To add some clarification on why the EFF probably over-counted: We create intermediate certificates all the time for customers, typically for access control or to minimize the potential impact of the intermediate's revocation. However, the intermediate stays within our PKI and is subject to our verification process and control. This doesn't make it a separate issuer. The RA tells us who is authorized to get a certificate off that intermediate, but they don't dictate the validation or issuance process.
Again (and unfortunately), the scope of control over an intermediate varies widely depending on the CA. Jeremy -----Original Message----- From: therightkey [mailto:[email protected]] On Behalf Of Jeremy Rowley Sent: Wednesday, January 08, 2014 11:34 AM To: 'Ben Laurie'; 'Ralph Holz' Cc: [email protected]; 'Seth David Schoen' Subject: Re: [therightkey] RA vs CA The role of the RA varies a lot depending on the CA and industry. For example, some CAs use RAs only to collect face to face documentation (similar to a notary). The CA will still do a record check, verify the identity, etc. The existence of an RA does not necessarily mean the CA is signing whatever is put in front of it. The only way to know the scope of the RA function is to ask the CA. Jeremy -----Original Message----- From: therightkey [mailto:[email protected]] On Behalf Of Ben Laurie Sent: Wednesday, January 08, 2014 11:30 AM To: Ralph Holz Cc: [email protected]; Seth David Schoen Subject: [therightkey] RA vs CA On 27 December 2013 10:06, Ralph Holz <[email protected]> wrote: > Hi, > > [The EFF's count] > >>> You can't calculate the number of CAs the way the EFF tried to. An >>> intermediate certificate does not equate to a CA. Pretending it does >>> to peddle an alternative PKI scheme calls into question their veracity. >>> >> >> I disagree strongly. I have an intermediate certificate. I am as >> powerful CA as a result. >> Please also see these estimates which are even higher: >> >> https://zakird.com/slides/durumeric-https-imc13.pdf >> >> "Identified 1,832 CA certificates belonging to 683 organizations" >> "311 (45%) of the organizations were provided certificates by German >> National Research and Education Network (DFN) " > > I was there at IMC and spoke with Zakir. He was not aware of the fact > that the private keys to all the intermediate certificates are held by > the central DFN Verein, not the RAs themselves. In the case of DFN, > the intermediate certs only identify the RAs. The RAs do not carry > signing power. What is the function of an RA, then, if not to tell a CA "sign this"? _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey _______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
