Re: [therightkey] RA vs CA
"Jeremy Rowley" <jeremy.rowley@digicert.com> Wed, 08 January 2014 18:34 UTC
Return-Path: <jeremy.rowley@digicert.com>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com
(Postfix) with ESMTP id EC5E31AE073 for <therightkey@ietfa.amsl.com>;
Wed, 8 Jan 2014 10:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.84
X-Spam-Level:
X-Spam-Status: No,
score=-4.84 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1,
DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3,
RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsQxpHkMFdx5 for
<therightkey@ietfa.amsl.com>; Wed, 8 Jan 2014 10:33:58 -0800 (PST)
Received: from mail.digicert.com (mail.digicert.com [64.78.193.232]) by
ietfa.amsl.com (Postfix) with ESMTP id E0DEF1ADBD7 for <therightkey@ietf.org>;
Wed, 8 Jan 2014 10:33:58 -0800 (PST)
Received: from JROWLEYL1 (unknown [67.137.52.8]) (using TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by
mail.digicert.com (Postfix) with ESMTPSA id 7B2628FA055;
Wed, 8 Jan 2014 11:33:49 -0700 (MST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=digicert.com; s=mail;
t=1389206029; bh=RdkJjnjtZqdJYAMHujGJqMpfJzdSQJD2j7KgU+KhO48=;
h=From:To:Cc:References:In-Reply-To:Subject:Date;
b=Apn7fizKbRZmF/rEjwaEccnoQvy6eDEB09YEbDgfmHEuxX/4fsCgXWeFS6f1g1/Bj
rfJE6I+q/uTYZbq7gMCVGWtJY6Zzw1fLb8G0RZJiRd14GniCTyi7Gu+4LxlAIswsjT
rh/J9OLsOmFzkDH1P0FML6iLO7MLx3vhnTmlFoko=
From: "Jeremy Rowley" <jeremy.rowley@digicert.com>
To: "'Ben Laurie'" <benl@google.com>, "'Ralph Holz'" <holz@net.in.tum.de>
References: <CABrd9SRDArFhJwTsJKoOaqnpW5-mShLYXsybbNROgkPSgfEh5Q@mail.gmail.com>
In-Reply-To: <CABrd9SRDArFhJwTsJKoOaqnpW5-mShLYXsybbNROgkPSgfEh5Q@mail.gmail.com>
Date: Wed, 8 Jan 2014 11:33:49 -0700
Message-ID: <011b01cf0ca0$2d258cd0$8770a670$@digicert.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFuuk0rOt0bp7TcLsgVMFXzk0y/EZs7ywpQ
Content-Language: en-us
Cc: therightkey@ietf.org, 'Seth David Schoen' <schoen@eff.org>
Subject: Re: [therightkey] RA vs CA
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>,
<mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>,
<mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2014 18:34:01 -0000
The role of the RA varies a lot depending on the CA and industry. For example, some CAs use RAs only to collect face to face documentation (similar to a notary). The CA will still do a record check, verify the identity, etc. The existence of an RA does not necessarily mean the CA is signing whatever is put in front of it. The only way to know the scope of the RA function is to ask the CA. Jeremy -----Original Message----- From: therightkey [mailto:therightkey-bounces@ietf.org] On Behalf Of Ben Laurie Sent: Wednesday, January 08, 2014 11:30 AM To: Ralph Holz Cc: therightkey@ietf.org; Seth David Schoen Subject: [therightkey] RA vs CA On 27 December 2013 10:06, Ralph Holz <holz@net.in.tum.de> wrote: > Hi, > > [The EFF's count] > >>> You can't calculate the number of CAs the way the EFF tried to. An >>> intermediate certificate does not equate to a CA. Pretending it does >>> to peddle an alternative PKI scheme calls into question their veracity. >>> >> >> I disagree strongly. I have an intermediate certificate. I am as >> powerful CA as a result. >> Please also see these estimates which are even higher: >> >> https://zakird.com/slides/durumeric-https-imc13.pdf >> >> "Identified 1,832 CA certificates belonging to 683 organizations" >> "311 (45%) of the organizations were provided certificates by German >> National Research and Education Network (DFN) " > > I was there at IMC and spoke with Zakir. He was not aware of the fact > that the private keys to all the intermediate certificates are held by > the central DFN Verein, not the RAs themselves. In the case of DFN, > the intermediate certs only identify the RAs. The RAs do not carry > signing power. What is the function of an RA, then, if not to tell a CA "sign this"? _______________________________________________ therightkey mailing list therightkey@ietf.org https://www.ietf.org/mailman/listinfo/therightkey
- [therightkey] RA vs CA Ben Laurie
- Re: [therightkey] RA vs CA Jeremy Rowley
- Re: [therightkey] RA vs CA Jeremy Rowley
- Re: [therightkey] RA vs CA Ralph Holz
- Re: [therightkey] RA vs CA Phillip Hallam-Baker