On Thu, Nov 03, 2011 at 10:16:00PM -0400, Phillip Hallam-Baker wrote:
> If someone is going to claim that there are '650 CAs' then they could at
> least ask why the DFN root has 200 intermediates chained and if they are
> actually CAs as being claimed.

Previously I was unsure about whether the real number of CAs was more or less than 650, though I now believe it is significantly higher, because people keep telling me they are seeing huge numbers of universally trusted CAs operating on networks that we haven't been able to scan.

There is, however, an important difference between the number of key storage systems that could be compromised in such a way that the attacker learns the private key, and the number of CAs that can be compromised in such a way that the attacker makes herself a certificate for arbitrary domains like mailserver.mycorporation.com.

In the case of the DFN subordinate that we observed beneath Deutsche Telekom's root, my best estimate is that the private keys for its sub-CAs are physically controlled by DFN (i.e., only one place you could steal those private keys from), but what they sign is determined remotely on computers at the 200 institutions named in these CAs (i.e., 200 systems you could break into in order to perform a CA-certified attack on the target of your choice).

https://www.pki.dfn.de/ca-auslagerung/

Funky Google translation from German:

  Outsourcing of a CA

  The DFN-PKI offers all users in the German Research Network the
  opportunity to outsource the tasks of their own certification authority
  to the DFN-Verein. The basis for this is the separation of the technical
  functions of a certification authority (CA) from the organizational
  tasks of a registration authority (RA). The DFN-Verein operates the
  certification authority on behalf of the user. The user therefore needs
  no special hardware and software infrastructure, and the local staff
  costs can be reduced significantly compared with a non-outsourced CA.
  The registration authority remains with the user. The services of a
  registration authority (e.g. verification of identity and authenticity)
  can be provided by DFN users through existing organizational units such
  as enrollment offices.

  For the work processes and the exchange of information between the user
  and the DFN-Verein, customized, secure interfaces are provided.

  DFN-PKI test

  The DFN-PKI test offers the opportunity to become familiar with how the
  interfaces work and to try out all the steps of an outsourced
  certification authority in a "playful" way.

  If you have questions about outsourcing your certification authority, or
  to request the necessary forms, please send an e-mail to
  [email protected].
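The distinction drawn in the message above (where a sub-CA's private key lives versus what a relying party will accept from it) can be made concrete with a small constructed PKI. The following Go program is an added example, not code from the original thread, from DFN or from the EFF Observatory: it builds a root, one unconstrained sub-CA and one sub-CA carrying a dNSName name constraint, has each of them sign a server certificate for mailserver.mycorporation.com, and then runs the path validation a TLS client would. All names ("Demo Root CA", "example-university.de", "mailserver.mycorporation.com") are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// DemoPKI is a constructed three-level hierarchy (names are made up): one root,
// one unconstrained sub-CA and one sub-CA limited by a name constraint.
type DemoPKI struct {
	Root             *x509.Certificate
	Unconstrained    *x509.Certificate
	UnconstrainedKey *ecdsa.PrivateKey
	Constrained      *x509.Certificate
	ConstrainedKey   *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate builds a CA template; a non-nil permitted list adds a critical
// dNSName name constraint (RFC 5280 section 4.2.1.10).
func caTemplate(serial int64, cn string, permitted []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if permitted != nil {
		t.PermittedDNSDomains = permitted
		t.PermittedDNSDomainsCritical = true
	}
	return t
}

// sign issues tmpl for pub, signed by parent's key, and returns the parsed certificate.
// Note that signing never consults name constraints: the key will sign anything it is asked to.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates the root and the two sub-CAs.
func BuildDemoPKI() (*DemoPKI, error) {
	rootKey := newKey()
	rootTmpl := caTemplate(1, "Demo Root CA", nil)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	p := &DemoPKI{Root: root, UnconstrainedKey: newKey(), ConstrainedKey: newKey()}
	if p.Unconstrained, err = sign(caTemplate(2, "Demo Sub CA (unconstrained)", nil), root, &p.UnconstrainedKey.PublicKey, rootKey); err != nil {
		return nil, err
	}
	if p.Constrained, err = sign(caTemplate(3, "Demo Sub CA (example-university.de only)", []string{"example-university.de"}), root, &p.ConstrainedKey.PublicKey, rootKey); err != nil {
		return nil, err
	}
	return p, nil
}

// IssueAndVerify has the sub-CA issue a server certificate for dns, then does what a
// TLS client does: build a path to the root and match the host name. True means accepted.
func IssueAndVerify(root, inter *x509.Certificate, interKey *ecdsa.PrivateKey, dns string) bool {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: dns},
		DNSNames:     []string{dns},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(tmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return false
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dns})
	return err == nil
}

// Describe summarizes the authority an intermediate actually carries, which is the
// question to ask before counting it as "a CA".
func Describe(c *x509.Certificate) string {
	if !c.BasicConstraintsValid || !c.IsCA {
		return c.Subject.CommonName + ": not a CA (basicConstraints CA is not TRUE)"
	}
	scope := "any DNS name"
	if len(c.PermittedDNSDomains) > 0 {
		scope = "only " + strings.Join(c.PermittedDNSDomains, ", ")
	}
	return fmt.Sprintf("%s: CA, may certify %s", c.Subject.CommonName, scope)
}

func main() {
	p, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	target := "mailserver.mycorporation.com"
	for _, sub := range []struct {
		c *x509.Certificate
		k *ecdsa.PrivateKey
	}{{p.Unconstrained, p.UnconstrainedKey}, {p.Constrained, p.ConstrainedKey}} {
		fmt.Println(Describe(sub.c))
		fmt.Printf("  client accepts cert for %s: %v\n", target, IssueAndVerify(p.Root, sub.c, sub.k, target))
	}
}
```

Both sub-CAs sign the certificate for mailserver.mycorporation.com without complaint; only the verifier, applying the name constraint on the issuing sub-CA, rejects the one from the constrained issuer. So an intermediate whose key is held in one place but whose issuance is driven from 200 institutions is, for the attacker's purposes, 200 CAs only if it is unconstrained; a name-constrained sub-CA can be counted only for the namespace it is permitted to certify.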
