ietf

Re: Number of CAs (was: Mandatory encryption as part of HTTP2)

2013-11-17 07:42:27
On Sun, Nov 17, 2013 at 3:20 AM, Yoav Nir <ynir(_at_)checkpoint(_dot_)com> wrote:

> Hi, Phil
>
> I think we all agree that there are not 600 root CAs (just looking at the
> root store of your favorite OS or browser shows that), and the actual
> number of organizations is "only" several dozen.
>
> What both the EFF and this discussion are missing is that the number of
> organizations running root CAs is not the biggest part of the problem. In
> addition to the root CAs, the big organizations have sub-CAs and RAs. I
> trust you remember that ComodoHacker did not actually hack Comodo. He
> hacked instantssl.it. And those researchers didn't trick Verisign into
> signing a sub-CA certificate using an MD5 collision, they did it to
> RapidSSL[1].
>
> So how many InstantSSL.it and RapidSSLs are there? Don't they outnumber
> the root CAs? Are they subject to the same rules set by the CABF?
> NameConstraints are very rare on the web, so these sub-CAs or RAs can issue
> a certificate for anything. Isn't that right?


The reason that name constraints were not very common on the web was that
the PKIX specification requires them to be marked critical, which makes them
unusable: there is enough legacy infrastructure that does not recognize
them, and will reject NCs marked critical, to make this unacceptable.

The industry has found a solution which is to ignore the PKIX
specification. According to the industry standard, it is now acceptable to
use NCs that are not marked critical. The IETF can correct the spec or not,
but that is now the de facto standard.


Also, according to the requirements of Mozilla and other browsers, any party
that has the capability of issuing certificates under a root has to be
audited. I can't tell you if the transition process is complete or not;
there are so many deadlines for different things that I can't keep them all
straight.

So hopefully the number of those parties is currently zero. But that does
not rule out the possibility of a Flame-like situation.


-- 
Website: http://hallambaker.com/
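Added example, not part of the original message and not code from any of the parties named in it, showing the criticality point above in working Go with the standard-library crypto/x509 package. A constructed root issues a sub-CA whose NameConstraints extension (id-ce-nameConstraints, 2.5.29.30) permits only example.com and its subdomains, encoded either non-critical (the de facto practice the reply describes) or critical; the sub-CA then issues one leaf inside that scope and one outside it. The helpers check how the extension is actually flagged in the encoded certificate and whether Go's path validation rejects the out-of-scope leaf, which it does either way. A legacy verifier that did not implement the extension would behave differently: reject the whole chain when the flag is critical, and silently accept the out-of-scope leaf when it is not, which is the trade-off the thread is about. All CA names, domains and keys are made up for the example; the panics in `issue` are a shortcut for demo setup failures, not a pattern for production issuance code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// PKI is a constructed toy hierarchy: one root and one name-constrained sub-CA.
type PKI struct {
	Root, SubCA *x509.Certificate
	subKey      *ecdsa.PrivateKey
}

var oidNameConstraints = asn1.ObjectIdentifier{2, 5, 29, 30} // id-ce-nameConstraints

// issue generates a fresh P-256 key and signs tmpl under parent with signerKey
// (self-signed when signerKey is nil), filling in a serial and a one-day validity.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo-only: setup failures are treated as fatal
	}
	if signerKey == nil {
		parent, signerKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // toy serial; enough for an in-memory demo
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewPKI builds root -> sub-CA. The sub-CA's NameConstraints permits only `permitted` and
// its subdomains; `critical` picks the flag. false is the form the reply calls the de facto standard.
func NewPKI(permitted string, critical bool) *PKI {
	root, rootKey := issue(caTemplate("Constructed Root CA"), nil, nil)
	subTmpl := caTemplate("Constructed Reseller Sub-CA")
	subTmpl.PermittedDNSDomains = []string{permitted}
	subTmpl.PermittedDNSDomainsCritical = critical
	sub, subKey := issue(subTmpl, root, rootKey)
	return &PKI{Root: root, SubCA: sub, subKey: subKey}
}

// IssueLeaf has the sub-CA sign a server cert for dnsName. Nothing on the issuing side
// stops a name outside the constraint; only the relying party's validation can.
func (p *PKI) IssueLeaf(dnsName string) *x509.Certificate {
	leaf, _ := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, p.SubCA, p.subKey)
	return leaf
}

// Verify runs Go's path validation as a TLS client would: root trusted, sub-CA as intermediate.
func (p *PKI) Verify(leaf *x509.Certificate, dnsName string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.SubCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: dnsName})
	return err
}

// NameConstraintsCritical reports whether cert carries id-ce-nameConstraints and whether it is critical.
func NameConstraintsCritical(cert *x509.Certificate) (present, critical bool) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidNameConstraints) {
			return true, ext.Critical
		}
	}
	return false, false
}

// RejectedForName is true when validation refused the chain because a CA is not authorized for the leaf's name.
func RejectedForName(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}
```

With `NewPKI("example.com", false)`, `Verify` returns nil for a leaf named www.example.com and a `CertificateInvalidError` with reason `CANotAuthorizedForThisName` for a leaf named login.example.net; the result is the same with `critical` set to true, because Go implements the extension and so enforces it regardless of the flag. The interesting case in the reply, a verifier that does not implement the extension, cannot be reproduced with this library; there the flag alone decides between "chain rejected" and "constraint ignored".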