[SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem

Ben Wilson ben at digicert.com
Fri Dec 14 08:18:10 PST 2012


I'd like an option that removes or shrinks the DFNVerein PKI.   

 

From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On Behalf Of Bernhard Amann
Sent: Thursday, December 13, 2012 10:24 PM
To: observatory at eff.org
Subject: [SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem

 

Hi All,

 

We just released an interactive graph that shows the relationship between the root-CAs of the Mozilla root-store and their intermediates at http://notary.icsi.berkeley.edu/trust-tree/.

 

Root-CAs are pictured as red nodes, intermediate CAs are green. The node diameter scales logarithmically with the number of certificates signed by the node. Similarly, the color of the green nodes scales proportionally to the diameter.

 

The data source for this graph is the ICSI SSL notary [1], which was previously mentioned on this mailing list. We have been passively monitoring the Internet uplinks of a number of (mostly) edu networks for certificate and SSL information for about 10 months.

 

Clicking on individual nodes reveals additional information about the CAs, especially the number of valid child certificates we currently know for it.

 

In the graph, the CA that directly signed the largest number of certificates is the Go Daddy Secure Certification Authority, an intermediate of GoDaddy. Our current dataset contains over 74,000 certificates that it signed.

 

The DFN-Verein CA has signed the largest number of intermediate CA certificates. As you might know, it provides certificates for many German higher education and research institutions. It creates a unique sub-CA for each institution for which it issues certificates. Our data set currently contains more than 200 sub-CAs of it. The DFN does this for administrative reasons. The control of the private keys of all sub-CAs remains at the DFN and they check each certificate request.

 

If you have any questions or comments about this, please let us know.

 

Bernhard

 

[1]: http://notary.icsi.berkeley.edu/
