Just thought I would let you know about a podcast called Sophos Techknow – Understanding SSL. Hopefully there won't be much new in it for regular readers of this blog, but the information may be valuable for those new to the SSL industry. I did want to note a few things.
The podcasters mention 650 CAs in the SSL industry. There may well be 650 root certificates embedded in software, but that does not mean there are that many CAs, because most commercial CAs have more than one root. Entrust is currently embedding four roots, but also has three embedded roots that are obsolete.
Your browser may carry all seven. Some CAs have more than one brand and multiple roots for each brand. Other CAs use separate roots for different purposes, such as SSL, EV SSL, code-signing and secure email. All of these increase the number of root certificates, but not the number of CAs. I haven't done the counting, but the number of CAs (i.e., organizations that run CAs with embedded roots) is more likely to be closer to 150 than 650.
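The distinction above (roots versus organizations) is easy to check on your own machine. The following is an added example, not code from the original post or from Entrust or Sophos: it groups root certificates by the organizationName in their subject, using the nested-tuple subject layout that Python's ssl module returns, and reports both counts. The sample trust store at the bottom is constructed with invented CA names so the script runs offline; `load_trusted_roots` reads whatever roots the local OpenSSL trust store exposes.

```python
import ssl
from collections import defaultdict


def subject_field(subject, name):
    """Return the first value of attribute `name` (e.g. 'organizationName')
    from a subject in the nested-tuple form used by Python's ssl module
    (a tuple of RDNs, each RDN a tuple of (type, value) pairs), or None."""
    for rdn in subject:
        for key, value in rdn:
            if key == name:
                return value
    return None


def group_roots_by_org(certs):
    """Group root certificates by subject organizationName.

    `certs` is a list of dicts in the shape returned by
    SSLContext.get_ca_certs(). Returns {organizationName: [commonName, ...]}.
    """
    groups = defaultdict(list)
    for cert in certs:
        subject = cert.get("subject", ())
        org = subject_field(subject, "organizationName") or "(no organizationName)"
        cn = subject_field(subject, "commonName") or "(no commonName)"
        groups[org].append(cn)
    return dict(groups)


def count_roots_and_cas(certs):
    """Return (number of root certificates, number of distinct organizations)."""
    return len(certs), len(group_roots_by_org(certs))


def load_trusted_roots():
    """Roots exposed by the local OpenSSL/Python trust store.

    Caveat: with a capath-style store OpenSSL only reports certificates that
    have already been used in a verification, so the list may come back short
    or empty; a cafile bundle is reported in full.
    """
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def _subject(org, cn, country="US"):
    # Build a subject in the ssl-module tuple layout.
    return ((("countryName", country),),
            (("organizationName", org),),
            (("commonName", cn),))


# Constructed sample trust store (invented names; not a dump of any real
# browser root list). One organization with three roots (current generation,
# previous generation, dedicated EV root), one organization with two brands,
# and one single-root CA: six roots, three organizations.
SAMPLE_ROOTS = [
    {"subject": _subject("Example Trust Inc.", "Example Trust Root CA")},
    {"subject": _subject("Example Trust Inc.", "Example Trust Root CA - G2")},
    {"subject": _subject("Example Trust Inc.", "Example Trust EV Root CA")},
    {"subject": _subject("Brandco Holdings", "Brand A Root CA")},
    {"subject": _subject("Brandco Holdings", "Brand B Secure Root")},
    {"subject": _subject("Solo CA Ltd", "Solo CA Root", country="GB")},
]


if __name__ == "__main__":
    roots = load_trusted_roots() or SAMPLE_ROOTS
    for org, cns in sorted(group_roots_by_org(roots).items()):
        print("%s: %d root(s)" % (org, len(cns)))
    print("roots=%d organizations=%d" % count_roots_and_cas(roots))
```

Grouping by organizationName is only an approximation of "organizations that run CAs": the same company can appear under more than one legal name across its root generations, which inflates the organization count, so treat the result as an upper bound on the number of distinct CA operators.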
The podcast also discusses the different ways that certificates are verified. My interpretation is that they were talking about two ways, DV and EV. There are actually three ways that certificate requests are verified:
- Domain Validated (DV) – verify that the applicant controls the domain
- Organization Validated (OV) – verify the identity of the organization and that it controls the domain
- Extended Validation (EV) – more rigorous entity verification, as described by the CA/Browser Forum EV Guidelines
I point this out because OV certificates have been issued since the beginning of SSL. They are the most common certificate type that identifies the subscriber of the certificate (a DV certificate identifies only the domain). EV popularity is growing, but OV still makes up 31 percent of the installed SSL base according to the Netcraft data I reviewed.
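To tell the three types apart in an actual certificate, look at the certificatePolicies extension first and the subject second. The following is an added example, not from the original post or from any CA: the CA/Browser Forum policy OIDs in it are real, but certificates issued before the Baseline Requirements carry no such OID, and in that era browsers recognised EV by a list of CA-specific policy OIDs, which the `ca_ev_oids` parameter models. The `ssl` module does not expose certificatePolicies, so the caller is assumed to supply the OID list (for example from the `cryptography` package or `openssl x509 -text`); the subjects and the enterprise OID `1.3.6.1.4.1.99999.1.1` are constructed for illustration.

```python
# CA/Browser Forum reserved certificatePolicies OIDs (real values).
CABF_EV = "2.23.140.1.1"     # EV Guidelines
CABF_DV = "2.23.140.1.2.1"   # Baseline Requirements, domain validated
CABF_OV = "2.23.140.1.2.2"   # Baseline Requirements, organization validated
CABF_IV = "2.23.140.1.2.3"   # Baseline Requirements, individual validated


def classify_validation(subject, policy_oids, ca_ev_oids=()):
    """Classify a server certificate as 'DV', 'OV', 'IV' or 'EV'.

    subject      - subject in the ssl-module nested-tuple form
    policy_oids  - dotted-string OIDs from the certificatePolicies extension
    ca_ev_oids   - optional CA-specific EV policy OIDs (pre-CA/B Forum practice)
    """
    oids = set(policy_oids)
    if CABF_EV in oids or oids & set(ca_ev_oids):
        return "EV"
    if CABF_OV in oids:
        return "OV"
    if CABF_IV in oids:
        return "IV"
    if CABF_DV in oids:
        return "DV"
    # No recognised policy OID: fall back to the subject. A DV certificate
    # identifies only the domain (commonName / subjectAltName); OV and EV
    # certificates name the subscriber in organizationName. Without the EV
    # OID the subject alone cannot prove EV, so the fallback says OV.
    has_org = any(key == "organizationName" for rdn in subject for key, _ in rdn)
    return "OV" if has_org else "DV"


def validation_mix(certs, ca_ev_oids=()):
    """Count certificates per validation type for a list of
    (subject, policy_oids) pairs, mirroring an installed-base survey."""
    counts = {"DV": 0, "OV": 0, "IV": 0, "EV": 0}
    for subject, oids in certs:
        counts[classify_validation(subject, oids, ca_ev_oids)] += 1
    return counts


# Constructed sample subjects (invented organisation; not real certificates).
DV_SUBJECT = ((("commonName", "www.example.com"),),)
OV_SUBJECT = ((("countryName", "US"),),
              (("stateOrProvinceName", "Texas"),),
              (("localityName", "Dallas"),),
              (("organizationName", "Example Corp"),),
              (("commonName", "www.example.com"),))
EV_SUBJECT = OV_SUBJECT + ((("businessCategory", "Private Organization"),),
                           (("jurisdictionCountryName", "US"),),
                           (("serialNumber", "1234567"),))

# Hypothetical CA-specific EV policy OID, as browsers matched before 2.23.140.1.1.
LEGACY_EV_OID = "1.3.6.1.4.1.99999.1.1"

# Constructed sample population: two DV (one with, one without a CABF OID),
# one OV by OID, one OV by subject fallback, one EV by CABF OID, one EV by
# legacy CA OID.
SAMPLE_CERTS = [
    (DV_SUBJECT, [CABF_DV]),
    (DV_SUBJECT, []),
    (OV_SUBJECT, [CABF_OV]),
    (OV_SUBJECT, []),
    (EV_SUBJECT, [CABF_EV, CABF_OV]),
    (EV_SUBJECT, [LEGACY_EV_OID]),
]

if __name__ == "__main__":
    for subject, oids in SAMPLE_CERTS:
        print(classify_validation(subject, oids, ca_ev_oids=[LEGACY_EV_OID]), oids)
    print(validation_mix(SAMPLE_CERTS, ca_ev_oids=[LEGACY_EV_OID]))
```

The order of the checks matters: an EV certificate commonly carries the OV OID as well, so EV must be tested before OV. The subject fallback is a heuristic for certificates that predate the Baseline Requirements; a client deciding whether to show EV treatment must rely on the policy OIDs, never on the subject fields alone.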
Please enjoy the podcast.