At 09:53 AM 7/11/2002 +0200, Stefan Kelm wrote:

> > See <http://www.securityspace.com/s_survey/sdata/200206/certca.html> for
> > recent data re SSL certificate market share; Geotrust, at
>
> I sincerely doubt the numbers presented in this so-called
> "survey". How did they get to a number of only 91,136
> secure servers "across all domains"? There are a huge number
> of CAs, many of which offer certificates to the public
> (see http://www.pki-page.info/#CA). Even if most CAs will
> not have a significant market share those numbers would be
> different.
For another data point, see this Netcraft survey circa January 2001:
<http://www.netcraft.com/surveys/analysis/https/2001/Jan/CMatch/certs.html>
It shows approx. 108,000 secure servers (they don't total it, and I didn't bother adding up all the CAs with 10 certs in use). Security Space's numbers for the same timeframe show that they found 58,117 servers:
<http://www.securityspace.com/s_survey/sdata/200012/certca.html>

I don't know if the difference means that, between Jan 2001 and Jun 2002, Security Space has discovered the other 40,000 secure servers in use, or if they always see a fraction of what Netcraft does. (Netcraft's current data is available for a yearly subscription at 1200 UKP.)

What I find especially telling in the recent Security Space results is the breakdown by "validity":

  Valid:               17833
  Self-signed:          5275
  Unknown signer:      13348
  Cert-host mismatch:  32536
  Expired:             35071

So less than 20% of the certificates that they find on SSL servers in use on the open Internet are functioning correctly as part of a PKI; even if we assume that every one of the self-signed and unknown-signer servers is participating in an undocumented or private PKI such that its details are unavailable to surveys like this one, that's still only 40% of the visible SSL servers. The remaining 60% are apparently misconfigured or forgotten.

--
Greg Broiles -- [EMAIL PROTECTED] -- PGP 0x26E4488c or 0x94245961

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
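The five "validity" buckets above are exactly the checks a TLS client performs on a server certificate: is it within its validity period, does it name the host it is served from, is it signed by itself, by an issuer the client does not trust, or by a trusted root. The Go program below is an added example, not code from the thread or from Security Space; it builds a small constructed population of server certificates using only the standard library (one trusted CA, one untrusted CA, and one leaf per failure mode) and sorts each into one of the survey's buckets. The precedence used when a certificate fails more than one check (expiry first, then hostname, then chain) is an assumption; the survey does not say how it resolves such cases. The survey date and all hostnames are made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is one of the five buckets the Security Space survey reports.
type Verdict string

const (
	Valid         Verdict = "Valid"
	SelfSigned    Verdict = "Self-signed"
	UnknownSigner Verdict = "Unknown signer"
	HostMismatch  Verdict = "Cert-host mismatch"
	Expired       Verdict = "Expired"
)

// Classify puts one server certificate into exactly one bucket. The order
// of the checks (expiry, then name, then chain) is an assumption of this
// example, since the survey does not document its tie-breaking.
func Classify(leaf *x509.Certificate, host string, roots *x509.CertPool, now time.Time) Verdict {
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return Expired
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return HostMismatch
	}
	// Self-signed: issuer equals subject and the signature verifies under
	// the certificate's own public key.
	if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		return SelfSigned
	}
	// Anything else that does not chain to a trusted root is an unknown signer.
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}); err != nil {
		return UnknownSigner
	}
	return Valid
}

// keyAndTemplate builds a P-256 key and a certificate template for name.
func keyAndTemplate(serial int64, name string, ca bool, notBefore, notAfter time.Time) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  ca,
	}
	if ca {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // modern clients match SANs, not the CN
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return key, tmpl
}

// issue signs tmpl with parent's key (self-signed when parent == tmpl).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RunSurvey builds a constructed population of five servers, one per
// bucket, classifies each, and returns the counts per bucket.
func RunSurvey() map[Verdict]int {
	now := time.Date(2002, 7, 11, 0, 0, 0, 0, time.UTC) // assumed survey date
	year := 365 * 24 * time.Hour

	trustedKey, trustedTmpl := keyAndTemplate(1, "Trusted Survey CA", true, now.Add(-year), now.Add(10*year))
	trustedCA := issue(trustedTmpl, trustedTmpl, &trustedKey.PublicKey, trustedKey)
	otherKey, otherTmpl := keyAndTemplate(2, "Some Private CA", true, now.Add(-year), now.Add(10*year))
	otherCA := issue(otherTmpl, otherTmpl, &otherKey.PublicKey, otherKey)
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the client trusts only this one

	type server struct {
		host string
		cert *x509.Certificate
	}
	var servers []server
	// Properly issued, correct host.
	k, t := keyAndTemplate(10, "www.example.com", false, now.Add(-year), now.Add(year))
	servers = append(servers, server{"www.example.com", issue(t, trustedCA, &k.PublicKey, trustedKey)})
	// Self-signed.
	k, t = keyAndTemplate(11, "www.example.net", false, now.Add(-year), now.Add(year))
	servers = append(servers, server{"www.example.net", issue(t, t, &k.PublicKey, k)})
	// Signed by a CA the client does not trust (a private PKI).
	k, t = keyAndTemplate(12, "www.example.org", false, now.Add(-year), now.Add(year))
	servers = append(servers, server{"www.example.org", issue(t, otherCA, &k.PublicKey, otherKey)})
	// Good chain, but served from a different hostname.
	k, t = keyAndTemplate(13, "old.example.com", false, now.Add(-year), now.Add(year))
	servers = append(servers, server{"new.example.com", issue(t, trustedCA, &k.PublicKey, trustedKey)})
	// Good chain and host, but expired a year ago.
	k, t = keyAndTemplate(14, "www.example.edu", false, now.Add(-2*year), now.Add(-year))
	servers = append(servers, server{"www.example.edu", issue(t, trustedCA, &k.PublicKey, trustedKey)})

	counts := map[Verdict]int{}
	for _, s := range servers {
		counts[Classify(s.cert, s.host, roots, now)]++
	}
	return counts
}

func main() {
	for v, n := range RunSurvey() {
		fmt.Printf("%-20s %d\n", v, n)
	}
}
```

Note that "Unknown signer" and "Self-signed" are distinguished only by whether issuer and subject coincide; both are equally opaque to an outside surveyor, which is why the post lumps them together as possibly-private PKIs before arriving at its 40% figure.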
