[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Peter Eckersley pde at eff.org
Sun Nov 6 10:49:04 PST 2011


On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:
 
> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> like it was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA, 

There are certainly some companies that act as CAs that are "only"
subordinate/intermediate CAs.  We know this with a fair degree of certainty,
because companies that operate root CAs have asked us, "can you use the
Observatory to tell us what this company we issued a sub-CA to has been
signing with it?".

> and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...). 

> Add to this imposed segmentation some levels (for example in Europe, we have
> qualified certificates, 

Do you mean the X509v3 Name Constraints field?  We only saw two CAs that used
that (https://mail1.eff.org/pipermail/observatory/2011-April/000206.html).

> and in France we have other "France-only" rules).  Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they are
> all held by the same one company, and operated by the same people, only
> applying different validation rules. Does that still count as so many CAs? I
> doubt so.

The 650 number came from the number of distinct values for the "Organization"
field in the DN.  We saw more than 1500 CA certificates, and around 1200
DNs.

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
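The counting method Peter describes (CA certificates vs. distinct subject DNs vs. distinct "Organization" values) and the Name Constraints check he refers to, as an added shell example that is not part of this thread or of the Observatory's own tooling. It builds a small constructed set of self-signed CA certificates with OpenSSL (every organisation and CN below is made up; assumes OpenSSL 1.1.1 or later for `-addext`, and that the local openssl.cnf adds the usual CA:TRUE basicConstraints to `req -x509` output) and then reports the three numbers for that set, plus which certificates carry the Name Constraints extension:

```shell
#!/bin/sh
# Added example, not from the original mail. Reproduces the "how many CAs?"
# counting on a constructed set of CA certificates. Assumes OpenSSL >= 1.1.1.
set -e

gen_cert() {
    # $1 = output file, $2 = subject DN, $3 = optional X.509v3 extension
    out=$1; subj=$2; ext=${3:-}
    set --
    if [ -n "$ext" ]; then set -- -addext "$ext"; fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "$subj" -keyout "${out%.pem}.key" -out "$out" "$@" 2>/dev/null
}

make_ca_certs() {
    # Writes four constructed CA certificates into directory $1:
    # three held by one (fictional) company, differing only in CN, and one
    # subordinate run by a different company and restricted by Name Constraints.
    dir=$1
    mkdir -p "$dir"
    gen_cert "$dir/root.pem" "/C=XX/O=Example Trust Ltd/CN=Example Root CA"
    gen_cert "$dir/ev.pem"   "/C=XX/O=Example Trust Ltd/CN=Example EV CA"
    gen_cert "$dir/test.pem" "/C=XX/O=Example Trust Ltd/CN=Example Test CA"
    gen_cert "$dir/sub.pem"  "/C=XX/O=Other Hosting GmbH/CN=Other Sub CA" \
        "nameConstraints=critical,permitted;DNS:.other-hosting.example"
}

count_certs() {
    # Number of CA certificate files (the "more than 1500" figure in the mail)
    ls "$1"/*.pem | wc -l | tr -d ' '
}

count_distinct_dns() {
    # Pure X.509 view: one CA per distinct subject DN (the "around 1200" figure)
    for f in "$1"/*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt RFC2253
    done | sort -u | wc -l | tr -d ' '
}

count_distinct_orgs() {
    # Organisational view: one CA per distinct O= value (the "650" figure)
    for f in "$1"/*.pem; do
        openssl x509 -in "$f" -noout -subject -nameopt sep_multiline
    done | sed -n 's/^[[:space:]]*O[[:space:]]*=[[:space:]]*//p' | sort -u | wc -l | tr -d ' '
}

list_name_constrained() {
    # Basenames of certificates carrying the X509v3 Name Constraints extension
    for f in "$1"/*.pem; do
        if openssl x509 -in "$f" -noout -text | grep -q 'X509v3 Name Constraints'; then
            basename "$f"
        fi
    done
}

report() {
    # Stand-alone usage: build the set in a temporary directory and print the counts
    d=$(mktemp -d)
    make_ca_certs "$d"
    echo "CA certificates:        $(count_certs "$d")"
    echo "distinct subject DNs:   $(count_distinct_dns "$d")"
    echo "distinct Organizations: $(count_distinct_orgs "$d")"
    echo "name-constrained:       $(list_name_constrained "$d" | tr '\n' ' ')"
    rm -rf "$d"
}

report
```

Running it prints 4 certificates, 4 distinct DNs and 2 distinct Organizations, which is the gap between the 1500/1200/650 figures in miniature: the three "Example Trust Ltd" certificates are separate CAs under pure X.509 rules but one company by the DN's Organization field. The Name Constraints check is a plain text match on `openssl x509 -text` output, so it only tells you the extension is present, not whether the constraints are actually enforced by any particular client.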