[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Ralph Holz holz at net.in.tum.de
Mon Nov 7 08:46:18 PST 2011


Hi,

> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> as was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA, and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...). Add to this imposed segmentation some
> levels (for example in Europe, we have qualified certificates, and in
> France we have other "France-only" rules). Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they
> are all held by the same one company, and operated by the same people,
> only applying different validation rules. Does that still count as so
> many CAs? I doubt it.

That's the point Phillip was referring to, too. But the more interesting
question to me seems to be this: if CAs = the companies operate sub-CAs, why
do so many CAs = companies have several root certificates in NSS? The
latest count of roots in NSS was 150+, and I remember someone from
Mozilla recently mentioning that the number of companies is much lower,
around 35-40 or so.

And correct me if I am wrong, but isn't it the case that some CAs = companies
have root certs for DV *and* EV in the NSS root store?

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
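To put numbers on the roots-versus-companies question in the post above, here is an added example (editor's code, not part of Ralph's message and not NSS or Mozilla code) that parses Mozilla's certdata.txt, keeps only the roots whose trust object flags them as anchors for TLS server authentication, and groups them by the organisation named in the subject. It assumes the per-certificate `# Subject:` comment lines present in current certdata.txt files and that a trust object can be matched to its certificate by CKA_LABEL (the file itself keys trust by issuer and serial); the input is a constructed sample, so the organisations and root names are invented. Whether a root is used for DV or EV is not recorded in certdata.txt, so the code makes no claim about that.

```python
"""Tally NSS root certificates against the organisations holding them.

Added example, not code from the list post. Parses the certdata.txt layout of
the Mozilla root store, keeps roots whose trust object marks them as TLS
server-auth anchors, and groups them by O= in the '# Subject:' comment.
Assumed: that comment is present (as in current files) and trust objects pair
with certificates by CKA_LABEL (the file itself keys trust by issuer+serial).
"""
import re
from collections import defaultdict
# Constructed sample in certdata.txt layout: invented organisations, and the
# one MULTILINE_OCTAL blob is a truncated placeholder, not a real DER name.
SAMPLE_CERTDATA = r'''
# Certificate "Example Root CA 1"
# Subject: CN=Example Root CA 1,O=Example Trust Ltd,C=GB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 1"
CKA_SUBJECT MULTILINE_OCTAL
\060\057\061\013
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example EV Root CA"   (same company, second root)
# Subject: CN=Example EV Root CA,O=Example Trust Ltd,C=GB
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example EV Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example EV Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Acme Commerce Root"   (escaped comma in O=, pre-rename CKO_NETSCAPE names)
# Subject: CN=Acme Commerce Root,O=Acme\, Inc.,C=US
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Acme Commerce Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Acme Commerce Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
# Certificate "Acme Email Root"   (S/MIME only: must not count as a server-auth anchor)
# Subject: CN=Acme Email Root,O=Acme\, Inc.,C=US
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Acme Email Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Acme Email Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

TRUST_CLASSES = {'CKO_NSS_TRUST', 'CKO_NETSCAPE_TRUST'}  # current and older names
TRUSTED = {'CKT_NSS_TRUSTED_DELEGATOR', 'CKT_NETSCAPE_TRUSTED_DELEGATOR'}

def octal_to_bytes(blob):
    """Decode a MULTILINE_OCTAL body such as '\\060\\057' to bytes."""
    return bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', blob))

def parse_objects(text):
    """One dict per CKA_CLASS object; last '# Subject:' seen goes under '_subject'."""
    objects, current, subject = [], None, None
    lines = iter(text.splitlines())
    for line in lines:
        m = re.match(r'#\s*Subject:\s*(.*)', line)
        if m:
            subject = m.group(1).strip()
        parts = line.split(None, 2)
        if not parts or parts[0].startswith('#'):
            continue
        if parts[0] == 'CKA_CLASS':             # every object starts with its class
            current = {'_subject': subject}
            objects.append(current)
        if current is None:                      # header lines such as BEGINDATA
            continue
        if len(parts) == 2 and parts[1] == 'MULTILINE_OCTAL':
            # consume the octal lines up to the END marker and decode them
            current[parts[0]] = octal_to_bytes(''.join(iter(lambda: next(lines, 'END'), 'END')))
        elif len(parts) == 3:
            val = parts[2].strip()
            current[parts[0]] = val.strip('"') if parts[1] == 'UTF8' else val
    return objects

def dn_attr(dn, key):
    """Value of `key` in an RFC 4514 DN string, splitting only on unescaped commas."""
    for rdn in re.split(r'(?<!\\),', dn):
        k, _, v = rdn.partition('=')
        if k.strip().upper() == key.upper():
            return v.strip().replace('\\,', ',')
    return None

def roots_by_organisation(text):
    """Group roots trusted as TLS server-auth anchors by holder: {org: [labels]}."""
    objs = parse_objects(text)
    certs = {o.get('CKA_LABEL'): o for o in objs if o.get('CKA_CLASS') == 'CKO_CERTIFICATE'}
    by_org = defaultdict(list)
    for o in objs:
        if o.get('CKA_CLASS') in TRUST_CLASSES and o.get('CKA_TRUST_SERVER_AUTH') in TRUSTED:
            cert = certs.get(o.get('CKA_LABEL'))    # pairing by label: see module docstring
            if cert is not None:
                subj = cert['_subject'] or ''
                by_org[dn_attr(subj, 'O') or subj].append(o['CKA_LABEL'])
    return dict(by_org)
```

On the constructed sample this yields two organisations holding three server-auth roots, with the S/MIME-only root correctly left out. Against the real file, `roots_by_organisation(open('certdata.txt').read())` gives the per-organisation lists; sorting them by length shows which companies hold several roots, which is the comparison the post asks for.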
