On 21/09/16 10:21, Gervase Markham wrote:
> On 12/09/16 22:46, Ryan Sleevi wrote:
>> Consider if we start with the list of certificates issued by StartCom
>> and WoSign, assuming the two are the same party (as all reasonable
>> evidence suggests). Extract the subjectAltName from every one of
>> these certificates, and then compare against the Alexa Top 1M. This
>> yields more than 60K certificates, at 1920K in a 'naive' whitelist.
>>
>> However, if you compare based on base domain (as it appears in
>> Alexa), you end up with 18,763 unique names, with a much better
>> compressibility. For example, when compared with Chrome's Public
>> Suffix List DAFSA implementation (as one such compressed data
>> structure implementation), this ends up occupying 126K of storage.
>
> Can you tell us how many unique base domains (PSL+1) there are across
> WoSign and StartCom's entire certificate corpus,
Hi Gerv.

I ran some queries earlier today on the crt.sh DB, to find all CNs, dNSNames and iPAddresses in all unexpired certs whose issuer names include either "WoSign" or "StartCom". Then I cross-referenced that with the latest PSL data to discover the unique base domains:

WoSign:
  Unique CNs/dNSNames: 395,222
  Unique Base Domains: 118,785
  Unique IP Addresses: 154

StartCom:
  Unique CNs/dNSNames: 706,020
  Unique Base Domains: 249,841
  Unique IP Addresses: 0

> and what that might look like as a DAFSA?

I don't know how to answer that question, but hopefully the lists of unique base domains that I generated will help...

https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/902883344a973103020c35a905d6c25bd4994887/wosign_base_domains.txt
https://gist.githubusercontent.com/robstradling/813138699b8527c1af58b4aa784c2d8f/raw/902883344a973103020c35a905d6c25bd4994887/startcom_base_domains.txt

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
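The reduction Rob describes (certificate names cross-referenced against the PSL to get unique PSL+1 base domains, with iPAddress entries counted separately) is straightforward to reproduce. The following is an added example, not Rob's code and not anything from crt.sh: it implements the Public Suffix List matching algorithm (normal, wildcard and exception rules) over a constructed PSL excerpt and a constructed list of certificate names standing in for the crt.sh query output. In practice the full list would be fetched from publicsuffix.org and the names would come from the CA's certificate corpus.

```python
"""
Added example (not Rob Stradling's code, not crt.sh's): reduce certificate
names (CNs, dNSNames, iPAddresses) to the set of unique PSL+1 base domains.
Both the PSL excerpt and the certificate names below are constructed.
"""
import ipaddress

# Constructed excerpt of the Public Suffix List (publicsuffix.org). The real
# list has thousands of rules; this excerpt includes one wildcard rule and
# one exception rule so that those code paths are exercised.
PSL_TEXT = """\
// ===BEGIN ICANN DOMAINS=== (constructed excerpt)
com
uk
co.uk
*.ck
!www.ck
// ===BEGIN PRIVATE DOMAINS=== (constructed excerpt)
github.io
"""

# Constructed stand-in for the crt.sh query output: one CN/dNSName/iPAddress
# value per row, deliberately including wildcards, mixed case, a trailing
# dot, a bare public suffix, and both IPv4 and IPv6 addresses.
SAMPLE_NAMES = [
    "www.example.com", "mail.example.com", "*.example.com",
    "shop.example.co.uk", "example.co.uk",
    "user.github.io", "github.io",
    "www.ck", "foo.bar.ck",
    "203.0.113.7", "2001:db8::1",
    "Example.COM.",
]


def parse_psl(text):
    """Map each rule's domain to its kind: 'normal', 'wildcard' or 'exception'."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rule = line.split()[0]          # PSL rules are read up to the first whitespace
        if rule.startswith("!"):
            rules[rule[1:]] = "exception"
        elif rule.startswith("*."):
            rules[rule[2:]] = "wildcard"
        else:
            rules[rule] = "normal"
    return rules


RULES = parse_psl(PSL_TEXT)


def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def normalize(name):
    """Lower-case, drop a trailing dot, and strip a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def public_suffix_label_count(labels, rules):
    """Number of labels that belong to the public suffix, per the PSL algorithm:
    an exception rule wins outright; otherwise the rule with the most labels
    wins; a wildcard rule covers one extra label; no match means the TLD."""
    best = None
    for i in range(len(labels)):
        kind = rules.get(".".join(labels[i:]))
        if kind is None:
            continue
        n = len(labels) - i
        if kind == "exception":
            return n - 1                # rule minus its leftmost label
        if kind == "wildcard":
            n += 1
        if best is None or n > best:
            best = n
    return best if best is not None else 1


def base_domain(name, rules):
    """PSL+1 registrable domain, or None for IPs and names that are themselves
    a public suffix (e.g. 'github.io' or a bare TLD)."""
    name = normalize(name)
    if not name or is_ip(name):
        return None
    labels = name.split(".")
    if any(not label for label in labels):
        return None
    n = public_suffix_label_count(labels, rules)
    if n >= len(labels):
        return None
    return ".".join(labels[-(n + 1):])


def unique_base_domains(names, rules):
    return sorted({b for b in (base_domain(n, rules) for n in names) if b})


def summarize(names, rules):
    """The three counts Rob reported per CA: unique names, base domains, IPs."""
    hostnames, ips, bases = set(), set(), set()
    for raw in names:
        name = raw.strip().lower().rstrip(".")
        if is_ip(name):
            ips.add(name)
            continue
        hostnames.add(name)
        b = base_domain(name, rules)
        if b:
            bases.add(b)
    return {"unique_names": len(hostnames),
            "unique_base_domains": len(bases),
            "unique_ips": len(ips)}


if __name__ == "__main__":
    for b in unique_base_domains(SAMPLE_NAMES, RULES):
        print(b)
    print(summarize(SAMPLE_NAMES, RULES))
```

Two details matter when reproducing the real numbers: wildcard SANs such as `*.example.com` still count as a distinct CN/dNSName but collapse to the same base domain as their siblings, and a name that is itself a public suffix (a bare TLD, or an entry such as `github.io` under the private section) yields no base domain at all, so the base-domain count can be smaller than a naive "last two labels" tally would suggest.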

