[cabfperf] Recommended Max Number of SANs in a Certificate

Yngve N. Pettersen yngve at spec-work.net
Mon May 26 01:51:23 MST 2014


Hi,

Here are numbers for the certificates gathered during the past 4 years.  
(25, 50, 75 percentile, max; among certs that have these).

I tried to compile numbers for the past two years, but I will have to  
rework the analysis code to handle that (performance was very bad), and I  
don't think I will have time for that during the next week or so, at least.

These are for CA-issued certificates (the difference to all certs seems to  
be small).

Issuer DN length: 96, 115, 189, 318 bytes
Subject DN length: 12, 159, 211, 6599 bytes
Certificate lengths: 1200, 1350, 1472, 19157 bytes

SAN count: 2, 2, 2 (85%), 386
SAN length: 15, 19, 23, 71 characters (just single names)
SAN length: 28, 38, 51, 21692 characters (combined lengths, just names)

Certificate policies: 2, 2, 2 (78%), 20
Certificate policies length: 54, 61, 69, 942 (OpenSSL decoded text, *not* DER)
CPS fields: 1, 1, 1 (98%), 10
CPS length: 28, 37, 43, 101
Explicit text fields: 1, 1, 1 (98%), 2
Explicit text len: 100, 163, 251 (86%), 737
Organization text fields: 1, 1, 1 (84%), 2
Organization text len: 22, 34, 41 (99%), 162

Name constraint len: 116, 285, 1156, 4510 (just 22 certs)

Server Certificate message count: 2, 2, 3 (90%), 15 (in last scan)
Server certificate message length (2 cert messages): 2348, 2555, 2748, 14507 (in last scan)
Server certificate message length (3 cert messages): 3320, 3639, 3909, 10790 (in last scan)

Chain lengths: 3, 3, 3 (96%), 6 (to root)

RSA key lengths: 1024 (37%), 2048, 2048 (98%), 16384
No ECC sites

FYI, in the scan from last week 2048+ bit RSA keys were 100% of the  
CA-issued sample.



On Tue, 20 May 2014 00:18:52 +0200, Wayne Thayer <wthayer at godaddy.com>  
wrote:

> Thanks Yngve, this is great info. If we agree on a specific list of data  
> that we're interested in, can you provide it?
>
> Based on Ryan Hurst's original message, I'll suggest that we're looking  
> for 25th, 50th, and 75th percentile of the size of the following fields:
> - issuer
> - subject
> - certificate policies
> - SAN
> - public key, split out by the type of key
> - total certificate size
>
> Thanks,
>
> Wayne
> -----Original Message-----
> From: performance-bounces at cabforum.org  
> [mailto:performance-bounces at cabforum.org] On Behalf Of Yngve N. Pettersen
> Sent: Thursday, May 15, 2014 7:20 PM
> To: performance at cabforum.org
> Subject: Re: [cabfperf] Recommended Max Number of SANs in a Certificate
>
>
> Hello all,
>
> I took a quick look in my TLS Prober database, which contains about 3  
> million certs collected in the past 4 years or so. The sample set is  
> biased toward Alexa top million sites, about 500K servers sampled in  
> each scan.
>
> The highest number of SAN entries in a certificate in my list was 1108,  
> most (that have any) have less than 25 (99% of those with SAN entries;  
> 90% have 1 or 2 entries, 95% have 5 or less). (2/3 of the sample did not  
> have SAN entries, and were not counted). I'll note though that there are  
> probably going to be few servers that require a lot of names in a  
> certificate, and those would not change the numbers much.
>
> The longest name entry was 81 characters, almost all are less than 50  
> characters and the majority (85%) less than 25 characters long.
>
> The longest concatenated string length of a SAN section was ~18K, most  
> less than 100 characters.
>
> Almost all subject DNs are 500 bytes or less, the majority (3/4) are 200  
> bytes or less. There are 160 in the sample with lengths of 10-20KB.
>
> The majority (7/10) of certificates are between 1000 and 2000 bytes  
> long, with most of the rest (less than 3/10) being 500-1000 bytes (this  
> does include non-CA issued certificates). About 1500 certs are 10 or  
> more, one was 50+KB.
>
>
>
>
> On Thu, 15 May 2014 19:54:55 +0200, Mehner, Carl <Carl.Mehner at usaa.com>
> wrote:
>
>> Perhaps Ivan Ristic over at SSL Pulse will add it by request?
>>
>> https://www.trustworthyinternet.org/ssl-pulse/
>>
>>
>>
>> Much of the data that would be in the CT dataset looks to be compiled
>> there already.
>>
>> The only thing missing is the size of DN/SANs. If Ivan could drum up a
>> box-and-whiskers chart with SAN size data (or just hostname if no SANs
>> [even though that’s against the BRs]) we would have what we need.
>>
>>
>>
>>
>>
>> Carl Mehner
>


-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/
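As an added example (not code from the thread or from TLS Prober), the kind of analysis behind the numbers above: a Go program using only the standard library that parses DER certificates, measures the issuer/subject DN, SAN and total certificate sizes, and reports them in the same "25, 50, 75 percentile, max" form. The `Sizes`, `Measure`, `Summarize` and `SelfSigned` names are my own, and the self-signed certificates it builds are constructed sample input standing in for scanned certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sort"
	"time"
)

// Sizes holds one certificate's measurements as in the post: issuer/subject DN lengths in
// DER bytes, SAN count and combined SAN length in characters (dNSName entries only), DER length.
type Sizes struct{ IssuerLen, SubjectLen, SANCount, SANChars, CertLen int }

// Measure extracts the sizes from a parsed certificate.
func Measure(c *x509.Certificate) Sizes {
	s := Sizes{IssuerLen: len(c.RawIssuer), SubjectLen: len(c.RawSubject), CertLen: len(c.Raw)}
	for _, n := range c.DNSNames {
		s.SANCount++
		s.SANChars += len(n)
	}
	return s
}

// Summarize returns the post's "25, 50, 75 percentile, max" summary using nearest-rank
// percentiles (rank = ceil(p% of n)); it expects a non-empty sample, as the post only
// reports a field among certificates that have it.
func Summarize(v []int) [4]int {
	s := append([]int(nil), v...)
	sort.Ints(s)
	pct := func(p int) int { return s[(len(s)*p+99)/100-1] }
	return [4]int{pct(25), pct(50), pct(75), s[len(s)-1]}
}

// SelfSigned builds a constructed self-signed RSA-2048 test certificate with the given
// dNSName SANs (sample input, not real CA data).
func SelfSigned(cn string, sans []string) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans, NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Org"}}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Feed `Measure` the certificates from a scan and pass each field's slice to `Summarize` to reproduce the table layout above; the bracketed percentages in the post (share of certificates at or below the 75th-percentile value) are not computed here.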

