[I apologise for not replying to the original email(s), but I've just subscribed to this list.]
JeffH wrote:
> That explanation hints that most all the certs represented in the dataset would
> be "valid" certs. However, there's ~150k more entries in the dbase than
> the ~720K valid certs he observed. Though, there's ~150k apparently "self-signed"
> certs in the dbase, so perhaps that's what's filling out the dbase.

The term "potentially valid" would be more accurate. The purpose of the survey was to investigate how an average SSL server is configured, and for that we wanted to look at those servers that someone at least tried to configure properly. There are so many invalid certificates out there that taking the configuration of all SSL servers would pollute the data.

I defined "potentially valid" as residing on a domain name that matches the certificate. Trust was not a factor, and that's why there are self-signed certificates in the database. In addition, there's only one certificate per domain name and IP address.

The 720K certificates were obtained from the 119M data set of domain name registrations. The additional 150K were obtained by looking at Alexa's top 1M sites, as well as by data mining web site names from the certificates we obtained. The fact that there are about 150K self-signed certificates is a coincidence.

--
Ivan Ristic
ModSecurity Handbook [http://www.modsecurityhandbook.com]
SSL Labs [https://www.ssllabs.com/ssldb/]

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
