2011/11/6 Peter Eckersley <[email protected]>:
> On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:
>
>> In practice, you can only register root CAs into browsers, and you're
>> strongly advised to *not* issue certificates directly under the root,
>> as was the case some years ago with the big CA vendors selling
>> X.509v1 certificates. So a company acting as a CA has at least one
>> root CA,
>
> There are certainly some companies that act as CAs that are "only"
> subordinate/intermediate CAs. We know this with a fair degree of certainty,
> because companies that operate root CAs have asked us, "can you use the
> Observatory to tell us what this company we issued a sub-CA to has been
> signing with it?".
I agree, such companies exist. We too have certified a few companies' CAs that are not present in the Observatory results.

Fortunately, from my point of view, the DigiNotar experience (if we only take this one) will change things:
- the price of such certifications will be much greater
- the issuing CA will perform annual audits on the subordinate CAs, *and* ask them to perform third-party audits

All this should be based on the risks the issuing CA is taking by delegating trust.

>> Add to this imposed segmentation some levels (for example in Europe, we have
>> qualified certificates,
>
> Do you mean the X509v3 Name Constraints field? We only saw two CAs that used
> that (https://mail1.eff.org/pipermail/observatory/2011-April/000206.html)

No. See RFC3739 for some background. You can just consider these as other "Class {1,2,3}" certificate variations.

>> and in France we have other "France-only" rules). Those CA certificates can
>> be counted as different CAs if you stick to pure X.509 rules, but they are
>> all held by the same one company, and operated by the same people, only
>> applying different validation rules. Does that still count as so many CAs? I
>> doubt it.
>
> The 650 number came from the number of distinct values for the "Organization"
> field in the DN. We saw more than 1500 CA certificates, and around 1200
> DNs.

That's big. I hadn't previously read that "650" was an already stripped-down value.

-- 
Erwann.
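An added example (mine, not from this thread or from the EFF Observatory's own code) showing the three counts discussed above on constructed CA subject DNs: every CA certificate, every distinct subject DN, and every distinct Organization, so that one company operating a root plus differently-named sub-CAs shows up as several "CAs" by DN but as one by Organization. The sample certificates and names are made up.

```python
from collections import defaultdict


def parse_dn(dn: str) -> dict:
    """Split an RFC 4514 string DN into {ATTR: value}, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        key, _, value = part.strip().partition("=")
        attrs[key.strip().upper()] = value.strip()
    return attrs


def ca_counts(ca_certs):
    """Return (CA certificates, distinct subject DNs, distinct Organizations)."""
    dns = {subject for _, subject in ca_certs}
    orgs = {parse_dn(subject).get("O", "") for subject in dns}
    return len(ca_certs), len(dns), len(orgs)


def certs_per_org(ca_certs):
    """Group distinct subject DNs by Organization: one company behind many 'CAs'."""
    by_org = defaultdict(set)
    for _, subject in ca_certs:
        by_org[parse_dn(subject).get("O", "")].add(subject)
    return {org: sorted(subjects) for org, subjects in by_org.items()}


# Constructed sample (not real certificates): one company with a re-issued root
# (same DN, new serial), a qualified sub-CA, a "France-only" sub-CA, and a second
# company that is only a subordinate CA.
SAMPLE_CA_CERTS = [
    ("01", "CN=Example Root CA,O=Example CA\\, Inc.,C=FR"),
    ("02", "CN=Example Root CA,O=Example CA\\, Inc.,C=FR"),
    ("03", "CN=Example Qualified CA,O=Example CA\\, Inc.,C=FR"),
    ("04", "CN=Example France-Only CA,O=Example CA\\, Inc.,C=FR"),
    ("05", "CN=Acme Sub CA,O=Acme Ltd,C=GB"),
]

if __name__ == "__main__":
    print(ca_counts(SAMPLE_CA_CERTS))  # (5, 4, 2)
```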
