I wish there were a study of the certs issued by newly introduced CAs in CCADB and how quickly they ramp up. I am concerned that a 1 year old dictionary could end up slowing down a good number of destinations. But again, that slowdown does not mean an outage. And servers could ensure they get their certs issued or cross-issued by relatively mature CAs if they do not want PQ Sig related slowdowns.
Btw, in 3.1.1 I noticed - "Remove all intermediate certificates which are not signed by root certificates still in the listing." That could eliminate some 2+ ICA cert chains. Any reason why?

-----Original Message-----
From: Dennis Jackson <ietf=40dennis-jackson...@dmarc.ietf.org>
Sent: Wednesday, July 12, 2023 1:01 PM
To: Kampanakis, Panos <kpa...@amazon.com>; TLS List <tls@ietf.org>
Subject: RE: [EXTERNAL][TLS] Abridged Certificate Compression (dictionary versioning)

On 12/07/2023 04:54, Kampanakis, Panos wrote:
> Hi Dennis,
>
> Appendix B.1 talks about 100-200 new ICA and 10 Root certs per year. In the
> past I had looked at fluctuations of CCADB and there are daily changes. When
> checking in the past, I did not generate the ordered list as per pass 1 on a
> daily basis to confirm it, but I confirmed the fluctuations. The commits in
> https://github.com/FiloSottile/intermediates/commits/main show it too. Given
> that, I am wondering if CCADB is not that stable. Are you confident that ICA
> dictionaries (based on CCADB) won't materially change often?

I checked the historical data for the last few years to ballpark a rate of 100-200 new intermediates per year. A uniform distribution of arrivals would mean 2 to 4 changes a week, which matches Filippo's commit frequency [1]. In practice Filippo's commits include removals (which we don't care about) and batched additions (which we do), but the numbers seem about right.

In terms of impact, the question is how much usage do those new ICAs see in their first year. If we expect websites to adopt them equally likely as existing ICAs then they should make up <5% of the population.
I think in practice they see much slower adoption and so the impact is even lower, for example a reasonable proportion are vanity certificates with limited applicability or intended to replace an existing cert in the future. If we wanted to confirm this we could build the abridged cert dictionaries for '22 and then use CT to sample the cert chains used by websites that year. I'll see if I can find the time to put that together.

If there was an appetite for a faster moving dictionary, we could use the scheme I sketched in the appendix to the draft. But I think we should try to avoid that complexity if we can.

Best,
Dennis

[1] https://github.com/FiloSottile/intermediates/graphs/commit-activity
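As an added illustration of the 3.1.1 rule Panos asks about (example code written for this page, not from the draft or either author), the following applies the "keep only intermediates signed by a listed root" filter to a constructed CCADB-like listing and shows what a chain with two intermediates would still have to send in full. The certificate names, DER sizes, the withdrawn-root set and the 3-byte dictionary identifier are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der_len: int  # constructed size in bytes, standing in for the DER encoding

# Constructed CCADB-like listing: one root that stays in the root programmes,
# one withdrawn root, and a two-level intermediate hierarchy under the first.
ROOTS = [
    Cert("Root A", "Root A", 1400),
    Cert("Root B", "Root B", 1400),
]
INTERMEDIATES = [
    Cert("ICA A1", "Root A", 1200),  # signed directly by a listed root: kept
    Cert("ICA A2", "ICA A1", 1200),  # signed by an intermediate: dropped by the 3.1.1 rule
    Cert("ICA B1", "Root B", 1200),  # its root is withdrawn: dropped
]
WITHDRAWN_ROOTS = {"Root B"}  # assumed: Root B is no longer in the listing

def pass1_listing(roots, intermediates, withdrawn):
    """Pass 1 as quoted from 3.1.1: keep the roots still listed, then keep only
    intermediates whose issuer is one of those roots."""
    kept_roots = [r for r in roots if r.subject not in withdrawn]
    root_names = {r.subject for r in kept_roots}
    kept_icas = [i for i in intermediates if i.issuer in root_names]
    return kept_roots + kept_icas

def abridge_chain(chain, listing, id_len=3):
    """Replace each cert found in the dictionary by a fixed-size identifier
    (id_len is an assumed 3 bytes); return (bytes on the wire, subjects still
    sent in full). End-entity certs are never in the pass-1 listing."""
    known = {c.subject for c in listing}
    wire, sent_full = 0, []
    for cert in chain:
        if cert.subject in known:
            wire += id_len
        else:
            wire += cert.der_len
            sent_full.append(cert.subject)
    return wire, sent_full

def demo():
    listing = pass1_listing(ROOTS, INTERMEDIATES, WITHDRAWN_ROOTS)
    # Chain as a server would send it: leaf, then ICA A2, then ICA A1 (root omitted).
    chain = [Cert("leaf.example", "ICA A2", 1000), INTERMEDIATES[1], INTERMEDIATES[0]]
    return abridge_chain(chain, listing)
```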