[cabfperf] Recommended Max Number of SANs in a Certificate

Brian Smith brian at briansmith.org
Thu May 1 11:10:32 MST 2014


On Thu, May 1, 2014 at 10:31 AM, Rick Andrews <Rick_Andrews at symantec.com> wrote:

> +1 I was just composing a similar reply. For example, an EV cert that will
> need 3 SCTs may overflow the initial congestion window with 25 SANs. Better
> to focus on the final size of the cert.
>

I also agree with Rick and the others that say that we shouldn't recommend
any specific maximum number of SANs.

There are four main reasons I can think of off the top of my head for
having a lot of SANs in a certificate:

1. The server administrator doesn't want to manage lots of certificates so
he/she uses one certificate for every service.

2. The server administrator is transitioning from wildcard certificates (so
the use of a massive number of SANs in a cert is temporary).

3. The server wants to take advantage of the connection coalescing feature
of SPDY & HTTP/2, which requires the sharing of a cert across hostnames.

4. The server is constrained by the number of IPv4 addresses available and
is using certs with lots of SANs to work around clients that do not support
SNI.

In each case, a fixed limit (recommendation or otherwise) on the max number
of SANs seems to get in the way of the server administrator without helping
him/her much.

However, in the case of #4, I do think that we can and should make a
different recommendation: When the client does support SNI, then use the
SNI information to select a certificate with a properly-scoped set of SANs
instead of a cert with a massive number of SANs for unrelated hostnames
designed for non-SNI-supporting browsers. I think such a recommendation
makes sense for performance because the vast majority of clients will
receive the smaller certs. But, it also makes sense for security since
separate customers can be isolated from each other better (e.g. no
coalescing of connections between different customers' websites) and
because it reduces friction to revoking certificates (e.g. if I switch my
front-end hosting from CloudFlare to something else, I'd like CloudFlare to
have all certificates that include my hostname revoked).

Cheers,
Brian
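One way to put Rick's "focus on the final size of the cert" into numbers, as an added example that is not part of the original thread: encode the subjectAltName extension in DER as RFC 5280 defines it and check the resulting chain size against a 10-segment TCP initial congestion window (RFC 6928, assuming a 1460-byte MSS). The size of the rest of the chain and of any SCTs are constructed inputs, not measured values.

```python
# Added example, not code from the cabfperf thread. Estimates the DER bytes a
# subjectAltName extension adds for a list of dNSNames and checks whether the
# chain still fits the initial congestion window (IW10, RFC 6928).

def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag byte + DER length + content."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extension(dns_names):
    """Encode an RFC 5280 Extension for id-ce-subjectAltName (2.5.29.17)
    holding only dNSName entries. dNSName is GeneralName CHOICE
    [2] IMPLICIT IA5String, so each entry carries tag byte 0x82."""
    general_names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in dns_names)
    ext_value = der_tlv(0x30, general_names)          # GeneralNames ::= SEQUENCE
    oid = der_tlv(0x06, bytes([0x55, 0x1D, 0x11]))    # OID 2.5.29.17
    # Extension ::= SEQUENCE { extnID, extnValue OCTET STRING }
    return der_tlv(0x30, oid + der_tlv(0x04, ext_value))


# Assumed MSS of 1460 bytes; 10 segments per RFC 6928.
IW10_BYTES = 10 * 1460


def fits_initial_window(dns_names, base_chain_bytes, sct_bytes=0):
    """Return (total_bytes, fits). base_chain_bytes is the constructed size
    of the certificate chain without the SAN extension; sct_bytes is the
    constructed size of any embedded SCTs. The one or two bytes the outer
    SEQUENCE length fields grow by are ignored as negligible."""
    total = base_chain_bytes + len(san_extension(dns_names)) + sct_bytes
    return total, total <= IW10_BYTES
```

Running `fits_initial_window` with the same base chain and a growing list of names shows the point made above: the extension grows by roughly the name length plus two bytes per SAN, so the count alone says little about whether the handshake spills past the first round trip.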