2) Most people don't set 'iodef'.
Those domains that do use CAA records tend to use the 'issue' and 'issuewild' records, but only minuscule fraction (0.9% of all TLDs' domains; 3.2% of the Top 1M Domains) set 'iodef'.
Top-level
2) Most people don't set 'iodef'. Those domains that do use CAA records tend to use the 'issue' and 'issuewild' records, but only minuscule fraction (0.9% of all TLDs' domains; 3.2% of the Top 1M Domains) set 'iodef'. 8 comments
And finally, and most importantly: 4) A small number of CAs dominate. Only 7 Certificate Authorities account for over 99% of all CAA 'issue'/'issuewild' records (10 CAs for 99% of the Top 1M Domains). 3 alone account for over 75%: Comodo, DigiCert, and Let's Encrypt. Even though this only covers the small percentage of domains that do set CAA records, I would not be surprised if the overall use of CAs across all domains followed a similar -- and similarly centralized -- distribution. (In some markets, regional players will play a bigger role; once again the inability to get access to all ccTLD zones makes this difficult to assess.) So no, you probably could replace your giant trust bundle with fewer than... 20 or so root CA certs and not notice a difference, I'd guess. But whether that's a good thing, whether it's wise for the entire internet to place all -- well, >99% -- of its certificates/eggs into fewer than 10 CAs/baskets seems more than questionable. And that's it for today - thanks for playing "Whose Cert Is It Anyway?" โ๏ธ This thread is available as a blog post here: P.S.: This was the third blog post in a series on the centralization of the internet. Part 1, covering NS records, can be found here: Or, as a Twitter thread: Part 2, covering MX records, can be found here: Or as a Mastodon thread: |
3) Extensions are not widely used.
The dominance of the 'cansignhttpexchanges' parameter here surprised me, but could be explained by being pushed without industry agreement by Google as part of their "Accelerated Mobile Pages" (AMP) framework?