For the convenience of the thread -- assuming that a 1-year-oriented policy covered the certs up to and including those listed as 2017-10-01, then summing up Kurt's numbers:
* Certs expiring by Oct 2017: 2,088,329
* Certs expiring after Oct 2017: 1,419,593

On Sat, Oct 15, 2016 at 4:28 AM, Kurt Roeckx <[email protected]> wrote:

> On Fri, Oct 14, 2016 at 11:23:55PM +0200, Hanno Böck wrote:
> > On Fri, 14 Oct 2016 13:21:32 -0700 (PDT)
> > Ryan Sleevi <[email protected]> wrote:
> >
> > > In particular, I'm hoping to expand upon the choice to allow existing
> > > certs to continue to be accepted and to not remove the affected roots
> > > until 2019.
> >
> > Hi,
> >
> > From my understanding the problem here is that the alternative of simply
> > whitelisting the existing certificates isn't feasible, because there
> > are too many of them.
> >
> > *however* from what I remember almost all the time the free options of
> > startcom/wosign were limited to one year. (I think there was a short
> > period of time when it was possible to get 3-year-certs from wosign for
> > free, but they removed that shortly afterwards.)
> >
> > Therefore there should be some middleground option:
> > a) Keep the existing root for 1 year and trust that wosign won't
> > backdate certificates
> > b) After that the vast majority of wosign/startcom certificates will be
> > expired. The number of the remaining ones is probably low enough to
> > make whitelisting feasible.
> >
> > I haven't checked CT logs for expiration dates, so this is more a
> > guess, but given the history of cert issuance and the reasonable
> > assumption most certs used the free option this seems plausible.
>
> This is what I get for the number of valid certificates:
> 2016-10-01 | 196100
> 2016-11-01 | 185740
> 2016-12-01 | 175310
> 2017-01-01 | 168933
> 2017-02-01 | 166109
> 2017-03-01 | 162535
> 2017-04-01 | 157278
> 2017-05-01 | 154630
> 2017-06-01 | 151857
> 2017-07-01 | 147927
> 2017-08-01 | 144076
> 2017-09-01 | 139678
> 2017-10-01 | 138156
> 2017-11-01 | 137849
> 2017-12-01 | 137648
> 2018-01-01 | 132568
> 2018-02-01 | 126031
> 2018-03-01 | 120888
> 2018-04-01 | 110723
> 2018-05-01 | 98605
> 2018-06-01 | 82580
> 2018-07-01 | 69629
> 2018-08-01 | 55843
> 2018-09-01 | 42570
> 2018-10-01 | 37793
> 2018-11-01 | 37541
> 2018-12-01 | 37287
> 2019-01-01 | 35227
> 2019-02-01 | 32453
> 2019-03-01 | 29538
> 2019-04-01 | 25133
> 2019-05-01 | 21264
> 2019-06-01 | 17563
> 2019-07-01 | 14310
> 2019-08-01 | 10892
> 2019-09-01 | 5429
> 2019-10-01 | 124
> 2019-11-01 | 71
> 2019-12-01 | 31
> 2020-01-01 | 2
> 2020-02-01 | 1
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
konklone.com | @konklone <https://twitter.com/konklone>

