[SSL Observatory] Number of CAs

Peter Gutmann pgut001 at cs.auckland.ac.nz
Thu Dec 8 13:58:35 PST 2011


Erwann ABALEA <erwann at abalea.com> writes:

>How did you come to write that the software used by VeriSign and most CAs is 
>based on OpenSSL and a few graphical front-ends such as TinyCA, without any 
>expensive hardware?

That's probably quite accurate, most people who want to issue certs download 
and build OpenSSL and start cranking them out.  I think you've interpreted the 
text to mean "most commercial CAs" whereas in fact it's saying "most 
crank-out-certificates operations".

>The fact that DigiNotar, and now KPN have proven to be bad actors doesn't
>mean that all of the others are as bad.

DigiNotar's software was exquisitely homebrew, nothing else had quite that
range and variety of bugs.

(Many European commercial CAs also homebrew their stuff... from looking at 
some of the publicly visible bugs there, it's actually a liability, not a 
feature).

Peter.
