Re: [certid] some info from SSL labs cert survey data
"Jeffrey A. Williams" <jwkckid1@ix.netcom.com> Fri, 15 October 2010 21:48 UTC
Date: Fri, 15 Oct 2010 16:50:09 -0500 (GMT-05:00)
From: "Jeffrey A. Williams" <jwkckid1@ix.netcom.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>,
IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] some info from SSL labs cert survey data
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>

Jeff and all,

  Are you saying that self-signed certs are not valid?  If so, how on
earth did they get into the dbase?

-----Original Message-----
>From: =JeffH <Jeff.Hodges@KingsMountain.com>
>Sent: Oct 15, 2010 4:01 PM
>To: IETF cert-based identity <certid@ietf.org>
>Subject: [certid] some info from SSL labs cert survey data
>
>I've done some modest poking around the SSL labs cert survey data, below's some
>numbers.
>
>First, the dataset has 867361 domains along with data extracted from their
>certs (one row per domain). The details on how Ivan selected the domains are here..
>
><http://blog.ivanristic.com/2010/07/ssl-server-survey-so-whats-with-the-22m-invalid-certificates-claim.html>
>
>That explanation hints that most all the certs represented in the dataset would
>be "valid" certs. However, there's ~150k more entries in the dbase than the
>~720K valid certs he observed. Though, there's ~150k apparently "self-signed"
>certs in the dbase, so perhaps that's what's filling out the dbase.
>
>
>Here's some quick numbers..
>
>
>all 867361 have a "CN=" in the subject name (CN-ID).
>
>None appear to have more than one CN-ID
>
>
>392497 (45%) use the subjectAltName field for at least one altName (of some
>type (I haven't yet investigated whether he gathered more than only DNS-IDs
>(but upon quick browsing it looks like they are most all DNS-IDs)))
>
>6487 (0.75%) have > 5 altNames (of some type)
>
>145 (0.02%) have > 50 altNames (of some type)
>
>
>33831 (4%) use a wildcard in their name in some fashion (they sometimes are in
>CN-ID, or subjectAltName, or both it appears upon quick browsing)
>
>
>153113 (18%) have a null trustAnchor field - suggesting they are self-signed(?)
>
>99673 (11%) have subjectCommonName == issuerCommonName -- most self-signed(?)
>
>52929 (6%) have subjectCommonName != issuerCommonName and a null trustAnchor
>field.
>
>0 have subjectCommonName == issuerCommonName and a non-null
>trustAnchor field.
>
>
>There are 86 distinct trustAnchor names in the data set.
>
>
>HTH,
>
>=JeffH
>
>
>_______________________________________________
>certid mailing list
>certid@ietf.org
>https://www.ietf.org/mailman/listinfo/certid

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is
very often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B;
liability depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security
IDNS. div. of Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402
E-Mail jwkckid1@ix.netcom.com
Phone: 214-244-4827
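
The cross-tabulation behind the quoted numbers (null trustAnchor against subject CN == issuer CN, plus the altName and wildcard counts), as an added example that is not part of the original message or of the SSL Labs data. The column names and the sample rows are constructed assumptions; the survey's real schema is not shown in this thread.

```python
import csv
import io
from collections import Counter

# Constructed sample rows. Column names are assumptions for illustration,
# not the schema of the SSL Labs survey data.
SAMPLE = """domain,subject_cn,issuer_cn,trust_anchor,alt_names
a.example,a.example,Example Root CA,Example Root CA,a.example;www.a.example
b.example,b.example,b.example,,
c.example,*.c.example,Internal CA,,c.example;*.c.example
d.example,localhost,localhost,,
e.example,e.example,Example Issuing CA,Example Root CA,
f.example,f.example,Corp CA,,f.example
"""


def alt_names(row):
    """Return the non-empty altNames of a row (';'-separated in this sample)."""
    return [n for n in row["alt_names"].split(";") if n.strip()]


def bucket(row):
    """Place a row in one of the four trustAnchor x CN-match cells."""
    anchored = bool(row["trust_anchor"].strip())
    cn_match = row["subject_cn"].strip().lower() == row["issuer_cn"].strip().lower()
    return ("anchored" if anchored else "null_anchor") + (
        "_cn_match" if cn_match else "_cn_differs")


def summarize(text):
    """Reproduce the kinds of counts listed in the quoted message."""
    rows = list(csv.DictReader(io.StringIO(text)))
    cells = Counter(bucket(r) for r in rows)
    return {
        "total": len(rows),
        "with_alt_names": sum(1 for r in rows if alt_names(r)),
        "wildcard": sum(1 for r in rows
                        if any("*" in n for n in [r["subject_cn"], *alt_names(r)])),
        "null_anchor": cells["null_anchor_cn_match"] + cells["null_anchor_cn_differs"],
        "cells": dict(cells),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

A matching CN only approximates "self-signed": a stricter check compares the full subject and issuer names and verifies the signature with the certificate's own public key.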