There aren't a lot of root CAs, but there is a very large number of intermediary CAs. The problem is every one of them has the same power to sign certificates for anything/any domain.
On Fri, Jan 4, 2013 at 3:01 PM, yersinia <yersinia.spi...@gmail.com> wrote:
> On Fri, Jan 4, 2013 at 8:41 PM, John Case <c...@sdf.org> wrote:
> >
> > Let's assume hardware is zero ... it's a really variable cost, so I assume
> > (correct me if I'm wrong) that it is a trivial cost compared to legal and
> > audit costs, etc.
> >
> > So what does it cost to start a root CA, get properly audited (as I see the
> > root CAs are) and get yourself included into, say, firefox or chrome ?
> >
> > A followup question would be:
> >
> > Is inclusion of a root CA in the major browsers a "shall issue" process ?
> > That is, you meet the criteria and you get in ? Or is it a subjective,
> > political process ?
> >
> > Finally, it seems to me that since there are so few root CAs (~30 ?) and the
> > service provided is such an arbitrary, misunderstood one, that existing CAs
> > would be actively trying to prevent new entrants ... and establish
> > themselves as toll collectors with a pseudo monopoly ... what evidence (if
> > any) do we have that they are pursuing such an ecosystem ?
>
> Many today say that there are too many root CAs, not a few. Isn't it?
> https://www.eff.org/observatory.
>
> Have I missed something ?
>
> best
>
> > Thank you.
> > _______________________________________________
> > cryptography mailing list
> > cryptography@randombit.net
> > http://lists.randombit.net/mailman/listinfo/cryptography