So you accept the criticism but now claim an even higher number of 'CAs' based on data that you admit that you cannot measure?<div><br></div><div>And you don't see that you have a credibility problem?</div><div>
<br></div><div><br></div><div>I notice that you made no response on the question of peer review. For the avoidance of confusion could you either confirm that you have not sought peer review or state the journal where your paper has been accepted?</div>
<div><br><br><div class="gmail_quote">On Fri, Nov 4, 2011 at 8:42 PM, Peter Eckersley <span dir="ltr"><<a href="mailto:pde@eff.org">pde@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Thu, Nov 03, 2011 at 10:16:00PM -0400, Phillip Hallam-Baker wrote:<br>
<br>
> If someone is going to claim that there are '650 CAs' then they could at<br>
> least ask why the DFN root has 200 intermediates chained and if they are<br>
> actually CAs as being claimed.<br>
><br>
<br>
</div>Previously I was unsure about whether the real number of CAs was more or less<br>
than 650, though I now believe it is significantly higher, because people keep<br>
telling me they are seeing huge numbers of universally trusted CAs operating<br>
on networks that we haven't been able to scan.<br>
<br>
There is, however, an important difference between the number of key storage<br>
systems that could be compromised in such a way that the attacker learns the<br>
private key, and the number of CAs that can be compromised in such a way that<br>
the attacker makes herself a certificate for arbitrary domains like<br>
<a href="http://mailserver.mycorporation.com" target="_blank">mailserver.mycorporation.com</a>.<br>
<br>
In the case of the DFN subordinate that we observed beneath Deutsch Telekom's<br>
root, my best estimate is that the private keys for its sub-CAs are<br>
physically controlled by DFN (ie, only one place you could steal those private<br>
keys from), but what they sign is determined remotely on computers at the 200<br>
institutions named in these CAs (ie, 200 systems you could break into in order<br>
to perform a CA-certified attack on the target of your choice).<br>
<br>
<a href="https://www.pki.dfn.de/ca-auslagerung/" target="_blank">https://www.pki.dfn.de/ca-auslagerung/</a><br>
<br>
Funky Google translation from German:<br>
<br>
Outsourcing of a CA<br>
<br>
The DFN-PKI provides outsource all users in the German research network<br>
allows the tasks of their own certification bodies to the DFN-Verein. The<br>
basis for the separation of the technical functions of a certification<br>
authority (CA) of the organizational tasks of a Registration Authority (RA).<br>
<br>
The DFN-Verein organizes on behalf of the user's certification authority.<br>
So this is the user any special hardware and software infrastructure<br>
necessary and the local staff costs can be significantly reduced compared<br>
with a non-paged CA.<br>
<br>
The registration authority remains with the user. The services of a<br>
registrar (eg verification of identity and authenticity) can DFN-users as<br>
through existing organizational units such as enrollment offices are<br>
provided.<br>
<br>
For the work processes and information exchange between the user and the<br>
DFN DFN-Verein customized, secure interfaces are provided.<br>
<br>
DFN-PKI test<br>
<br>
The DFN-PKI test offers the opportunity to familiarize themselves with the<br>
functioning of ports and try to "playful" way all the steps in an external<br>
certification authority.<br>
<br>
If you have questions about outsourcing your certificate authority, or to<br>
request the necessary forms, please send an e-mail to <a href="mailto:pki@dfn.de">pki@dfn.de</a>.<br>
<br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Website: <a href="http://hallambaker.com/">http://hallambaker.com/</a><br><br>
</div>