They claimed 600 CAs on the Internet. Their claim was disproved; the intermediate roots are not under direct control of the customers.

They did not retract or clarify. That is not how reputable academics do their work. They were making a political statement using Fox News type tactics.

On Wed, Sep 14, 2011 at 11:31 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> On 09/14/2011 11:13 AM, Daniel Kahn Gillmor wrote:
> >> This is why the bogus EFF study came up
> >> with the absurd number of 600 CAs. What they have never come clean on is the
> >> fact that 150 of those 'CAs' are in fact merely intermediate roots tied to a
> >> single customer that are managed in the same infrastructure as the root CA
> >> operations.
> >
> > if those intermediate authorities are not explicitly domain-restricted
> > *in their own certificate*, then yes -- the risk is larger. i don't
>
> sorry -- this got cut off somehow.
>
> ... i don't think EFFs study is bogus in its analysis. "the same
> infrastructure" doesn't mean "using the same access controls" --
> certainly customers in control of an intermediate root have more access
> to that root than other people, so there are additional risks to relying
> parties from them if they're not explicitly domain-restricted.
>
> Were these 150 intermediate certs explicitly domain-restricted in the
> certificates themselves?
>
> --dkg

--
Website: http://hallambaker.com/
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
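Added example, not code from this thread or from either author: the check dkg is asking about is whether an intermediate carries the X.509 Name Constraints extension in its own certificate, and the relying party's verifier then refuses leaves issued outside those subtrees. Everything below is constructed in memory with Go's standard crypto/x509 (a throwaway root, a customer intermediate, a server leaf); the names Constructed Root, Customer Intermediate and example.com are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { // constructed root: sign with its own key
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above always parses
	return cert, key
}

// IsDomainRestricted reports whether a CA cert carries DNS Name Constraints (RFC 5280 permitted/excludedSubtrees).
func IsDomainRestricted(ca *x509.Certificate) bool {
	return ca.IsCA && (len(ca.PermittedDNSDomains) > 0 || len(ca.ExcludedDNSDomains) > 0)
}

// CheckIssuance has a root-signed customer intermediate (constrained to permitted, unconstrained if nil)
// issue a server cert for host; it returns whether the intermediate is restricted and whether a relying
// party that trusts only the root accepts that leaf for host.
func CheckIssuance(permitted []string, host string) (restricted, accepted bool) {
	ca := func(cn string, permitted []string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0}
	}
	root, rootKey := issue(ca("Constructed Root", nil), nil, nil)
	inter, interKey := issue(ca("Customer Intermediate", permitted), root, rootKey)
	leaf, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return IsDomainRestricted(inter), err == nil
}
```

An unconstrained intermediate gets a leaf for any host accepted; with permittedSubtrees of example.com the same intermediate is reported as restricted and a leaf for www.example.net is rejected by the verifier.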
