An analysis of CRL sizes from various CAs
chasersystems.com
Some initial observations:
• Google's CRLs from the same intermediate CA (same public key) have different URLs and different content when pulled from different hosts (google.com, youtube.com).
• DigiCert has sharded according to 'assurance' class, algorithm, year and acquisition's name.
• Sectigo also has sharded according to 'assurance' class [1].
• GlobalSign has sharded by the yearly quarter presumably.
• HTTP Cache-Control maxage (or s-maxage), 'Expires' and 'Next Update' within the CRL file are not in sync.
• Some CAs other than Let's Encrypt also do not publish CRL URLs in the leaf certificates.
[1] https://www.sectigo.com/knowledge-base/detail/Sectigo-Interm...
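An added example (not the poster's or Chaser Systems' code) for checking the mismatch noted above between HTTP Cache-Control / Expires and the CRL's own Next Update: it pulls thisUpdate/nextUpdate out of a DER-encoded CRL and compares them with the caching headers the CRL was served with. The CRL and response headers below are constructed, unsigned samples, and all function and variable names are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def _tlv(tag, content):                         # DER TLV encoder (short form and 1/2-byte long form)
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content

def _parse_tlv(buf, i):                         # decode one DER TLV -> (tag, content, next index)
    tag, first = buf[i], buf[i + 1]
    n = 0 if first < 0x80 else first & 0x7F     # number of extra length bytes in long form
    length = first if n == 0 else int.from_bytes(buf[i + 2:i + 2 + n], "big")
    return tag, buf[i + 2 + n:i + 2 + n + length], i + 2 + n + length

def _x509_time(tag, content):                   # UTCTime (0x17) or GeneralizedTime (0x18), Zulu form
    s = content.decode("ascii")
    if tag == 0x17:                             # RFC 5280 4.1.2.5.1: YY >= 50 is 19YY, else 20YY
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList (RFC 5280 5.1)."""
    _, tbs, _ = _parse_tlv(_parse_tlv(der, 0)[1], 0)   # CertificateList -> tbsCertList
    i, times = 0, []
    while i < len(tbs) and len(times) < 2:             # version, sigalg, issuer are skipped by tag
        tag, content, i = _parse_tlv(tbs, i)
        if tag in (0x17, 0x18):                        # the only Time fields: thisUpdate, nextUpdate
            times.append(_x509_time(tag, content))
    return tuple(times)                                # one element if nextUpdate (OPTIONAL) is absent

def cache_vs_crl(headers, crl_der, shared_cache=False):
    """Deadlines from Cache-Control (s-maxage for shared caches), Expires and the CRL's
    nextUpdate, with their spread in seconds: how far the three signals disagree."""
    fetched = parsedate_to_datetime(headers["Date"])
    cc = dict(re.findall(r"(s-maxage|max-age)=(\d+)", headers.get("Cache-Control", "")))
    key = "s-maxage" if shared_cache and "s-maxage" in cc else "max-age"
    deadlines = {"expires": parsedate_to_datetime(headers["Expires"])} if "Expires" in headers else {}
    if key in cc:
        deadlines["cache-control"] = fetched + timedelta(seconds=int(cc[key]))
    times = crl_update_times(crl_der)
    deadlines.update({"next-update": times[1]} if len(times) > 1 else {})
    return deadlines, int((max(deadlines.values()) - min(deadlines.values())).total_seconds())

SHA256_RSA = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))  # sha256WithRSA
SAMPLE_CRL = _tlv(0x30, _tlv(0x30, _tlv(0x02, b"\x01") + SHA256_RSA + _tlv(0x30, b"")  # constructed v2 CRL
                  + _tlv(0x17, b"240901000000Z") + _tlv(0x17, b"240908000000Z"))      # this/nextUpdate
                  + SHA256_RSA + _tlv(0x03, b"\x00" * 9))                              # placeholder signature
SAMPLE_HEADERS = {"Date": "Sun, 01 Sep 2024 12:00:00 GMT", "Expires": "Tue, 03 Sep 2024 12:00:00 GMT",
                  "Cache-Control": "public, max-age=3600, s-maxage=86400"}  # constructed; deadlines disagree
```

A private cache honouring max-age refetches this sample after one hour while the CRL is valid for a week, and a cache that trusted Expires alone would still be well short of nextUpdate; the spread shows how far apart the three signals are for a given CA.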
We collected some data on the viability of only CRLs as the future (phasing out OCSP) - motivated by Let's Encrypt's announcement today [1].
Data is on CRL availability, number of entries, expiry & refresh times, etc. from various x509 leaf server SSL certificates.
What analysis was done or are we just talking about the data gathering?
We'll be working on that in the coming days. Thought the data at this point was a good start.