[cabfpub] Clock skew data

Gervase Markham gerv at mozilla.org
Mon Nov 3 12:32:11 MST 2014


A community member who wishes to remain anonymous sent me the following
to share with you. While I continue to maintain that the CAB Forum
should not be basing its decision (on whether to allow short-lived certs
or not) on their perceived practicality, this data is interesting.

<snip>
About the data:
This is based on over 300 million page loads on a single day (measured
00:00:00 to 23:59:59 GMT).  There are several notable biases.  The
data is biased towards the US, Canada, and the European Union, as the
target web sites cover these regions.  All pages were fetched via
SSL/TLS (SSLv3 to TLSv1.2 supported). The server certificates used
had a Not Before date only 16 days prior to the test date and were
valid for one year plus one day. Therefore, some portion of the
clients were not recorded as they did not successfully connect.  The
skew was measured by comparing the timestamp returned from the Date()
in JavaScript with that on the server.  This means that clients that
did not run JavaScript were excluded from this data.

The percentiles were calculated in absolute variance, based on 5
minute grouping.
90      <5 minutes
99      <115 minutes (42.2% of the 99% were behind/56.8% were ahead)
99.9    <1530 minutes (25.5 hours) (42.50%/57.4%)
99.99   <76320 minutes (53 days) (42.551%/57.439%)
99.999  <7801330 minutes (2000-01-01) (42.557%/57.442%)

By this point, the negative clock skew has become clustered by
absolute date, suggesting that the systems that were severely skewed
had no persistent clock.
</snip>

Gerv
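
An added example, not part of the original message or of the contributor's tooling: one way to reproduce the kind of figures quoted above from raw (client Date(), server time) pairs, useful when sizing notBefore backdating or validity windows against observed skew. The function names, the sample values, and the reading of "5 minute grouping" as rounding |skew| up to the next 5-minute boundary are assumptions.

```javascript
// Added example. All names and sample data here are constructed for illustration.
const BUCKET_MIN = 5; // assumed meaning of "5 minute grouping"

// Skew in minutes: client Date() value minus server clock. Negative = client behind.
function skewMinutes(clientMs, serverMs) {
  return (clientMs - serverMs) / 60000;
}

// Upper edge of the 5-minute group holding |skew|: [0,5) -> 5, [5,10) -> 10, ...
function bucketUpperBound(skewMin) {
  return (Math.floor(Math.abs(skewMin) / BUCKET_MIN) + 1) * BUCKET_MIN;
}

// Smallest bound B (a multiple of 5 minutes) such that at least pct% of the
// samples have |skew| < B, plus the behind/ahead split of those samples.
function percentileBound(skews, pct) {
  if (skews.length === 0) return null;
  const counts = new Map();
  for (const s of skews) {
    const b = bucketUpperBound(s);
    counts.set(b, (counts.get(b) || 0) + 1);
  }
  // Small epsilon guards against float error in pct * n / 100.
  const needed = Math.ceil(skews.length * pct / 100 - 1e-9);
  let covered = 0;
  for (const bound of [...counts.keys()].sort((a, b) => a - b)) {
    covered += counts.get(bound);
    if (covered >= needed) {
      const inside = skews.filter((s) => Math.abs(s) < bound);
      const behind = inside.filter((s) => s < 0).length;
      const ahead = inside.filter((s) => s > 0).length;
      return { bound, behind, ahead, exact: inside.length - behind - ahead };
    }
  }
  return null;
}

// Constructed sample: 18 clients within 5 minutes, one 90 minutes ahead,
// one 1500 minutes behind (the kind of outlier a reset clock produces).
const SAMPLE_SKEWS = [0.2, -0.5, 1, -1.5, 2, 0.1, -0.3, 3, -4, 0.8,
                      1.2, -2.2, 0.4, 4.9, -0.9, 2.5, -3.1, 0.6, 90, -1500];

for (const pct of [90, 95, 100]) {
  const r = percentileBound(SAMPLE_SKEWS, pct);
  console.log(`${pct}  <${r.bound} minutes (${r.behind} behind/${r.ahead} ahead)`);
}
```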

