[Cryptography] The EFF 650 CAs lie

Phillip Hallam-Baker phill at hallambaker.com
Fri May 1 23:52:37 EDT 2020

On Fri, May 1, 2020 at 5:21 PM Rob Stradling <rob at sectigo.com> wrote:

> Here's a new number for you, FWIW.  Using the (quoting PHB) "a CA is a
> body that has control of at least one Certificate signing key" metric, I
> reckon there are about "170 CAs" at the moment.

Now that is an interesting data point. Any idea what would be driving the

Are these unconstrained CAs that can issue any cert or a cross certified
issuer operating under a constrained intermediate?

This is one of the reasons accuracy matters. If we accepted the 650 CAs
number as valid, this would look like a reduction. But the number seems to
actually be increasing. And its hard to see what the commercial driver
would be for that at the moment what with one of the dominant players
giving away the product for free.

If it is driven by governmental concerns, that would be interesting. Though
another possibility is that the cost of setting up a CA has reduced over
time due to standardization of practices and procedures, the time taken for
a CA to be useful has reduced due to mandatory browser updates and
former affiliates to major CAs are trying to establish their own.

It would be interesting to know what the reason is.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20200501/d12a1281/attachment.htm>

More information about the cryptography mailing list