On Tuesday, September 13, 2016 at 7:04:56 AM UTC-7, Peter Bowen wrote:
> There is a huge unknown for both of these, and that is StartCom's true
> number of issued certs and domains.  As far as I know, StartCom has
> not logged all their 2015 certs and is probably missing some early
> 2016 as well.  If it turns out there are a lot more StartCom certs
> than currently known, then I think any decision may have to be split
> between StartCom and WoSign.  However, based on the known data today
> that doesn't seem necessary from a pure size perspective.

Just to make sure I'm fully understanding your point - your argument is that it 
might be necessary to treat StartCom and WoSign differently, if it turned out 
treating them the same blows out some size budget, but you don't believe, based 
on the data provided, that it will, is that correct?

I agree that we can and should encourage StartCom to log all their 
certificates, but I don't believe it would or should materially or 
substantially change the results. For example, we can assume that sites 
trafficked in the Alexa Top 1M are more likely to be crawled by Google or seen 
by Censys, right? So the odds of missing some cert are in the long-tail, and 
not in the core data.

We also see a variety of domains using certs from either for purposes that are 
ostensibly not relevant to browsers - a frequent dead give-away is a cert for 
autodiscover.[example.com] - which is an Exchange AutoConfiguration server not 
used by browsers - and mail.[example.com]. I would assert we can be reasonably 
confident that critical services should generally not be impacted if such a 
cert was not included.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
