Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Jacob Appelbaum <> Mon, 23 December 2013 18:33 UTC

Date: Mon, 23 Dec 2013 18:29:24 +0000
From: Jacob Appelbaum <>
MIME-Version: 1.0
To:, Seth David Schoen <>
References: <> <> <> <>
In-Reply-To: <>
OpenPGP: id=4193A197
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security

Phillip Hallam-Baker:
> On Sun, Dec 15, 2013 at 8:50 PM, Tao Effect <> wrote:
>> And for someone who is accusing others of being 'fraudulent', not a good
>> move to start off repeating figures already exposed as bogus like the oft
>> repeated but still untrue claim of 600 CAs.
>> I thought the EFF was a reputable source.
>> There has been no update or correction to their post:
> Which kind of calls their credibility into question.

No, I don't think so, actually.

> HALF the 'CAs' in
> their graph are from the DFN root. You can check that out for yourself, it
> is a German CA that issues certs to higher education institutions. As has
> been demonstrated (and agreed by the EFF people), DFN do not sign certs for
> key signing keys they do not hold.

Their count isn't off simply because you want to reduce a large number
of keys into a single entity.

> You can't calculate the number of CAs the way the EFF tried to. An
> intermediate certificate does not equate to a CA. Pretending it does to
> peddle an alternative PKI scheme calls into question their veracity.

I disagree strongly. I have an intermediate certificate. I am as
powerful a CA as a result.

Please also see these estimates which are even higher:

"Identified 1,832 CA certificates belonging to 683 organizations"
"311 (45%) of the organizations were provided certificates by
German National Research and Education Network (DFN)"

"More than 1200 root and intermediate CAs can currently sign
certificates for any domain and be trusted by popular browsers."

> I have tried to get members of the EFF board to look into this but they
> never get back. Too much trouble to get it right.

I've cc'ed Seth Schoen from the EFF - I'd be surprised if he had no

Later you said:

> 1) Failing to examine the issue when the DFN root accounted for half of the
> purported '600 CAs'

Other estimates appear to be much higher than the EFF count. What is
your qualification for what counts as a CA? For example - Debian
GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
with another, heck Microsoft even adds new CA certs dynamically, right?
So what is your metric exactly?

> 2) Continuing to count the DFN as 300 CAs when they know it is one.

The number matters because it isn't just an issue of control over a
single signing key. I'd be interested to hear how many of those
CAs/sub-CAs are able to sign leaf certificates.

All the best,