[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Peter Eckersley pde at eff.org
Mon Nov 7 11:54:56 PST 2011


On Mon, Nov 07, 2011 at 05:46:18PM +0100, Ralph Holz wrote:
>
> That's the point Phillip was referring to. But the more interesting
> question to me seems here: if CAs = the companies operate sub-CAs, why
> do so many CA = companies have several root certificates in NSS? 

I think everyone here agrees that multiple CA certificates does not equal
independent sub-CAs.

> The latest count of roots in NSS was 150+; and I remember someone from
> Mozilla recently mentioned that the number of companies is much lower, near
> 35-40 or so.

The Microsoft trusted root certificate program does a clearer job of
indicating which root CAs are controlled by which organizations.

https://social.technet.microsoft.com/wiki/contents/articles/2592.aspx

The latest version of that list appears to contain 320 root certs, with 111
organizations listed as controlling them.  In a few instances, perhaps one
could argue that different listed organizations are potentially equivalent.  For
instance, these two:

Government of Latvia, Latvian Post 
Government of Latvia, Latvian State Radio & Television Centre (LVRTC) 

But in a case like that I'm inclined to trust Microsoft's judgement in
determining that these CAs were controlled by different organizations.

-- 
Peter Eckersley                            pde at eff.org
Technology Projects Director      Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
