On Sun, Nov 17, 2013 at 3:20 AM, Yoav Nir <ynir@xxxxxxxxxxxxxx> wrote:
--
Website: http://hallambaker.com/
Hi, phil
I think we all agree that there are not 600 root CAs (just looking at the root store of your favorite OS or browser shows that), and the actual number of organizations is "only" several dozens.
What both the EFF and this discussion are missing, is that the number of organizations running root CAs is not the biggest part of the problem. In addition to the root CAs, the big organizations have sub-CAs and RAs. I trust you remember that ComodoHacker did not actually hack Comodo. He hacked instantssl.it. And those researchers didn't trick Verisign into signing a sub-CA certificate using an MD5 collision, they did it to RapidSSL[1].
So how many InstantSSL.it and RapidSSLs are there? Don't they outnumber the root CAs? Are they subject to the same rules set by the CABF? NameConstraints are very rare on the web, so these Sub-CAs or RAs can issue a certificate for anything. Isn't that right?
The reason that name constraints were not very common on the web was that the PKIX specification requires them to be marked critical which makes them unusable as there is enough legacy infrastructure that does not recognize them and will reject NCs marked critical to make this unacceptable.
The industry has found a solution which is to ignore the PKIX specification. According to the industry standard, it is now acceptable to use NCs that are not marked critical. The IETF can correct the spec or not, but that is now the de facto standard.
Also according to the requirements of Mozilla and other browsers, any party that has the capability of issuing certificates under a root has to be audited. I can't tell you if the transition process is complete or not, there are so many deadlines for different things I can't keep them all straight.
So hopefully the number of those parties is currently zero. But that does not rule out the possibility of a Flame like situation.
Website: http://hallambaker.com/