[SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem
Bernhard Amann
bernhard at ICSI.Berkeley.EDU
Mon Dec 17 12:04:42 PST 2012
Hi,
sorry that it took a while - but I created a second version now that simply
removes all sub-CAs of the DFN. It is available at
http://notary.icsi.berkeley.edu/trust-tree-no-dfn/
(I know - something where you could remove it live would be nicer. Perhaps
in the future…)
Bernhard
On Dec 14, 2012, at 8:18 AM, Ben Wilson <ben at digicert.com> wrote:
> I’d like an option that removes or shrinks the DFNVerein PKI.
>
> From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On Behalf Of Bernhard Amann
> Sent: Thursday, December 13, 2012 10:24 PM
> To: observatory at eff.org
> Subject: [SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem
>
> Hi All,
>
> We just released an interactive graph that shows the relationship
> between the root-CAs of the Mozilla root-store and their intermediates
> at http://notary.icsi.berkeley.edu/trust-tree/.
>
> Root-CAs are pictured as red nodes, intermediate CAs are green.
> The node diameter scales logarithmically with the number of
> certificates signed by the node. Similarly, the color of the green
> nodes scales proportionally to the diameter.
>
> The data source for this graph is the ICSI SSL notary [1], which was
> previously mentioned on this mailing list. We have been passively
> monitoring the Internet uplinks of a number of (mostly) edu
> networks for certificate and SSL information for about 10 months.
>
> Clicking on individual nodes reveals additional information about the
> CAs, especially the number of valid child certificates we currently
> know for it.
>
> In the graph, the CA that directly signed the largest number of certificates
> is the Go Daddy Secure Certification Authority, an intermediate of
> GoDaddy. Our current dataset contains over 74,000 certificates
> that it signed.
>
> The DFN-Verein CA has signed the largest number of intermediate
> CA certificates. As you might know, it provides certificates for
> many German higher education and research institutions. It creates
> a unique sub-CA for each institution for which it issues certificates.
> Our data set currently contains more than 200 sub-CAs of it.
> The DFN does this for administrative reasons. The control of the
> private keys of all sub-CAs remains at the DFN and they check
> each certificate request.
>
> If you have any questions or comments about this, please let us
> know.
>
> Bernhard
>
> [1]: http://notary.icsi.berkeley.edu/
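
Added example, not part of the original messages and not the ICSI notary's code: a sketch of how such a trust tree can be derived from observed certificates, with logarithmic node sizing and the "remove all sub-CAs of one CA" option discussed in this thread. The record format (subject, issuer, is_ca), the CA names, and the sizing constants are assumptions made for illustration.

```python
import math
from collections import defaultdict

# Constructed sample (subject, issuer, is_ca) records; not ICSI notary data.
CERTS = [
    ("Root A", "Root A", True),
    ("Issuing CA A1", "Root A", True),
    ("Root B", "Root B", True),
    ("Research Net CA", "Root B", True),
    ("Uni One CA", "Research Net CA", True),
    ("Uni Two CA", "Research Net CA", True),
    ("www.uni-one.example", "Uni One CA", False),
] + [(f"site{i}.example", "Issuing CA A1", False) for i in range(99)]

def build_tree(certs):
    """Return (roots, sub-CAs per issuer, certs directly signed per issuer)."""
    roots, sub_cas, signed = set(), defaultdict(set), defaultdict(int)
    for subject, issuer, is_ca in certs:
        if subject == issuer:          # self-signed: treated as a root-store entry
            roots.add(subject)
            continue
        signed[issuer] += 1            # counts leaf and CA certificates alike
        if is_ca:
            sub_cas[issuer].add(subject)
    return roots, sub_cas, signed

def diameter(n_signed, base=4.0, scale=6.0):
    """Logarithmic node size; base and scale are illustrative constants."""
    return base + scale * math.log10(1 + n_signed)

def prune_sub_cas(certs, ca):
    """Drop every CA below `ca`, and all certificates those CAs issued."""
    _, sub_cas, _ = build_tree(certs)
    gone, stack = set(), list(sub_cas.get(ca, ()))
    while stack:
        node = stack.pop()
        if node not in gone:
            gone.add(node)
            stack.extend(sub_cas.get(node, ()))
    return [c for c in certs if c[0] not in gone and c[1] not in gone]

def nodes(certs):
    """One (name, colour, diameter) tuple per CA, largest first."""
    roots, _, signed = build_tree(certs)
    cas = {subject for subject, _, is_ca in certs if is_ca}
    rows = [(ca, "red" if ca in roots else "green", round(diameter(signed[ca]), 2))
            for ca in cas]
    return sorted(rows, key=lambda r: (-r[2], r[0]))
```

Calling nodes(prune_sub_cas(CERTS, "Research Net CA")) keeps the pruned CA itself as a node but removes everything beneath it, which is the behaviour of the second version of the graph described above.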