On Sun, Nov 17, 2013 at 4:30 AM, Randy Bush <randy@xxxxxxx> wrote:
Their number of intermediate certs is more accurate. But they make the same mistake of conflating an intermediate cert with control of a CA. Also rather odd to be talking about VeriSign which has not been in the CA business for three years now.
i'll try once again,
http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
randy
Their number of intermediate certs is more accurate. But they make the same mistake of conflating an intermediate cert with control of a CA. Also rather odd to be talking about VeriSign which has not been in the CA business for three years now.
The DFN root which has 300+ members issues an intermediary cert to every university in its network. But they maintain full control of all the private keys and these reside in the same type of secure crypto hardware as the embedded root.
The reason this is done is to enable access control restrictions of the type 'only to a site in my university'.