Jeff and all,

Are you saying that self-signed certs are not valid? If so, how on earth did they get into the dbase?

-----Original Message-----
>From: =JeffH <[email protected]>
>Sent: Oct 15, 2010 4:01 PM
>To: IETF cert-based identity <[email protected]>
>Subject: [certid] some info from SSL labs cert survey data
>
>I've done some modest poking around the SSL labs cert survey data, below's some
>numbers.
>
>First, the dataset has 867361 domains along with data extracted from their
>certs (one row per domain). The details on how Ivan selected the domains are
>here..
>
><http://blog.ivanristic.com/2010/07/ssl-server-survey-so-whats-with-the-22m-invalid-certificates-claim.html>
>
>That explanation hints that most all the certs represented in the dataset would
>be "valid" certs. However, there's ~150k more entries in the dbase than the
>~720K valid certs he observed. Though, there's ~150k apparently "self-signed"
>certs in the dbase, so perhaps that's what's filling out the dbase.
>
>Here's some quick numbers..
>
>all 867361 have a "CN=" in the subject name (CN-ID).
>
>None appear to have more than one CN-ID
>
>392497 (45%) use the subjectAltName field for at least one altName (of some
>type (I haven't yet investigated whether he gathered more than only DNS-IDs
>(but upon quick browsing it looks like they are most all DNS-IDs)))
>
>6487 (0.75%) have > 5 altNames (of some type)
>
>145 (0.02%) have > 50 altNames (of some type)
>
>33831 (4%) use a wildcard in their name in some fashion (they sometimes are in
>CN-ID, or subjectAltName, or both it appears upon quick browsing)
>
>153113 (18%) have a null trustAnchor field - suggesting they are self-signed(?)
>
>99673 (11%) have subjectCommonName == issuerCommonName -- most self-signed(?)
>
>52929 (6%) have subjectCommonName != issuerCommonName and a null trustAnchor
>field.
>
>0 have subjectCommonName == issuerCommonName and a non-null
>trustAnchor field.
>
>There are 86 distinct trustAnchor names in the data set.
>
>HTH,
>
>=JeffH
>
>_______________________________________________
>certid mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/certid

Regards,
Jeffrey A. Williams
"Obedience of the law is the greatest freedom" - Abraham Lincoln
"Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt
"If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL."
United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS.
div. of Information Network Eng. INEG. INC.
ABA member in good standing member ID 01257402
E-Mail [email protected]
Phone: 214-244-4827
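
Added example, not part of the original thread or of the survey's own tooling: a cross-tab of the two "self-signed" hints quoted above (null trustAnchor, subjectCommonName == issuerCommonName), plus the wildcard count. The rows are constructed, the dictionary keys are assumed to mirror the field names used in the message, and the case-insensitive CN comparison is a choice made here.

```python
from collections import Counter

# Constructed rows, one per domain; keys mirror the field names in the message.
ROWS = [
    {"subjectCommonName": "www.a.example", "issuerCommonName": "Example CA",
     "trustAnchor": "Example Root", "altNames": ["www.a.example", "a.example"]},
    {"subjectCommonName": "b.example", "issuerCommonName": "b.example",
     "trustAnchor": None, "altNames": []},
    {"subjectCommonName": "*.c.example", "issuerCommonName": "Corp Internal CA",
     "trustAnchor": "", "altNames": ["*.c.example"]},
    {"subjectCommonName": "localhost", "issuerCommonName": "LOCALHOST",
     "trustAnchor": None, "altNames": []},
    {"subjectCommonName": "d.example", "issuerCommonName": None,
     "trustAnchor": None, "altNames": ["d.example", "*.d.example"]},
]

def _blank(value):
    # Treat None, empty and whitespace-only fields as "null" (assumption).
    return value is None or not str(value).strip()

def classify(row):
    """Place one row in the cross-tab of the two self-signed hints."""
    subj, iss = row.get("subjectCommonName"), row.get("issuerCommonName")
    anchor = "null-anchor" if _blank(row.get("trustAnchor")) else "anchored"
    if _blank(subj) or _blank(iss):
        return anchor + "/cn-missing"      # cannot compare; count it separately
    same = subj.strip().lower() == iss.strip().lower()
    return anchor + ("/cn-equal" if same else "/cn-differs")

def has_wildcard(row):
    # A wildcard may sit in the CN-ID, in an altName, or in both.
    names = [row.get("subjectCommonName") or ""] + list(row.get("altNames") or [])
    return any("*" in n for n in names)

def summarize(rows):
    tab = Counter(classify(r) for r in rows)
    null_total = sum(n for k, n in tab.items() if k.startswith("null-anchor"))
    return {
        "crosstab": dict(tab),
        "null_anchor": null_total,
        # Null-anchor rows that fall in neither CN bucket (e.g. a missing CN).
        "null_anchor_unexplained": null_total
            - tab["null-anchor/cn-equal"] - tab["null-anchor/cn-differs"],
        "wildcard": sum(has_wildcard(r) for r in rows),
    }

if __name__ == "__main__":
    for key, value in summarize(ROWS).items():
        print(key, value)
```

Neither hint proves a certificate is self-signed; that requires checking the signature against the certificate's own public key, which a table of names alone cannot show.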
