Hi,

>> The 650 number came from the number of distinct values for the "Organization"
>> field in the DN. We saw more than 1500 CA certificates, and around 1200
>> DNs.
>
> That's big. I hadn't previously read that "650" was an already
> stripped-down value.
Ah. That clears that up. Well done. It should also address Phillip's concern, at least on a "coarser" level.

A question that remains is how many "O" strings actually semantically identify the same organisation, and how many of these CA certs have been found to issue signatures. @Peter, did you attempt to check for similarities in the "O" or "OU" strings?

BTW, I just had a look at the Defcon slides again - EFF do mention "651 organisations" as opposed to 1,500+ CA certs. And to be clear, roughly that latter number is "trustable" from the Mozilla or Windows root store.

Ralph