> On Oct 11, 2017, at 5:33 AM, Daniel Margolis <[email protected]> wrote:
>
> Are people generally already all migrated to SANs? Are we likely to have
> people who have an existing cert that relies on CN matching?
My DANE survey database has a copy of the certificate of every MX host found
to have TLSA records (~172k domains, or 4.5k MX hosts). If we surmise that
SMTP certificates of domains adopting DANE are at all representative of
domains likely to adopt STS, then the below table may be indicative.

After skipping self-signed certs, and CAs that have issued 3 certificates or
fewer (likely all private), the table lists:

  * "IP#": The number of MX host depth-0 certificates observed issued by the
    CA (counted by number of IP addresses with that certificate, so
    multi-homed hosts or hosts with the same certificate "inflate" the
    count). The rows are sorted by decreasing "IP#".

  * "S": 1 for certificates with a SAN extension, 0 without.

  * The issuer CA DN.

Out of 2982 observed certificates behind the rows in the table only 4 have
no SAN. The exceptions are:

  * 4 issued by "C=NL, ST=Noord-Brabant, L=Raamsdonksveer, O=WebMeneer.NL,
    OU=CERTS, CN=bOnK/emailAddress=<...>"

Don't know whether that's a public CA or not.

That said, neither RFC7162 nor RFC6698 proscribes matching CNs, so STS would
be setting a new precedent. In 7672 we have:

    https://tools.ietf.org/html/rfc7672#section-3.2.3

which says that CN-ID is only to be used when no DNS-ID SANs are present.

--
	Viktor.
 IP#  S  Issuer
----  -  ------
2299  1  C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
 211  1  C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
  50  1  C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 1 DV Server CA
  50  1  C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2
  33  1  O=CAcert Inc., OU=http://www.CAcert.org, CN=CAcert Class 3 Root
  23  1  C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA
  23  1  C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA
  19  1  C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA - G2
  18  1  C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 3 OV Server CA
  17  1  C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3
  17  1  C=CN, O=WoSign CA Limited, CN=WoSign CA Free SSL Certificate G2
  16  1  C=US, O=GeoTrust Inc., CN=RapidSSL SHA256 CA - G3
  13  1  C=IL, O=StartCom Ltd., OU=StartCom Certification Authority, CN=StartCom Class 2 IV Server CA
  12  1  O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/[email protected]
  10  1  C=US, O=Symantec Corporation, OU=Symantec Trust Network, OU=Domain Validated SSL, CN=Symantec Basic DV SSL CA - G2
  10  1  C=US, O=GeoTrust Inc., CN=GeoTrust SHA256 SSL CA
   9  1  C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
   9  1  C=US, O=thawte, Inc., OU=Domain Validated SSL, CN=thawte DV SSL CA - G2
   9  1  C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
   9  1  C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G2
   8  1  C=NL, O=KPN B.V., CN=KPN PKIoverheid Organisatie CA - G2
   8  1  C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
   7  1  C=US, O=thawte, Inc., OU=Domain Validated SSL, CN=thawte DV SSL SHA256 CA
   7  1  C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL SHA256 CA - G2
   7  1  C=ES, O=StartCom CA, OU=StartCom Certification Authority, CN=StartCom BR SSL ICA
   6  1  C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2
   6  1  C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
   6  1  C=RU, ST=SPB, L=Saint-Petersburg, O=IVSOR Corporation, OU=Internet Services, CN=IVSOR Corporation Root CA for Internet Services
   6  1  C=DE, ST=Bayern, L=Erlangen, O=Universitaet Erlangen-Nuernberg, OU=RRZE, CN=FAU-CA/[email protected]
   6  1  C=DE, O=T-Systems International GmbH, OU=T-Systems Trust Center, ST=Nordrhein Westfalen/postalCode=57250, L=Netphen/street=Untere Industriestr. 20, CN=TeleSec ServerPass DE-2
   5  1  C=US, O=thawte, Inc., CN=thawte SSL CA - G2
   5  1  C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3
   5  1  C=US, O=GeoTrust Inc., CN=GeoTrust EV SSL CA - G4
   5  1  C=FI, O=IKI, OU=kivinen, CN=Tero Kivinen 2016 CA Key
   5  1  C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA
   5  1  C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
   4  1  C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
   4  1  C=GB, ST=West Yorkshire, L=Clayton West, O=Homeunix, OU=Plugs and Sockets, CN=Homeunix_CA/[email protected]
   4  1  C=FI, O=IKI, OU=Mail, CN=Mail 2013 CA
   4  1  C=DE, O=Regionales Hochschulrechenzentrum Kaiserslautern, CN=RHRK-CA - G02/[email protected]
   4  1  C=DE, O=PKI-1-Verwaltung, OU=Bund, CN=CA IVBB Deutsche Telekom AG 12
   4  1  C=DE, O=Max-Planck-Gesellschaft, CN=MPG CA/[email protected]
   4  0  C=NL, ST=Noord-Brabant, L=Raamsdonksveer, O=WebMeneer.NL, OU=CERTS, CN=bOnK/[email protected]

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
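The two technical points in the message above, the RFC 7672 section 3.2.3 rule that DNS-ID SANs take precedence and the subject CN is consulted only when a certificate carries no DNS-ID at all, and the per-issuer tally behind the table (skip self-signed certificates, drop CAs with 3 or fewer), as an added example that is not part of the original message or the author's survey tooling. Certificate contents and observations are constructed inline as plain Python data rather than parsed from real X.509; all names and the `CertNames`, `match_reference` and `tally_issuers` helpers are assumptions of this example.

```python
"""
Added example, not part of the original mailing-list message: a reference
implementation of the name-matching rule cited from RFC 7672 section 3.2.3
(DNS-ID subjectAltName entries are authoritative; the subject CN is consulted
only when the certificate carries no DNS-ID at all), plus the kind of
per-issuer tally the message's table was built from.  Certificate contents
are constructed inline as plain data rather than parsed from X.509.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class CertNames:
    """Identity-bearing fields of an end-entity certificate (constructed)."""
    common_name: Optional[str]                         # subject CN, if present
    dns_ids: List[str] = field(default_factory=list)   # SAN dNSName entries


def identifier_matches(presented: str, reference: str) -> bool:
    """Match one presented identifier (from the cert) against a reference name.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    accepted only as the whole left-most label, matches exactly one label, and
    must leave at least two labels to its right (so "*.com" never matches).
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p == r:
        return True
    if p[0] != "*" or len(p) < 3:
        return False
    return len(p) == len(r) and p[1:] == r[1:]


def match_reference(cert: CertNames, reference: str) -> Optional[str]:
    """Return the identifier type that matched ("DNS-ID" or "CN-ID"), or None.

    When any DNS-ID is present only DNS-IDs are tried; a CN that happens to
    equal the reference name is deliberately ignored in that case.
    """
    if cert.dns_ids:
        if any(identifier_matches(d, reference) for d in cert.dns_ids):
            return "DNS-ID"
        return None
    if cert.common_name is not None and identifier_matches(cert.common_name, reference):
        return "CN-ID"
    return None


def tally_issuers(observations: Iterable[Tuple[str, str, bool]],
                  min_certs: int = 4) -> Dict[str, Dict[str, int]]:
    """Count observed certificates per issuer DN, split by SAN presence.

    observations: (subject_dn, issuer_dn, has_san) per observed certificate.
    Self-signed certificates (subject == issuer) are skipped, and issuers with
    fewer than `min_certs` certificates are dropped, mirroring the message's
    filter of "3 certificates or fewer".
    """
    counts: Dict[str, Dict[str, int]] = {}
    for subject, issuer, has_san in observations:
        if subject == issuer:
            continue
        row = counts.setdefault(issuer, {"san": 0, "no_san": 0})
        row["san" if has_san else "no_san"] += 1
    return {iss: row for iss, row in counts.items()
            if row["san"] + row["no_san"] >= min_certs}


# Constructed sample certificates (hypothetical names, not survey data).
SAN_AND_CN = CertNames("mx1.example.com", ["mx1.example.com", "mx2.example.com"])
WILDCARD_ONLY = CertNames("mail.example.net", ["*.example.com"])
CN_ONLY = CertNames("smtp.example.org")

# Constructed observations: (subject, issuer, has_san).
SAMPLE_OBSERVATIONS = (
    [("CN=mx%d.example.com" % i, "CN=Public CA (constructed)", True) for i in range(5)]
    + [("CN=old.example.org", "CN=Public CA (constructed)", False)]
    + [("CN=self.example.net", "CN=self.example.net", False)]        # self-signed
    + [("CN=a.example.int", "CN=Private CA (constructed)", True)] * 2  # too few
)

if __name__ == "__main__":
    for cert, ref in [(SAN_AND_CN, "mx2.example.com"),
                      (WILDCARD_ONLY, "mail.example.net"),
                      (WILDCARD_ONLY, "mx.example.com"),
                      (CN_ONLY, "smtp.example.org")]:
        print(f"{ref:20s} -> {match_reference(cert, ref)}")
    for issuer, row in tally_issuers(SAMPLE_OBSERVATIONS).items():
        print(issuer, row)
```

The `WILDCARD_ONLY` case is the one that bites a CN-matching client: its CN equals `mail.example.net`, but because a DNS-ID is present the CN is never consulted and the match fails, which is exactly the behaviour a policy that forbids CN matching would require of every certificate.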
