[cabf_validation] IP address dates

Ryan Sleevi sleevi at google.com
Tue Sep 4 17:16:58 MST 2018

Here's the summary data from CT that I spoke about on the call, broken down
by associated intermediate issuer (of those w/ BR audits)

747 distinct IPs, 518 distinct certs, DigiCert SHA2 Secure Server CA
498 distinct IPs, 403 distinct certs, GlobalSign Organization Validation CA - SHA256 - G2
327 distinct IPs, 286 distinct certs, COMODO RSA Organization Validation Secure Server CA
162 distinct IPs, 232 distinct certs, Cybertrust Japan Public CA G3
115 distinct IPs, 128 distinct certs, DFN-Verein Global Issuing CA

If I group by issuer name (, then I get
847 distinct IPs, 586 distinct certs, DigiCert Inc
498 distinct IPs, 403 distinct certs, GlobalSign nv-sa
343 distinct IPs, 304 distinct certs, COMODO CA Limited
162 distinct IPs, 232 distinct certs, Cybertrust Japan Co., Ltd.
128 distinct IPs, 113 distinct certs, Entrust, Inc.

This is all unexpired certificates issued in the past 825 days - that is,
the upper-bound of those that might be able to reuse information.

So it really doesn't seem to require a long phase-in time at all.

On Tue, Sep 4, 2018 at 7:44 PM Tim Hollebeek via Validation <
validation at cabforum.org> wrote:

> I finally had an opportunity to listen to the Validation WG call from 8/30.
> I agree with Ryan that splitting the dates would be a good thing.  I
> didn’t do that just to keep the ballot simple, but am very open to it.
> The date moved from April to June (day that doesn’t exist, sorry) solely
> because I received comments from one CA suggesting an effective date in
> 2019.  That seemed way too far away from me.  But given some of the problems
> we have had recently with getting ballots passed, I tried to pick a date
> that was a compromise between not too far in the future, and a date CAs
> could support given that they often have other things they need to be
> doing.  I’m not horribly picky about what the date is (as long as it’s not
> 2019!!!), and am encouraged that it sounds like we might be able to agree
> on an earlier date.
> -Tim