[SSL Observatory] Tangent - coercibility of different authority structures

Ralph Holz holz at net.in.tum.de
Mon Sep 26 06:17:13 PDT 2011


Hi,

> What the observatory measured was intermediate certificates with
> different subject names. An intermediate certificate does not imply a CA
> or even an RA capability.
> 
> Repeating a false claim does not make it true.

What does remain true is that the number of keys increases the attack
surface if the keys are not under the same rigid control of one entity.

What is also true is that, e.g. Mozilla has no clue how many
subordinate CAs are out there as these are often considered trade
secrets and not disclosed to the browser vendors. See the Mozilla lists
for discussions on that topic. Mozilla might soon try and close that gap.

While you are correct that an intermediate certificate does not imply a
CA, I do tend to see a larger attack surface here, and would certainly
not venture to say "all's good".

Ralph

-- 
Dipl.-Inform. Ralph Holz
I8: Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
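The disagreement above is about what an Observatory-style count of intermediate certificates actually measures. The following added example (not code from the Observatory project or from anyone in this thread) separates the three quantities involved: certificates seen, distinct subject names, and distinct signing keys, per issuing root, and only for certificates carrying CA:TRUE. The records are constructed sample data; a real run would feed in subject, issuer, SPKI hash and basicConstraints from parsed chains.

```python
"""Per-root attack-surface summary for observed intermediate certificates.

Counts distinct subject names versus distinct public keys (SPKI hashes)
among CA:TRUE certificates chaining to each root, and flags the two cases
where the two numbers diverge: one name backed by several keys, and one
key appearing under several names (typical of cross-signing).
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample records: (subject, issuer, spki_sha256_hex, basic_constraints_ca).
SAMPLE_INTERMEDIATES = [
    ("CN=Sub CA 1,O=Example", "CN=Example Root", "aa" * 32, True),
    ("CN=Sub CA 1,O=Example", "CN=Example Root", "aa" * 32, True),  # reissued, same key
    ("CN=Sub CA 2,O=Example", "CN=Example Root", "bb" * 32, True),
    ("CN=Reseller CA,O=Reseller", "CN=Example Root", "cc" * 32, True),
    ("CN=Reseller CA,O=Reseller", "CN=Example Root", "dd" * 32, True),  # same name, second key
    ("CN=Sub CA 1,O=Example", "CN=Other Root", "aa" * 32, True),  # same key, cross-signed
    ("CN=Leaf-looking,O=Example", "CN=Example Root", "ee" * 32, False),  # not CA:TRUE, skipped
]


def summarize(records: Iterable[Tuple[str, str, str, bool]]) -> Dict[str, Dict[str, int]]:
    """Return {issuer: {"certs": n, "subjects": n, "keys": n}} over CA:TRUE records."""
    per_root = defaultdict(lambda: {"certs": 0, "subjects": set(), "keys": set()})
    for subject, issuer, spki, is_ca in records:
        if not is_ca:  # a certificate without CA:TRUE cannot act as a CA, whatever its name
            continue
        entry = per_root[issuer]
        entry["certs"] += 1
        entry["subjects"].add(subject)
        entry["keys"].add(spki)
    return {
        root: {"certs": v["certs"], "subjects": len(v["subjects"]), "keys": len(v["keys"])}
        for root, v in per_root.items()
    }


def divergences(records: Iterable[Tuple[str, str, str, bool]]) -> Dict[str, Dict[str, int]]:
    """Subjects with more than one key, and keys seen under more than one subject."""
    keys_by_subject, subjects_by_key = defaultdict(set), defaultdict(set)
    for subject, _issuer, spki, is_ca in records:
        if is_ca:
            keys_by_subject[subject].add(spki)
            subjects_by_key[spki].add(subject)
    return {
        "multi_key_subjects": {s: len(k) for s, k in keys_by_subject.items() if len(k) > 1},
        "multi_subject_keys": {k: len(s) for k, s in subjects_by_key.items() if len(s) > 1},
    }
```

Run on the sample, the Example Root shows five certificates, three names and four keys, which is the gap between "how many intermediates" and "how many keys" the message above is pointing at.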

