On Wed, Sep 21, 2016 at 2:21 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 12/09/16 22:46, Ryan Sleevi wrote:
>> Consider if we start with the list of certificates issued by StartCom
>> and WoSign, assuming the two are the same party (as all reasonable
>> evidence suggests). Extract the subjectAltName from every one of
>> these certificates, and then compare against the Alexa Top 1M. This
>> yields more than 60K certificates, at 1920K in a 'naive' whitelist.
>> However, if you compare based on base domain (as it appears in
>> Alexa), you end up with 18,763 unique names, with a much better
>> compressibility. For example, when compared with Chrome's Public
>> Suffix List DAFSA implementation (as one such compressed data
>> structure implementation), this ends up occupying 126K of storage.
> Can you tell us how many unique base domains (PSL+1) there are across
> WoSign and StartCom's entire certificate corpus, and what that might
> look like as a DAFSA?
I'm not sure about a DAFSA, but I wrote a semi-naive implementation of
a compressed trie and got 1592272 bytes. That is assuming each issuer
has its own trie. It could be optimized to be smaller if it was just
a single trie of eTLD+1 for all issuers.
dev-security-policy mailing list