[ga] As an FYI: SSL Certificates In Use Today Aren't All Valid

["Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>]

All,

  Given the direction DNSSEC is going this information should be
taken into serious consideration obviously.  I also hope that NIST
is on top of this.

See:
http://www.esecurityplanet.com/features/article.php/3890171/SSL-Certificates-In-Use-Today-Arent-All-Valid.htm

which posits that only 3% of SSL certs in use today are valid.  The figures
seem a bit suspicious though, for example they claim 23 million SSL sites
while the same article quotes Netcraft as claiming there are 1.5 million SSL
certs in use (the Netcraft figures may be for CA-issued certs only, since they
quote Verisign as a percentage of that total).  Still, 3% seems pretty low,
could this be due to something like virtual hosting and the client not sending
the hostname, thereby getting the wrong cert?  Even with that though, I 
wouldn't have expected a 97% invalidity rate but would have expected a 
50 - 60% invalidity rate which is still far too high.


Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 300+k members/stakeholders and growing, 
strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947]
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827