[SSL Observatory] Number of CAs
Adam Langley
agl at google.com
Wed Dec 7 11:07:33 PST 2011
On Wed, Dec 7, 2011 at 1:56 PM, Ben Wilson <ben at digicert.com> wrote:
> In an earlier post you wrote that the number “650+” for separate CAs came from the number of distinct values for the "Organization" field in the DN (out of more than 1500 CA certificates and 1200 DNs). Many of us in the CA industry believe—from a purely objective standpoint—that the threat surface in need of attention is smaller. Is anyone else besides a few of us CAs interested in analyzing this same general area (number of CAs) with different criteria in mind? If the PKI hierarchies involved and physical location of CA keys were considered, then different conclusions could be made. For instance, what would the map look like if the DFN-Verien root were removed? It’s just that the number “650” is now being used regularly in various venues to argue that the problem is that there are too many weak links—but while there may be a statistical correlation (the more cars there are, the more likely you are to get into an accident), the large number alone does not lead directly to the conclusions being made. As someone mentioned to me recently, it’s just a number, but what it connotes might be something more and statistics and visual representations support the case one tries to make. All I am saying is that a number alone only tells us “how many” – it doesn’t tell us anything about “good” or “bad.” In other words, a purely quantitative analysis without corresponding qualitative criteria brings about a different result and leads to a different conclusion than what course of action might be best. Just some thoughts.
Certainly there is a great deal of information that is not known. The
EFF have published their full data set and methodology and, while the
resulting number is almost certainly wrong, it's pretty much the best
that can be done from an external vantage.
I'm sure that, if yourself and other CAs were willing to publish the
number of externally controlled, intermediate CA certificates that
have been issued, such data would be warmly received. (Although, in
your case, the EFF's data doesn't show any, which is great.)
Cheers
AGL
More information about the Observatory
mailing list