[cabfperf] Recommended Max Number of SANs in a Certificate

[Rick Andrews]

I think imposing a maximum is a bad idea. Some customers want 100 or more SANs. I'm sure they're aware of the performance implications, yet they want them anyway. I can't think of a good security argument for denying them. So if it's just performance, I think we must stick to recommendations for best performance, not requirements.

From: performance-bounces at cabforum.org [mailto:performance-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, May 01, 2014 9:58 AM
To: 'Wayne Thayer'; performance at cabforum.org
Subject: Re: [cabfperf] Recommended Max Number of SANs in a Certificate

We currently recommend a maximum of 25.  However, we have some customers that need more because of their particular server configuration.  I think it'd be more productive to discuss individual certificate components than adopt a total size limitation and let the CAs figure out how to make it work.

From: performance-bounces at cabforum.org<mailto:performance-bounces at cabforum.org> [mailto:performance-bounces at cabforum.org] On Behalf Of Wayne Thayer
Sent: Thursday, May 1, 2014 10:56 AM
To: performance at cabforum.org<mailto:performance at cabforum.org>
Subject: [cabfperf] Recommended Max Number of SANs in a Certificate

Certificates with dozens of SAN entries have become common, in part due to the popularity of CDNs that use these certs to conserve scarce IPv4 addresses. This data can increase the size of the certificate by 25% or more. Should we recommend a maximum number of SANs in a certificate? If so, what should that number be? Or should we look at the total size of the certificate rather than individual fields?

Thanks,

Wayne
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/performance/attachments/20140501/5828436b/attachment-0001.html