On Mon, Nov 07, 2011 at 05:46:18PM +0100, Ralph Holz wrote:
>
> That's the point Phillip was referring to. But the more interesting
> question to me seems here: if CAs = the companies operate sub-CAs, why
> do so many CA = companies have several root certificates in NSS?

I think everyone here agrees that multiple CA certificates does not equal
independent sub-CAs.

> The latest count of roots in NSS was 150+; and I remember someone from
> Mozilla recently mentioned that the number of companies is much lower, near
> 35-40 or so.

The Microsoft trusted root certificate program does a clearer job of
indicating which root CAs are controlled by which organizations.

https://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

The latest version of that list appears to contain 320 root certs, with 111
organizations listed as controlling them. In a few instances, perhaps one
could argue that different listed organizations are potentially equivalent.
For instance, these two:

  Government of Latvia, Latvian Post
  Government of Latvia, Latvian State Radio & Television Centre (LVRTC)

But in a case like that I'm inclined to trust Microsoft's judgement in
determining that these CAs were controlled by different organizations.

-- 
Peter Eckersley                            [email protected]
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
