On 9-Jan-09, at 1:27 PM, Benjamin Smedberg wrote:
> Perhaps it would help if we had some additional information such as: what is the maximum certificate expiration time? That is, if all CAs stopped using MD5 *today* and switched to SHA-256, how long would it be before there were no unexpired certificates? Is that the upper bound on how long it would be before we could disable MD5 and SHA1?
So as I mentioned, I've been collecting certificates for a little while, and soon I hope to make the code + data public, but there are still some bugs to work out, and every crawl takes a day or so. Nevertheless, when I sort by year of expiration, across all currently-valid CA-signed certs I get:
 count  expiry year
108331  2009
 75313  2010
  9973  2011
  2627  2012
  8625  2013
   240  2014
    12  2015
    35  2016
    61  2017
    83  2018
     7  2019
If I restrict to just MD5-based signatures, it comes down to:
 count  expiry year
 19441  2009
  5810  2010
  1981  2011
   643  2012
  1410  2013
    21  2014
(Note the obvious spikes at the 5-year mark.)
This is from about 200k certs, whereas Netcraft typically reports about a million, and I've had CAs suggest they think the actual number is closer to 2 million. So this may represent 10-20% of the total secure web, maybe less, as a sample size.
Still, it's not nothing either, so if we don't mind extrapolating a bit: it seems to me that the end of 2010, while further out than I'd like, is probably a good upper bound. At that point we'd have about 4000 valid MD5 certs out there that we'd be breaking, out of my sample of 200k, roughly 2% (assuming none of them migrated in the interim).
Cheers,
J
---
Johnathan Nightingale
Human Shield
john...@mozilla.com
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
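The survey above (bucket currently valid certs by expiry year, restrict to MD5 signatures, then ask what share a given cutoff date would break) is easy to reproduce over any crawl dump. The following is an added example, not code from the post or from Mozilla: the crawl data is not available here, so the records are constructed, while the signatureAlgorithm OIDs and the UTCTime two-digit-year rule are the real X.509 ones from RFC 5280. The cutoff and "now" dates are assumptions chosen to match the discussion.

```python
"""Bucket CA-signed certificates by signature hash and expiry year, and estimate
what a given MD5 cutoff date would break.

Added example: this is not code from the original post or from Mozilla. The
crawl data in the mail is not available here, so the records below are
constructed; the OIDs and the UTCTime rule are the real X.509 ones (RFC 5280).
"""
from collections import Counter
from datetime import datetime, timezone

# signatureAlgorithm OIDs -> hash used in the CA's signature.
SIG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
}


def parse_utctime(s):
    """Parse an X.509 UTCTime 'YYMMDDHHMMSSZ'. RFC 5280: YY >= 50 is 19YY, else 20YY."""
    if len(s) != 13 or not s.endswith("Z"):
        raise ValueError("expected YYMMDDHHMMSSZ, got %r" % s)
    yy = int(s[0:2])
    year = 1900 + yy if yy >= 50 else 2000 + yy
    return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                    int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)


# Constructed sample standing in for a crawl dump: (signature OID, notAfter).
RAW_SAMPLE = [
    ("1.2.840.113549.1.1.4", "090301000000Z"),   # md5, expires Mar 2009
    ("1.2.840.113549.1.1.4", "091115000000Z"),   # md5
    ("1.2.840.113549.1.1.4", "100630000000Z"),   # md5
    ("1.2.840.113549.1.1.4", "110201000000Z"),   # md5, outlives a 2010 cutoff
    ("1.2.840.113549.1.1.4", "130520000000Z"),   # md5, five-year cert from 2008
    ("1.2.840.113549.1.1.5", "090401000000Z"),   # sha1
    ("1.2.840.113549.1.1.5", "100110000000Z"),   # sha1
    ("1.2.840.113549.1.1.5", "101231235959Z"),   # sha1
    ("1.2.840.113549.1.1.5", "120808000000Z"),   # sha1
    ("1.2.840.113549.1.1.11", "110909000000Z"),  # sha256
    ("1.2.840.113549.1.1.5", "081231235959Z"),   # sha1, already expired
    ("1.2.840.113549.1.1.4", "080601000000Z"),   # md5, already expired
]
SAMPLE = [(oid, parse_utctime(t)) for oid, t in RAW_SAMPLE]

# "Now" for the survey: the date of the mail (assumed).
NOW = datetime(2009, 1, 9, tzinfo=timezone.utc)


def currently_valid(records, now):
    """Drop certs whose notAfter has passed; only these matter for a cutoff."""
    return [(oid, na) for oid, na in records if na > now]


def expiry_histogram(records, now, hash_name=None):
    """Count still-valid certs per expiry year, optionally for one hash only."""
    hist = Counter()
    for oid, not_after in currently_valid(records, now):
        if hash_name is not None and SIG_HASH.get(oid) != hash_name:
            continue
        hist[not_after.year] += 1
    return dict(sorted(hist.items()))


def breakage_at_cutoff(records, now, cutoff, hash_name="md5"):
    """How many currently valid certs signed with hash_name are still unexpired
    at `cutoff` (what disabling the hash on that date breaks), and what share
    of all currently valid certs that is."""
    valid = currently_valid(records, now)
    broken = [na for oid, na in valid
              if SIG_HASH.get(oid) == hash_name and na > cutoff]
    share = len(broken) / len(valid) if valid else 0.0
    return len(broken), share


def last_expiry(records, now, hash_name="md5"):
    """Latest notAfter among still-valid certs using hash_name: the upper bound
    on how long the hash must stay enabled if nobody re-issues."""
    dates = [na for oid, na in currently_valid(records, now)
             if SIG_HASH.get(oid) == hash_name]
    return max(dates) if dates else None


if __name__ == "__main__":
    print("all valid:", expiry_histogram(SAMPLE, NOW))
    print("md5 only:", expiry_histogram(SAMPLE, NOW, "md5"))
    cutoff = datetime(2010, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
    print("broken at end of 2010:", breakage_at_cutoff(SAMPLE, NOW, cutoff))
    print("last md5 expiry:", last_expiry(SAMPLE, NOW))
```

Two points the numbers in the mail depend on are made explicit here: already-expired certs are excluded before counting (a cutoff cannot break them), and the "share broken" is taken over all currently valid certs, not just the MD5 ones, which is the 2% figure the post computes. Replacing RAW_SAMPLE with the (OID, notAfter) pairs pulled from a real crawl is all that changes for live data.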