[Cryptography] The EFF 650 CAs lie

Rob Stradling rob at sectigo.com
Mon May 4 08:48:19 EDT 2020


On 29/04/2020 04:36, Phillip Hallam-Baker wrote:
> Years ago, the EFF set up its infamous Certificate Observatory, looked 
> at the network of public intermediate certificates that had been issued, 
> called each intermediate a 'CA' and issued what has become the zombie 
> lie of 650 CAs.
> 
> It was not a deliberate lie at the time it was said but it has become a 
> lie since with the obstinate refusal to correct the record. I am going 
> to be taping a module on PKI for my course on cryptography and it would 
> be much better for all concerned if I could say the EFF has finally 
> retracted this claim.
> 
> I have no idea who I could contact at EFF who could get this fixed but 
> the lie continues to be repeated and it is high time it was retracted.
> 
> As was explained at the time and on numerous occasions since, a CA is a 
> body that has control of at least one Certificate signing key. The vast 
> majority of the '650 CAs' identified in the study control no signing 
> keys. They are simply customers of a CA whose certificates are issued 
> off a separate intermediate root.

Here's a new number for you, FWIW.  Using the "a CA is a body that has 
control of at least one Certificate signing key" metric, I reckon there 
are about "170 CAs" at the moment.

The CCADB (https://ccadb.org) provides information on which body 
controls which keys.  I used crt.sh to cross-reference the CCADB 
information against the major browser trusted root stores (to exclude 
expired, not yet trusted, and no longer trusted CAs from this calculation).

https://gist.github.com/robstradling/bea075063bb9890ba307ce6253f2e868
(first revision was the list generated by crt.sh; second revision was 
manually curated to remove likely duplicates).

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
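The counting method described in the reply above, as an added Python illustration that is not Rob's crt.sh query or any CCADB tooling: it contrasts counting every CA certificate (the "650" method) with counting distinct bodies that control a signing key, after dropping expired and untrusted certificates. The record fields, sample organisations, dates and the set of root stores are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CaCert:
    """One CA certificate record (constructed; field names are assumptions)."""
    subject: str           # subject CN of the CA certificate
    key_owner: str         # body that controls the private signing key
    not_after: date        # certificate expiry date
    trusted_by: frozenset  # root stores that currently trust this certificate


# Constructed sample data, not real CCADB rows; organisation names are placeholders.
STORES = frozenset({"Mozilla", "Microsoft", "Apple", "Chrome"})
TODAY = date(2020, 5, 4)
SAMPLE = [
    CaCert("Example Root R1", "Example CA Ltd", date(2038, 1, 1), STORES),
    CaCert("Example Issuing G2", "Example CA Ltd", date(2030, 1, 1), STORES),
    # customer-branded intermediate: the key is still held by Example CA Ltd
    CaCert("Acme Corp Secure CA", "Example CA Ltd", date(2030, 1, 1),
           frozenset({"Mozilla", "Microsoft"})),
    CaCert("Gov PKI Root", "Gov PKI Agency", date(2035, 1, 1), frozenset({"Microsoft"})),
    CaCert("Old Root", "Retired CA Inc", date(2019, 12, 31), STORES),   # expired
    CaCert("Untrusted Root", "Newcomer CA", date(2040, 1, 1), frozenset()),  # not yet trusted
]


def currently_trusted(records, today=TODAY, stores=STORES):
    """Keep only certificates that are unexpired and trusted by at least one store."""
    return [r for r in records if r.not_after >= today and r.trusted_by & stores]


def count_by_certificate(records, **kw):
    """The 'every CA certificate is a CA' count criticised in the thread."""
    return len(currently_trusted(records, **kw))


def count_by_key_owner(records, **kw):
    """The 'a CA is a body controlling at least one signing key' count."""
    return len({r.key_owner for r in currently_trusted(records, **kw)})


def key_owners(records, **kw):
    """Sorted list of distinct bodies controlling a trusted, unexpired key."""
    return sorted({r.key_owner for r in currently_trusted(records, **kw)})


if __name__ == "__main__":
    print("certificates:", count_by_certificate(SAMPLE))  # 4
    print("key owners:  ", count_by_key_owner(SAMPLE))    # 2
```

Real CCADB data would still need the manual de-duplication Rob mentions, since one body can appear under several owner names.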