On Mon, Sep 12, 2016 at 2:46 PM, Ryan Sleevi <[email protected]> wrote:
>
> Consider if we start with the list of certificates issued by StartCom and
> WoSign [...] Extract the subjectAltName from every one of these certificates,
> and then compare against the Alexa Top 1M. This yields more than 60K
> certificates, at 1920K in a 'naive' whitelist.
>
> However, if you compare based on base domain (as it appears in Alexa), you
> end up with 18,763 unique names, with a much better compressibility. For
> example, when compared with Chrome's Public Suffix List DAFSA implementation
> (as one such compressed data structure implementation), this ends up
> occupying 126K of storage.
>
> 126K may be within the range of acceptable to ship within a binary. Further,
> there are a number of things that can be done to reduce this overhead:

I did a couple of similar tests. First, I used the PSL, excluding the "private" portion, to get the base domains for each issuer under a WoSign or StartCom root. Then I turned the result into a serialized tree with minimal optimizations and compressed the result with lzma. Using the certs currently in CT logs, I got a 1.5MB data file. I did the same thing only including base domains which also are base domains in the Alexa top million file, and got 97KB.

There is a huge unknown for both of these, and that is StartCom's true number of issued certs and domains. As far as I know, StartCom has not logged all their 2015 certs and is probably missing some early 2016 as well. If it turns out there are a lot more StartCom certs than currently known, then I think any decision may have to be split between StartCom and WoSign. However, based on the known data today that doesn't seem necessary from a pure size perspective.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
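
The measurement described in the reply above, as an added example that is not code from either poster: reduce certificate names to base domains using only the ICANN section of the PSL, optionally keep those that also appear in a ranking list, serialize them as a label tree and compress with lzma. The PSL excerpt, the names and the ranking set are constructed sample data, and the tree serialization format is an assumption, since the message does not specify one.

```python
import lzma
# Constructed inputs (not real data): PSL excerpt, certificate SANs, ranking list.
PSL = """\
// ===BEGIN ICANN DOMAINS===
com
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
github.io
"""
SANS = ["www.example.com", "*.example.com", "mail.example.co.uk",
        "user.github.io", "shop.example.org", "a.b.ck", "x.www.ck"]
ALEXA = {"example.com", "example.co.uk"}

def icann_rules(psl_text):
    """PSL rules from the ICANN section only; the private section is skipped."""
    body = psl_text.split("BEGIN ICANN DOMAINS===")[1].split("// ===END ICANN")[0]
    lines = (ln.strip() for ln in body.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("//")}

def base_domain(name, rules):
    """Registrable domain (public suffix plus one label); None for a bare suffix."""
    labels = [p for p in name.lower().rstrip(".").split(".") if p != "*"]
    n, suffix_len = len(labels), 1            # 1 = PSL default rule "*"
    for i in range(n):                        # longest candidate first
        cand, wild = ".".join(labels[i:]), ".".join(["*"] + labels[i + 1:])
        if "!" + cand in rules or cand in rules or wild in rules:
            suffix_len = n - i - ("!" + cand in rules)  # exception: one label shorter
            break
    return ".".join(labels[-(suffix_len + 1):]) if n > suffix_len else None

def tree_text(sans, rules, alexa=None):
    """Base domains as a label trie (TLD first), serialized depth-first."""
    bases = {base_domain(s, rules) for s in sans} - {None}
    bases = bases if alexa is None else bases & alexa   # optional ranking filter
    root = {}
    for domain in bases:
        node = root
        for label in reversed(domain.split(".")):
            node = node.setdefault(label, {})
        node[""] = {}                         # end-of-name marker
    def walk(node):
        return "".join(f"{k}<{walk(node[k])}>" for k in sorted(node))
    return walk(root)

def whitelist_blob(sans, rules, alexa=None):
    return lzma.compress(tree_text(sans, rules, alexa).encode())
```

With the private section skipped, `user.github.io` collapses to `github.io`, which is why excluding that portion reduces the number of distinct base domains. On real data, `len(whitelist_blob(...))` is the figure to compare with and without the ranking filter.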

