01:54 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
To: IETF cert-based identity <certid@ietf.org>
Subject: [certid] some info from SSL labs cert survey data
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
I've done some modest poking around the SSL labs cert survey data; below are some numbers.

First, the dataset has 867361 domains along with data extracted from their certs (one row per domain). The details on how Ivan selected the domains are here..

  <http://blog.ivanristic.com/2010/07/ssl-server-survey-so-whats-with-the-22m-invalid-certificates-claim.html>

That explanation hints that most all the certs represented in the dataset would be "valid" certs. However, there are ~150k more entries in the dbase than the ~720K valid certs he observed. Though, there are ~150k apparently "self-signed" certs in the dbase, so perhaps that's what's filling out the dbase.

Here are some quick numbers..

  all 867361 have a "CN=" in the subject name (CN-ID). None appear to have more than one CN-ID.

  392497 (45%) use the subjectAltName field for at least one altName (of some type; I haven't yet investigated whether he gathered more than only DNS-IDs, but upon quick browsing it looks like they are most all DNS-IDs).

  6487 (0.75%) have > 5 altNames (of some type).

  145 (0.02%) have > 50 altNames (of some type).

  33831 (4%) use a wildcard in their name in some fashion (they sometimes are in CN-ID, or subjectAltName, or both, it appears upon quick browsing).

  153113 (18%) have a null trustAnchor field - suggesting they are self-signed(?)

  99673 (11%) have subjectCommonName == issuerCommonName -- most self-signed(?)

  52929 (6%) have subjectCommonName != issuerCommonName and a null trustAnchor field.

  0 have subjectCommonName == issuerCommonName and a non-null trustAnchor field.

There are 86 distinct trustAnchor names in the data set.

HTH,

=JeffH
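To make the kind of tally above reproducible, here is an added example (my code, not JeffH's script and not SSL Labs' survey tooling) that recomputes the same buckets over a handful of constructed rows. The row schema (domain, subjectCN, issuerCN, altNames, trustAnchor, with None standing for the "null trustAnchor field") is an assumption that mirrors the field names used in the post, not the survey's real layout, and every sample row is made up. It goes one step past the post by splitting wildcard names into "entire left-most label" versus anything else, and by treating subjectCN == issuerCN as the heuristic it is: a certificate is only known to be self-signed once its signature verifies under its own public key.

```python
"""Recompute survey-style certificate tallies (as in the certid post) over constructed rows.

Added example; not JeffH's script and not SSL Labs tooling. The row layout is an
assumption that mirrors the post's field names, not the survey's actual schema.
"""
from typing import Any, Dict, Iterable, List, Optional

Row = Dict[str, Any]

STAT_KEYS = [
    "total", "has_cn_id", "uses_san", "san_gt_5", "san_gt_50",
    "wildcard_any", "wildcard_leftmost_only", "wildcard_other",
    "null_trust_anchor", "cn_eq_issuer", "cn_eq_issuer_null_anchor",
    "cn_ne_issuer_null_anchor", "cn_eq_issuer_nonnull_anchor",
    "distinct_trust_anchors",
]


def make_row(domain: str, subject_cn: str, issuer_cn: str,
             alt_names: Iterable[str], trust_anchor: Optional[str]) -> Row:
    """One survey-style row: subject CN-ID, issuer CN, SAN entries, trust anchor (None = no chain found)."""
    return {"domain": domain, "subjectCN": subject_cn, "issuerCN": issuer_cn,
            "altNames": list(alt_names), "trustAnchor": trust_anchor}


# Constructed sample rows (made up for this example; not survey data).
SAMPLE_ROWS: List[Row] = [
    make_row("www.example.com", "www.example.com", "Example CA",
             ["www.example.com", "example.com"], "Example Root"),
    make_row("wild.example", "*.wild.example", "Example CA",
             ["*.wild.example", "wild.example"], "Example Root"),
    make_row("selfsigned.test", "selfsigned.test", "selfsigned.test", [], None),
    make_row("mail.example.org", "mail.example.org", "Other CA", [], None),
    make_row("cdn.example.net", "cdn.example.net", "Example CA",
             ["cdn.example.net"] + [f"edge{i}.example.net" for i in range(5)], "Example Root 2"),
    make_row("big.example.net", "big.example.net", "Example CA",
             ["big.example.net"] + [f"host{i}.example.net" for i in range(50)], "Example Root 2"),
    make_row("odd.example", "www.*.example", "Example CA", [], "Example Root"),
    make_row("localhost", "localhost", "localhost", ["localhost"], None),
    make_row("root.example", "root.example", "root.example", [], "root.example"),
]


def wildcard_kind(name: str) -> Optional[str]:
    """None when the name has no '*'; 'leftmost' when the wildcard is the whole
    left-most label ('*.example.com'); 'other' for anything else
    ('www.*.example', 'f*.example.com', a bare '*')."""
    if "*" not in name:
        return None
    labels = name.split(".")
    if len(labels) >= 2 and labels[0] == "*" and not any("*" in l for l in labels[1:]):
        return "leftmost"
    return "other"


def summarize(rows: Iterable[Row]) -> Dict[str, int]:
    """Tally the buckets the post reports, plus the wildcard split and the
    trustAnchor x (subjectCN == issuerCN) cross-tab. CN equality is only a
    self-signed heuristic; the real test is verifying the signature with the
    certificate's own public key."""
    stats = {k: 0 for k in STAT_KEYS}
    anchors = set()
    for r in rows:
        cn, issuer, alts, anchor = r["subjectCN"], r["issuerCN"], r["altNames"], r["trustAnchor"]
        stats["total"] += 1
        stats["has_cn_id"] += bool(cn)
        stats["uses_san"] += bool(alts)
        stats["san_gt_5"] += len(alts) > 5
        stats["san_gt_50"] += len(alts) > 50
        # Wildcards may sit in the CN-ID, in the SAN list, or both; look at all presented names.
        kinds = {wildcard_kind(n) for n in [cn, *alts]} - {None}
        if kinds:
            stats["wildcard_any"] += 1
            stats["wildcard_leftmost_only" if kinds == {"leftmost"} else "wildcard_other"] += 1
        same = cn == issuer
        if anchor is None:
            stats["null_trust_anchor"] += 1
        else:
            anchors.add(anchor)
        stats["cn_eq_issuer"] += same
        stats["cn_eq_issuer_null_anchor"] += same and anchor is None
        stats["cn_ne_issuer_null_anchor"] += (not same) and anchor is None
        stats["cn_eq_issuer_nonnull_anchor"] += same and anchor is not None
    stats["distinct_trust_anchors"] = len(anchors)
    return stats


def null_anchor_buckets_consistent(stats: Dict[str, int]) -> bool:
    """Every null-anchor row lands in exactly one of the two CN sub-buckets; a mismatch
    means some rows are missing a field."""
    return stats["null_trust_anchor"] == stats["cn_eq_issuer_null_anchor"] + stats["cn_ne_issuer_null_anchor"]


def percent(n: int, total: int) -> float:
    """Share of rows as a percentage, at most two decimals."""
    return round(100.0 * n / total, 2) if total else 0.0


def format_report(stats: Dict[str, int]) -> str:
    """Render the tallies in the same 'count (percent) bucket' shape as the post."""
    total = stats["total"]
    lines = [f"{total} rows"]
    lines += [f"{stats[k]} ({percent(stats[k], total)}%) {k}"
              for k in STAT_KEYS if k not in ("total", "distinct_trust_anchors")]
    lines.append(f"{stats['distinct_trust_anchors']} distinct trustAnchor names")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_ROWS)))
```

Point it at real rows by building them with make_row from whatever the survey export actually contains; null_anchor_buckets_consistent is the one-line sanity check worth running first, since the two null-anchor sub-buckets must add up to the null-anchor total.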