On Sun, Nov 6, 2011 at 1:49 PM, Peter Eckersley <[email protected]> wrote:
> On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:
>
> > In practice, you can only register root CAs into browsers, and you're
> > strongly advised to *not* issue certificates directly under the root,
> > like it was the case some years ago with the big CA vendors selling
> > X.509v1 certificates. So a company acting as a CA has at least one
> > root CA,
>
> There are certainly some companies that act as CAs that are "only"
> subordinate/intermediate CAs. We know this with a fair degree of
> certainty, because companies that operate root CAs have asked us,
> "can you use the Observatory to tell us what this company we issued
> a sub-CA to has been signing with it?".

Nobody has ever disputed the fact that some of the intermediate certs are cross certificates.

What has now been proven is that most of those certificates are not cross certificates. Yet you still cling to making that claim.

Who is your supervisor at the EFF? Is there someone we can take this up with who is interested in the truth of the claims made?

--
Website: http://hallambaker.com/
