[SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Mon Dec 17 12:04:42 PST 2012


Hi,

sorry that it took a while - but I created a second version now that simply
removes all sub-CAs of the DFN. It is available at 

http://notary.icsi.berkeley.edu/trust-tree-no-dfn/

(I know - something where you could remove it live would be nicer. Perhaps
in the future…)

Bernhard

On Dec 14, 2012, at 8:18 AM, Ben Wilson <ben at digicert.com> wrote:

> I’d like an option that removes or shrinks the DFNVerein PKI.   
>  
> From: observatory-bounces at eff.org [mailto:observatory-bounces at eff.org] On Behalf Of Bernhard Amann
> Sent: Thursday, December 13, 2012 10:24 PM
> To: observatory at eff.org
> Subject: [SSL Observatory] The Trust Tree: An interactive graph of the CA ecosystem
>  
> Hi All,
>  
> We just released an interactive graph that shows the relationship
> between the root-CAs of the Mozilla root-store and their intermediates 
> at http://notary.icsi.berkeley.edu/trust-tree/. 
>  
> Root-CAs are pictured as red nodes, intermediate CAs are green. 
> The node diameter scales logarithmically with the number of 
> certificates signed by the node. Similarly, the color of the green 
> nodes scales proportionally to the diameter.
>  
> The data source for this graph is the ICSI SSL notary [1], which was
> previously mentioned on this mailing list. We have been passively 
> monitoring the Internet uplinks of a number of (mostly) edu
> networks for certificate and SSL information for about 10 months.
>  
> Clicking on individual nodes reveals additional information about the 
> CAs, especially the number of valid child certificates we currently 
> know for it.
>  
> In the graph, the CA that directly signed the largest number of certificates
> is the Go Daddy Secure Certification Authority, an intermediate of 
> GoDaddy. Our current dataset contains over 74,000 certificates 
> that it signed.
>  
> The DFN-Verein CA has signed the largest number of intermediate 
> CA certificates. As you might know, it provides certificates for 
> many German higher education and research institutions. It creates 
> a unique sub-CA for each institution for which it issues certificates.
> Our data set currently contains more than 200 sub-CAs of it.
> The DFN does this for administrative reasons. The control of the
> private keys of all sub-CAs remains at the DFN and they check
> each certificate request.
>  
> If you have any questions or comments about this, please let us
> know.
>  
> Bernhard
>  
> [1]: http://notary.icsi.berkeley.edu/
