Hi,

Apologies if I'm spamming the list, but I am still trying to get to the bottom of this:

> The problem is that the EFF has been claiming 650 CAs when at least
> 200 are not CAs. DFN just happens to be managing those 200 LRAs.

As I understand Peter's comment from the other thread, their methodology was to distinguish organisations by the "O" field. This yields 650 certificates that have CA:True, are trustable via the root stores and are distinguished as organisations in the DN.

Your objection to this is that this still does not identify "CA capability" because, as in the case of DFN, control over issuance is still with another, higher authority.

Consider these subjects of 2 certificates with CA:True in the EFF data, where the issuer is DFN in both cases:

C=DE, O=Technische Universitaet Muenchen, CN=Zertifizierungsstelle der TUM
C=DE, O=Technische Universitaet Ilmenau, CN=TU Ilmenau CA/[email protected]

According to the EFF methodology, these would be counted as CAs because the O strings are distinct. Yet as Matthias has said for the third example, they cannot *arbitrarily* issue to any domain name, and the guidelines for what they can issue are somewhere in the DFN policies.

Would that be a correct summary of the whole thing? (I didn't go into the cross-signing issue yet - the above does not constitute cross-signing for me.)

Ralph
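As an added example (not part of the list thread, and not EFF's or DFN's own tooling), the two counting methods under discussion applied to a small constructed certificate set: the EFF-style count of distinct subject "O" values over CA:True certificates, and a grouping of those same certificates under the organisation that issued them. The two TU subject DNs are the ones quoted in the message (the Ilmenau e-mail component dropped); the root and DFN issuer DNs, the "Beispiel GmbH" sub-CA and the end-entity certificate are constructed for illustration. Which issuers count as "managing" their subordinates is passed in as external knowledge, since, as the message says, that information lives in policy documents and not in the certificates themselves.

```python
"""Two ways of counting CAs over a constructed set of certificate records.

Each record mimics the fields the EFF data exposes: subject DN, issuer DN
and the basicConstraints CA flag.  DNs are RFC 4514-style strings.
"""
from collections import defaultdict


def parse_dn(dn):
    """Parse 'C=DE, O=Foo\\, Inc, CN=x' into a dict of attribute -> value.

    A backslash escapes the following character, so 'Foo\\, Inc' keeps its
    comma.  A repeated attribute type keeps the last value (enough here).
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    attrs = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


# Constructed DNs (assumptions for this example), except the two TU subjects,
# which are the ones quoted in the message.
ROOT = "C=DE, O=Example Root Operator, CN=Example Root CA"
DFN = "C=DE, O=DFN-Verein, CN=DFN PCA"
TUM = "C=DE, O=Technische Universitaet Muenchen, CN=Zertifizierungsstelle der TUM"
ILMENAU = "C=DE, O=Technische Universitaet Ilmenau, CN=TU Ilmenau CA"
BEISPIEL = "C=DE, O=Beispiel GmbH\\, Trust Services, CN=Beispiel Sub CA"  # escaped comma

CERTS = [
    {"subject": ROOT, "issuer": ROOT, "ca": True},       # self-signed root
    {"subject": DFN, "issuer": ROOT, "ca": True},        # DFN, signed by the root
    {"subject": TUM, "issuer": DFN, "ca": True},         # sub-CA under DFN
    {"subject": ILMENAU, "issuer": DFN, "ca": True},     # sub-CA under DFN
    {"subject": BEISPIEL, "issuer": ROOT, "ca": True},   # independent sub-CA
    # End-entity certificate (CA:False): neither method may count it.
    {"subject": "C=DE, O=Technische Universitaet Ilmenau, CN=www.tu-ilmenau.de",
     "issuer": ILMENAU, "ca": False},
]


def organisations_with_ca_cert(certs):
    """EFF-style count: distinct subject O over certificates with CA:True."""
    return {parse_dn(c["subject"])["O"] for c in certs if c["ca"]}


def subordinates_by_issuer(certs):
    """Map issuer O -> set of subject O of the CA:True certificates it signed.

    Self-signed roots and same-organisation intermediates are left out, so
    the result shows how many distinct 'organisations' hang off one issuer.
    """
    out = defaultdict(set)
    for c in certs:
        if not c["ca"]:
            continue
        subject_o = parse_dn(c["subject"])["O"]
        issuer_o = parse_dn(c["issuer"])["O"]
        if subject_o != issuer_o:
            out[issuer_o].add(subject_o)
    return dict(out)


def organisations_excluding_managed(certs, managing_issuers):
    """Count again, dropping every subject O whose CA:True certificates are
    all issued by an organisation in managing_issuers (external knowledge
    from policy documents, e.g. {"DFN-Verein"} for the DFN LRAs)."""
    issuers_of = defaultdict(set)  # subject O -> issuer Os of its CA certs
    for c in certs:
        if c["ca"]:
            issuers_of[parse_dn(c["subject"])["O"]].add(parse_dn(c["issuer"])["O"])
    managing = set(managing_issuers)
    return {org for org, issuers in issuers_of.items() if not issuers <= managing}


if __name__ == "__main__":
    print("by subject O:", sorted(organisations_with_ca_cert(CERTS)))
    print("subordinates:", subordinates_by_issuer(CERTS))
    print("excluding DFN-managed:",
          sorted(organisations_excluding_managed(CERTS, {"DFN-Verein"})))
```

On this data the subject-O method yields five "CAs" (root, DFN, the two universities and the independent sub-CA), while grouping by issuer shows both universities sitting under DFN-Verein; treating DFN as a managing issuer brings the count down to three. Note that the second step cannot be derived from the certificates alone: nothing in the TUM or Ilmenau certificate distinguishes a policy-constrained LRA from an independently operated sub-CA that merely happens to be signed by DFN.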
