On Wed, Sep 21, 2016 at 2:21 AM, Gervase Markham <[email protected]> wrote:
> On 12/09/16 22:46, Ryan Sleevi wrote:
>> Consider if we start with the list of certificates issued by StartCom
>> and WoSign, assuming the two are the same party (as all reasonable
>> evidence suggests). Extract the subjectAltName from every one of
>> these certificates, and then compare against the Alexa Top 1M. This
>> yields more than 60K certificates, at 1920K in a 'naive' whitelist.
>>
>> However, if you compare based on base domain (as it appears in
>> Alexa), you end up with 18,763 unique names, with a much better
>> compressibility. For example, when compared with Chrome's Public
>> Suffix List DAFSA implementation (as one such compressed data
>> structure implementation), this ends up occupying 126K of storage.
>
> Can you tell us how many unique base domains (PSL+1) there are across
> WoSign and StartCom's entire certificate corpus, and what that might
> look like as a DAFSA?
I'm not sure about a DAFSA, but I wrote a semi-naive implementation of a
compressed trie and got 1592272 bytes. That is assuming each issuer has its
own trie. It could be optimized to be smaller if it was just a single trie
of eTLD+1 for all issuers.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

