[SSL Observatory] Number of CAs

Phillip Hallam-Baker hallam at gmail.com
Wed Dec 7 12:43:33 PST 2011


What the CAs are willing to do and what they can do are likely to be two
different things.

The problem that comes up is that if CA X has created an intermediary for
an external organization it is going to be for a customer. That customer
relationship is going to be governed by a contract and the terms of that
agreement may not have anticipated revealing the information at issue.

I expect this to be fixed, but fixing it is far from simple.


I don't have any problem with the EFF publishing their results. What I do
have a serious problem with is the lack of disclaimers when they are touted
as evidence for the need for change. The methodology does not result in a
figure of 650, it results in a number of 50-650 or as we would say in
physics, 350+/-300.

Give the error bars on the number and we are all in agreement.

With this approach it is in everyone's interest to take the DFN data into
account and instead refer to 250+/-200.



On Wed, Dec 7, 2011 at 2:07 PM, Adam Langley <agl at google.com> wrote:

> On Wed, Dec 7, 2011 at 1:56 PM, Ben Wilson <ben at digicert.com> wrote:
> > In an earlier post you wrote that the number “650+” for separate CAs
> > came from the number of distinct values for the "Organization" field in the
> > DN (out of more than 1500 CA certificates and 1200 DNs).  Many of us in the
> > CA industry believe—from a purely objective standpoint—that the threat
> > surface in need of attention is smaller.  Is anyone else besides a few of
> > us CAs interested in analyzing this same general area (number of CAs) with
> > different criteria in mind?  If the PKI hierarchies involved and physical
> > location of CA keys were considered, then different conclusions could be
> > made.  For instance, what would the map look like if the DFN-Verein root
> > were removed?  It’s just that the number “650” is now being used regularly
> > in various venues to argue that the problem is that there are too many weak
> > links—but while there may be a statistical correlation (the more cars there
> > are, the more likely you are to get into an accident), the large number
> > alone does not lead directly to the conclusions being made.  As someone
> > mentioned to me recently, it’s just a number, but what it connotes might be
> > something more and statistics and visual representations support the case
> > one tries to make.  All I am saying is that a number alone only tells us
> > “how many” – it doesn’t tell us anything about “good” or “bad.”  In other
> > words, a purely quantitative analysis without corresponding qualitative
> > criteria brings about a different result and leads to a different
> > conclusion than what course of action might be best.  Just some thoughts.
>
> Certainly there is a great deal of information that is not known. The
> EFF have published their full data set and methodology and, while the
> resulting number is almost certainly wrong, it's pretty much the best
> that can be done from an external vantage.
>
> I'm sure that, if yourself and other CAs were willing to publish the
> number of externally controlled, intermediate CA certificates that
> have been issued, such data would be warmly received. (Although, in
> your case, the EFF's data doesn't show any, which is great.)
>
>
> Cheers
>
> AGL
>



-- 
Website: http://hallambaker.com/
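The three counts the quoted post contrasts (CA certificates, distinct subject DNs, distinct "Organization" values), the "externally controlled intermediate" count Adam asks CAs to publish, and the effect of dropping one root's entire hierarchy, worked through on a constructed sample. This is an added example, not code from the thread or from the EFF Observatory; the DN strings, organisation names and the hypothetical `count_cas` helper are made up for illustration.

```python
"""Count "CAs" from a set of CA certificates several different ways."""
from collections import defaultdict

# Constructed sample: (subject DN, issuer DN) for each CA certificate.
# Self-signed entries are roots. Note the renewed "Uni X CA" cert: same
# subject DN twice, which is why certificates != distinct DNs.
SAMPLE_CA_CERTS = [
    ("CN=Root A,O=Example Root CA", "CN=Root A,O=Example Root CA"),
    ("CN=Root A Sub 1,O=Example Root CA", "CN=Root A,O=Example Root CA"),
    ("CN=Partner CA,O=Partner Org", "CN=Root A,O=Example Root CA"),
    ("CN=DFN Root,O=DFN-Verein", "CN=DFN Root,O=DFN-Verein"),
    ("CN=DFN PCA,O=DFN-Verein", "CN=DFN Root,O=DFN-Verein"),
    ("CN=Uni X CA,O=University X", "CN=DFN PCA,O=DFN-Verein"),
    ("CN=Uni X CA,O=University X", "CN=DFN PCA,O=DFN-Verein"),
    ("CN=Uni Y CA,O=University Y", "CN=DFN PCA,O=DFN-Verein"),
    ("CN=Uni Y CA G2,O=University Y", "CN=DFN PCA,O=DFN-Verein"),
]


def organization(dn):
    """Return the O= component of a comma-separated DN string, or None."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip() == "O":
            return value.strip()
    return None


def subtree(certs, root_dn):
    """Subject DNs of every cert that chains up to root_dn (root included)."""
    children = defaultdict(set)
    for subj, iss in certs:
        if subj != iss:                      # skip self-signed roots
            children[iss].add(subj)
    seen, stack = set(), [root_dn]
    while stack:                             # iterative DFS over issuer links
        dn = stack.pop()
        if dn not in seen:
            seen.add(dn)
            stack.extend(children[dn])
    return seen


def count_cas(certs, exclude_root=None):
    """Hypothetical helper: the four counts, optionally minus one root's tree."""
    excluded = subtree(certs, exclude_root) if exclude_root else set()
    kept = [(s, i) for s, i in certs if s not in excluded]
    return {
        "certificates": len(kept),
        "distinct_dns": len({s for s, _ in kept}),
        "distinct_orgs": len({organization(s) for s, _ in kept}),
        # intermediates whose subject org differs from the issuer's org
        "external_intermediates": sum(
            1 for s, i in kept if s != i and organization(s) != organization(i)),
    }
```

Running `count_cas(SAMPLE_CA_CERTS)` and then the same call with `exclude_root="CN=DFN Root,O=DFN-Verein"` shows how much of each figure one hierarchy contributes, which is the comparison the post is asking for.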