[Cryptography] The EFF 650 CAs lie

Viktor Dukhovni cryptography at dukhovni.org
Wed Apr 29 16:20:48 EDT 2020


On Tue, Apr 28, 2020 at 11:36:45PM -0400, Phillip Hallam-Baker wrote:

> Years ago, the EFF set up its infamous Certificate Observatory, looked at
> the network of public intermediate certificates that had been issued,
> called each intermediate a 'CA' and issued what has become the zombie lie
> of 650 CAs.
> 
> It was not a deliberate lie at the time it was said but it has become a lie
> since with the obstinate refusal to correct the record. I am going to be
> taping a module on PKI for my course on cryptography and it would be much
> better for all concerned if I could say the EFF has finally retracted this
> claim.

Does the exact number matter much?  Suppose it is ~65, is that
qualitatively different?

On a Fedora 31 system, the OS installs 138 self-signed trust anchors;
when I extract just the "O=" component of the subject DN (falling back
on "CN=" when "O=" is absent), I get 69 unique case-insensitive names:

    AC Camerfirma S.A.
    ACCV
    AS Sertifitseerimiskeskus
    Actalis S.p.A./03358520967
    AddTrust AB
    AffirmTrust
    Agencia Catalana de Certificacio (NIF Q-0801176-I)
    Amazon
    Atos
    Autoridad de Certificacion Firmaprofesional CIF A62634068
    Baltimore
    Buypass AS-983163327
    COMODO CA Limited
    China Financial Certification Authority
    Chunghwa Telecom Co., Ltd.
    Cybertrust, Inc
    D-Trust GmbH
    Dhimyotis
    DigiCert Inc
    Digital Signature Trust Co.
    Disig a.s.
    E-Tuğra EBG Bilişim Teknolojileri ve Hizmetleri A.Ş.
    Entrust, Inc.
    Entrust.net
    FNMT-RCM
    GUANG DONG CERTIFICATE AUTHORITY CO.,LTD.
    GeoTrust Inc.
    GlobalSign
    GlobalSign nv-sa
    GoDaddy.com, Inc.
    Google Trust Services LLC
    Government Root Certification Authority
    Hellenic Academic and Research Institutions Cert. Authority
    Hongkong Post
    IZENPE S.A.
    IdenTrust
    Internet Security Research Group
    Japan Certification Services, Inc.
    Krajowa Izba Rozliczeniowa S.A.
    LuxTrust S.A.
    Microsec Ltd.
    NetLock Kft.
    Network Solutions L.L.C.
    QuoVadis Limited
    SECOM Trust Systems CO.,LTD.
    SECOM Trust.net
    SSL Corporation
    SecureTrust Corporation
    Sonera
    Staat der Nederlanden
    Starfield Technologies, Inc.
    SwissSign AG
    T-Systems Enterprise Services GmbH
    TAIWAN-CA
    TeliaSonera
    The Go Daddy Group, Inc.
    The USERTRUST Network
    TrustCor Systems S. de R.L.
    Trustis Limited
    Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK
    UniTrust
    Unizeto Technologies S.A.
    VeriSign, Inc.
    WISeKey
    XRamp Security Services Inc
    certSIGN
    eMudhra Inc
    eMudhra Technologies Limited
    thawte, Inc.

A few of these are clearly alternative names for the same organisation,
but it seems safe to estimate that there are at least ~50 distinct
entities on the above list.

So, OK perhaps an order of magnitude fewer than 650, but does it make
enough of a difference to call the larger naïve estimates "lies"?

I still don't know who most of these are, and probably would prefer to
not unconditionally (i.e. without name constraints) trust all of them.

-- 
    Viktor.
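The counting procedure described in the message above (take the "O=" component of each root's subject DN, fall back on "CN=" when "O=" is absent, count case-insensitively), as an added example that is not Viktor's code. The sample subject DNs are constructed for illustration, the bundle helper assumes `openssl` is on PATH, and the Fedora bundle path is an assumption.

```python
"""Count distinct trust-anchor operators by subject-DN organisation."""
import re
import subprocess

# Constructed sample subjects in RFC 2253 form (organisations taken from
# the post's list, CNs made up). Note the escaped comma in the GDCA name.
SAMPLE_SUBJECTS = [
    "CN=Example Root R1,O=Amazon,C=US",
    "CN=Example Root R2,O=AMAZON,C=US",           # same operator, different case
    "CN=Example Root,OU=PKIACCV,O=ACCV,C=ES",
    "CN=Example Root,O=GUANG DONG CERTIFICATE AUTHORITY CO.\\,LTD.,C=CN",
    "CN=Hongkong Post Root,C=HK",                 # no O=: fall back on CN=
]

# RFC 2253 escapes a comma inside a value as "\,"; split only on unescaped ones.
_SPLIT_RDN = re.compile(r'(?<!\\),')
_UNESCAPE = re.compile(r'\\(.)')

def rdns(subject):
    """Parse an RFC 2253 DN string into (TYPE, value) pairs, unescaping values."""
    pairs = []
    for rdn in _SPLIT_RDN.split(subject):
        attr_type, _, value = rdn.partition('=')
        pairs.append((attr_type.strip().upper(), _UNESCAPE.sub(r'\1', value)))
    return pairs

def operator_name(subject):
    """The O= value, or the CN= value when the root carries no O=."""
    attrs = dict(rdns(subject))
    return attrs.get('O') or attrs.get('CN') or subject

def distinct_operators(subjects):
    """Case-insensitively unique operator names, first spelling seen, sorted."""
    seen = {}
    for subject in subjects:
        name = operator_name(subject)
        seen.setdefault(name.casefold(), name)
    return sorted(seen.values(), key=str.casefold)

def bundle_subjects(bundle_path="/etc/pki/tls/certs/ca-bundle.crt"):
    """Subject DNs of every PEM cert in a bundle, via openssl (assumed installed)."""
    with open(bundle_path) as f:
        pems = re.findall(r'-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----',
                          f.read(), re.S)
    subjects = []
    for pem in pems:
        out = subprocess.run(['openssl', 'x509', '-noout', '-subject', '-nameopt', 'RFC2253'],
                             input=pem, capture_output=True, text=True, check=True).stdout
        subjects.append(out.partition('=')[2].strip())   # drop the "subject=" prefix
    return subjects

if __name__ == "__main__":
    for name in distinct_operators(SAMPLE_SUBJECTS):
        print(name)
```

Running `distinct_operators(bundle_subjects())` on a real system bundle reproduces the message's tally; the sample data alone collapses the five subjects to four operators.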
