[cabfperf] Recommended Max Number of SANs in a Certificate

Wayne Thayer wthayer at godaddy.com
Mon May 19 15:18:52 MST 2014


Thanks Yngve, this is great info. If we agree on a specific list of data that we're interested in, can you provide it?

Based on Ryan Hurst's original message, I'll suggest that we're looking for 25th, 50th, and 75th percentile of the size of the following fields:
- issuer
- subject
- certificate policies
- SAN
- public key, split out by the type of key
- total certificate size

Thanks,

Wayne
-----Original Message-----
From: performance-bounces at cabforum.org [mailto:performance-bounces at cabforum.org] On Behalf Of Yngve N. Pettersen
Sent: Thursday, May 15, 2014 7:20 PM
To: performance at cabforum.org
Subject: Re: [cabfperf] Recommended Max Number of SANs in a Certificate


Hello all,

I took a quick look in my TLS Prober database, which contains about 3 million certs collected in the past 4 years or so. The sample set is biased toward Alexa top million sites, about 500K servers sampled in each scan.

The highest number of SAN entries in a certificate in my list was 1108, most (that have any) have less than 25 (99% of those with SAN entries; 90% have 1 or 2 entries, 95% have 5 or less). (2/3 of the sample did not have SAN entries, and were not counted). I'll note though that there are probably going to be few servers that require a lot of names in a certificate, and those would not change the numbers much.

The longest name entry was 81 characters, almost all are less than 50 characters and the majority (85%) less than 25 characters long.

The longest concatenated string length of a SAN section was ~18K, most less than 100 characters.

Almost all subject DNs are 500 bytes or less, the majority (3/4) are 200 bytes or less. There are 160 in the sample with length of 10-20KB.

The majority (7/10) of certificates are between 1000 and 2000 bytes long, with most of the rest (less than 3/10) being 500-1000 bytes (this does include non-CA issued certificates). About 1500 certs are 10 or more, one was 50+KB.

On Thu, 15 May 2014 19:54:55 +0200, Mehner, Carl <Carl.Mehner at usaa.com> wrote:

> Perhaps Ivan Ristic over at SSL Pulse will add it by request?
>
> https://www.trustworthyinternet.org/ssl-pulse/
>
> Much of the data that would be in the CT dataset looks to be compiled there already.
>
> The only thing missing is the size of DN/SANs. If Ivan could drum up a box-and-whiskers chart with SAN size data (or just hostname if no SANs [even though that’s against the BRs]) we would have what we need.
>
> Carl Mehner
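An added example, not code from anyone on this list: a standard-library Python script that walks a DER certificate to measure the fields Wayne lists (issuer, subject, subjectPublicKeyInfo, the SAN extension, total size; certificate policies and the per-key-type split are left out) and reports the 25th/50th/75th percentiles over a set of certificates. The sample input is a constructed, certificate-shaped DER structure (not a real or signed certificate), and the small `der` encoder exists only to build it; `statistics.quantiles` with the inclusive method is an assumption about which percentile definition is wanted.

```python
import statistics

SAN_OID = b"\x06\x03\x55\x1d\x11"   # id-ce-subjectAltName (OID 2.5.29.17) as a DER TLV

def tlv(buf, pos):
    """Decode the DER header at pos; return (tag, value_start, element_end)."""
    first = buf[pos + 1]
    if first < 0x80:
        return buf[pos], pos + 2, pos + 2 + first
    n = first & 0x7F                              # long form: n length bytes follow
    return buf[pos], pos + 2 + n, pos + 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def children(buf, pos):
    """(tag, start, end) of each element nested directly inside the constructed element at pos."""
    _, p, vend = tlv(buf, pos)
    out = []
    while p < vend:
        out.append((buf[p], p, tlv(buf, p)[2]))
        p = out[-1][2]
    return out

def field_sizes(cert):
    """Byte sizes of issuer, subject, SPKI, the SAN extension and the whole DER Certificate."""
    items = children(cert, children(cert, 0)[0][1])        # fields of tbsCertificate (RFC 5280)
    items = items[1:] if items[0][0] == 0xA0 else items    # drop optional [0] EXPLICIT version
    sizes = {"issuer": items[2][2] - items[2][1], "subject": items[4][2] - items[4][1],
             "spki": items[5][2] - items[5][1], "san": 0, "total": len(cert)}  # order: serial, sig, issuer, validity, subject, SPKI
    for tag, pos, _ in items[6:]:
        if tag == 0xA3:                                      # [3] EXPLICIT extensions
            for _, ext_pos, ext_end in children(cert, children(cert, pos)[0][1]):
                oid = children(cert, ext_pos)[0]              # extnID is the first field of Extension
                if cert[oid[1]:oid[2]] == SAN_OID:
                    sizes["san"] = ext_end - ext_pos
    return sizes

def percentiles(certs):
    """Per field, the 25th/50th/75th percentiles of its size across the given DER certificates."""
    rows = [field_sizes(c) for c in certs]
    return {f: statistics.quantiles([r[f] for r in rows], n=4, method="inclusive") for f in rows[0]}

def der(tag, value):
    """Encode one DER TLV; lengths below 65536 are enough for the constructed samples."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
                           else b"\x82" + n.to_bytes(2, "big")) + value

def sample_cert(san_names):
    """Constructed, cert-shaped DER (not a real certificate, not signed) with the given dNSName SANs."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"example.test"))))
    san = der(0x30, der(0x06, b"\x55\x1d\x11") + der(0x04, der(0x30, b"".join(der(0x82, s.encode()) for s in san_names))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name + der(0x30, b"")
              + name + der(0x30, b"\x00" * 91) + der(0xA3, der(0x30, san)))   # 91 zero bytes stand in for a SPKI
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

To run it over real data, read each certificate's DER bytes (for PEM, base64-decode the body first) and pass the list to `percentiles`.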