On 12/09/16 22:46, Ryan Sleevi wrote:
> Consider if we start with the list of certificates issued by StartCom
> and WoSign, assuming the two are the same party (as all reasonable
> evidence suggests). Extract the subjectAltName from every one of
> these certificates, and then compare against the Alexa Top 1M. This
> yields more than 60K certificates, at 1920K in a 'naive' whitelist.
> However, if you compare based on base domain (as it appears in
> Alexa), you end up with 18,763 unique names, with a much better
> compressibility. For example, when compared with Chrome's Public
> Suffix List DAFSA implementation (as one such compressed data
> structure implementation), this ends up occupying 126K of storage.

Can you tell us how many unique base domains (PSL+1) there are across
WoSign and StartCom's entire certificate corpus, and what that might
look like as a DAFSA?
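As an added illustration of the compression idea in the quoted message (this is not code from the thread or from Chrome's implementation), the following Python builds a minimal acyclic automaton (DAFSA) from a sorted list of base domains with the incremental algorithm of Daciuk et al. and compares its edge count with a naive newline-separated list. The six domain names are constructed sample input, assumed to be already reduced to PSL+1.

```python
from collections import deque

class State:
    def __init__(self):
        self.final = False
        self.edges = {}  # char -> State
    def key(self):
        # A state is identified by its finality and its already-minimised children
        return (self.final, tuple(sorted((c, id(s)) for c, s in self.edges.items())))

def build_dafsa(names):
    """Incremental DAFSA construction (Daciuk et al.) over sorted, unique names."""
    root, register, unchecked, prev = State(), {}, [], ""
    def minimise(down_to):
        # Replace suffix states with registered equivalents, deepest first
        while len(unchecked) > down_to:
            parent, ch, child = unchecked.pop()
            parent.edges[ch] = register.setdefault(child.key(), child)
    for name in sorted(set(names)):
        common = 0
        while common < min(len(name), len(prev)) and name[common] == prev[common]:
            common += 1
        minimise(common)  # everything past the shared prefix can be merged now
        node = unchecked[-1][2] if unchecked else root
        for ch in name[common:]:
            nxt = State()
            node.edges[ch] = nxt
            unchecked.append((node, ch, nxt))
            node = nxt
        node.final = True
        prev = name
    minimise(0)
    return root

def contains(root, name):
    node = root
    for ch in name:
        node = node.edges.get(ch)
        if node is None:
            return False
    return node.final

def size(root):
    """Return (states, edges) of the automaton."""
    seen, queue, edges = {id(root)}, deque([root]), 0
    while queue:
        node = queue.popleft()
        edges += len(node.edges)
        for child in node.edges.values():
            if id(child) not in seen:
                seen.add(id(child)); queue.append(child)
    return len(seen), edges

# Constructed sample of PSL+1 base domains, not real certificate data
SAMPLE = ["example.com", "example.net", "example.org",
          "sample.com", "sample.net", "sample.org"]
NAIVE_BYTES = sum(len(n) + 1 for n in SAMPLE)  # newline-separated list
```

Shared prefixes and shared suffixes (here ".com", ".net", ".org" and the common tail "ample") both collapse, which is why a base-domain list compresses far better than a list of full subjectAltNames.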

