Hi,

> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> like it was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA, and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...). Add to this imposed segmentation some
> levels (for example in Europe, we have qualified certificates, and in
> France we have other "France-only" rules). Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they
> are all held by the same one company, and operated by the same people,
> only applying different validation rules. Does that still count as so
> many CAs? I doubt so.

That's the point Phillip was referring to, too. But the more interesting question to me seems here: if CAs = the companies operate sub-CAs, why do so many CA = companies have several root certificates in NSS? The latest count of roots in NSS was 150+; and I remember someone from Mozilla recently mentioned that the number of companies is much lower, near 35-40 or so.

And correct me if I am wrong - but isn't it so that some CAs = companies have root certs for DV *and* EV in the NSS root store?

Ralph

--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/