[cryptography] Interactive graph of the CA ecosystem

Ralph Holz holz at net.in.tum.de
Fri Dec 14 11:23:23 EST 2012


>> Hm, I do have a question. Thawte EV has an "outbound" link to "Thawte
>> Root", similarly TUM has an "outbound" link to DFN. I would understand
>> "outbound" as indicating the direction of the signature, i.e. DFN ->
>> TUM. So I would have expected the link between TUM and DFN to be
>> "inbound" when I click on TUM. But it seems to be consistenly applied,
>> so I guess that was a conscious choice?
> Well, we chose to represent the relationships between the certificates
> the other way round - the child certificates point to their parent CA. However,
> this is a purely semantical issue - for your point of view we just would
> have to reverse all links.

Fair enough. I don't know if my view is a minority or majority view, but
I'd change it. :)

>> […DFN Certificates and how they are granted...]
> Thank you very much, it is interesting to know the exact way this is done
> at the moment. I also think that each institution (like the TUM) can only
> issue certificates for a fixed set of domains. Other domains might require
> manual DFN intervention.
> But I am not a hundred percent positive about that - I mainly got that impression
> from some threads on the Mozilla bug tracker where they discussed the DFN.

That is an interesting question indeed. Any domain under the 2LD of a
German university is certainly within their CPS. However, we have
registered 2LDs under ORG and NET now, with WHOIS identifying us as TUM,
and will ask them to certify those. I'll report if that is possible or
not. :)


Ralph Holz
Network Architectures and Services
Technische Universität München
Phone +49 89 28918043
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF
