On 23/12/13 18:29, Jacob Appelbaum wrote:
> Phillip Hallam-Baker:
> <snip>
>> You can't calculate the number of CAs the way the EFF tried to. An
>> intermediate certificate does not equate to a CA. Pretending it does to
>> peddle an alternative PKI scheme calls into question their veracity.
> I disagree strongly. I have an intermediate certificate. I am as
> powerful a CA as a result.
Jake, you're only that powerful if you control the intermediate private key.
<snip>
> Other estimates appear to be much higher than the EFF count. What is
> your qualification for what counts as a CA? For example - Debian
> GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
> with another, heck Microsoft even adds new CA certs dynamically, right?
> So what is your metric exactly?
I would prefer to count the number of distinct organizations that
control at least 1 private key that is associated with at least 1
non-Name-Constrained root or intermediate certificate that chains to (or
is) a root in the Microsoft, Mozilla and/or Apple root store and which
can issue certs that are trusted for Server Authentication.
It's not possible to measure this purely by examining the body of
root/intermediate certificates that are known to exist (although this
body of certificates is of course useful for cross-referencing).
>> 2) Continuing to count the DFN as 300 CAs when they know it is one.
> The number matters because it isn't just an issue of control over a
> single signing key. I'd be interested to hear how many of those
> CAs/sub-CAs are able to sign leaf certificates.
All of the DFN Sub-CAs are able to sign leaf certificates, but it is
_only_ DFN that controls the private keys that would be used to sign
these leaf certificates. The various German universities are
essentially only RAs, even though they are named as the Subjects of the
intermediate certificates.
Many Sub-CA certificates issued by major commercial Root CAs exist
purely for branding reasons, i.e. the Subject is at most an RA, and
sometimes only a Reseller.
On the other hand, if there are still any RAs/Resellers that control
root or intermediate private keys, then by my metric they should be
counted as CAs.
My gut feeling is that the real number (by my metric) is likely to be a
lot nearer to 60 than to 600.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
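The two ways of counting that the thread argues about (one "CA" per root/intermediate certificate versus one per distinct organisation that controls a qualifying private key) can be made concrete. The following is an added example, not code from the list thread or from any CA; the certificate records, organisation names and root-store contents are constructed, and the `key_holder` field stands in for exactly the information the email says cannot be read off the certificates themselves. The example goes slightly beyond the metric as stated: it treats a Name Constraints extension and a missing Server Authentication capability as inherited by everything below them in the chain, which is how RFC 5280 applies name constraints and how browsers apply EKU nesting, and it can be run against a single vendor's root store or the union of several.

```python
"""Count 'CAs' two ways: naive certificate count vs. distinct key-controlling organisations."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class CaCert:
    cert_id: str
    subject: str               # what the certificate says; may be only an RA or reseller brand
    key_holder: str            # organisation that actually controls the private key (assumed known
                               # from CA disclosures/audits; not derivable from the certificate)
    issuer_id: Optional[str]   # None for a self-signed root
    name_constrained: bool = False  # carries a Name Constraints extension
    server_auth: bool = True        # may issue certificates trusted for Server Authentication


# Constructed root stores: which root certificate ids each vendor ships.
ROOT_STORES: Dict[str, Set[str]] = {
    "Microsoft": {"root-a"},
    "Mozilla": {"root-a", "root-b"},
    "Apple": {"root-a"},
}
TRUSTED_ROOTS: Set[str] = set().union(*ROOT_STORES.values())

# Constructed certificate population (ids, names and organisations are invented).
SAMPLE_CERTS: List[CaCert] = [
    CaCert("root-a", "Example Root CA A", "Example CA Inc", None),
    CaCert("root-b", "Example Root CA B", "Other Trust Ltd", None),
    CaCert("root-c", "Unshipped Root CA", "Nobody Corp", None),       # in no root store
    # DFN-style hierarchy: many university-named sub-CAs, one key-controlling organisation.
    CaCert("dfn-pca", "DFN-Verein PCA", "DFN-Verein", "root-a"),
    CaCert("dfn-uni-1", "Universitaet Eins CA", "DFN-Verein", "dfn-pca"),
    CaCert("dfn-uni-2", "Universitaet Zwei CA", "DFN-Verein", "dfn-pca"),
    CaCert("dfn-uni-3", "Universitaet Drei CA", "DFN-Verein", "dfn-pca"),
    # Branding-only sub-CA: the Subject is a reseller, the key stays with the root CA.
    CaCert("reseller-brand", "Reseller Brand CA", "Example CA Inc", "root-a"),
    # Enterprise sub-CA under Name Constraints, plus an unconstrained child beneath it.
    CaCert("ent-issuing", "Enterprise Corp Issuing CA", "Enterprise Corp", "root-a",
           name_constrained=True),
    CaCert("ent-child", "Enterprise Corp Dept CA", "Enterprise Corp", "ent-issuing"),
    # Sub-CA restricted to S/MIME: cannot issue Server Authentication certificates.
    CaCert("smime-ca", "Mail Services S/MIME CA", "Mail Services GmbH", "root-b",
           server_auth=False),
    # Independent organisation holding its own unconstrained intermediate key.
    CaCert("indep-sub", "Independent Sub-CA", "Independent PKI SA", "root-b"),
    # Chains only to a root that no store ships.
    CaCert("orphan-sub", "Orphan Sub-CA", "Nobody Corp", "root-c"),
]


def _path_to_trusted_root(cert: CaCert, certs_by_id: Dict[str, CaCert],
                          trusted_root_ids: Set[str]) -> Optional[List[CaCert]]:
    """Follow issuer links upward until a certificate in the root store is reached.

    Returns the path (starting at `cert`, ending at the trusted root), or None if the
    walk dead-ends, loops (cross-signing cycle) or never meets a trusted root.
    """
    path: List[CaCert] = []
    seen: Set[str] = set()
    cur: Optional[CaCert] = cert
    while cur is not None and cur.cert_id not in seen:
        seen.add(cur.cert_id)
        path.append(cur)
        if cur.cert_id in trusted_root_ids:
            return path
        cur = certs_by_id.get(cur.issuer_id) if cur.issuer_id else None
    return None


def qualifies(cert: CaCert, certs_by_id: Dict[str, CaCert], trusted_root_ids: Set[str]) -> bool:
    """Rob Stradling's criteria: chains to (or is) a trusted root, is not name-constrained,
    and can issue Server Authentication certificates. Assumption added here: both
    restrictions are inherited from every certificate above it in the path."""
    path = _path_to_trusted_root(cert, certs_by_id, trusted_root_ids)
    if path is None:
        return False
    return all(not c.name_constrained and c.server_auth for c in path)


def naive_ca_count(certs: List[CaCert]) -> int:
    """One 'CA' per root or intermediate certificate, regardless of who holds the key."""
    return len(certs)


def organisations_by_metric(certs: List[CaCert], trusted_root_ids: Set[str]) -> Dict[str, List[str]]:
    """Map each key-controlling organisation to the qualifying certificate ids it controls."""
    certs_by_id = {c.cert_id: c for c in certs}
    result: Dict[str, List[str]] = {}
    for c in certs:
        if qualifies(c, certs_by_id, trusted_root_ids):
            result.setdefault(c.key_holder, []).append(c.cert_id)
    return result


def ca_count_by_metric(certs: List[CaCert], trusted_root_ids: Set[str]) -> int:
    """Number of distinct organisations controlling at least one qualifying private key."""
    return len(organisations_by_metric(certs, trusted_root_ids))


if __name__ == "__main__":
    print("naive count:", naive_ca_count(SAMPLE_CERTS))
    print("by metric (all stores):", ca_count_by_metric(SAMPLE_CERTS, TRUSTED_ROOTS))
    for org, ids in organisations_by_metric(SAMPLE_CERTS, TRUSTED_ROOTS).items():
        print(f"  {org}: {ids}")
    for vendor, roots in ROOT_STORES.items():
        print(f"by metric ({vendor} only):", ca_count_by_metric(SAMPLE_CERTS, roots))
```

On the constructed population the naive count is 13 certificates, while the organisation count is 4: the three university sub-CAs collapse into DFN-Verein, the reseller-branded sub-CA collapses into its root CA, and the name-constrained, S/MIME-only and unshipped-root branches drop out entirely. Restricting to the Microsoft store alone, which here ships only `root-a`, brings the organisation count to 2. The one input the code cannot compute is `key_holder`, which is precisely why the email says the metric cannot be measured from the certificate corpus alone.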