[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Erwann ABALEA erwann at abalea.com
Mon Nov 7 09:25:17 PST 2011


2011/11/6 Peter Eckersley <pde at eff.org>:
> On Sun, Nov 06, 2011 at 12:51:11AM +0100, Erwann ABALEA wrote:
>
>> In practice, you can only register root CAs into browsers, and you're
>> strongly advised to *not* issue certificates directly under the root,
>> like it was the case some years ago with the big CA vendors selling
>> X.509v1 certificates. So a company acting as a CA has at least one
>> root CA,
>
> There are certainly some companies that act as CAs that are "only"
> subordinate/intermediate CAs.  We know this with a fair degree of certainty,
> because companies that operate root CAs have asked us, "can you use the
> Observatory to tell us what this company we issued a sub-CA to has been
> signing with it?".

I agree, such companies exist. We too have certified a few companies'
CAs that are not present in the Observatory results.

Fortunately, from my point of view, the DigiNotar experience (if we
only take this one) will change things:
 - the price of such certifications will be much greater
 - the issuing CA will perform annual audits on the subordinate CAs,
*and* ask them to perform third-party audits
all this should be based on the risks the issuing CA is taking by
delegating trust.

>> Add to this imposed segmentation some levels (for example in Europe, we have
>> qualified certificates,
>
> Do you mean the X509v3 Name Constraints field?  We only saw two CAs that used
> that  (https://mail1.eff.org/pipermail/observatory/2011-April/000206.html)

No. See RFC3739 for some background. You can just consider these as
other "Class {1,2,3}" certificates variations.

>> and in France we have other "France-only" rules).  Those CA certificates can
>> be counted as different CAs if you stick to pure X.509 rules, but they are
>> all held by the same one company, and operated by the same people, only
>> applying different validation rules. Does that still count as so many CAs? I
>> doubt it.
>
> The 650 number came from the number of distinct values for the "Organization"
> field in the DN.  We saw more than 1500 CA certificates, and around 1200
> DNs.

That's big. I hadn't previously read that "650" was an already
stripped-down value.

-- 
Erwann.
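To make the three figures in the quoted reply concrete (CA certificates seen, distinct subject DNs, distinct "Organization" values), here is an added example that is not part of the thread or of the Observatory's own tooling. It assumes the CA subjects are already available as RFC 4514 DN strings (the hex-escape form is not handled), and the sample subjects are constructed for illustration:

```python
import re
from typing import List, Tuple

# Split an RFC 4514 DN string into (type, value) pairs, honouring "\," style
# escapes and treating "+" multi-valued RDNs as separate attributes.
def parse_dn(dn: str) -> List[Tuple[str, str]]:
    attrs = []
    for part in re.split(r'(?<!\\)[,+]', dn):
        if '=' not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        typ, val = part.split('=', 1)
        val = re.sub(r'\\(.)', r'\1', val)  # drop the escape backslash
        attrs.append((typ.strip().upper(), val.strip()))
    return attrs

def organization(dn: str) -> str:
    """Return the first O= value of a DN, or '' if the DN carries none."""
    for typ, val in parse_dn(dn):
        if typ == 'O':
            return val
    return ''

def ca_counts(ca_subjects: List[str]) -> Tuple[int, int, int]:
    """Subject DNs of CA certificates -> (certificates, distinct DNs, distinct orgs).
    Several certificates may share one subject (re-keyed CA), and several
    subjects (Class 1/2/3, qualified, ...) may belong to one organization."""
    dns = set(ca_subjects)
    orgs = {organization(dn) for dn in dns}
    return len(ca_subjects), len(dns), len(orgs)

# Constructed sample: one organization running several CAs under different
# validation rules, plus a sub-CA issued to a customer organization.
SAMPLE_CA_SUBJECTS = [
    "CN=Example Root CA,O=Example Trust Ltd,C=FR",
    "CN=Example Root CA,O=Example Trust Ltd,C=FR",  # re-keyed root, same subject
    "CN=Example Class 1 CA,OU=Class 1,O=Example Trust Ltd,C=FR",
    "CN=Example Class 3 CA,OU=Class 3,O=Example Trust Ltd,C=FR",
    "CN=Example Qualified CA,OU=RFC 3739 qualified,O=Example Trust Ltd,C=FR",
    "CN=Acme Issuing CA,O=Acme Widgets\\, Inc.,C=US",  # sub-CA run by a customer
]

if __name__ == "__main__":
    print(ca_counts(SAMPLE_CA_SUBJECTS))  # (6, 5, 2)
```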