On 09/14/2011 11:13 AM, Daniel Kahn Gillmor wrote:
>> This is why the bogus EFF study came up with the absurd number of 600 CAs.
>> What they have never come clean on is the fact that 150 of those 'CAs' are
>> in fact merely intermediate roots tied to a single customer that are managed
>> in the same infrastructure as the root CA operations.
>
> if those intermediate authorities are not explicitly domain-restricted
> *in their own certificate*, then yes -- the risk is larger. i don't
sorry -- this got cut off somehow.
... i don't think EFF's study is bogus in its analysis. "the same
infrastructure" doesn't mean "using the same access controls" --
certainly customers in control of an intermediate root have more access
to that root than other people, so there are additional risks to relying
parties from them if they're not explicitly domain-restricted.
Were these 150 intermediate certs explicitly domain-restricted in the
certificates themselves?
--dkg
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
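The question dkg puts to the list, whether an intermediate is "explicitly domain-restricted in the certificate itself", is a mechanical one: does the CA certificate carry an RFC 5280 nameConstraints extension, and do the names a leaf asks for fall inside its permitted DNS subtrees. The script below is an added example, not code from the websec thread, the EFF study, or any CA; it uses the Python `cryptography` package to build a throwaway root, one constrained and one unconstrained customer sub-CA, and a few leaves, all with made-up names, then inspects them. The DNS matching rule is the one in RFC 5280 section 4.2.1.10. It checks a single issuer, whereas a full path validator intersects the constraints of every CA in the chain.

```python
# Added example for the thread above (not code from the websec list or the EFF
# study).  Needs the `cryptography` package.  All keys, certificates and
# hostnames are generated in memory and are made up.
import datetime
from typing import List, Optional, Tuple

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _builder(subject_cn, issuer_name, pubkey):
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name or subject)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365)))


def make_ca(cn, issuer=None, permitted_dns=None):
    """Return (cert, key); self-signed unless issuer=(cert, key) is given.
    With permitted_dns the CA certificate itself carries a critical
    nameConstraints extension, so a conforming validator rejects anything it
    signs for names outside those subtrees, however the CA is operated."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = (_builder(cn, issuer[0].subject if issuer else None, key.public_key())
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(x509.KeyUsage(
             digital_signature=False, content_commitment=False, key_encipherment=False,
             data_encipherment=False, key_agreement=False, key_cert_sign=True,
             crl_sign=True, encipher_only=False, decipher_only=False), critical=True))
    if permitted_dns:
        b = b.add_extension(x509.NameConstraints(
            [x509.DNSName(d) for d in permitted_dns], None), critical=True)
    return b.sign(issuer[1] if issuer else key, hashes.SHA256()), key


def make_leaf(dns_names, issuer):
    """End-entity certificate for dns_names, signed by issuer=(cert, key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    san = x509.SubjectAlternativeName([x509.DNSName(d) for d in dns_names])
    return (_builder(dns_names[0], issuer[0].subject, key.public_key())
            .add_extension(san, critical=False).sign(issuer[1], hashes.SHA256()))


def dns_constraints(cert: x509.Certificate) -> Optional[Tuple[List[str], List[str]]]:
    """(permitted, excluded) DNS subtrees from nameConstraints, or None when
    the certificate carries no such extension, i.e. it is not domain-restricted
    in the certificate itself."""
    try:
        nc = cert.extensions.get_extension_for_class(x509.NameConstraints).value
    except x509.ExtensionNotFound:
        return None
    dns = lambda subtrees: [n.value for n in (subtrees or []) if isinstance(n, x509.DNSName)]
    return dns(nc.permitted_subtrees), dns(nc.excluded_subtrees)


def _in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10: a DNS name satisfies a subtree when it equals it or is
    formed by adding labels on the left (www.host.example.com satisfies
    host.example.com; host1.example.com does not).  A leading dot in the
    subtree matches proper subdomains only."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def dns_name_permitted(name: str, permitted: List[str], excluded: List[str]) -> bool:
    """Excluded subtrees win over permitted ones; an empty permitted list
    leaves the DNS name type unrestricted."""
    if any(_in_subtree(name, s) for s in excluded):
        return False
    return not permitted or any(_in_subtree(name, s) for s in permitted)


def leaf_within_issuer_constraints(leaf, issuer) -> bool:
    """True when every DNS SAN of leaf is allowed by issuer's name constraints.
    Trivially True when the issuer has none: it could have signed any name."""
    nc = dns_constraints(issuer)
    if nc is None:
        return True
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return all(dns_name_permitted(d, *nc) for d in san.get_values_for_type(x509.DNSName))


def demo() -> dict:
    root = make_ca("Demo Root")
    constrained = make_ca("Customer Sub-CA", root, permitted_dns=["example.com"])
    unconstrained = make_ca("Other Sub-CA", root)
    inside = make_leaf(["www.example.com", "example.com"], constrained)
    outside = make_leaf(["login.example.net"], constrained)  # mis-issued name
    anything = make_leaf(["login.example.net"], unconstrained)
    return {
        "constrained_has_nc": dns_constraints(constrained[0]) is not None,
        "unconstrained_has_nc": dns_constraints(unconstrained[0]) is not None,
        "inside_ok": leaf_within_issuer_constraints(inside, constrained[0]),
        "outside_ok": leaf_within_issuer_constraints(outside, constrained[0]),
        "unconstrained_signs_anything": leaf_within_issuer_constraints(anything, unconstrained[0]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

To ask the same question of a real intermediate, load it with `x509.load_pem_x509_certificate(open("sub.pem", "rb").read())` and pass it to `dns_constraints`; `openssl x509 -in sub.pem -noout -text` shows the same data under "X509v3 Name Constraints". Two caveats a relying party should keep in mind: the extension only protects clients whose validator actually enforces it, and constraints are intersected along the whole chain, which this single-issuer check does not model.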
