For the convenience of the thread -- assuming that a 1-year-oriented policy
covered the certs up to and including those listed as 2017-10-01, then
summing up Kurt's numbers:

* Certs expiring by Oct 2017: 2,088,329
* Certs expiring after Oct 2017: 1,419,593

On Sat, Oct 15, 2016 at 4:28 AM, Kurt Roeckx <k...@roeckx.be> wrote:

> On Fri, Oct 14, 2016 at 11:23:55PM +0200, Hanno Böck wrote:
> > On Fri, 14 Oct 2016 13:21:32 -0700 (PDT)
> > Ryan Sleevi <r...@sleevi.com> wrote:
> >
> > > In particular, I'm hoping to expand upon the choice to allow existing
> > > certs to continue to be accepted and to not remove the affected roots
> > > until 2019.
> >
> > Hi,
> >
> > From my understanding the problem here is that the alternative of simply
> > whitelisting the existing certificates isn't feasible, because there
> > are too many of them.
> >
> > *however* from what I remember almost all the time the free options of
> > startcom/wosign were limited to one year. (I think there was a short
> > period of time when it was possible to get 3-year-certs from wosign for
> > free, but they removed that shortly afterwards.)
> >
> > Therefore there should be some middleground option:
> > a) Keep the existing root for 1 year and trust that wosign won't
> > backdate certificates
> > b) After that the vast majority of wosign/startcom certificates will be
> > expired. The number of the remaining ones is probably low enough to
> > make whitelisting feasible.
> >
> > I haven't checked CT logs for expiration dates, so this is more a
> > guess, but given the history of cert issuance and the reasonable
> > assumption most certs used the free option this seems plausible.
>
> This is what I get for the number of valid certificates:
>  2016-10-01 | 196100
>  2016-11-01 | 185740
>  2016-12-01 | 175310
>  2017-01-01 | 168933
>  2017-02-01 | 166109
>  2017-03-01 | 162535
>  2017-04-01 | 157278
>  2017-05-01 | 154630
>  2017-06-01 | 151857
>  2017-07-01 | 147927
>  2017-08-01 | 144076
>  2017-09-01 | 139678
>  2017-10-01 | 138156
>  2017-11-01 | 137849
>  2017-12-01 | 137648
>  2018-01-01 | 132568
>  2018-02-01 | 126031
>  2018-03-01 | 120888
>  2018-04-01 | 110723
>  2018-05-01 |  98605
>  2018-06-01 |  82580
>  2018-07-01 |  69629
>  2018-08-01 |  55843
>  2018-09-01 |  42570
>  2018-10-01 |  37793
>  2018-11-01 |  37541
>  2018-12-01 |  37287
>  2019-01-01 |  35227
>  2019-02-01 |  32453
>  2019-03-01 |  29538
>  2019-04-01 |  25133
>  2019-05-01 |  21264
>  2019-06-01 |  17563
>  2019-07-01 |  14310
>  2019-08-01 |  10892
>  2019-09-01 |   5429
>  2019-10-01 |    124
>  2019-11-01 |     71
>  2019-12-01 |     31
>  2020-01-01 |      2
>  2020-02-01 |      1
>
>
> Kurt
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>