Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Jacob Appelbaum <jacob@appelbaum.net> Mon, 23 December 2013 18:33 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: therightkey@ietfa.amsl.com
Delivered-To: therightkey@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DB991AE23A for <therightkey@ietfa.amsl.com>; Mon, 23 Dec 2013 10:33:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.099
X-Spam-Level: **
X-Spam-Status: No, score=2.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FSL_HELO_BARE_IP_2=1.999, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q8DkoBBJ0HbU for <therightkey@ietfa.amsl.com>; Mon, 23 Dec 2013 10:33:37 -0800 (PST)
Received: from mail-wi0-f179.google.com (mail-wi0-f179.google.com [209.85.212.179]) by ietfa.amsl.com (Postfix) with ESMTP id 29C6D1AE234 for <therightkey@ietf.org>; Mon, 23 Dec 2013 10:33:36 -0800 (PST)
Received: by mail-wi0-f179.google.com with SMTP id z2so6517882wiv.6 for <therightkey@ietf.org>; Mon, 23 Dec 2013 10:33:33 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:mime-version:to:subject :references:in-reply-to:openpgp:content-type :content-transfer-encoding; bh=lTmPon5ycHArp89IXpl+ESm1xkj66DBc0+ees7QaTMA=; b=Ht6Owmfe2iKumpetXtiJwNG5BXLdeoL5cGdi6SCvWUEuC/h4ZYGa0gbRZlKVO4cR2y 6jyz2Wcn6lcEGmctwXNo7aLnqynM4PGqdqMvUNqJ6opw0ZiCtu6lZV3QdUJLJI3r9ST8 rpR/yRIpBnZbcNZH4ZLZYyJS3xZrieto5+6m8xHPRr4/VWNf5qLB1PTNrbPcv7ennTQg Ozer6u0yhNfgi1d5spDQi575ZX8IY30MYCT9c7uJoRlacjaM0HDhhNOx4bHKOHBnugIp XzuwE/OCnoxrHawp87nqA/VUVAD5K72DdM55Lp2YzmPGwyBB5jJ61p7ymXxU4vBWF+hC Xt6g==
X-Gm-Message-State: ALoCoQk7fU7ImTFy5e5qlPmzr40lb/kLue0YWjv/7KWzWDmk9XSBTDb8eenJuNhJJdx0I1nQ7Fl4
X-Received: by 10.180.11.105 with SMTP id p9mr14115506wib.42.1387823613116; Mon, 23 Dec 2013 10:33:33 -0800 (PST)
Received: from 127.0.0.1 (chomsky.torservers.net. [77.247.181.162]) by mx.google.com with ESMTPSA id r10sm10585244wje.10.2013.12.23.10.33.28 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 23 Dec 2013 10:33:32 -0800 (PST)
Message-ID: <52B88104.9040607@appelbaum.net>
Date: Mon, 23 Dec 2013 18:29:24 +0000
From: Jacob Appelbaum <jacob@appelbaum.net>
MIME-Version: 1.0
To: therightkey@ietf.org, Seth David Schoen <schoen@eff.org>
References: <22429D73-4EFC-4091-8F5B-BAD38968EA54@taoeffect.com> <CAMm+LwiMXdEnHqD0y_S-fP6081Tk=A=7-9LsJQhRuawmmmfdTg@mail.gmail.com> <FEFA307D-97E0-4C58-AB43-5B9AB8E8FC70@taoeffect.com> <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
In-Reply-To: <CAMm+Lwjwww28tV_qvqQVH3xo1xqvjb6z++258+LOqgxWn-Oh9w@mail.gmail.com>
OpenPGP: id=4193A197
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
X-BeenThere: therightkey@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <therightkey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/therightkey>, <mailto:therightkey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/therightkey/>
List-Post: <mailto:therightkey@ietf.org>
List-Help: <mailto:therightkey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/therightkey>, <mailto:therightkey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Dec 2013 18:33:39 -0000

Phillip Hallam-Baker:
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <contact@taoeffect.com> wrote:
> 
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>>
>>
>> I thought the EFF was a reputable source.
>>
>> There has been no update or correction to their post:
>> https://www.eff.org/deeplinks/2011/10/how-secure-https-today
>>
> 
> Which kind of calls their credibility into question.

No, I don't think so, actually.

> HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.

Their count isn't off simply because you want to reduce a large number
of keys into a single entity.

> 
> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.
> 

I disagree strongly. I have an intermediate certificate. I am as
powerful a CA as a result.

Please also see these estimates which are even higher:

https://zakird.com/slides/durumeric-https-imc13.pdf

"Identified 1,832 CA certificates belonging to 683 organizations"
"311 (45%) of the organizations were provided certificates by
German National Research and Education Network (DFN)"

http://link.springer.com/chapter/10.1007%2F978-3-642-39884-1_28

"More than 1200 root and intermediate CAs can currently sign
certificates for any domain and be trusted by popular browsers."

> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.

I've cc'ed Seth Schoen from the EFF - I'd be surprised if he had no
response.

Later you said:

> 1) Failing to examine the issue when the DFN root accounted for half of the
> purported '600 CAs'
> 

Other estimates appear to be much higher than the EFF count. What is
your qualification for what counts as a CA? For example - Debian
GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
with another, heck Microsoft even adds new CA certs dynamically, right?
So what is your metric exactly?

> 2) Continuing to count the DFN as 300 CAs when they know it is one.

The number matters because it isn't just an issue of control over a
single signing key. I'd be interested to hear how many of those
CAs/sub-CAs are able to sign leaf certificates.


All the best,
Jacob
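The disagreement in this thread is about two different ways of counting the same set of CA certificates, and about what an intermediate can actually get a browser to accept. The following Go program is an added example and is not part of the original message or of any project mentioned in it. It generates an in-memory hierarchy with placeholder names (a root, a "Research Network CA" that issues sub-CA certificates to two universities, one of them with a DNS name constraint), counts the CA certificates once per certificate and once per issuing organization, and checks what a client trusting only the root accepts from each sub-CA. The hostnames www.example.com and www.univ-b.example and all organization names are constructed for the example; the Go standard library's crypto/x509 package does the issuing and the verification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certificate plus its key; all of this is generated in memory with placeholder names.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
var nextSerial int64 = 100

// template builds a CA or end-entity template; pathLen < 0 means no pathLenConstraint, 0 means leaf certs only.
func template(cn, org string, isCA bool, pathLen int) *x509.Certificate {
	nextSerial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
	if isCA {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
	} else {
		t.DNSNames = []string{cn}
	}
	return t
}

// issue signs tmpl with parent's key, or self-signs it when parent is nil.
func issue(tmpl *x509.Certificate, parent *ca) *ca {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing a certificate we just created cannot fail
	return &ca{cert: cert, key: key}
}

// accepted reports whether a client trusting only root accepts leaf for dnsName.
func accepted(leaf *x509.Certificate, dnsName string, root *x509.Certificate, inters ...*x509.Certificate) bool {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: roots, Intermediates: pool})
	return err == nil
}

// Result holds the two counts the thread argues about and what each sub-CA can get accepted.
type Result struct {
	CACerts, IssuerOrgs, AnyHostname            int  // per certificate; per issuing organization; without name constraints
	SubCAAnyName, ConstrainedOut, ConstrainedIn bool // see demo for what each case issues
}

func demo() Result {
	root := issue(template("Example Root CA", "Example Root Org", true, -1), nil)
	network := issue(template("Research Network CA", "Research Network Org", true, 1), root)
	univA := issue(template("University A CA", "University A", true, 0), network)
	tB := template("University B CA", "University B", true, 0)
	tB.PermittedDNSDomains = []string{"univ-b.example"} // the mitigation: a name constraint on the sub-CA
	univB := issue(tB, network)
	var r Result
	orgs := map[string]bool{}
	for _, c := range []*ca{root, network, univA, univB} {
		r.CACerts++
		for _, o := range c.cert.Issuer.Organization {
			orgs[o] = true
		}
		if len(c.cert.PermittedDNSDomains) == 0 {
			r.AnyHostname++ // nothing technical stops this certificate from issuing for any hostname
		}
	}
	r.IssuerOrgs = len(orgs)
	leaf := func(cn string, by *ca) *x509.Certificate { return issue(template(cn, "Example Site", false, 0), by).cert }
	r.SubCAAnyName = accepted(leaf("www.example.com", univA), "www.example.com", root.cert, network.cert, univA.cert)
	r.ConstrainedOut = accepted(leaf("www.example.com", univB), "www.example.com", root.cert, network.cert, univB.cert)
	r.ConstrainedIn = accepted(leaf("www.univ-b.example", univB), "www.univ-b.example", root.cert, network.cert, univB.cert)
	return r
}

func main() { fmt.Println(demo()) }
```

Over this constructed set the program reports four CA certificates but two issuing organizations, which is the gap between the two counts in the thread; it also shows that the unconstrained university sub-CA, despite its pathLenConstraint of 0, gets a certificate for www.example.com accepted, while the name-constrained one is accepted only inside univ-b.example. Which count matters depends on the question: how many keys must stay uncompromised, or how many organizations hold them.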