On Sat, Nov 5, 2011 at 11:40 AM, Matthias Hunstock < [email protected]> wrote:
> On 05.11.2011 16:35, Phillip Hallam-Baker wrote:
>
> > The most that can be supported by the evidence they have is that we do
> > not know if those LRAs have that capability or not. Note that that is a
> > completely valid criticism and one that we are already moving to address.
>
> I am a member of one of these LRAs and I can tell you that we can NOT
> issue a cert for twitter.com.
>
> That's the only reason I spoke up, because the ongoing bashing of the
> DFN-CA starts to get annoying.

The only problem that I have had with DFN is that they never replied to my queries asking them about their issue practices.

Issuing under a separate intermediate cert per LRA is quite definitely the right way to go about issue.

The problem is that the EFF has been claiming 650 CAs when at least 200 are not CAs. DFN just happens to be managing those 200 LRAs.

Since the point has now been proven, I think that the EFF needs to publicly withdraw its claim of 650 CAs. Note that the same objection applies to the remaining 450 organizations, i.e. it is not possible to determine whether an intermediate cert with a different subject to the issuer is issued to an LRA or is a cross cert for a CA.

CA cross certs are really very rare. They cost a great deal of money for a start.

-- 
Website: http://hallambaker.com/
