[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA
Ralph Holz
holz at net.in.tum.de
Mon Nov 7 08:46:18 PST 2011
Hi,
> In practice, you can only register root CAs into browsers, and you're
> strongly advised to *not* issue certificates directly under the root,
> like it was the case some years ago with the big CA vendors selling
> X.509v1 certificates. So a company acting as a CA has at least one
> root CA, and then several sub-CAs (for EV, OV, DV, Test, S/MIME, code
> signing, timestamping, ...). Add to this imposed segmentation some
> levels (for example in Europe, we have qualified certificates, and in
> France we have other "France-only" rules). Those CA certificates can
> be counted as different CAs if you stick to pure X.509 rules, but they
> are all held by the same one company, and operated by the same people,
> only applying different validation rules. Does that still count as so
> many CAs? I doubt so.
That's the point Phillip was referring to, too. But the more interesting
question to me seems to be this: if CAs = the companies operate sub-CAs, why
do so many CAs = companies have several root certificates in NSS? The
latest count of roots in NSS was 150+; and I remember someone from
Mozilla recently mentioned that the number of companies is much lower,
near 35-40 or so.
And correct me if I am wrong - but isn't it so that some CAs = companies
have root certs for DV *and* EV in the NSS root store?
Ralph
--
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/