[SSL Observatory] Number of CAs

Ben Wilson ben at digicert.com
Wed Dec 7 10:56:58 PST 2011


Peter,

In an earlier post you wrote that the number "650+" for separate CAs came
from the number of distinct values for the "Organization" field in the DN
(out of more than 1500 CA certificates and 1200 DNs).  Many of us in the CA
industry believe - from a purely objective standpoint - that the threat surface
in need of attention is smaller.  Is anyone else besides a few of us CAs
interested in analyzing this same general area (number of CAs) with
different criteria in mind?  If the PKI hierarchies involved and physical
location of CA keys were considered, then different conclusions could be
made.  For instance, what would the map look like if the DFN-Verein root
were removed?  It's just that the number "650" is now being used regularly
in various venues to argue that the problem is that there are too many weak
links - but while there may be a statistical correlation (the more cars there
are, the more likely you are to get into an accident), the large number
alone does not lead directly to the conclusions being made.  As someone
mentioned to me recently, it's just a number, but what it connotes might be
something more and statistics and visual representations support the case
one tries to make.  All I am saying is that a number alone only tells us
"how many" - it doesn't tell us anything about "good" or "bad."  In other
words, a purely quantitative analysis without corresponding qualitative
criteria brings about a different result and leads to a different conclusion
than what course of action might be best.  Just some thoughts.

Ben

 

Benjamin T. Wilson, JD CISSP 
General Counsel and SVP Industry Relations
DigiCert, Inc.
