Re: [therightkey] DNSNMC deprecates Certificate Authorities and fixes HTTPS security
Rob Stradling <rob.stradling@comodo.com> Tue, 31 December 2013 14:31 UTC
Message-ID: <52C2D54F.8000209@comodo.com>
To: Jacob Appelbaum <jacob@appelbaum.net>, therightkey@ietf.org, Seth David Schoen <schoen@eff.org>
On 23/12/13 18:29, Jacob Appelbaum wrote:
> Phillip Hallam-Baker:
<snip>
>> You can't calculate the number of CAs the way the EFF tried to. An
>> intermediate certificate does not equate to a CA. Pretending it does to
>> peddle an alternative PKI scheme calls into question their veracity.
>
> I disagree strongly. I have an intermediate certificate. I am as
> powerful a CA as a result.

Jake, you're only that powerful if you control the intermediate private key.

<snip>
> Other estimates appear to be much higher than the EFF count. What is
> your qualification for what counts as a CA? For example - Debian
> GNU/Linux ships with one set of ca-certificates, Chrome on Windows ships
> with another, heck Microsoft even adds new CA certs dynamically, right?
> So what is your metric exactly?

I would prefer to count the number of distinct organizations that control at least 1 private key that is associated with at least 1 non-Name-Constrained root or intermediate certificate that chains to (or is) a root in the Microsoft, Mozilla and/or Apple root store and which can issue certs that are trusted for Server Authentication.

It's not possible to measure this purely by examining the body of root/intermediate certificates that are known to exist (although this body of certificates is of course useful for cross-referencing).

>> 2) Continuing to count the DFN as 300 CAs when they know it is one.
>
> The number matters because it isn't just an issue of control over a
> single signing key. I'd be interested to hear how many of those
> CAs/sub-CAs are able to sign leaf certificates.

All of the DFN Sub-CAs are able to sign leaf certificates, but it is _only_ DFN that controls the private keys that would be used to sign these leaf certificates. The various German universities are essentially only RAs, even though they are named as the Subjects of the intermediate certificates.

Many Sub-CA certificates issued by major commercial Root CAs exist purely for branding reasons, i.e. the Subject is at most an RA, and sometimes only a Reseller.

On the other hand, if there are still any RAs/Resellers that control root or intermediate private keys, then by my metric they should be counted as CAs.

My gut feeling is that the real number (by my metric) is likely to be a lot nearer to 60 than to 600.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
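The certificate-side half of the metric described in the message above (chains to a trusted root, carries no Name Constraints anywhere on the path, and is permitted to issue Server Authentication certificates) can be checked mechanically; the key-control half cannot. The following is an added example written for this page, not code from the thread or from any CA: it builds a constructed toy hierarchy with Go's standard crypto/x509 package (the organization names "Root CA Ltd", "University A", "University B" and "Reseller GmbH" are made up) and counts distinct Subject Organizations among the CA certificates that pass the filter. Because a Subject may be only an RA or Reseller for keys the issuer operates, as the message says of the DFN Sub-CAs, the result is an upper bound on the number of CAs by that metric, never the number itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// id-ce-nameConstraints (2.5.29.30): present on a CA certificate iff it is Name-Constrained.
var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30}

var serial int64

// issueCA signs a CA certificate for tmpl (Name Constraints / EKU set by the caller are kept)
// and returns it with its new key. A nil parent yields a self-signed root.
func issueCA(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	tmpl.BasicConstraintsValid, tmpl.IsCA = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func hasNameConstraints(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidNameConstraints) {
			return true
		}
	}
	return false
}

// CountsTowardMetric reports whether c chains to a trusted root through a path on which no
// certificate is Name-Constrained, and can issue serverAuth certificates. Go's verifier
// enforces the EKU part: a chain fails if any certificate's EKU excludes serverAuth.
// Name Constraints on the path are checked here, because a constrained parent also
// constrains every Sub-CA beneath it.
func CountsTowardMetric(c *x509.Certificate, roots, inters *x509.CertPool) bool {
	chains, err := c.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return false
	}
chain:
	for _, chain := range chains {
		for _, cert := range chain {
			if hasNameConstraints(cert) {
				continue chain
			}
		}
		return true
	}
	return false
}

// OrgsUpperBound returns the distinct Subject Organizations of the qualifying CA certificates.
// Certificates cannot show who holds a private key, so this only bounds the metric from above.
func OrgsUpperBound(roots, inters *x509.CertPool, cas []*x509.Certificate) []string {
	seen := map[string]bool{}
	for _, c := range cas {
		if CountsTowardMetric(c, roots, inters) && len(c.Subject.Organization) > 0 {
			seen[c.Subject.Organization[0]] = true
		}
	}
	var orgs []string
	for o := range seen {
		orgs = append(orgs, o)
	}
	sort.Strings(orgs)
	return orgs
}

// BuildHierarchy constructs sample data (made-up names, not a real CA): one root and three
// Sub-CAs, of which only the unconstrained, serverAuth-capable one should count.
func BuildHierarchy() (roots, inters *x509.CertPool, cas []*x509.Certificate) {
	name := func(org, cn string) pkix.Name { return pkix.Name{Organization: []string{org}, CommonName: cn} }
	root, rootKey := issueCA(&x509.Certificate{Subject: name("Root CA Ltd", "Root CA")}, nil, nil)
	// Counted: unconstrained. The Subject may still be only an RA for the issuer's own key.
	uniA, _ := issueCA(&x509.Certificate{Subject: name("University A", "Uni-A Sub-CA")}, root, rootKey)
	// Excluded: Name-Constrained to one domain.
	uniB, _ := issueCA(&x509.Certificate{Subject: name("University B", "Uni-B Sub-CA"),
		PermittedDNSDomains: []string{".uni-b.example"}, PermittedDNSDomainsCritical: true}, root, rootKey)
	// Excluded: EKU limits it to S/MIME, so it cannot issue certs trusted for Server Authentication.
	reseller, _ := issueCA(&x509.Certificate{Subject: name("Reseller GmbH", "Reseller S/MIME Sub-CA"),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}, root, rootKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range []*x509.Certificate{uniA, uniB, reseller} {
		inters.AddCert(c)
	}
	return roots, inters, []*x509.Certificate{root, uniA, uniB, reseller}
}

func main() {
	roots, inters, cas := BuildHierarchy()
	fmt.Println(OrgsUpperBound(roots, inters, cas)) // [Root CA Ltd University A]
}
```

Run against a real corpus (for example the CA certificates collected from a root-store program), the same filter yields the list of Subject Organizations worth cross-referencing; deciding which of them actually hold a key, rather than acting as RA or Reseller, still needs information from outside the certificates.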