On 12/07/2023 04:54, Kampanakis, Panos wrote:

Hi Dennis,

Appendix B.1 talks about 100-200 new ICA and 10 Root certs per year. In the 
past I had looked at fluctuations of CCADB and there are daily changes. When 
checking in the past, I did not generate the ordered list as per pass 1 on a 
daily basis to confirm it, but I confirmed the fluctuations. The commits in 
https://github.com/FiloSottile/intermediates/commits/main show it too. Given 
that, I am wondering if CCADB is not that stable. Are you confident that ICA 
dictionaries (based on CCADB) won't materially change often?

I checked the historical data for the last few years to ballpark a rate of 100-200 new intermediates per year. A uniform distribution of arrivals would mean 2 to 4 changes a week, which matches Filippo's commit frequency [1]. In practice Filippo's commits include removals (which we don't care about) and batched additions (which we do), but the numbers seem about right.

In terms of impact, the question is how much usage do those new ICAs see in their first year. If we expect websites to adopt them equally likely as existing ICAs then they should make up <5% of the population. I think in practice they see much slower adoption and so the impact is even lower, for example a reasonable proportion are vanity certificates with limited applicability or intended to replace an existing cert in the future. If we wanted to confirm this we could build the abridged cert dictionaries for '22 and then use CT to sample the cert chains used by websites that year. I'll see if I can find the time to put that together.

If there was an appetite for a faster moving dictionary, we could use the scheme I sketched in the appendix to the draft. But I think we should try to avoid that complexity if we can.

Best,
Dennis

[1] https://github.com/FiloSottile/intermediates/graphs/commit-activity
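A small checker for the two questions raised above (does the ordered ICA dictionary stay stable between two CCADB snapshots, and what fraction of sampled chains would a given snapshot fail to abridge), as an added example that is not code from the draft, this thread or Filippo's repository. It assumes an entry's identifier is its position in the ordered list, so an insertion shifts every later identifier; the fingerprints, snapshots, chain samples and the 4000-ICA population size are constructed placeholders.

```python
"""Stability and coverage checks for an abridged-cert ICA dictionary.

Assumption (not taken from the draft): a dictionary is an ordered list of
intermediate fingerprints and an entry's identifier is its list position.
All fingerprints, snapshots and chains below are constructed sample data.
"""


def diff_snapshots(old, new):
    """Compare two ordered dictionary snapshots.

    Returns (added, removed, shifted): fingerprints new to the list,
    fingerprints that disappeared, and fingerprints present in both whose
    position (and hence identifier) changed between snapshots.
    """
    old_idx = {fp: i for i, fp in enumerate(old)}
    new_idx = {fp: i for i, fp in enumerate(new)}
    added = sorted(set(new_idx) - set(old_idx))
    removed = sorted(set(old_idx) - set(new_idx))
    shifted = sorted(fp for fp in old_idx.keys() & new_idx.keys()
                     if old_idx[fp] != new_idx[fp])
    return added, removed, shifted


def miss_rate(snapshot, chains):
    """Fraction of sampled chains containing at least one intermediate that
    is absent from the snapshot, i.e. chains that cannot be fully abridged."""
    known = set(snapshot)
    if not chains:
        return 0.0
    misses = sum(1 for chain in chains if any(fp not in known for fp in chain))
    return misses / len(chains)


def new_ica_share(new_per_year, existing):
    """Upper bound on the population share held by ICAs issued this year,
    under the equal-adoption assumption (new and existing ICAs equally likely)."""
    return new_per_year / (existing + new_per_year)


# Constructed snapshots: ica-d was removed and ica-new inserted before ica-c.
JAN_SNAPSHOT = ["ica-a", "ica-b", "ica-c", "ica-d"]
JUL_SNAPSHOT = ["ica-a", "ica-b", "ica-new", "ica-c"]
# Constructed CT sample: each chain is its list of intermediate fingerprints.
SAMPLE_CHAINS = [["ica-a"], ["ica-b"], ["ica-new"], ["ica-c"], ["ica-x", "ica-a"]]

if __name__ == "__main__":
    print(diff_snapshots(JAN_SNAPSHOT, JUL_SNAPSHOT))
    print(miss_rate(JAN_SNAPSHOT, SAMPLE_CHAINS), miss_rate(JUL_SNAPSHOT, SAMPLE_CHAINS))
    print(new_ica_share(200, 4000))  # constructed existing-ICA count
```

Run against real snapshots, `shifted` being non-empty is the signal that a version bump (rather than a silent refresh) is needed, and `miss_rate` over a CT sample is the fallback-to-uncompressed rate the thread is trying to estimate.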

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls