[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Erwann ABALEA erwann at abalea.com
Sat Nov 5 16:51:11 PDT 2011


2011/11/5 Phillip Hallam-Baker <hallam at gmail.com>:
[...]
> The problem is that the EFF has been claiming 650 CAs when at least 200 are
> not CAs. DFN just happens to be managing those 200 LRAs.
> Since the point has now been proven I think that the EFF needs to publicly
> withdraw its claim of 650 CAs.
>
> Note that the same objection applies to the remaining 450 organizations.
> i.e. it is not possible to determine whether an intermediate cert with a
> different subject to the issuer is issued to an LRA or is a cross cert for a
> CA.

I'm silently lurking here and there, reading different opinions,
analyzing different projects and approaches.
I'm also an actor in this "evil CA world", since 1998.

From a pure X.509 point of view, as long as you have 650 entities with
a unique name, then you have 650 CAs.

In practice, you can only register root CAs into browsers, and you're
strongly advised to *not* issue certificates directly under the root,
as was the case some years ago with the big CA vendors selling
X.509v1 certificates. So a company acting as a CA has at least one
root CA, and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
signing, timestamping, ...). Add to this imposed segmentation some
levels (for example in Europe, we have qualified certificates, and in
France we have other "France-only" rules). Those CA certificates can
be counted as different CAs if you stick to pure X.509 rules, but they
are all held by one and the same company, and operated by the same people,
only applying different validation rules. Does that still count as so
many CAs? I doubt it.

-- 
Erwann.
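To make the two ways of counting concrete, here is an added example (not code from the original post, from the EFF, or from the SSL Observatory). It takes a constructed list of CA certificate subject/issuer names, counts them once by unique X.509 name (the "pure X.509" view above) and once by the organization named in the subject, and applies the classification rule from the quoted reply: a CA certificate whose subject differs from its issuer and whose organization also differs cannot be told apart, from names alone, as an LRA sub-CA or a cross-certificate. The sample records, the organization names and the `classify` labels are all assumptions made for the illustration; real name comparison follows X.509 matching rules, whereas this compares attribute strings exactly.

```python
"""Count "CAs" two ways from CA certificate names: by unique X.509 name and
by operating organization, and classify each CA certificate by how its
subject relates to its issuer. Added example, not code from the original
post or the SSL Observatory; all certificate records below are constructed."""
from collections import Counter

# Constructed sample of (subject DN, issuer DN) pairs for CA certificates,
# written as RFC 4514-style strings. These are not real certificates.
SAMPLE_CA_CERTS = [
    ("C=FR,O=Example Trust,CN=Example Root CA",
     "C=FR,O=Example Trust,CN=Example Root CA"),            # self-issued root
    ("C=FR,O=Example Trust,CN=Example EV CA",
     "C=FR,O=Example Trust,CN=Example Root CA"),            # sub-CA, same company
    ("C=FR,O=Example Trust,CN=Example OV CA",
     "C=FR,O=Example Trust,CN=Example Root CA"),            # sub-CA, same company
    ("C=FR,O=Example Trust,CN=Example Code Signing CA",
     "C=FR,O=Example Trust,CN=Example Root CA"),            # sub-CA, same company
    ("C=DE,O=Example University,CN=Example University CA",
     "C=FR,O=Example Trust,CN=Example Root CA"),            # LRA-style sub-CA
    ("C=US,O=Other Root Inc,CN=Other Root",
     "C=US,O=Other Root Inc,CN=Other Root"),                # another self-issued root
    ("C=FR,O=Example Trust,CN=Example Root CA",
     "C=US,O=Other Root Inc,CN=Other Root"),                # cross-certificate
]


def parse_dn(dn):
    """Parse 'C=FR,O=Foo,CN=Bar' into a tuple of (type, value) pairs.

    Backslash-escaped commas inside a value are kept as literal commas.
    Attribute order is preserved: two names with the same attributes in a
    different order are different X.509 names."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)


def attribute(dn, attr_type):
    """Return the first value of the given attribute type in a DN, or None."""
    return next((v for t, v in parse_dn(dn) if t == attr_type), None)


def classify(subject, issuer):
    """Classify a CA certificate from its names alone (labels are this
    example's own). A differing subject with a differing organization is
    left undetermined: it could be an LRA's sub-CA or a cross-certificate."""
    if parse_dn(subject) == parse_dn(issuer):
        return "self-issued"
    if attribute(subject, "O") == attribute(issuer, "O"):
        return "in-house sub-CA"
    return "undetermined (LRA or cross-cert)"


def count_cas(certs):
    """Return both counts plus a breakdown of the classification labels."""
    unique_names = {parse_dn(subject) for subject, _ in certs}
    organizations = {attribute(subject, "O") for subject, _ in certs}
    classes = Counter(classify(subject, issuer) for subject, issuer in certs)
    return {
        "by_unique_name": len(unique_names),
        "by_organization": len(organizations),
        "classes": dict(classes),
    }


if __name__ == "__main__":
    for key, value in count_cas(SAMPLE_CA_CERTS).items():
        print(key, value)
```

Run as a script, the sample yields 6 CAs when counted by unique name but 3 when counted by organization, and both the university sub-CA and the cross-certificate land in the undetermined bucket, which is exactly why a dataset of CA certificates alone cannot settle the "650 CAs" question either way.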
