The Bro Blog

Thursday, December 13, 2012

The Tree of Trust

As we mentioned in our preceding blog posting, ICSI has been harvesting details about SSL connections and their contained certificates since the beginning of this year.
We use the data to provide a notary service to the community, which can be used to retrieve information about individual certificates.

To enable a better understanding of the relationships between root and intermediate Certificate Authorities (CAs), we created the tree of trust, an interactive graph that visualizes how root and intermediate CAs are connected.

In this graph, each node represents a CA, where red nodes correspond to root CAs and green nodes to intermediates. The node diameter scales logarithmically with the number of certificates signed by the node. Similarly, the color of the green nodes scales proportionally with the diameter.

Clicking on a CA reveals further information, including the exact number of certificates that have been signed by it, the full subject, and the validity periods. Moreover, the search bar allows for quick location of a CA by name.

We generated the graph by validating all currently existing certificates in our notary database. For every certificate that chained up to one of the roots in the current Mozilla root store, we recorded the whole path. For the tree of trust, we merged all the paths together and summed up the number of certificates that each CA signed.

In the graph, the CA that signed the largest number of certificates is the Go Daddy Secure Certification Authority, an intermediate of GoDaddy. Our current dataset contains over 74,000 certificates that it signed.

The DFN-Verein CA has signed the largest number of intermediate CA certificates. The DFN provides certificates for German higher education institutions and also for many German research institutions. It creates a unique sub-CA for each institution for which it issues certificates. This is done for administrative reasons, and the DFN retains full control over all of its child CAs by not revealing the private key of a sub-CA to the individual institution.
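The merging and counting step described above, and the two statistics quoted for GoDaddy and the DFN, as an added example that is not the notary's own code: it merges constructed validated chains (placeholder CA names, listed leaf to root) into one tree, counts the distinct certificates each CA signed, and finds the CA with the most signed certificates and the CA with the most sub-CAs. The logarithmic diameter formula is an assumption, not the one the graph uses.

```python
import math
from collections import defaultdict

# Constructed sample of validated chains, each listed leaf -> root.
# CA names are placeholders, not entries from the ICSI notary.
CHAINS = [
    ["www.example.test", "Intermediate A", "Root X"],
    ["mail.example.test", "Intermediate A", "Root X"],
    ["shop.example.test", "Intermediate B", "Intermediate A", "Root X"],
    ["uni1.example.test", "Sub-CA Uni1", "Intermediate C", "Root Y"],
    ["uni2.example.test", "Sub-CA Uni2", "Intermediate C", "Root Y"],
]


def build_tree(chains):
    """Merge chains into one tree; return (children, leaves, roots).

    children[ca] is the set of CA certificates signed by ca,
    leaves[ca] the set of end-entity certificates signed by ca.
    Sets deduplicate a CA certificate that appears in many chains.
    """
    children, leaves, roots = defaultdict(set), defaultdict(set), set()
    for chain in chains:
        if len(chain) < 2:
            raise ValueError("need at least a leaf and its issuer")
        roots.add(chain[-1])
        # Walk the chain from the root down: chain[i] signed chain[i-1].
        for i in range(len(chain) - 1, 0, -1):
            issuer, subject = chain[i], chain[i - 1]
            (leaves if i == 1 else children)[issuer].add(subject)
    return children, leaves, roots


def signed_counts(chains):
    """Total certificates (CA plus end-entity) signed by each CA."""
    children, leaves, _ = build_tree(chains)
    cas = set(children) | set(leaves)
    return {ca: len(children[ca]) + len(leaves[ca]) for ca in cas}


def node_diameter(signed, base=10.0):
    """Assumed log scaling: diameter grows with log10 of certificates signed."""
    return base * (1.0 + math.log10(max(signed, 1)))


def top_signer(chains):
    """CA that signed the most certificates (the GoDaddy statistic)."""
    counts = signed_counts(chains)
    return max(counts, key=counts.get)


def top_ca_issuer(chains):
    """CA that signed the most intermediate-CA certificates (the DFN statistic)."""
    children, _, _ = build_tree(chains)
    return max(children, key=lambda ca: len(children[ca]))
```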