[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Phillip Hallam-Baker hallam at gmail.com
Sat Nov 5 09:24:26 PDT 2011


On Sat, Nov 5, 2011 at 11:40 AM, Matthias Hunstock <matthias.hunstock at tu-ilmenau.de> wrote:

> On 05.11.2011 16:35, Phillip Hallam-Baker wrote:
>
> > The most that can be supported by the evidence they have is that we do
> > not know if those LRAs have that capability or not. Note that that is a
> > completely valid criticism and one that we are already moving to address.
>
> I am a member of one of these LRAs and I can tell you that we can NOT
> issue a cert for twitter.com.
>
> That's the only reason I spoke up, because the ongoing bashing of the
> DFN-CA starts to get annoying.
>

The only problem that I have had with DFN is that they never replied to my
queries asking them about their issue practices.

Issuing under a separate intermediate cert per LRA is quite definitely the
right way to go about issue.


The problem is that the EFF has been claiming 650 CAs when at least 200 are
not CAs. DFN just happens to be managing those 200 LRAs.

Since the point has now been proven I think that the EFF needs to publicly
withdraw its claim of 650 CAs.


Note that the same objection applies to the remaining 450 organizations,
i.e. it is not possible to determine whether an intermediate cert with a
different subject to the issuer is issued to an LRA or is a cross cert for
a CA.

CA cross certs are really very rare. They cost a great deal of money for a
start.


-- 
Website: http://hallambaker.com/