Phillip Hallam-Baker:
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <cont...@taoeffect.com> wrote:
> 
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post:
>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
> 
> Which kind of calls their credibility into question.

No, I don't think so, actually.

> HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.

Their count isn't off simply because you want to reduce a large number
of keys into a single entity.

> 
> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.
> 

I disagree strongly. I have an intermediate certificate. I am as
powerful a CA as a result.

Please also see these estimates which are even higher:

https://zakird.com/slides/durumeric-https-imc13.pdf

"Identified 1,832 CA certificates belonging to 683 organizations"
"311 (45%) of the organizations were provided certificates by
German National Research and Education Network (DFN)"

http://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_28

"More than 1200 root and intermediate CAs can currently sign
certificates for any domain and be trusted by popular browsers."

> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.

I've cc'ed Seth Schoen from the EFF - I'd be surprised if he had no
response.

Later you said:

> 1) Failing to examine the issue when the DFN root accounted for half of the
> purported '600 CAs'
> 

Other estimates appear to be much higher than the EFF count. What is
your qualification for what counts as a CA? For example - Debian
GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
with another, heck Microsoft even adds new CA certs dynamically, right?
So what is your metric exactly?

> 2) Continuing to count the DFN as 300 CAs when they know it is one.

The number matters because it isn't just an issue of control over a
single signing key. I'd be interested to hear how many of those
CAs/sub-CAs are able to sign leaf certificates.


All the best,
Jacob
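The counting questions raised above (what counts as a CA, and how many of those certificates can sign leaf certificates), as an added shell example that is not part of the thread: it assumes OpenSSL 1.1.1 or newer, builds a constructed three-certificate PKI to run against, and `inventory` can equally be pointed at a real store such as /etc/ssl/certs.

```shell
#!/bin/sh
# Added example (not from the thread): count CA certificates in a directory of PEM
# files three ways with openssl (OpenSSL 1.1.1+ assumed). Metrics: certificate count,
# distinct subject organisations (the "1,832 certs vs 683 organisations" distinction),
# and CA:TRUE certificates with no Name Constraints, i.e. those able to issue a leaf
# for any domain. Usage: inventory /etc/ssl/certs

count_certs() { ls "$1"/*.pem | wc -l | tr -d ' '; }

# Distinct subject O= values, RFC 2253 form (sample names contain no escaped commas).
count_orgs() {
  for f in "$1"/*.pem; do
    openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed -n 's/.*[=,]O=\([^,]*\).*/\1/p'
  done | sort -u | wc -l | tr -d ' '
}

# CA:TRUE without a Name Constraints extension: can sign a leaf for any name.
count_unconstrained_cas() {
  n=0
  for f in "$1"/*.pem; do
    t=$(openssl x509 -in "$f" -noout -text)
    if printf '%s' "$t" | grep -q 'CA:TRUE' && ! printf '%s' "$t" | grep -q 'Name Constraints'; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

inventory() {
  echo "certs=$(count_certs "$1") orgs=$(count_orgs "$1") unconstrained_cas=$(count_unconstrained_cas "$1")"
}

# Constructed sample PKI: a root and an unconstrained intermediate from one
# organisation, plus a name-constrained sub-CA issued to a second organisation.
csr() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
          -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
make_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=critical,CA:TRUE\nnameConstraints=critical,permitted;DNS:.example.edu\n' > "$d/edu.ext"
  csr "$d/root" "/O=Example Root Org/CN=Example Root"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  csr "$d/ica" "/O=Example Root Org/CN=Example Intermediate"
  openssl x509 -req -in "$d/ica.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/ica.pem" 2>/dev/null
  csr "$d/edu" "/O=Example University/CN=Constrained Sub-CA"
  openssl x509 -req -in "$d/edu.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/edu.ext" -out "$d/edu.pem" 2>/dev/null
}
```

On the constructed PKI this reports three certificates, two organisations and two unconstrained CAs, which is exactly the gap between "number of CA certificates" and "number of CAs" the thread argues over.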
_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey