An Interactive Graph of the Certificate Authority Ecosystem 39
An anonymous reader writes "Researchers of the International Computer Science Institute in Berkeley have created an interactive diagram that shows root-CAs, their intermediates, the relationships between them and how many certificates have been signed by them. The graph was generated by passively monitoring the Internet uplinks of a number of (mostly) edu sites for SSL connections and their certificate Information. Among other things the graph shows that one GoDaddy intermediate signed more than 74,000 certificates and that a German CA uses more than 200 sub-CAs for administrative reasons."
The graphic is a lie (Score:5, Insightful)
The graph, while cool, sucks!
It implies a root signer, which isn't really there. By clumping all the various networks identified within a circle, they make it look like there are connections between the networks that don't really exist.
Look carefully around the edge between the inner and outer circles, there's nothing that bridges them.
Now look carefully around the outer circle, you'll see it isn't one continuous network, it's a bunch of small networks just sitting next to each other.
The whole reason for putting data in a graphic is so that you can draw new meaning from visual clues because the human brain is so good at interpreting visual information. However, if you force stuff into shapes like this, you imply meaning that isn't really there.
Re:sub-CA hell (Score:4, Insightful)
And why is that? This is actually exactly how the CA structure was designed to work, not that commercial "we'll protect you from anyone we don't take money from"-crap, involving RAs and other unchecked entities that can use a CA to vouch for something that they haven't even checked themselves, a practice that somehow made it into the gold standard.
The DFN is the german academic research network, and so the guys running that network can vouch for every organisation connected to it. Each organisation is supposed to be able to vouch for the certificates they issue. What's your problem with that?
Personally, I think the whole PKI thing is FUBAR, since only one super is allowed to vouch for a sub and you're effectively forced to trust someone else's CA collection (down to a certain vendor silently undoing your changes to the store on your operating system come every update check). To make digital trust workable I, end user, have to be able to choose whom to trust, a choice I currently do not have, in fact cannot have lest my intarwebz stop functioning!
But in the case of the DFN, the hierarchy is exceptionally clear and one of the few places where it actually makes sense. And maintaining 200 sub-certificates is a lot less work than maintaining millions upon millions of certificates issued on a couple bucks and a grainy copy of your passport. What does that prove anyway?