[cryptography] what has the NSA broken?

Ralph Holz holz at net.in.tum.de
Sun Sep 8 07:52:21 EDT 2013

Hi David,

>>> Most private keys are issued by, not merely certified by, the CAs.
>> Can you give numerical evidence for this claim?
> Device certificates (those that go into mass manufactured products)
> typically have the CA provide both keys and cert. The back and forth of
> keygen->CSR->Sign->Return per product does not fit in the mindset of a
> manufacturer.
> I suspect this is more certs than all the web site certs put together.

An interesting point, certainly. Two caveats, both of which I have to
systematically verify for SSL, however (I have already verified them for

1) Mass-produced devices like to use default keys - Heninger et al.
showed that quite conclusively last year. I.e. we are not looking at
distinct certificates, and not such ones for private use. I can verify
that with our latest scan of today, which was IPv4-wide. It will take me
a bit to wade through the subjects, issuers, SKID and AKID.

2) On the same line: why have a device key signed by a CA anyway if you
are going to use it for all devices of one line?

3) When we look at distinct certs, I am not so sure that your argument
"more than all Web certs put together" still holds. Again, I need a
moment to check that.


Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
Phone +
PGP: A805 D19C E23E 6BBB E0C4  86DC 520E 0C83 69B0 03EF

More information about the cryptography mailing list