<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Bernhard,<br>
<br>
Thank you for providing this terrific tool!<br>
<br>
The search capability that you included is also very helpful. For
the CAs that I can't remember the CNs of their certs, I can use
<a class="moz-txt-link-freetext" href="http://tinyurl.com/MozillaBuiltInCAs">http://tinyurl.com/MozillaBuiltInCAs</a> to find the one I'm
interested in, then start typing the CN into the search area at
the top of the page, get the pulldown list, select the cert of
interest, and go right to that node. Very cool!<br>
<br>
I hope that most of these CA certs will become name constrained
soon!<br>
<br>
Thanks!<br>
Kathleen<br>
<br>
<br>
On 12/13/12 9:23 PM, Bernhard Amann wrote:<br>
</div>
<blockquote
cite="mid:C5F5DFFD-43C4-4CAB-AD3E-FF0AA2038165@icsi.berkeley.edu"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Hi All,
<div><br>
</div>
<div>We just released an interactive graph that shows the
relationship</div>
<div>between the root-CAs of the Mozilla root-store and their
intermediates </div>
<div>at <a moz-do-not-send="true"
href="http://notary.icsi.berkeley.edu/trust-tree/">http://notary.icsi.berkeley.edu/trust-tree/</a>. </div>
<div><br>
</div>
<div>Root-CAs are pictured as red nodes, intermediate CAs are
green. </div>
<div>The node diameter scales logarithmically with the number of </div>
<div>certificates signed by the node. Similarly, the color of the
green </div>
<div>nodes scales proportional to the diameter.</div>
<div><br>
</div>
<div>
<div>The data source for this graph is the ICSI SSL notary [1],
which was</div>
<div>previously mentioned on this mailing list. We have been
passively </div>
<div>monitoring the Internet uplinks of a number of (mostly) edu</div>
<div>networks for certificate and SSL information for about 10
months.</div>
</div>
<div><br>
</div>
<div>Clicking on individual nodes reveals additional information
about the </div>
<div>CAs, especially the number of valid child certificates we
currently </div>
<div>know for it.</div>
<div><br>
</div>
<div>
<div>In the graph, the CA that directly signed the largest
number of certificates</div>
<div>is the Go Daddy Secure Certification Authority, an
intermediate of </div>
<div>GoDaddy. Our current dataset contains over 74,000
certificates </div>
<div>that it signed.</div>
</div>
<div><br>
</div>
<div>
<div>The DFN-Verein CA has signed the largest number of
intermediate </div>
<div>CA certificates. As you might know it provides certificates
for </div>
<div>many German higher education and research institutions. It
creates </div>
<div>a unique sub-CA for each institution for which it issues
certificates.</div>
<div>Our data set currently contains more than 200 sub-CAs of
it.</div>
<div>The DFN does this for administrative reasons. The control
of the</div>
<div>private keys of all sub-CAs remains at the DFN and they
check</div>
<div>each certificate request.</div>
<div><br>
</div>
</div>
<div>If you have any questions or comments about this, please let
us</div>
<div>know.</div>
<div><br>
</div>
<div>Bernhard</div>
<div><br>
</div>
<div>[1]: <a moz-do-not-send="true"
href="http://notary.icsi.berkeley.edu/trust-tree/">http://notary.icsi.berkeley.edu/</a></div>
</blockquote>
<br>
</body>
</html>