[Cryptography] The EFF 650 CAs lie

Rob Stradling rob at sectigo.com
Mon May 4 08:48:19 EDT 2020

On 29/04/2020 04:36, Phillip Hallam-Baker wrote:
> Years ago, the EFF set up its infamous Certificate Observatory, looked 
> at the network of public intermediate certificates that had been issued, 
> called each intermediate a 'CA' and issued what has become the zombie 
> lie of 650 CAs.
> It was not a deliberate lie at the time it was said but it has become a 
> lie since with the obstinate refusal to correct the record. I am going 
> to be taping a module on PKI for my course on cryptography and it would 
> be much better for all concerned if I could say the EFF has finally 
> retracted this claim.
> I have no idea who I could contact at EFF who could get this fixed but 
> the lie continues to be repeated and it is high time it was retracted.
> As was explained at the time and on numerous occasions since, a CA is a 
> body that has control of at least one Certificate signing key. The vast 
> majority of the '650 CA's identified in the study control no signing 
> keys. They are simply customers of a CA whose certificates are issued 
> off a separate intermediate root.

Here's a new number for you, FWIW.  Using the "a CA is a body that has 
control of at least one Certificate signing key" metric, I reckon there 
are about "170 CAs" at the moment.

The CCADB (https://ccadb.org) provides information on which body 
controls which keys.  I used crt.sh to cross-reference the CCADB 
information against the major browser trusted root stores (to exclude 
expired, not yet trusted, and no longer trusted CAs from this calculation).

(first revision was the list generated by crt.sh; second revision was 
manually curated to remove likely duplicates).

Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
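As an added illustration that is not part of the thread, the following Python models the two counting methods being contrasted: counting every intermediate certificate as a "CA" versus counting distinct bodies that control at least one currently trusted, unexpired signing key. The records, organisation names, dates and field names are constructed for the example and are not real CCADB data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Intermediate:
    """One intermediate certificate, loosely modelled on a CCADB row (constructed)."""
    subject: str                 # intermediate's Subject CN
    key_controller: str          # body that controls this certificate's private key
    not_after: date              # certificate expiry
    trusted_roots: frozenset     # root stores that currently trust the parent root


ROOT_STORES = frozenset({"Mozilla", "Microsoft", "Apple"})

# Constructed sample: three intermediates run by one operator for separate customers,
# one expired intermediate, and one operator with one untrusted and one trusted chain.
SAMPLE = [
    Intermediate("Example Bank Issuing CA 1", "Example CA Ltd", date(2026, 1, 1), ROOT_STORES),
    Intermediate("Example Bank Issuing CA 2", "Example CA Ltd", date(2026, 1, 1), ROOT_STORES),
    Intermediate("Example Retail Issuing CA", "Example CA Ltd", date(2026, 1, 1), ROOT_STORES),
    Intermediate("Contoso Legacy CA", "Contoso Trust", date(2019, 6, 1), ROOT_STORES),
    Intermediate("Fabrikam Issuing CA", "Fabrikam PKI", date(2027, 1, 1), frozenset()),
    Intermediate("Fabrikam EV CA", "Fabrikam PKI", date(2027, 1, 1), frozenset({"Microsoft"})),
]


def count_intermediates(rows):
    """The '650 CAs' style count: every intermediate certificate is one 'CA'."""
    return len(rows)


def currently_trusted(rows, today):
    """Keep intermediates that are unexpired and chain to a root in at least one store."""
    return [r for r in rows if r.not_after > today and r.trusted_roots]


def count_key_controllers(rows, today):
    """Count distinct bodies controlling at least one trusted, unexpired signing key."""
    return len({r.key_controller for r in currently_trusted(rows, today)})


if __name__ == "__main__":
    today = date(2020, 5, 4)
    print("intermediate certificates:", count_intermediates(SAMPLE))
    print("key-controlling bodies:   ", count_key_controllers(SAMPLE, today))
```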
