[Cryptography] The EFF 650 CAs lie
Rob Stradling
rob at sectigo.com
Tue May 5 08:46:42 EDT 2020
On 02/05/2020 04:52, Phillip Hallam-Baker wrote:
> On Fri, May 1, 2020 at 5:21 PM Rob Stradling wrote:
>
> Here's a new number for you, FWIW. Using the (quoting PHB) "a CA is
> a body that has control of at least one Certificate signing key"
> metric, I reckon there are about "170 CAs" at the moment.
>
> Now that is an interesting data point. Any idea what would be driving
> the change?
The change from what?
(You've reminded us of the flaws with the EFF's "650 CAs" soundbite, so
I presume that's not the datapoint you're comparing "170 CAs" against).
> Are these unconstrained CAs that can issue any cert or a cross certified
> issuer operating under a constrained intermediate?
Unconstrained.
CAs are not required (by Mozilla's policy, etc) to disclose technically
constrained CA certificates to the CCADB, and so most are not disclosed.
(I just re-ran my analysis but filtered out "CA Owners" that only
operated technically constrained CA certificates; however, the resulting
list was unchanged).
BTW, ~10 of those ~170 don't operate intermediate CAs capable of issuing
trusted server authentication certs. (My analysis included them because
they're capable of issuing trusted S/MIME and/or Code Signing certs).
> This is one of the reasons accuracy matters. If we accepted the 650 CAs
> number as valid, this would look like a reduction. But the number seems
> to actually be increasing. And it's hard to see what the commercial
> driver would be for that at the moment what with one of the dominant
> players giving away the product for free.
>
> If it is driven by governmental concerns, that would be interesting.
> Though another possibility is that the cost of setting up a CA has
> reduced over time due to standardization of practices and procedures,
> the time taken for a CA to be useful has reduced due to mandatory
> browser updates and former affiliates to major CAs are trying to
> establish their own.
>
> It would be interesting to know what the reason is.
--
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
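The counting rule discussed in this thread (a "CA" is a body controlling at least one CA signing key, technically constrained CA certs filtered out, owners without a server-auth-capable intermediate noted separately) as an added Python example over constructed CCADB-like records; this is not code from the thread or from any CA's tooling. The `technically_constrained` rule is a simplified assumption (EKU-restricted and name-constrained), not Mozilla's exact policy text.

```python
from dataclasses import dataclass

SERVER_AUTH = "serverAuth"
EMAIL = "emailProtection"
CODE_SIGNING = "codeSigning"


@dataclass(frozen=True)
class CaCert:
    owner: str             # "CA Owner" field as recorded in the CCADB
    ekus: frozenset        # EKUs the CA cert is restricted to (empty = unrestricted)
    name_constrained: bool = False


def technically_constrained(cert: CaCert) -> bool:
    """Assumption (simplified): a CA cert is technically constrained when it is
    both EKU-restricted and carries name constraints. Such certs need not be
    disclosed to the CCADB, so they are dropped before counting owners."""
    return bool(cert.ekus) and cert.name_constrained


def count_cas(certs):
    """Return (CA certificates, CA owners with >=1 unconstrained CA cert,
    owners among those with no server-auth-capable CA cert).
    Counting certificates rather than owners is what inflates a headline
    figure; the owner count is the 'controls a signing key' metric."""
    unconstrained = [c for c in certs if not technically_constrained(c)]
    owners = {c.owner for c in unconstrained}
    server_auth_owners = {
        c.owner for c in unconstrained if not c.ekus or SERVER_AUTH in c.ekus
    }
    return len(certs), len(owners), len(owners - server_auth_owners)


# Constructed sample records (hypothetical owners, not real CCADB entries).
SAMPLE = [
    CaCert("Alpha CA", frozenset()),                              # unrestricted root-like key
    CaCert("Alpha CA", frozenset({SERVER_AUTH}), True),            # constrained sub-CA, same owner
    CaCert("Beta Corp", frozenset({SERVER_AUTH}), True),           # only constrained certs:
    CaCert("Beta Corp", frozenset({EMAIL}), True),                 #   Beta is not counted at all
    CaCert("Gamma Mail", frozenset({EMAIL, CODE_SIGNING})),        # unconstrained, S/MIME + code signing only
    CaCert("Delta Ltd", frozenset({SERVER_AUTH, "clientAuth"})),   # unconstrained, can issue TLS certs
]

if __name__ == "__main__":
    n_certs, n_owners, n_no_tls = count_cas(SAMPLE)
    print(f"{n_certs} CA certs -> {n_owners} CA owners, {n_no_tls} of which cannot issue server-auth certs")
```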