by new23d on 7/24/24, 3:36 PM with 4 comments
by new23d on 7/24/24, 4:06 PM
• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).
• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.
• Sectigo also has sharded according to 'assurance' class [1].
• GlobalSign has sharded by the yearly quarter presumably.
• HTTP Cache-Control max-age (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.
• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.
[1] https://www.sectigo.com/knowledge-base/detail/Sectigo-Interm...
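One way to quantify the cache-header mismatch noted above, as an added example that is not part of the thread: it assumes the CRL's nextUpdate has already been extracted (for instance with `openssl crl -noout -nextupdate`) and compares it with the HTTP freshness lifetime a shared cache would derive from the response headers; the sample headers and date are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def http_freshness_deadline(headers):
    """Instant until which a shared cache may keep serving this response.

    Directive precedence follows RFC 9111: s-maxage, then max-age, then
    Expires. Returns None when no explicit freshness information is present.
    """
    date = parsedate_to_datetime(headers["Date"])
    directives = {}
    for item in headers.get("Cache-Control", "").split(","):
        name, _, value = item.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip()
    for key in ("s-maxage", "max-age"):
        if key in directives and directives[key].isdigit():
            return date + timedelta(seconds=int(directives[key]))
    if "Expires" in headers:
        return parsedate_to_datetime(headers["Expires"])
    return None


def crl_cache_skew(headers, next_update):
    """Seconds by which the HTTP freshness deadline outlives the CRL's nextUpdate.

    A positive value is the window during which a compliant cache may hand out
    a CRL that the CA itself already considers expired; zero means the two are
    in sync; None means the headers carry no explicit freshness lifetime.
    """
    deadline = http_freshness_deadline(headers)
    if deadline is None:
        return None
    return (deadline - next_update).total_seconds()


# Constructed sample (hypothetical values): headers allow caching for 7 days,
# while the CRL's own nextUpdate is only 2 days after the response Date.
SAMPLE_HEADERS = {
    "Date": "Wed, 24 Jul 2024 15:00:00 GMT",
    "Cache-Control": "public, max-age=604800",
    "Expires": "Fri, 26 Jul 2024 15:00:00 GMT",
}
SAMPLE_NEXT_UPDATE = datetime(2024, 7, 26, 15, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("skew seconds:", crl_cache_skew(SAMPLE_HEADERS, SAMPLE_NEXT_UPDATE))
```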
by new23d on 7/24/24, 3:36 PM
Data is on CRL availability, number of entries, expiry & refresh times, etc. from various X.509 leaf server SSL certificates.
by threesevenths on 7/24/24, 7:22 PM