I've done some modest poking around the SSL Labs cert survey data; below are some
numbers.
First, the dataset has 867361 domains along with data extracted from their
certs (one row per domain). The details on how Ivan selected the domains are here:
<http://blog.ivanristic.com/2010/07/ssl-server-survey-so-whats-with-the-22m-invalid-certificates-claim.html>
That explanation hints that most all the certs represented in the dataset would
be "valid" certs. However, there's ~150k more entries in the dbase than the
~720K valid certs he observed. Though, there's ~150k apparently "self-signed"
certs in the dbase, so perhaps that's what's filling out the dbase.
Here's some quick numbers:
all 867361 have a "CN=" in the subject name (CN-ID).
None appear to have more than one CN-ID
392497 (45%) use the subjectAltName field for at least one altName (of some
type (I haven't yet investigated whether he gathered more than only DNS-IDs
(but upon quick browsing it looks like they are most all DNS-IDs)))
6487 (0.75%) have > 5 altNames (of some type)
145 (0.02%) have > 50 altNames (of some type)
33831 (4%) use a wildcard in their name in some fashion (they sometimes are in
CN-ID, or subjectAltName, or both it appears upon quick browsing)
153113 (18%) have a null trustAnchor field - suggesting they are self-signed(?)
99673 (11%) have subjectCommonName == issuerCommonName -- most self-signed(?)
52929 (6%) have subjectCommonName != issuerCommonName and a null trustAnchor
field.
0 have subjectCommonName == issuerCommonName and a non-null
trustAnchor field.
There are 86 distinct trustAnchor names in the data set.
HTH,
=JeffH
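
The following is an added example, not part of the original message and not the survey's own tooling: it computes the same categories of tallies over one-row-per-domain data. The column names, the semicolon-separated altNames encoding, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Constructed sample rows; the column layout is an assumption, not the survey's schema.
SAMPLE = """domain,subjectCommonName,issuerCommonName,altNames,trustAnchor
a.example,a.example,Example CA,a.example;www.a.example,Example Root
b.example,*.b.example,Example CA,,Example Root
c.example,c.example,c.example,,
d.example,d.example,Internal CA,d.example;*.d.example,
e.example,e.example,Other CA,e1.example;e2.example;e3.example;e4.example;e5.example;e6.example,Other Root
"""

def tally(csv_text):
    """Count the certificate categories from the message over one-row-per-domain data."""
    counts = Counter()
    anchors = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        subject = row["subjectCommonName"].strip()
        issuer = row["issuerCommonName"].strip()
        anchor = row["trustAnchor"].strip()
        alt_names = [n.strip() for n in row["altNames"].split(";") if n.strip()]
        counts["total"] += 1
        counts["has_alt_name"] += bool(alt_names)
        counts["more_than_5_alt_names"] += len(alt_names) > 5
        counts["more_than_50_alt_names"] += len(alt_names) > 50
        # A wildcard may appear in the CN-ID, in an altName, or in both.
        counts["wildcard"] += any("*" in n for n in [subject, *alt_names])
        same_cn = subject.lower() == issuer.lower()
        counts["null_anchor"] += not anchor
        counts["subject_eq_issuer"] += same_cn
        counts["subject_ne_issuer_null_anchor"] += (not same_cn) and not anchor
        counts["subject_eq_issuer_with_anchor"] += same_cn and bool(anchor)
        if anchor:
            anchors.add(anchor)
    counts["distinct_anchors"] = len(anchors)
    return counts

def percent(counts, key):
    """Share of all rows falling in a category, as a percentage."""
    return round(100.0 * counts[key] / counts["total"], 2) if counts["total"] else 0.0

if __name__ == "__main__":
    result = tally(SAMPLE)
    for key in sorted(result):
        print(f"{key:32} {result[key]:6}")
```

A row with subject CN equal to issuer CN and an empty trustAnchor is counted in both `null_anchor` and `subject_eq_issuer`, which matches how the message reports overlapping categories.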