[Cryptography] The EFF 650 CAs lie
Rob Stradling
rob at sectigo.com
Mon May 4 08:48:19 EDT 2020
On 29/04/2020 04:36, Phillip Hallam-Baker wrote:
> Years ago, the EFF set up its infamous Certificate Observatory, looked
> at the network of public intermediate certificates that had been issued,
> called each intermediate a 'CA' and issued what has become the zombie
> lie of 650 CAs.
>
> It was not a deliberate lie at the time it was said but it has become a
> lie since with the obstinate refusal to correct the record. I am going
> to be taping a module on PKI for my course on cryptography and it would
> be much better for all concerned if I could say the EFF has finally
> retracted this claim.
>
> I have no idea who I could contact at EFF who could get this fixed but
> the lie continues to be repeated and it is high time it was retracted.
>
> As was explained at the time and on numerous occasions since, a CA is a
> body that has control of at least one Certificate signing key. The vast
> majority of the '650 CAs' identified in the study control no signing
> keys. They are simply customers of a CA whose certificates are issued
> off a separate intermediate root.
Here's a new number for you, FWIW. Using the "a CA is a body that has
control of at least one Certificate signing key" metric, I reckon there
are about "170 CAs" at the moment.
The CCADB (https://ccadb.org) provides information on which body
controls which keys. I used crt.sh to cross-reference the CCADB
information against the major browser trusted root stores (to exclude
expired, not yet trusted, and no longer trusted CAs from this calculation).
https://gist.github.com/robstradling/bea075063bb9890ba307ce6253f2e868
(first revision was the list generated by crt.sh; second revision was
manually curated to remove likely duplicates).
--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
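The counting method the reply describes, as an added illustration that is not Rob's crt.sh query or his gist: it contrasts "every intermediate is a CA" with "every body controlling at least one currently trusted signing key is a CA". The CCADB-style records, the store names and the owner alias table (standing in for the manual de-duplication) are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample in the shape of CCADB records: who controls the key behind
# each CA certificate, whether it is a root, when it expires, and which major
# root stores currently trust it (directly, or via a trusted parent root).
@dataclass(frozen=True)
class CaCert:
    fingerprint: str          # placeholder label, not a real SHA-256
    subject: str
    owner: str                # CCADB "CA Owner": the body holding the private key
    is_root: bool
    not_after: date
    trusted_in: frozenset = field(default_factory=frozenset)

MAJOR_STORES = frozenset({"Mozilla", "Microsoft", "Apple", "Chrome"})

# Hypothetical alias table: the manual "remove likely duplicates" step.
OWNER_ALIASES = {"CA One Ltd": "CA One"}

SAMPLE = [
    CaCert("r1", "CA One Root", "CA One", True, date(2035, 1, 1), frozenset({"Mozilla", "Microsoft"})),
    # Customer-branded intermediates whose keys are still held by CA One
    CaCert("i1", "Customer X Issuing CA", "CA One", False, date(2030, 1, 1), frozenset({"Mozilla", "Microsoft"})),
    CaCert("i2", "Customer Y Issuing CA", "CA One Ltd", False, date(2030, 1, 1), frozenset({"Mozilla", "Microsoft"})),
    # An intermediate whose key is operated by a different body
    CaCert("i3", "Externally Operated Sub CA", "CA Two", False, date(2030, 1, 1), frozenset({"Mozilla"})),
    CaCert("r2", "CA Three Legacy Root", "CA Three", True, date(2019, 6, 1), frozenset({"Microsoft"})),  # expired
    CaCert("r3", "CA Four New Root", "CA Four", True, date(2040, 1, 1)),   # not yet in any store
    CaCert("r4", "CA Five Distrusted Root", "CA Five", True, date(2030, 1, 1)),  # removed from all stores
]

def count_intermediates(certs):
    """The '650 CAs' method: every intermediate certificate counts as a CA."""
    return sum(1 for c in certs if not c.is_root)

def count_key_controllers(certs, today, stores=MAJOR_STORES, aliases=OWNER_ALIASES):
    """Distinct bodies controlling at least one signing key whose certificate
    is unexpired and trusted by at least one of the given root stores."""
    owners = set()
    for c in certs:
        if c.not_after < today:
            continue                        # expired: no longer a trusted key
        if not (c.trusted_in & stores):
            continue                        # not yet trusted, or distrusted
        owners.add(aliases.get(c.owner, c.owner))
    return len(owners)

def demo_counts(today=date(2020, 5, 4)):
    return count_intermediates(SAMPLE), count_key_controllers(SAMPLE, today)

if __name__ == "__main__":
    print("intermediates counted as CAs / key-controlling bodies:", demo_counts())  # (3, 2)
```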