Re: [therightkey] RA vs CA
"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 08 January 2014 18:38 UTC
From: "Jeremy Rowley" <jeremy.rowley@digicert.com>
To: "'Ben Laurie'" <benl@google.com>, "'Ralph Holz'" <holz@net.in.tum.de>
Date: Wed, 8 Jan 2014 11:38:23 -0700
Message-ID: <013a01cf0ca0$d0533b50$70f9b1f0$@digicert.com>
Cc: therightkey@ietf.org, 'Seth David Schoen' <schoen@eff.org>
Subject: Re: [therightkey] RA vs CA
To add some clarification on why the EFF probably over-counted: We create intermediate certificates all the time for customers, typically for access control or to minimize the potential impact of the intermediate's revocation. However, the intermediate stays within our PKI and is subject to our verification process and control. This doesn't make it a separate issuer. The RA tells us who is authorized to get a certificate off that intermediate, but they don't dictate the validation or issuance process. Again (and unfortunately), the scope of control over an intermediate varies widely depending on the CA.

Jeremy

-----Original Message-----
From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Jeremy Rowley
Sent: Wednesday, January 08, 2014 11:34 AM
To: 'Ben Laurie'; 'Ralph Holz'
Cc: therightkey@ietf.org; 'Seth David Schoen'
Subject: Re: [therightkey] RA vs CA

The role of the RA varies a lot depending on the CA and industry. For example, some CAs use RAs only to collect face-to-face documentation (similar to a notary). The CA will still do a record check, verify the identity, etc. The existence of an RA does not necessarily mean the CA is signing whatever is put in front of it. The only way to know the scope of the RA function is to ask the CA.

Jeremy

-----Original Message-----
From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Ben Laurie
Sent: Wednesday, January 08, 2014 11:30 AM
To: Ralph Holz
Cc: therightkey@ietf.org; Seth David Schoen
Subject: [therightkey] RA vs CA

On 27 December 2013 10:06, Ralph Holz <holz@net.in.tum.de> wrote:
> Hi,
>
> [The EFF's count]
>
>>> You can't calculate the number of CAs the way the EFF tried to. An intermediate certificate does not equate to a CA. Pretending it does to peddle an alternative PKI scheme calls into question their veracity.
>>>
>>
>> I disagree strongly. I have an intermediate certificate. I am as powerful a CA as a result.
>>
>> Please also see these estimates which are even higher:
>>
>> https://zakird.com/slides/durumeric-https-imc13.pdf
>>
>> "Identified 1,832 CA certificates belonging to 683 organizations"
>> "311 (45%) of the organizations were provided certificates by German National Research and Education Network (DFN)"
>
> I was there at IMC and spoke with Zakir. He was not aware of the fact that the private keys to all the intermediate certificates are held by the central DFN Verein, not the RAs themselves. In the case of DFN, the intermediate certs only identify the RAs. The RAs do not carry signing power.

What is the function of an RA, then, if not to tell a CA "sign this"?
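The thread turns on how much signing power an intermediate certificate actually carries. One technical handle a relying party has on that question, independent of asking the CA, is whatever constraints the issuing CA encoded into the intermediate itself. The example below is added here and is not code from the thread or from any of the CAs mentioned: it builds a constructed root, intermediate and leaf with Go's standard crypto/x509 and shows that a name-constrained intermediate cannot validate a leaf outside its permitted DNS names, whereas an unconstrained one validates any name. All keys, names and the chain are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign issues tmpl from parent (self-signed when parent is nil) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// LeafAcceptedUnder builds a constructed root -> intermediate -> leaf chain and reports
// whether a leaf for dns validates. permitted holds the intermediate's DNS name
// constraints; nil means an unconstrained intermediate (a full-power issuer).
func LeafAcceptedUnder(permitted []string, dns string) bool {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	intKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	tmpl := func(sn int64, cn string, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(sn), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
			IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	root := sign(tmpl(1, "Constructed Root", true), nil, &rootKey.PublicKey, rootKey)
	it := tmpl(2, "Constructed Intermediate", true)
	it.PermittedDNSDomains, it.PermittedDNSDomainsCritical = permitted, permitted != nil
	inter := sign(it, root, &intKey.PublicKey, rootKey) // root key signs the intermediate
	lt := tmpl(3, dns, false)
	lt.KeyUsage, lt.DNSNames = x509.KeyUsageDigitalSignature, []string{dns}
	lt.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf := sign(lt, inter, &leafKey.PublicKey, intKey) // intermediate key signs the leaf
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dns, Roots: roots, Intermediates: inters})
	return err == nil
}
```

Counting unconstrained intermediates as independent CAs is defensible from the relying party's view; counting constrained ones that way overstates the number of parties who can issue for an arbitrary name.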