[cryptography] Interactive graph of the CA ecosystem

Ralph Holz holz at net.in.tum.de
Fri Dec 14 07:25:03 EST 2012


> We just released an interactive graph that shows the relationship
> between the root-CAs of the Mozilla root-store and their intermediates 
> at http://notary.icsi.berkeley.edu/trust-tree/. 

Nice one, and nice to hear from you, too. :)

My regards to the team - I imagine Robin is among them. Tell him I
haven't forgotten about the daily update thing, just busy. :)

> Root-CAs are pictured as red nodes, intermediate CAs are green. 
> The node diameter scales logarithmically with the number of 
> certificates signed by the node. Similarly, the color of the green 
> nodes scales proportional to the diameter.

Hm, I do have a question. Thawte EV has an "outbound" link to "Thawte
Root", similarly TUM has an "outbound" link to DFN. I would understand
"outbound" as indicating the direction of the signature, i.e. DFN ->
TUM. So I would have expected the link between TUM and DFN to be
"inbound" when I click on TUM. But it seems to be consistently applied,
so I guess that was a conscious choice?

> The DFN-Verein CA has signed the largest number of intermediate 
> CA certificates. As you might know it provides certificates for 
> many German higher education and research institutions. It creates 
> a unique sub-CA for each institution for which it issues certificates.
> Our data set currently contains more than 200 sub-CAs of it.
> The DFN does this for administrative reasons. The control of the
> private keys of all sub-CAs remains at the DFN and they check
> each certificate request.

Yes, thanks for noting - that's an important issue that too many blog
posts have failed to note.

As a matter of fact, I have spoken to the local TUM certification guys a
few weeks ago and know the procedure that is applied for DFN certs. It
has become a whole lot more strict now and checks are diligent, meaning
it is very clear who made the CSR (me) and it is linked to official
documentation (passport + my position within staff).

Yet it does remain a bit tricky. E.g. DFN requires that the certificate
is only issued if the "real person" applying for it (-> me) is
"responsible" for the local certification process (our sub-domain). The
tricky part is that "responsible" is a vague description. What does it

* That I have root on the Web server (I do)?
* That I usually do all the cert stuff (no, only for my stuff and if I
find the time for other sub-domains)?
* That there is an official position in the hierarchy declaring someone
responsible (there is not)?

So the local guys have to fall back to checking my identity via the
intranet and assuming I have the "correct position" within staff. I
imagine most DFN certifications are like that. A whole lot better than
domain-only validation by e-mail, though.

I guess this problem occurs a myriad times in certification.


Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
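An added illustration of the trust-tree structure discussed in this thread (the root/intermediate colouring, the log-scaled node diameter, and the inbound/outbound link direction question). This is example code written for this archive page, not the ICSI notary project's own code and not something the author posted; the certificate records are constructed sample data and the CA names in them are illustrative only. Edges here point from the signing CA to the certificate it signed, so "outbound" from a node means "signed by that node" and the DFN -> TUM link shows up as inbound at TUM.

```python
"""Build a CA trust tree from certificate (subject, issuer) pairs.

Added example, not code from the ICSI notary project or from the
mailing-list thread. Edges point from the signing CA to the
certificate it signed. All records below are constructed sample data.
"""
import math
from collections import defaultdict

# Constructed sample data: (subject, issuer). A certificate whose subject
# equals its issuer is treated as a self-signed root. Names are invented.
SAMPLE_CERTS = [
    ("Root A", "Root A"),                     # self-signed root
    ("DFN Intermediate", "Root A"),
    ("TUM Sub-CA", "DFN Intermediate"),       # per-institution sub-CA
    ("Uni X Sub-CA", "DFN Intermediate"),
    ("www.example.tum", "TUM Sub-CA"),        # end-entity certificates
    ("mail.example.tum", "TUM Sub-CA"),
    ("www.x.example", "Uni X Sub-CA"),
    ("Root B", "Root B"),                     # second self-signed root
    ("EV Intermediate", "Root B"),
    ("shop.example", "EV Intermediate"),
]


def build_trust_tree(certs):
    """Return (edges, signed_count, roots, cas).

    edges:        signer -> set of subjects it signed (self-signatures excluded)
    signed_count: certificates each CA signed (self-signatures excluded)
    roots:        subjects of self-signed certificates
    cas:          names that signed at least one other certificate
    """
    edges = defaultdict(set)
    signed_count = defaultdict(int)
    roots = set()
    for subject, issuer in certs:
        if subject == issuer:
            roots.add(subject)
            continue
        edges[issuer].add(subject)
        signed_count[issuer] += 1
    return dict(edges), dict(signed_count), roots, set(edges)


def node_kind(name, roots, cas):
    """'root' (red in the graph), 'intermediate' (green) or 'leaf'."""
    if name in roots:
        return "root"
    if name in cas:
        return "intermediate"
    return "leaf"


def node_diameter(signed, base=4.0, scale=3.0):
    """Diameter that grows logarithmically with certificates signed."""
    return base + scale * math.log1p(signed)


def outbound(name, edges):
    """Links leaving the node: everything this node signed."""
    return sorted(edges.get(name, ()))


def inbound(name, edges):
    """Links entering the node: the CA(s) whose signature is on it."""
    return sorted(s for s, children in edges.items() if name in children)


def chain_to_root(name, edges, roots):
    """Follow inbound (issuer) links upward until a self-signed root."""
    chain = [name]
    seen = {name}
    while chain[-1] not in roots:
        parents = inbound(chain[-1], edges)
        # With cross-signing there may be several parents; the first in
        # sorted order is taken here, and a cycle aborts the walk.
        if not parents or parents[0] in seen:
            raise ValueError(f"no path to a root from {name!r}")
        chain.append(parents[0])
        seen.add(parents[0])
    return chain


if __name__ == "__main__":
    edges, counts, roots, cas = build_trust_tree(SAMPLE_CERTS)
    for ca in sorted(cas | roots, key=lambda n: -counts.get(n, 0)):
        print(f"{ca:18} {node_kind(ca, roots, cas):12} "
              f"signed={counts.get(ca, 0):2} "
              f"diameter={node_diameter(counts.get(ca, 0)):.2f} "
              f"out={outbound(ca, edges)} in={inbound(ca, edges)}")
```

Running it lists each CA with its kind, the number of certificates it signed, the derived diameter and its outbound/inbound links; the DFN-style intermediate comes out with the most intermediate children, and walking any end-entity name with chain_to_root yields the path through its institution's sub-CA back to the root.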
