[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA
Peter Eckersley
pde at eff.org
Sun Nov 6 10:49:04 PST 2011
On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:

> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> like it was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA,

There are certainly some companies that act as CAs that are "only"
subordinate/intermediate CAs. We know this with a fair degree of certainty,
because companies that operate root CAs have asked us, "can you use the
Observatory to tell us what this company we issued a sub-CA to has been
signing with it?".

> and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...).
> Add to this imposed segmentation some levels (for example in Europe, we have
> qualified certificates,

Do you mean the X509v3 Name Constraints field? We only saw two CAs that used
that (https://mail1.eff.org/pipermail/observatory/2011-April/000206.html)

> and in France we have other "France-only" rules). Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they are
> all held by the same one company, and operated by the same people, only
> applying different validation rules. Does that still count as so many CAs? I
> doubt so.

The 650 number came from the number of distinct values for the "Organization"
field in the DN. We saw more than 1500 CA certificates, and around 1200
DNs.
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
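
Added example (not part of the original message and not the Observatory's own code): a sketch of the three counts discussed above, showing how CA certificates, distinct DNs and distinct "Organization" values give different numbers for the same data. The DN strings are constructed, and the assumptions are that DNs are in RFC 4514 string form with single-valued RDNs and that comparing them as strings is good enough.

```python
import re
from collections import Counter

# Constructed sample: subject DNs of CA certificates. All names are invented
# for illustration; none of them come from Observatory data.
SAMPLE_CA_SUBJECTS = [
    "CN=Example Root CA,O=Example Trust\\, Inc.,C=US",
    "CN=Example Root CA,O=Example Trust\\, Inc.,C=US",  # re-issued, same DN
    "CN=Example EV CA,O=Example Trust\\, Inc.,C=US",
    "CN=Example Code Signing CA,O=Example Trust\\, Inc.,C=US",
    "CN=Acme Issuing CA,OU=IT,O=Acme Corp,C=FR",
    "CN=Acme Issuing CA G2,OU=IT,O=Acme Corp,C=FR",
    "CN=Orphan CA,C=DE",  # no Organization attribute at all
]


def split_rdns(dn):
    """Split a DN on commas, leaving backslash-escaped characters intact."""
    return [m.group(0).strip() for m in re.finditer(r"(?:\\.|[^,\\])+", dn)]


def organization(dn):
    """Return the first O= value of a DN, unescaped, or None if absent."""
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "O":
            return re.sub(r"\\(.)", r"\1", value)
    return None


def ca_counts(subjects):
    """Count certificates, distinct DNs and distinct Organization values."""
    orgs = Counter(organization(dn) for dn in subjects)
    no_org = orgs.pop(None, 0)  # certificates whose DN carries no O= field
    return {
        "certificates": len(subjects),
        "distinct_dns": len(set(subjects)),
        "distinct_orgs": len(orgs),
        "no_org": no_org,
    }


if __name__ == "__main__":
    print(ca_counts(SAMPLE_CA_SUBJECTS))
```

Sub-CAs held by one company collapse into a single Organization value, while differently spelled Organization strings for the same company would still be counted separately.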