On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:
> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> like it was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA,

There are certainly some companies that act as CAs that are "only"
subordinate/intermediate CAs. We know this with a fair degree of
certainty, because companies that operate root CAs have asked us, "can
you use the Observatory to tell us what this company we issued a sub-CA
to has been signing with it?".

> and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...).
> Add to this imposed segmentation some levels (for example in Europe, we have
> qualified certificates,

Do you mean the X509v3 Name Constraints field? We only saw two CAs that
used that
(https://mail1.eff.org/pipermail/observatory/2011-April/000206.html)

> and in France we have other "France-only" rules). Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they are
> all held by the same one company, and operated by the same people, only
> applying different validation rules. Does that still count as so many CAs? I
> doubt so.

The 650 number came from the number of distinct values for the
"Organization" field in the DN. We saw more than 1500 CA certificates,
and around 1200 DNs.

-- 
Peter Eckersley                            [email protected]
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
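The three figures in the reply (CA certificates, distinct DNs, distinct "Organization" values) come from three different ways of counting the same set of CA certificates. The following is an added illustration, not Observatory code: it takes a small constructed list of CA subject DNs in RFC 4514 string form and produces the three counts, handling backslash-escaped commas so that an organisation name containing a comma is not split into two organisations.

```python
"""Count CA certificates three ways, as the Observatory figures were
derived: certificates, distinct subject DNs, and distinct Organization (O)
values. The DNs below are constructed examples, not Observatory data."""

# Constructed sample: one RFC 4514 subject DN string per CA certificate.
# Two certificates may share a DN (e.g. a cross-signed copy), and one
# organisation usually holds several sub-CA DNs (EV, DV, code signing...).
SAMPLE_CA_SUBJECTS = [
    "CN=Example Root CA,O=Example Trust Ltd,C=GB",
    "CN=Example Root CA,O=Example Trust Ltd,C=GB",  # cross-signed copy
    "CN=Example EV CA,O=Example Trust Ltd,C=GB",
    "CN=Example DV CA,O=Example Trust Ltd,C=GB",
    "CN=Acme Sub CA,OU=Under Example Root,O=Acme\\, Inc.,C=US",
    "CN=Acme Code Signing CA,O=Acme\\, Inc.,C=US",
    "CN=Gov Qualified CA,O=Gov PKI,C=FR",
]


def parse_dn(dn):
    """Parse an RFC 4514 DN string into a list of (type, value) pairs.
    Honours backslash escapes such as "O=Acme\\, Inc." so the comma inside
    the value is not treated as an RDN separator. Minimal on purpose:
    multi-valued RDNs (+) and hex-encoded (#) values are not handled."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # previous char was a backslash
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # unescaped comma ends the RDN
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        pairs.append((attr_type.strip().upper(), value.strip()))
    return pairs


def count_cas(subjects):
    """Return (certificates, distinct DNs, distinct O values) for a list of
    CA subject DN strings; the third figure is how the 650 was counted."""
    orgs = set()
    for dn in subjects:
        # Take the first O attribute of each DN (subject DNs normally have one).
        orgs.update(v for t, v in parse_dn(dn) if t == "O")
    return len(subjects), len(set(subjects)), len(orgs)
```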
