There is a problem here with the conventional nomenclature. The term CA can mean the legal entity or the machine in control of the private key. As with the original RSA paper that asserted Alice is a Turing machine, this is a problem.
The EFF study conflates the term RA with issue under an intermediate certificate, the two are completely separate. There are plenty of examples of an RA that issues directly under the CA root and there are plenty of examples where a CA manages an intermediate root directly. The best definition of the RA function is that the RA is responsible for authorizing issue of certificates. But authorization from the RA is only a necessary condition, it is not necessarily sufficient. In the WebPKI an affiliate or enterprise customer may run an RA, but the CA is now required to perform certain validation functions directly. Since you probably don't want to have the validation taking place in the room with the private key the logical arrangement is again a RA. On Wed, Jan 8, 2014 at 1:30 PM, Ben Laurie <[email protected]> wrote: > On 27 December 2013 10:06, Ralph Holz <[email protected]> wrote: > > Hi, > > > > [The EFF's count] > > > >>> You can't calculate the number of CAs the way the EFF tried to. An > >>> intermediate certificate does not equate to a CA. Pretending it does to > >>> peddle an alternative PKI scheme calls into question their veracity. > >>> > >> > >> I disagree strongly. I have an intermediate certificate. I am as > >> powerful CA as a result. > >> Please also see these estimates which are even higher: > >> > >> https://zakird.com/slides/durumeric-https-imc13.pdf > >> > >> "Identified 1,832 CA certificates belonging to 683 organizations" > >> "311 (45%) of the organizations were provided certificates by > >> German National Research and Education Network (DFN) " > > > > I was there at IMC and spoke with Zakir. He was not aware of the fact > > that the private keys to all the intermediate certificates are held by > > the central DFN Verein, not the RAs themselves. In the case of DFN, the > > intermediate certs only identify the RAs. The RAs do not carry signing > > power. > > What is the function of an RA, then, if not to tell a CA "sign this"? > _______________________________________________ > therightkey mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/therightkey > -- Website: http://hallambaker.com/
_______________________________________________ therightkey mailing list [email protected] https://www.ietf.org/mailman/listinfo/therightkey
