[SSL Observatory] Perspectives on Convergence of EFF, EPIC, SSL, TOR, NSA, ET CETERA

Ralph Holz holz at net.in.tum.de
Mon Nov 7 15:08:40 PST 2011


Hi,

Apologies if I'm spamming the list, but I am still trying to get to the
bottom of this:

> The problem is that the EFF has been claiming 650 CAs when at least
> 200 are not CAs. DFN just happens to be managing those 200 LRAs.

As I understand Peter's comment from the other thread, their methodology
was to distinguish organisations by the "O" field. This yields 650
certificates that have CA:True, are trustable via the root stores and
distinguished as organisations in the DN.

Your objection to this is that this still does not identify "CA
capability" because, as in the case of DFN, control over issuance is
still with another, higher authority.

Consider these subjects of 2 certificates with CA:True in the EFF data,
where the issuer is DFN in both cases:

C=DE, O=Technische Universitaet Muenchen, CN=Zertifizierungsstelle der TUM

C=DE, O=Technische Universitaet Ilmenau, CN=TU Ilmenau CA/emailAddress=pki at tu-ilmenau.de

According to the EFF methodology, these would be counted as CAs because
the O strings are distinct. Yet as Matthias has said for the third
example, they cannot *arbitrarily* issue to any domain name, and the
guidelines for what they can issue are somewhere in the DFN policies.

Would that be a correct summary of the whole thing?

(I didn't go into the cross-signing issue yet - the above does not
constitute cross-signing for me)

Ralph
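The counting method discussed in the mail, as an added illustration that is not part of the original message or of the Observatory code: it applies the "distinct O among CA:True certificates that chain to a root store" rule to a constructed set of subjects, and then lists, for each counted organisation, the organisations above it in the chain, which is where the DFN sub-CA objection becomes visible. The root and DFN subject strings, the root store and the chain layout are assumptions; only the two university subjects are adapted from the mail.

```python
# Constructed sample chain (not Observatory data): a trusted root, DFN as a
# subordinate CA, two university CAs under DFN, one end-entity cert and one
# self-signed CA that is not in the root store. Organisation names other than
# the two universities quoted in the mail are illustrative.
ROOT = "C=DE, O=Example Root CA GmbH, CN=Example Root CA"
DFN = "C=DE, O=DFN-Verein, CN=DFN Sample PCA"
TUM = "C=DE, O=Technische Universitaet Muenchen, CN=Zertifizierungsstelle der TUM"
ILM = "C=DE, O=Technische Universitaet Ilmenau, CN=TU Ilmenau CA"
OTHER = "C=XX, O=Untrusted Root Ltd, CN=Untrusted Root"

# (subject, issuer, BasicConstraints CA flag); roots are self-issued.
CERTS = [
    (ROOT, ROOT, True),
    (DFN, ROOT, True),
    (TUM, DFN, True),
    (ILM, DFN, True),
    ("C=DE, O=Technische Universitaet Muenchen, CN=www.tum.de", TUM, False),
    (OTHER, OTHER, True),
]
ROOT_STORE = {ROOT}  # assumed trust anchors

def parse_dn(dn):
    """Split a comma-separated DN like 'C=DE, O=..., CN=...' into a dict."""
    return dict(part.split("=", 1) for part in dn.split(", "))

def issuer_chain(subject, certs, roots):
    """Issuer subjects from `subject` up to a root-store entry (nearest first),
    or None when the chain never reaches the root store (loop or dangling)."""
    issuers = {s: i for s, i, _ in certs}
    chain, seen = [], set()
    while subject not in roots:
        if subject in seen or subject not in issuers:
            return None
        seen.add(subject)
        subject = issuers[subject]
        chain.append(subject)
    return chain

def eff_ca_organisations(certs, roots):
    """EFF-style count: distinct O among CA:True certs that chain to a root."""
    return {parse_dn(s)["O"] for s, _, is_ca in certs
            if is_ca and issuer_chain(s, certs, roots) is not None}

def organisations_above(subject, certs, roots):
    """Distinct organisations (nearest first) above `subject` in its chain:
    the higher authorities whose policy governs what it may issue."""
    own, above = parse_dn(subject)["O"], []
    for issuer in issuer_chain(subject, certs, roots) or []:
        org = parse_dn(issuer)["O"]
        if org != own and org not in above:
            above.append(org)
    return above
```

Running `organisations_above(TUM, CERTS, ROOT_STORE)` and the same for ILM returns `['DFN-Verein', 'Example Root CA GmbH']` for both, while `eff_ca_organisations` still counts the two universities as separate organisations.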
