Re: Number of CAs (was: Mandatory encryption as part of HTTP2)

2013-11-17 07:51:21
On Sun, Nov 17, 2013 at 4:30 AM, Randy Bush <randy(_at_)psg(_dot_)com> wrote:

i'll try once again,
http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf

randy


Their number of intermediate certs is more accurate. But they make the same
mistake of conflating an intermediate cert with control of a CA. Also
rather odd to be talking about VeriSign which has not been in the CA
business for three years now.

The DFN root which has 300+ members issues an intermediary cert to every
university in its network. But they maintain full control of all the
private keys and these reside in the same type of secure crypto hardware as
the embedded root.

The reason this is done is to enable access control restrictions of the
type 'only to a site in my university'.


-- 
Website: http://hallambaker.com/