[Cryptography] The EFF 650 CAs lie
Viktor Dukhovni
cryptography at dukhovni.org
Wed Apr 29 16:20:48 EDT 2020
On Tue, Apr 28, 2020 at 11:36:45PM -0400, Phillip Hallam-Baker wrote:
> Years ago, the EFF set up its infamous Certificate Observatory, looked at
> the network of public intermediate certificates that had been issued,
> called each intermediate a 'CA' and issued what has become the zombie lie
> of 650 CAs.
>
> It was not a deliberate lie at the time it was said but it has become a lie
> since with the obstinate refusal to correct the record. I am going to be
> taping a module on PKI for my course on cryptography and it would be much
> better for all concerned if I could say the EFF has finally retracted this
> claim.

Does the exact number matter much? Suppose it is ~65, is that
qualitatively different?

On a Fedora 31 system, the OS installs 138 self-signed trust anchors;
when I extract just the "O=" component of the subject DN (falling back
on "CN=" when "O=" is absent), I get 69 unique case-insensitive names:

AC Camerfirma S.A.
ACCV
AS Sertifitseerimiskeskus
Actalis S.p.A./03358520967
AddTrust AB
AffirmTrust
Agencia Catalana de Certificacio (NIF Q-0801176-I)
Amazon
Atos
Autoridad de Certificacion Firmaprofesional CIF A62634068
Baltimore
Buypass AS-983163327
COMODO CA Limited
China Financial Certification Authority
Chunghwa Telecom Co., Ltd.
Cybertrust, Inc
D-Trust GmbH
Dhimyotis
DigiCert Inc
Digital Signature Trust Co.
Disig a.s.
E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
Entrust, Inc.
Entrust.net
FNMT-RCM
GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.
GeoTrust Inc.
GlobalSign
GlobalSign nv-sa
GoDaddy.com, Inc.
Google Trust Services LLC
Government Root Certification Authority
Hellenic Academic and Research Institutions Cert. Authority
Hongkong Post
IZENPE S.A.
IdenTrust
Internet Security Research Group
Japan Certification Services, Inc.
Krajowa Izba Rozliczeniowa S.A.
LuxTrust S.A.
Microsec Ltd.
NetLock Kft.
Network Solutions L.L.C.
QuoVadis Limited
SECOM Trust Systems CO.,LTD.
SECOM Trust.net
SSL Corporation
SecureTrust Corporation
Sonera
Staat der Nederlanden
Starfield Technologies, Inc.
SwissSign AG
T-Systems Enterprise Services GmbH
TAIWAN-CA
TeliaSonera
The Go Daddy Group, Inc.
The USERTRUST Network
TrustCor Systems S. de R.L.
Trustis Limited
Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK
UniTrust
Unizeto Technologies S.A.
VeriSign, Inc.
WISeKey
XRamp Security Services Inc
certSIGN
eMudhra Inc
eMudhra Technologies Limited
thawte, Inc.

A few of these are clearly alternative names for the same organisation,
but it seems safe to estimate that there are at least ~50 distinct
entities on the above list.

So, OK, perhaps an order of magnitude fewer than 650, but does it make
enough of a difference to call the larger naïve estimates "lies"?

I still don't know who most of these are, and probably would prefer to
not unconditionally (i.e. without name constraints) trust all of them.

--
Viktor.
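The counting rule described in the post (subject "O=", falling back to "CN=", deduplicated case-insensitively), written out as an added example that is not part of Viktor's message: it assumes the trust anchors sit in a PEM bundle such as Fedora's /etc/pki/tls/certs/ca-bundle.crt and that an `openssl` binary is on PATH, and the SAMPLE_SUBJECTS entries are constructed, not real store output.

```python
import re
import subprocess
import sys
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample subjects in the RFC 2253 form openssl prints (not real store output).
SAMPLE_SUBJECTS = [
    "CN=Example Root A,O=Example Root A,C=XX",
    "CN=Example Root B,O=EXAMPLE ROOT A,C=XX",       # same org, different case
    "CN=Example Root C,O=Example Corp.\\,Ltd.,C=XX",  # comma escaped inside the value
    "CN=Orphan Root,C=XX",                           # no O=, so CN= is used
]

def split_rdns(dn):
    """Split an RFC 2253 DN into (TYPE, value) pairs, honouring backslash escapes."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            cur.append(dn[i + 1]); i += 1
        elif dn[i] == ",":                         # unescaped comma ends the RDN
            rdns.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur))
    return [(t.strip().upper(), v.strip()) for t, _, v in (r.partition("=") for r in rdns)]

def org_name(dn):
    """Subject O= if present, otherwise CN= (the rule used in the post)."""
    attrs = dict(split_rdns(dn))
    return attrs.get("O") or attrs.get("CN", "")

def distinct_orgs(subjects):
    """Case-insensitive unique names: lower-cased name -> first spelling seen."""
    seen = {}
    for name in filter(None, map(org_name, subjects)):
        seen.setdefault(name.lower(), name)
    return seen

def subjects_from_bundle(path):
    """Yield the RFC 2253 subject of every PEM certificate in a bundle file (needs openssl)."""
    data = open(path, encoding="utf-8", errors="replace").read()
    for pem in PEM_RE.findall(data):
        out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-nameopt", "RFC2253"],
                             input=pem, capture_output=True, text=True, check=True).stdout
        yield out.partition("=")[2].strip()        # drop the leading "subject=" label

if __name__ == "__main__":
    orgs = distinct_orgs(subjects_from_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SUBJECTS)
    print("\n".join(sorted(orgs.values(), key=str.lower)), f"{len(orgs)} distinct organisations", sep="\n")
```

Run it with the bundle path as the only argument to list the names and the count; with no argument it runs over the constructed samples.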