On 2011-12-04 12:09, Ondrej Mikle wrote:
[...]
> I re-did the count of CAs whose CRLs had 'CA Compromise' as revocation reason,
> about a month after Peter Eckersley did. The result was the same (counting "trusted"
> CAs). Plus a few others (some seemed to be internal company CAs, but did not chain
> to a "trusted root").
Ondrej,

Most (but not all) of the CAs that I worked with over the years did not have anybody on the operations side full time who would know how to place a revocation reason into the CRL. Which is why the majority of CRL entries include an unspecified reason code or the ever popular reason code "NULL".

Without taking anything away from the work of the folks at the EFF (I appreciate their effort and have been a long-time financial supporter of the EFF), determining the number of CA compromises from looking at "CA Compromise" in reason codes is like determining car theft statistics from the number of car thieves that turn themselves in at the police station. Sure, once in a while a fellow that has not been suspected of any crime will walk into a police station and decide to turn himself in. Every cop will have a story or two along those lines. But the number of crimes (and criminals) far exceeds the number of criminals that choose to turn themselves in to the police.

It does not require disclosure of any confidential information to come to the conclusion that more certificates have been revoked due to CA compromise than certs were issued due to CA compromise. Indeed, you only need to look through the database for certs that very publicly have been revoked due to CA compromise to find some that lack that reason code in the CRL.

Lastly, I am not trying to insinuate that having your CA compromised is or should ever become a crime.

--Lucky Green

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
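The point under discussion, that the CRLReason entry extension is optional and that "unspecified" and "no reason code at all" are two distinct things a CRL count has to treat separately, is easy to see by building a small CRL and parsing it back. The following is an added example, not code from either poster or from any CA's software; it assumes the `cryptography` Python library is installed, and the CA name, serial numbers and reason assignments are constructed sample data.

```python
"""Added example: build a CRL whose entries carry a real reason code, the
'unspecified' reason code, or no reasonCode extension at all, then parse
the DER back and tally what a counter like the one described would see.
The CA name and serial numbers are constructed; the library API and the
CRL structure (RFC 5280 CRLReason, id-ce-cRLReasons 2.5.29.21) are real."""
import datetime
from collections import Counter

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample: (serial number, reason, or None for "no reasonCode extension")
SAMPLE_ENTRIES = [
    (0x1001, x509.ReasonFlags.ca_compromise),   # operator set the reason correctly
    (0x1002, x509.ReasonFlags.key_compromise),
    (0x1003, x509.ReasonFlags.unspecified),     # reason present but says nothing
    (0x1004, None),                             # the "NULL" case: no extension at all
    (0x1005, None),
]


def build_sample_crl(entries=SAMPLE_ENTRIES) -> bytes:
    """Sign a CRL with a throwaway EC key and return it DER-encoded."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Example CA")])
    now = datetime.datetime(2011, 12, 4, tzinfo=datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=7)))
    for serial, reason in entries:
        rcb = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            # CRLReason is a per-entry extension; omitting it is perfectly valid DER,
            # which is exactly why so many CRLs have entries with no reason at all.
            rcb = rcb.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(rcb.build())
    crl = builder.sign(private_key=key, algorithm=hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.DER)


def tally_reasons(crl_der: bytes) -> dict:
    """Count revocation reasons in a DER CRL.

    Entries with no reasonCode extension are counted under 'absent' so they are
    not silently folded into 'unspecified'; a survey that only greps for
    ca_compromise sees neither bucket.
    """
    crl = x509.load_der_x509_crl(crl_der)
    counts = Counter()
    for revoked in crl:
        try:
            reason = revoked.extensions.get_extension_for_class(x509.CRLReason).value.reason
            counts[reason.name] += 1
        except x509.ExtensionNotFound:
            counts["absent"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(tally_reasons(build_sample_crl()))
    # {'ca_compromise': 1, 'key_compromise': 1, 'unspecified': 1, 'absent': 2}
```

Running it shows one entry flagged ca_compromise out of five revocations, with three of the five carrying no usable reason; any count keyed on the reason code alone is a lower bound on whatever actually caused the revocations.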
