Hi,

sorry that it took a while - but I created a second version now that simply removes all sub-CAs of the DFN. It is available at
http://notary.icsi.berkeley.edu/trust-tree-no-dfn/

(I know - something where you could remove it live would be nicer. Perhaps in the future…)

Bernhard

On Dec 14, 2012, at 8:18 AM, Ben Wilson <[email protected]> wrote:

> I’d like an option that removes or shrinks the DFNVerein PKI.
>
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Bernhard Amann
> Sent: Thursday, December 13, 2012 10:24 PM
> To: [email protected]
> Subject: [SSL Observatory] The Trust Tree: An interactive graph of the CA
> ecosystem
>
> Hi All,
>
> We just released an interactive graph that shows the relationship
> between the root-CAs of the Mozilla root-store and their intermediates
> at http://notary.icsi.berkeley.edu/trust-tree/.
>
> Root-CAs are pictured as red nodes, intermediate CAs are green.
> The node diameter scales logarithmically with the number of
> certificates signed by the node. Similarly, the color of the green
> nodes scales proportional to the diameter.
>
> The data source for this graph is the ICSI SSL notary [1], which was
> previously mentioned on this mailing list. We have been passively
> monitoring the Internet uplinks of a number of (mostly) edu
> networks for certificate and SSL information for about 10 months.
>
> Clicking on individual nodes reveals additional information about the
> CAs, especially the number of valid child certificates we currently
> know for it.
>
> In the graph, the CA that directly signed the largest number of certificates
> is the Go Daddy Secure Certification Authority, an intermediate of
> GoDaddy. Our current dataset contains over 74,000 certificates
> that it signed.
>
> The DFN-Verein CA has signed the largest number of intermediate
> CA certificates. As you might know it provides certificates for
> many German higher education and research institutions. It creates
> a unique sub-CA for each institution for which it issues certificates.
> Our data set currently contains more than 200 sub-CAs of it.
> The DFN does this for administrative reasons. The control of the
> private keys of all sub-CAs remains at the DFN and they check
> each certificate request.
>
> If you have any questions or comments about this, please let us
> know.
>
> Bernhard
>
> [1]: http://notary.icsi.berkeley.edu/
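
Added example (not part of the thread and not the ICSI Notary's code): one way to build such a trust tree from issuer relationships, with red/green nodes, log-scaled diameters, and a view that removes all sub-CAs of one CA while keeping that CA. The record layout, the root and university names, all counts, and the scaling constants are assumptions made for illustration.

```python
import math
from collections import defaultdict

MIN_DIAMETER, SCALE = 4.0, 6.0  # assumed; the post only says "logarithmically"

# Constructed sample records: (CA name, issuer or None for a root, certs signed directly).
# Root and university names and all counts are made up for illustration.
CAS = [
    ("Example Root 1", None, 12),
    ("Go Daddy Secure Certification Authority", "Example Root 1", 74000),
    ("Example Root 2", None, 0),
    ("DFN-Verein CA", "Example Root 2", 3),
    ("Uni X CA", "DFN-Verein CA", 150),
    ("Uni Y CA", "DFN-Verein CA", 40),
    ("Uni Y Dept CA", "Uni Y CA", 5),
]

def build_tree(cas):
    """Return (nodes, children): display attributes per CA and an issuer -> sub-CA index."""
    nodes, children = {}, defaultdict(list)
    for name, issuer, signed in cas:
        nodes[name] = {
            "color": "red" if issuer is None else "green",  # root vs. intermediate
            "signed": signed,
            "diameter": round(MIN_DIAMETER + SCALE * math.log10(1 + signed), 2),
        }
        if issuer is not None:
            children[issuer].append(name)
    return nodes, children

def descendants(children, ca):
    """All sub-CAs below `ca` at any depth; the seen-set tolerates cross-signing loops."""
    seen, stack = set(), list(children.get(ca, []))
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(children.get(cur, []))
    seen.discard(ca)  # never drop the CA itself, even if a loop leads back to it
    return seen

def without_sub_cas(cas, ca):
    """Drop every sub-CA of `ca` but keep `ca` itself."""
    drop = descendants(build_tree(cas)[1], ca)
    return [rec for rec in cas if rec[0] not in drop]

def sub_ca_counts(cas):
    """(direct sub-CA count, issuer) pairs, largest first."""
    return sorted(((len(v), k) for k, v in build_tree(cas)[1].items()), reverse=True)
```

Pruning works on descendants at any depth, so a sub-CA that itself issued further intermediates disappears together with them.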
