On Fri, Oct 14, 2016 at 11:23:55PM +0200, Hanno Böck wrote:
> On Fri, 14 Oct 2016 13:21:32 -0700 (PDT)
> Ryan Sleevi <[email protected]> wrote:
>
> > In particular, I'm hoping to expand upon the choice to allow existing
> > certs to continue to be accepted and to not remove the affected roots
> > until 2019.
>
> Hi,
>
> From my understanding the problem here is that the alternative of simply
> whitelisting the existing certificates isn't feasible, because there
> are too many of them.
>
> *however* from what I remember almost all the time the free options of
> startcom/wosign were limited to one year. (I think there was a short
> period of time when it was possible to get 3-year-certs from wosign for
> free, but they removed that shortly afterwards.)
>
> Therefore there should be some middle ground option:
> a) Keep the existing root for 1 year and trust that wosign won't
> backdate certificates
> b) After that the vast majority of wosign/startcom certificates will be
> expired. The number of the remaining ones is probably low enough to
> make whitelisting feasible.
>
> I haven't checked CT logs for expiration dates, so this is more a
> guess, but given the history of cert issuance and the reasonable
> assumption most certs used the free option this seems plausible.

This is what I get for the number of valid certificates:

2016-10-01 | 196100
2016-11-01 | 185740
2016-12-01 | 175310
2017-01-01 | 168933
2017-02-01 | 166109
2017-03-01 | 162535
2017-04-01 | 157278
2017-05-01 | 154630
2017-06-01 | 151857
2017-07-01 | 147927
2017-08-01 | 144076
2017-09-01 | 139678
2017-10-01 | 138156
2017-11-01 | 137849
2017-12-01 | 137648
2018-01-01 | 132568
2018-02-01 | 126031
2018-03-01 | 120888
2018-04-01 | 110723
2018-05-01 | 98605
2018-06-01 | 82580
2018-07-01 | 69629
2018-08-01 | 55843
2018-09-01 | 42570
2018-10-01 | 37793
2018-11-01 | 37541
2018-12-01 | 37287
2019-01-01 | 35227
2019-02-01 | 32453
2019-03-01 | 29538
2019-04-01 | 25133
2019-05-01 | 21264
2019-06-01 | 17563
2019-07-01 | 14310
2019-08-01 | 10892
2019-09-01 | 5429
2019-10-01 | 124
2019-11-01 | 71
2019-12-01 | 31
2020-01-01 | 2
2020-02-01 | 1

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

